Threat Lab

Girl Scouts and OpenText empower future leaders of tomorrow with cyber resilience

The transition to a digital-first world enables us to connect, work and live in a realm where information is available at our fingertips. The children of today will be working in an environment of tomorrow that is shaped by hyperconnectivity. Operating in this...

World Backup Day reminds us all just how precious our data is

Think of all the important files sitting on your computer right now. If your computer crashed tomorrow, would you be able to retrieve your important files? Would your business suffer as a result? As more and more of our daily activities incorporate digital and online...

3 Reasons We Forget Small & Midsized Businesses are Major Targets for Ransomware

The ransomware attacks that make headlines and steer conversations among cybersecurity professionals usually involve major ransoms, huge corporations and notorious hacking groups. Kia Motors, Accenture, Acer, JBS…these companies were some of the largest to be...

How Ransomware Sneaks In

Ransomware has officially made the mainstream. Dramatic headlines announce the latest attacks and news outlets highlight the staggeringly high ransoms businesses pay to retrieve their stolen data. And it’s no wonder why – ransomware attacks are on the rise and the...

An MSP and SMB guide to disaster preparation, recovery and remediation

Introduction It’s important for a business to be prepared with an exercised business continuity and disaster recovery (BC/DR) plan before it’s hit with ransomware so that it can resume operations as quickly as possible. Key steps and solutions should be followed...

Podcast: Cyber resilience in a remote work world

The global pandemic that began to send us packing from our offices in March of last year upended our established way of working overnight. We’re still feeling the effects. Many office workers have yet to return to the office in the volumes they worked in pre-pandemic....

5 Tips to get Better Efficacy out of Your IT Security Stack

If you’re an admin, service provider, security executive, or are otherwise affiliated with the world of IT solutions, then you know that one of the biggest challenges to overcome is efficacy. Especially in terms of cybersecurity, efficacy is something of an amorphous...

How Cryptocurrency and Cybercrime Trends Influence One Another

Typically, when cryptocurrency values change, one would expect to see changes in crypto-related cybercrime. In particular, trends in Bitcoin values tend to be the bellwether you can use to predict how other currencies’ values will shift, and there are usually...

‘Bash’ Shellshocks the Internet – Here’s What You Should Know

Update: Apple has patched the Bash bug. For more info (including links to download the updates on your Mac), check out this TechCrunch report.

As of last week, there’s a new security bug in the news, and it’s wreaking havoc on the Internet.

Bash Bug

(Source: Macworld/Errata Security)

Discovered by Stephane Chazelas, a security researcher for Akamai (who revealed the bad news to the world last Thursday), the ‘Bash bug’, or ‘Shellshock’, is a particularly nasty vulnerability affecting the Bourne-Again Shell (thus the Bash acronym) of certain versions of the Unix and Linux operating systems. Yes, that includes derivatives like the Mac OS. In other words, it’s everywhere, and could affect a countless number of devices that connect to the internet.

Remember Heartbleed? This is scarier. And potentially a bigger deal, too.

Bash Tweet

Why? According to Robert Graham of Errata Security:

“Unlike Heartbleed, which only affected a specific version of OpenSSL, this bash bug has been around for a long, long time. That means there are lots of old devices on the network vulnerable to this bug. The number of systems needing to be patched, but which won’t be, is much larger than Heartbleed.”

Oh, and it IS old. How old? Graham said in a different blog post that the bash issue has been around for 20 years.

For the record, the National Vulnerability Database gave the Bash bug a 10/10 severity score! Here’s what you should know.

What is it?

As previously mentioned, it’s a vulnerability, a bug affecting the Bash shell used in many Unix and Linux operating systems. Think of the Bash shell as the command-line shell. This means that a hacker could take over and issue remote commands to web servers that aren’t patched. As a result, private information could quickly become public information.

Is every device running Linux or Unix vulnerable?

No. According to Rapid7 Global Security Strategist Trey Ford, there are certain requirements that make a server vulnerable. More specifically, servers capable of passing commands over the internet remotely are susceptible.

What makes it so dangerous?

Bash may not affect as many devices as Heartbleed, but that may be the only consolation. Because (unlike Heartbleed) Bash lets hackers execute commands remotely, the repercussions could be a lot more serious.

Who should be worried? Should you?

While network administrators who manage internet presence for their companies (particularly those running a CGI app written in Bash or using Bash scripts) should be concerned, the everyday desktop user probably doesn’t have as much to worry about. That is, unless you have a bunch of connected ‘Internet-of-Things’ devices.

What about those Internet-of-Things Devices?

This is largely about patching updates, so while the aforementioned everyday desktop user may not be affected by Bash, that doesn’t necessarily mean his or her connected devices aren’t vulnerable. From home automation systems to routers to webcams to refrigerators, there are many Internet-of-things devices that use the Bash script. And most users would probably never think twice about installing software updates on something like a fridge. Now they should.

What’s being done? 

Companies like Google and Amazon were quick to react, rushing Thursday to patch this latest vulnerability on their end. And because recent versions of the Mac OS are vulnerable, Apple quickly responded, saying that while most OSX users aren’t at risk, the company was quickly working on patching the flaw. You can read more about that here.

What should you do?

Unfortunately, there’s not much you can do, as this is a widespread vulnerability rather than, say, a sneaky piece of malware. And because this is the case, you, as a consumer, can’t contain it by yourself. Rather, it’s up to those maintaining the web servers. But absolutely do pay attention, run updates, and look for notifications from service providers who are vulnerable to Bash. And if a company tells you to take action and change your password because their servers are affected, listen to them and get on that immediately.

What about Webroot Servers?

We took all the necessary precautions and upgraded all of our systems to the patched version. We can verify that none of our services are susceptible. You can find our official statement on this support section of our site.

We’ll be keeping a close watch to see how this story unfolds, but in the meantime, take the necessary steps to ensure you’re as protected as possible and install necessary updates as they become available.

5 million GMail accounts breached, and I was one of them

There is a bit of irony in this blog post, if you will.  Over my time at Webroot, I have become a major advocate and vocal evangelist of digital security, from talking about major level breaches to sharing my experiences with dating-website scams.  My work has focused around the education of those who will listen and read my work on the value of keeping one’s self safe at home, work, and while traveling.  Like many others, I never thought (often quite ignorantly) that my information could get out there in a breach. And if it did, I was sure I would be still protected.

This morning, we found out that there was a breach of over 5 million Gmail accounts, all hosted in a plain text file on Russian hacker forums.  Naturally, we wanted to see what the data was like, and there it was, plain as day for everyone to see.  We started to look up our various accounts, and out of my whole team, I was the only one to appear.  Right in front of me, on a list with 5 million other people, was my information.  My heart sank a little, followed by the sort of nervous laugh I get at times all while I played through the major steps I had taken to protect myself prior, and what I needed to go change.  Luckily, at the beginning of the year, I did my own security update and implemented two-factor authentication across all my major accounts, changed my standard passwords, and updated my security settings.  And while we have covered these tips in the past (along with Tyler Moffitt’s security tips), there is no reason we shouldn’t all go back and just do a quick audit to make sure.  In this case, there are two major steps I took to ensure my security online with this breach; changing my passwords and making certain that I have two-factor authentication turned on.

Change your passwords:  Every three months is the typical interval at which companies require employees to change passwords, often not allowing you to reuse any of your last 10 passwords.  This may be an annoyance, but with breaches like this occurring on a daily basis, it’s a necessary step that you should be following at home as well.  It’s no longer simply about someone figuring your password out, but rather the idea that any level of breach can grab your standard password and e-mail address, and attempt it across multiple channels until success is found.  Changing your password removes this ability.  Need help figuring out a new password you can remember?  Take your standard password and move one key left or right for each letter.  The keystrokes will be similar and it will help produce a difficult password. Remember, characters and numbers should be intermixed to increase the difficulty.  Remind yourself with a calendar note to change all your passwords on the same day every three months.  I would also recommend looking into a password manager, such as the one included in Webroot SecureAnywhere™ Internet Security Complete for home users, to help with the difficult passwords you now have to remember.

Enable Two Factor Authentication:  I have talked about this before (and shared links), and I cannot stress enough the importance of this level of security.  With cell phones being at the ready in almost all aspects of our daily lives, this is one of the most convenient and easy layers to implement.  By adding this layer, the service will authenticate any login attempt through an independent channel, allowing you to know if someone is attempting unauthorized access.  Below are links to the sites listed above for their steps on enabling this step.
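The post describes the second factor as a check that runs through an independent channel. The most common implementation is the time-based one-time password (TOTP) generated by authenticator apps, defined in RFC 6238 on top of RFC 4226 HOTP. The code below is an added example, not part of the original post or of any Webroot product: it implements the generator and the server-side check, using the RFC test key as a constructed secret and a one-step skew window that is an assumption of this example.

```python
import hashlib
import hmac
import struct
import time

# Constructed secret: the RFC 4226/6238 test vector key, not a real credential.
DEMO_SECRET = b"12345678901234567890"
STEP_SECONDS = 30  # RFC 6238 default time step


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter,
    then 'dynamic truncation' picks 31 bits at an offset taken from the last byte."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return str(code % 10**digits).zfill(digits)


def totp(secret: bytes, for_time=None, digits: int = 6, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of time steps since the epoch."""
    if for_time is None:
        for_time = time.time()
    return hotp(secret, int(for_time // step), digits)


def verify_totp(secret: bytes, submitted: str, for_time=None, digits: int = 6,
                step: int = STEP_SECONDS, window: int = 1) -> bool:
    """Server-side check. Accepts the current step plus `window` steps either side so a
    slightly skewed phone clock still works; the comparison is constant-time so response
    timing does not reveal how many leading digits were right."""
    if for_time is None:
        for_time = time.time()
    counter = int(for_time // step)
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + delta, digits), submitted):
            return True
    return False


def login(password_ok: bool, secret: bytes, submitted_code: str, for_time=None) -> bool:
    """Both factors must pass: a leaked password alone is not enough to get in."""
    return password_ok and verify_totp(secret, submitted_code, for_time)


if __name__ == "__main__":
    now = time.time()
    code = totp(DEMO_SECRET, now)
    print("current code:", code, "accepted:", login(True, DEMO_SECRET, code, now))
```

The point of the window parameter is the trade-off the passage hints at: a wider window tolerates more clock drift but gives a guesser more valid codes per attempt, so production services also rate-limit code submissions.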

While we are still unsure how the hacker was able to get all this information, it’s clear as day that it is out there, and because of that, vigilance is key.  Just as you wouldn’t leave your credit cards lying around, you shouldn’t risk your passwords being out there either.  Data is valuable, and the more private or financially focused it is, the more we need to take it seriously.  So take these simple steps, get another layer of security established, and make it a habit to change passwords so you don’t become another name on the list as I did.  In the meantime, you can check and see if your e-mail is part of the breach by following this link: https://isleaked.com/en.php

Other helpful links:

Cryptographic Locker

It seems as though every few weeks we see a new encrypting ransomware variant. It’s not surprising either since the business model of ransoming files for money is tried and true. Whether it’s important work documents, treasured wedding pictures, or complete discographies of your favorite artists, everyone has valuable data they don’t want taken.

The last thing anyone wants to see

This is the last thing anyone wants to see.


This variant does bring some new features to the scene, but also fails to apply lessons learned from previous variants. Starting with the new features, this variant will now “delete” the files after encrypting them (it just hides them from you). This doesn’t make the files any harder to recover, since they are encrypted with AES-128 anyway, but it does add a greater sense of loss and panic, since all of your common data directories will appear to have been cleaned out. Another new feature is the constant rise in price every 24 hours. While price bumping was used on previous variants, this one doesn’t have a limit and will increase by .2 bitcoins (~$97) every 24 hours until you crack or make peace with this loss.

Where this variant falls short on overall volatility is in the failure to delete the VSS (Volume Shadow Service) so using tools like Shadow Explorer will work to retrieve your files and circumvent paying the ransom. As I’ve said in previous blogs I do expect issues like this to be fixed once this malware is adopted by more botnets for widespread distribution.

 

Webroot will catch this specific variant in real time before any encryption takes place. We’re always on the lookout for more, but just in case of new zero day variants – remember that with encrypting ransomware the best protection is going to be a good backup solution. This can be either through the cloud or offline external storage.  Keeping it up to date is key so as not to lose productivity. Webroot has backup features built into our product that allow you to have directories constantly synced to the cloud. If you were to get infected by a zero day variant of encrypting ransomware you can just restore your files back, as we save a snapshot history for each of your files of up to ten previous copies.

 

The Weekend of Nude Celebrity Selfies, iCloud, and How to Protect Your Personal Info

What do celebrities (mostly young and female), 4chan, hackers, Bitcoin, and iCloud have in common?

They’re all ingredients of a scandalous Labor Day Weekend, one that was filled with celebrity ‘skin’, outrage, confirmation (and denial)…and now an FBI investigation into the crazy incident that has everyone talking.

But is it the ultimate internet scandal or a sobering reality of the importance of safeguarding your content to reduce the risk of it being stolen? Both.

Before we go into that, however, in a nutshell (and in case you don’t know by now), here’s what happened:

On Sunday, users of the often-controversial message board 4chan saw a large trove of nude celebrity pics posted on the /b/ (also known as the ‘random’) board. The extensive list of celebrity ‘victims’ included Jennifer Lawrence, Kate Upton, Mary Elizabeth Winstead, Kirsten Dunst, Ariana Grande, Kim Kardashian, Victoria Justice and many others. Afterwards, the photos quickly spread to Reddit.

Ariana Grande and Kate Upton

Then the reactions started to come in.

While Jennifer Lawrence didn’t respond herself, here was her spokesman’s reaction (which confirmed the pictures’ legitimacy): “This is a flagrant violation of privacy. The authorities have been contacted and will prosecute anyone who posts the stolen photos of Jennifer Lawrence.”

Jennifer Lawrence

(Source: Washington Post)

Not surprisingly, many of the celebrities were quick to respond themselves, taking to Twitter, some denying the legitimacy of the photos while others admitting that they were real. Below are some of the celebrity reactions on Twitter.

Actress and singer Victoria Justice took the humorous route as she called ‘her’ pics ‘fake’:

Victoria Justice Tweet

On the other end of the spectrum, actress Mary Elizabeth Winstead took a very serious tone as she confirmed that her stolen photos were real:

Mary Winstead Tweets

And here was Kirsten Dunst’s reaction:

Kirsten Dunst Tweet

But why is Dunst ‘thanking’ iCloud? And who was behind this ‘leak’? Million-dollar questions. Let’s start with the ‘who’.

It’s still uncertain exactly who the perpetrator (or perpetrators) are. According to reports, 4chan apparently hosted a shady, unorganized ‘black market’ for celebrity photos where users would sell, buy and/or swap these photos and often boast of their ‘collection’. And while some Redditors have put the blame on Bryan Hamade, a 27-year-old man from Georgia, he is ‘vehemently denying’ the claims (he did an interview with BuzzFeed yesterday morning). You can read it here (warning: could have some NSFW content).

Now back to the iCloud bit…

Some 4chan hackers claimed that they exploited a previously-unknown flaw in Apple’s iCloud, more specifically the photos, contacts, and music syncing feature.

After ‘more than 40 hours’ of investigation, however, Apple is claiming that its systems aren’t the ones to blame for the breach, saying that this was a targeted attack on the celebrities rather than a widespread breach. Here is part of their statement: “None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud or Find My iPhone.” For more on Apple’s take, you can read the CNET report here.

Also, as mentioned before, the FBI is now involved. The following is a comment from FBI spokesperson Laura Eimeiller regarding the matter: “[The FBI is] aware of the allegations concerning computer intrusions and the unlawful release of material involving high profile individuals, and is addressing the matter. Any further comment would be inappropriate at this time.”

As this story continues to develop, many of you are probably wondering (and worrying) about the security of your own personal (and possibly sensitive) information. Some people are arguing that the easiest way to avoid these scandals would be to not take nude selfies in the first place (NYT columnist Nick Bilton and comedian/actor Ricky Gervais both made similar jokes on Twitter about it – see below), while others are calling that ‘gross advice’ (read Amanda Hess’ Slate article here).

Gervais ended up deleting his Tweet, but here’s what he said originally: “Celebrities, make it harder for hackers to get nude pics of you from your computer by not putting nude pics of yourself on your computer.”

Here was Bilton’s Tweet (he later apologized):

Nick Bilton Tweet

A major takeaway, regardless of your opinion on this matter (or whether you snap revealing pics of yourself on your iPhone), is that many people take internet and mobile security for granted and don’t do enough to protect their personal information.

Here are some general safeguarding tips that will help reduce the risk of losing or unwillingly exposing your personal info:

  • Malware often targets user log-in details. Use security software to protect yourself, particularly one with a secure web browser. We here at Webroot have found that over 50% of internet traffic stems from mobile devices, and web browsing is the most likely source of attacks.
  • Having a different secure password for each place you store important data – pictures, documents, etc. – is critical. Change each password often (at least once every few months). This will keep you a step ahead of cyber criminals.
  • Watch out for phishing attacks! Never click on a link in an email except from a trusted party. Never enter your login information just because a company sends you an email with a link to a page that looks like the real company page – it could be a fake phishing page.
  • Use passwords that are difficult for automated computer programs to crack. Use phrases or even whole short sentences like CowboysNeverbeat49ers!! Change it often.
  • Pet names, birth dates, and simple number combinations are not secure passwords, nor a replacement for real-time protection software and basic security practices.

And one tip for Apple iCloud users – Apple is saying that its internal systems aren’t to blame, and they’re probably telling the truth. But the fact that iCloud wasn’t breached isn’t an excuse to use a weak password or have a simple (or honest) answer for your security question. Remember, the easier it is for you to log in to an account, the easier it is for somebody else to do so, too.

Oh, and one last thing. Just because you delete a photo from your iPhone doesn’t mean it’s automatically deleted from iCloud (or wherever else you may have stored it). Stay secure!


ZeroLocker

Recently in the news we saw FireEye and Fox-IT provide the ability to decrypt files encrypted by older Cryptolocker variants. They used the command and control servers seized by the FBI during Operation Tovar. Since they have access to those RSA keys, they essentially have the password required for every single file encrypted by a Cryptolocker variant that used Evgeniy Bogachev’s botnet. That is a major portion of the traditional red GUI Cryptolocker that became famous. Any previous victims of these variants that still have encrypted files left on their machine should be able to decrypt them with ease. All they have to do is upload a single encrypted file to this webpage and their server will email you your RSA key. Then you can just download their tool (dubbed “DecryptCryptoLocker”) and input the key, and it will decrypt all files that are still encrypted. Sadly, anyone that was hit with different variants of encrypting ransomware is still out of luck.

However, since the emergence of their tool to decrypt files for free, there has been a new encrypting ransomware going around that aims at scamming you into thinking this is a similar helpful tool – except that it demands something all scams do…payment.

Presenting ZeroLocker

ZeroLocker

At least they have a 100% guarantee…

This newest addition to the ever popular business model that is encrypting ransomware doesn’t really have many improvements over the others we’ve already seen. Using Bitcoin for payment is standard now. This variant doesn’t show the GUI until all encryption is completed and the computer is suddenly restarted. Upon restart this window is presented and threatens that you will lose all your files if you close or remove it. The payment structure is right where the industry average is – PAINFUL. This specific variant we analyzed does not delete the VSS (Volume Shadow Service), and you can get all your files back by using programs like Shadow Explorer. Once again, I expect issues like this to be fixed once this malware is adopted by more botnets for widespread distribution.

Webroot will catch this specific variant in real time before any encryption takes place. We’re always on the lookout for more, but just in case of new zero day variants – remember that with encrypting ransomware the best protection is going to be a good backup solution. This can be either through the cloud or offline external storage.  Keeping it up to date is key so as not to lose productivity. Webroot has backup features built into our product that allow you to have directories constantly synced to the cloud. If you were to get infected by a zero day variant of encrypting ransomware you can just restore your files back, as we save a snapshot history for each of your files of up to ten previous copies.

Critroni/Onion – Newest Addition to Encrypting Ransomware

In my last blog post about a week ago, I talked about how Cryptolocker and the like are not dead and we will continue to see more of them in action. It’s a successful “business model” and I don’t see it going away anytime soon. Not even a few days after my post a new encrypting ransomware emerged. This one even targets Russians!

Presenting Critroni (aka. Onion)

Critroni


This newest addition to encrypting ransomware uses the same tactics as contemporary variants, including: paying through anonymous Tor, using Bitcoin as the currency, changing the desktop background, and dropping instructions in common directories on how to pay the scam. One upgrade that is new to the encrypting ransomware scene is logging the entire directory list of files that were encrypted. They store this list in your Documents folder for your convenience come decryption time (how nice of them).


The ransom amount scales with how many files are encrypted. My specific infection only wanted “.2 Bitcoin (about 24USD)”. Please note that the exchange rate displayed by the malware is extremely wrong: .2 Bitcoin is about $120.

Payment Screen


This specific variant we analyzed does not delete the VSS (Volume Shadow Service), and you can get all your files back by using programs like Shadow Explorer. I expect that once this malware goes into widespread distribution for the US and UK, “issues” like this will get fixed and the price will rise to around .5 BTC (around $300) on average. Webroot will catch this specific variant in real time before any encryption takes place. We’re always on the lookout for more, but just in case of new zero day variants – remember that with encrypting ransomware the best protection is going to be a good backup solution. This can be either through the cloud or offline external storage.  Keeping it up to date is key so as not to lose productivity. Webroot has backup features built into our product that allow you to have directories constantly synced to the cloud. If you were to get infected by a zero day variant of encrypting ransomware you can just restore your files back, as we save a snapshot history for each of your files of up to ten previous copies.

Please note there are variations in the naming of this file, including Onion and Critroni.A.

Cryptolocker is not dead

Recently in the news, the FBI filed a status report updating the court-authorized measures to neutralize GameOver Zeus and Cryptolocker. While the report states that “all or nearly all” of the active computers infected with GameOver Zeus have been liberated from the criminals’ control, they also stated that Cryptolocker is “effectively non-functional and unable to encrypt newly infected computers.” Their reasoning for this is that Cryptolocker has been neutralized by the disruption and cannot communicate with the command and control servers to receive instructions or send RSA keys after encryption. Read more here

While seizing the majority of the GameOver Zeus botnets from the suspected “mastermind” Evgeniy Bogachev had a big impact on the number of computers infected with GameOver Zeus – about a 31 percent decrease – it’s a very bold claim to state that Cryptolocker has been “neutralized”. The reason this claim should be scrutinized is that only the samples dropped on victims’ computers that communicated with the specific servers seized are no longer a threat. All samples currently being deployed by different botnets that communicate with different command and control servers are unaffected by this seizure – and that is the majority of encrypting ransomware. Although Evgeniy Bogachev and his group had control of a major chunk of the Zeus botnets and command and control servers that deployed Cryptolocker, it was certainly not all or even the majority of Zeus botnets in existence. Most malware authors spread their samples through botnets that they either accumulated themselves (Evgeniy), or just rent time on a botnet from someone like Evgeniy (most common). So now that Evgeniy’s servers are seized, malware authors are just going to rent from some of the many other botnets out there that are still for lease.


Here are some pictures of samples that we’ve encountered that are still hard at work at infecting users.

All of these work in almost exactly the same way as the infamous traditional Cryptolocker we’ve all seen, but they have some improvements. First, there is no GUI; instead there are just background changes and text instructions in every directory that was encrypted. Second, you no longer pay using a MoneyPak key in the GUI; instead you have to install Tor or another layered encryption browser to pay them securely and directly. This allows malware authors to skip money mules and increase their percentage of the profits. The best way to stay protected from attacks like this is to utilize backups to either the cloud or offline external storage. Webroot has backup features built into our product that allow you to have directories constantly synced to the cloud. If you were to get infected by a zero day variant of encrypting ransomware you can just restore your files back, as we save a snapshot history for each of your files of up to ten previous copies.

So while this is a great win on behalf of the FBI, it’s very bold to claim that Cryptolocker is now dead. A better way to put it would be that Evgeniy M. Bogachev’s brand of Cryptolocker, and that of anyone who purchased time on his botnet, is now useless.
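The Cryptographic Locker, ZeroLocker, Critroni and Cryptolocker posts above all end on the same advice: a backup with a short version history is the reliable answer to encrypting ransomware. The code below is an added example, not Webroot’s product code or anything from the original posts. It models a cloud-sync store that keeps the last ten copies of each file (the number the posts quote) and shows the one subtlety a sync-based backup has to handle: the agent keeps syncing after infection, so the newest copy may itself be the encrypted file. A byte-entropy check, an assumption of this example rather than anything the posts describe, walks back to the last copy that still looks like plaintext. The file name, edit history and stand-in ciphertext are constructed.

```python
import hashlib
import math
from collections import deque

MAX_VERSIONS = 10  # the "up to ten previous copies" the posts describe


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte. Text and office documents sit well below 7;
    ciphertext and compressed data sit close to 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


class SnapshotStore:
    """Bounded per-file version history: when the limit is reached, storing a new
    version evicts the oldest one (deque maxlen does the trimming)."""

    def __init__(self, max_versions: int = MAX_VERSIONS):
        self.max_versions = max_versions
        self._history = {}  # path -> deque of byte strings, oldest first

    def sync(self, path: str, data: bytes) -> int:
        """Store a new version of `path`; returns how many versions are retained."""
        hist = self._history.setdefault(path, deque(maxlen=self.max_versions))
        hist.append(bytes(data))
        return len(hist)

    def versions(self, path: str) -> list:
        return list(self._history.get(path, []))

    def restore(self, path: str, index: int = -1) -> bytes:
        """Plain restore by position; -1 is the newest copy, whatever it contains."""
        return self._history[path][index]

    def restore_last_clean(self, path: str, entropy_limit: float = 7.0):
        """Walk back from newest to oldest and return the first version that does not
        look like ciphertext, or None if every retained copy is high-entropy."""
        for data in reversed(self._history.get(path, [])):
            if shannon_entropy(data) < entropy_limit:
                return data
        return None


def simulate_ransomware_then_restore():
    """Constructed scenario: twelve edits of one document are synced, then the file
    is replaced by random-looking bytes standing in for ransomware output."""
    store = SnapshotStore()
    path = "Documents/wedding-photo-list.txt"
    for i in range(1, 13):
        store.sync(path, f"wedding photo list, draft {i}\n".encode())
    # deterministic stand-in for AES output: 2048 bytes of SHA-256 digests
    fake_ciphertext = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(64))
    store.sync(path, fake_ciphertext)
    return store, path


if __name__ == "__main__":
    store, path = simulate_ransomware_then_restore()
    newest = store.restore(path)
    print(f"newest copy entropy: {shannon_entropy(newest):.2f} bits/byte")
    print("restored:", store.restore_last_clean(path).decode().strip())
```

With twelve drafts plus the encrypted copy, only drafts 4 through 12 and the ciphertext survive the ten-copy limit, which is why the posts stress keeping the backup current but also why the history must be deep enough to reach past the point of infection. The entropy heuristic is a coarse filter: it will misjudge legitimately compressed or already-encrypted files, so a real agent would combine it with the file’s type and the time the change occurred.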

A successful Gartner Summit for Webroot

Webroot, the market leader in cloud-based, real-time Internet threat detection, recently returned from the 20th annual Gartner Security and Risk Management Summit in National Harbor, Maryland.  Attended by many of the world’s top business and IT professionals in industries ranging from finance to information technology to government, the focus of this year’s conference was enabling an organization to move forward towards its objectives while ensuring security and protection.  The show’s theme at this year’s conference, “Smart Risk: Balancing Security and Opportunity”, summarized the challenges that many large companies are experiencing today as they work to ensure the safeguarding of their information without slowing down the company’s productivity.

As a ‘Premier Sponsor’, Webroot attended the Gartner Summit to introduce the next generation threat intelligence services for enterprises, BrightCloud Security Services for Enterprise, which collects and analyzes threat intelligence across multiple vectors – IP, URL, File and Application – from a massive network of nearly 35 million users protected by Webroot endpoint security solutions as well as Webroot technology partners. The team was also on-hand to demonstrate Webroot SecureAnywhere Business-Endpoint Protection, which recently was updated with enhanced management capabilities to help protect large, complex network environments.

With a busy booth during the three days of exhibit time, there was a great deal of interest in Webroot’s Threat Intelligence Server and BrightCloud Services as well as the SecureAnywhere Endpoint Protection solution.  The solutions that were introduced aligned well with two key areas that the security community is interested in – namely finding better protection for their endpoints and using external threat intelligence to make their current devices smarter and optimized for more rapid incident response – as well as fitting in with the conference’s overall theme.

While at the event, Webroot was also part of various security discussions and presentations, including two sessions where CISOs talked endpoint protection and threat intelligence.  Webroot’s Dave Dufour and Chip Witt both presented on real-time intelligence gathering, and Webroot CTO Hal Lonas presented on the difference between threat data and threat intelligence.  Mike Malloy, VP of Products and Strategy, also gave a talk on ‘the death of traditional antivirus’, a theme that forms the foundation of the Webroot security product lineup.

Thanks largely to a combination of a strong security-focused presence as well as a seamless merging of security goals between attendees and Webroot’s product offerings, the company’s presence at this year’s 2014 Gartner Security and Risk Management Summit was a major success.  Webroot is already planning on similar attendance at the coming Japanese and APAC Gartner summits to continue to drive the momentum forward.

A peek inside a commercially available Android-based botnet for hire

Relying on the systematic release of DIY (do-it-yourself) mobile malware generating tools, commercial availability of mobile malware releases intersecting with the efficient exploitation of legitimate Web sites through fraudulent underground traffic exchanges, as well as the utilization of cybercrime-friendly affiliate based revenue sharing schemes, cybercriminals continue capitalizing on the ever-growing Android mobile market segment for the purpose of achieving a positive ROI (return on investment) for their fraudulent activities.

We’ve recently spotted yet another underground market proposition offering access to Android-based infected devices. Let’s take a peek inside its Web-based command and control interface, discuss its features, as well as the proposition’s relevance within the cybercrime ecosystem.


Spamvertised ‘Customer Daily Statement’ themed emails lead to malware

Cybercriminals continue to efficiently populate their botnets, through the systematic and persistent spamvertising of tens of thousands of fake emails, for the purpose of socially engineering gullible end users into executing the malicious attachments found in the rogue emails.

We’ve recently intercepted a currently circulating malicious campaign, impersonating Barkeley Futures Limited, tricking users into thinking that they’ve received a legitimate “Customer Daily Statement”.


Spamvertised ‘June invoice’ themed emails lead to malware

Cybercriminals continue spamvertising tens of thousands of malicious emails on their way to socially engineer gullible end users, ultimately increasing their botnet’s infected population through the systematic and persistent rotation of popular brands.

We’ve recently intercepted a currently circulating malicious campaign enticing users into executing the fake attachment.


Malicious Web-based Java applet generating tool spotted in the wild

Despite the prevalence of Web based client-side exploitation tools as the cybercrime ecosystem’s primary infection vector, in a series of blog posts we’ve been emphasizing the emergence of managed/hosted/DIY malicious Java applet generating tools/platforms, highlighting the existence of a growing market segment relying on ‘visual social engineering’ vectors for the purpose of tricking end users into executing malicious/rogue/fake Java applets, ultimately joining a cybercriminal’s botnet.

We’ve recently spotted yet another Web based Java drive-by generating tool, and decided to take a peek inside the malicious infrastructure supporting it.