Threat Lab

Girl Scouts and OpenText empower future leaders of tomorrow with cyber resilience

The transition to a digital-first world enables us to connect, work and live in a realm where information is available at our fingertips. The children of today will be working in an environment of tomorrow that is shaped by hyperconnectivity. Operating in this...

World Backup Day reminds us all just how precious our data is

Think of all the important files sitting on your computer right now. If your computer crashed tomorrow, would you be able to retrieve your important files? Would your business suffer as a result? As more and more of our daily activities incorporate digital and online...

3 Reasons We Forget Small & Midsized Businesses are Major Targets for Ransomware

The ransomware attacks that make headlines and steer conversations among cybersecurity professionals usually involve major ransoms, huge corporations and notorious hacking groups. Kia Motors, Accenture, Acer, JBS…these companies were some of the largest to be...

How Ransomware Sneaks In

Ransomware has officially made the mainstream. Dramatic headlines announce the latest attacks and news outlets highlight the staggeringly high ransoms businesses pay to retrieve their stolen data. And it’s no wonder why – ransomware attacks are on the rise and the...

An MSP and SMB guide to disaster preparation, recovery and remediation

Introduction It’s important for a business to be prepared with an exercised business continuity and disaster recovery (BC/DR) plan plan before its hit with ransomware so that it can resume operations as quickly as possible. Key steps and solutions should be followed...

Podcast: Cyber resilience in a remote work world

The global pandemic that began to send us packing from our offices in March of last year upended our established way of working overnight. We’re still feeling the effects. Many office workers have yet to return to the office in the volumes they worked in pre-pandemic....

5 Tips to get Better Efficacy out of Your IT Security Stack

If you’re an admin, service provider, security executive, or are otherwise affiliated with the world of IT solutions, then you know that one of the biggest challenges to overcome is efficacy. Especially in terms of cybersecurity, efficacy is something of an amorphous...

How Cryptocurrency and Cybercrime Trends Influence One Another

Typically, when cryptocurrency values change, one would expect to see changes in crypto-related cybercrime. In particular, trends in Bitcoin values tend to be the bellwether you can use to predict how other currencies’ values will shift, and there are usually...

DIY automatic cybercrime-friendly ‘redirector generating’ service spotted in the wild – part two

Cybercriminals continue actively abusing/mixing legitimate and purely malicious infrastructure, on their way to take advantage of clean IP reputation, for the purpose of achieving a positive ROI (return on investment) out of their fraudulent/malicious activities, in terms of attribution and increasing the average lifetime for their campaigns. Acting as intermediaries within the exploitation/social engineering/malware-serving chain, the market segment for this type of cybercrime-friendly services continues flourishing, with more vendors joining it, aiming to differentiate their UVP (unique value proposition) through a variety of ‘value-added’ services.

We’ve recently spotted yet another managed/on demand redirector generating service, that’s empowering potential cybercriminals with the necessary infrastructure for the purpose of launching (layered) fraudulent/malicious (multiple) redirector enabled attacks, capable of bypassing popular Web filtering solutions. Let’s profile the service, discuss its relevance within the cybercrime ecosystem, and provide actionable intelligence on the static redirectors managed by it.

More details:

read more…

Deceptive ads expose users to the Adware.Linkular/Win32.SpeedUpMyPC.A PUAs (Potentially Unwanted Applications)

Rogue vendors of Potentially Unwanted Applications (PUAs) continue tricking tens of thousands of gullible users into installing deceptive and privacy violating applications. Largely relying on ‘visual social engineering’ tactics and basic branding concepts, the majority of campaigns convincingly present users with legitimately looking ToS (Terms of Service)/EULA (End User License Agreements) which socially engineered users accept, thereby assuming the responsibility for the potential privacy-violating activities taking place on their host.

We’ve recently spotted yet another PUA campaign, relying on deceptive “Download Now” types of ads, enticing users into downloading the bogus GetMyFiles (Adware.Linkular) application, as well as the rogue SpeedUpMyPC (Win32.SpeedUpMyPC.A) PUA. Let’s profile the campaign, and provide actionable intelligence on the infrastructure behind it.

More details:

read more…

Commercially available database of 52M+ ccTLD zone transfer domains spotted in the wild

For years, cybercriminals have been building ‘hit lists’of potential targets through automated and efficiency-oriented reconnaissance TTPs (tactics, techniques and procedures).  The aim is to fraudulently/maliciously capitalize on these databases consisting of both corporate and government users. Seeking a positive return on their fraudulent/malicious activities, cybercriminals also actively apply basic QA (Quality Assurance) processes, standardization, systematic releasing of DIY (do-it-yourself) cybercrime-friendly applications – all to further ensure a profitable outcome for their campaigns. Thanks to the active implementation of these TTPs, in 2014, the market segments for spam-ready managed services/blackhat SEO (search engine optimization) continue to flourish with experienced vendors starting to ‘vertically integrate’ within the cybercrime ecosystem which is an indication of an understanding of basic business/economic processes/theories.

We’ve recently spotted a cybercrime-friendly service that’s offering commercial access to 50M+ ccTLD zone transfer domains whose availability could lead to a widespread mass abuse. Let’s profile the service and discuss its relevance/potential for abuse in the overall threat landscape.

More details:

read more…

Managed anti-forensics IMEI modification services fuel growth in the non-attributable TDoS market segment

Everyday cybercriminals actively take advantage of basic OPSEC (Operational Security) tactics, aiming to risk-forward their fraudulent/malicious online activity to a third-party, while continuously seeking to launching their malicious/fraudulent campaigns in an anonymous fashion. Having successfully matured from, what was once a largely immature market segment to today’s growing market segment, in terms of active implementation of OPSEC concepts, the blackhat market is prone to continue expanding, further providing malicious and fraudulent adversaries with the necessary capabilities to remain beneath the radar of law enforcement and the security industry.

In a series of blog posts we’ve published throughout 2013, we proactively highlighted the emergence of the TDoS (Telephony Denial of Service) attacks in the context of cybercriminals’ growing non-attributable capabilities to target and exploit (basic) vulnerabilities in telephone/mobile systems internationally. Largely relying on fraudulently obtained SIM cards and compromised accounting data at legitimate VoIP providers, as well as active utilization of purely malicious infrastructure, TDoS vendors constantly seek new tactics to apply to their OPSEC procedures.

Having proactively profiled the TDoS market segment throughout 2013, we’re also keeping eye on value-added services/features, namely, the modification of a mobile device/USB dongle’s International Mobile Station Equipment Identity (IMEI), for the purpose of adding an additional layer of anonymity to the fraudulent/DoS process. Let’s profile several vendors offering IMEI modification services and discuss their relevance within the TDoS market segment.

More details:

read more…

A peek inside a modular, Tor C&C enabled, Bitcoin mining malware bot

Cybercriminals continue to maliciously ‘innovate’, further confirming the TTP (tactics, techniques and procedure) observations we made in our Cybercrime Trends – 2013 assessment back in December, 2013, namely, that the diverse cybercrime ecosystem is poised for exponential growth. Standardizing the very basics of fraudulent and malicious operations, throughout the years, cybercriminals have successfully achieved a state of ‘malicious economies of scale, type of economically efficient model, successfully contributing to international widespread financial and intellectual property theft. Thanks to basic cybercrime disruption concepts, such as modular DIY (do-it-yourself) commercial and publicly obtainable malware/botnet generating tools. In 2014, both sophisticated and novice cybercriminals have everything they need to reach an efficient state of fraudulent/malicious operation.

We’ve recently spotted a commercially obtainable modular, Tor C&C enabled, Bitcoin mining malware/botnet generating tool. Let’s discuss its features, key differentiation factors and take a peek inside it’s Web-based command and control interface.

More details:

read more…

Socks4/Socks5 enabled hosts as a service introduces affiliate network based revenue sharing scheme

Thanks to the commercial and public availability of DIY (do-it-yourself) modular malware/botnet generating tools, the diverse market segment for Web malware exploitating kits, as well as traffic acquiring/distributing cybercrime-friendly traffic exchanges, cybercriminals continue populating the cybercrime ecosystem with newly launched services offering API-enabled access to Socks4/Socks5 compromised/hacked hosts. Largely relying on the ubiquitous affiliate network revenue sharing/risk-forwarding scheme, vendors of these services, as well as products with built-in Socks4/Socks5 enabled features, continue acquiring new customers and gaining market share to further capitalize on their maliciously obtained assets.

We’ve recently spotted a newly launched affiliate network for a long-run — since 2004 — compromised/hacked hosts as a service. Let’s profile the service, discuss its key differentiation factors, and take a peek inside its Web based interface.

More details:

read more…

#SXSW 2014 and the future of digital security

Security and privacy were hot topics at this year’s SXSW Interactive festival, and deservingly so. While at the event in Austin, Grayson Milbourne had the pleasure of participating on a panel discussing malicious mobile apps, mobile device security and user privacy. This is a recap of his time on the panel and his thoughts of mobile security going forward.

You can read the blog here: https://www.webroot.com/blog/2014/03/14/sxsw-apps-exposed-panel-re-cap-mobilerisk/

http://youtu.be/S9AKy8AcV1Q

#SXSW 2014 and the future of digital security – Webroot Threat Blog

5M+ harvested Russian mobile numbers service exposes fraudulent infrastructure

Cybercriminals continue adapting to the exponential penetration of mobile devices through the systematic release of DIY (do-it-yourself) mobile number harvesting tools, successfully setting up the foundations for commercial managed/on demand mobile phone number harvesting services, ultimately leading to an influx of mobile  malware/spam campaigns. In addition to boutique based DIY operations, sophisticated, ‘innovation’ and market development-oriented cybercriminals are actively working on the development of commercially available Android-based botnet generating tools, further fueling growth into the market segment.

In a series of blog posts, we’ve been profiling multiple cybercrime-friendly services/malicious Android-based underground market releases, further highlighting the professionalization of the market segment in terms of sophistication and QA (Quality Assurance).

We’ve recently spotted a service offering 5M+ harvested and segmented Russian mobile phone numbers on a per business status/gender/driving license basis. What’s particularly interesting about this service is the fact that it exposes a long-run fraudulent Win32:SMSSend serving infrastructure (SEVAHOST-AS Seva-Host Ltd (AS49313), segmented harvested mobile phone numbers of Sochi citizens, a fake (paid) medical leave/absence service targeting Sochi citizens, and a portfolio of rogue mobile apps leading to the exposure of a mobile botnet, surprisingly relying on an identical hardware/bot ID.

More details:

read more…

SXSW Apps Exposed Panel Re-cap (#MobileRisk)

Security and privacy were hot topics at this year’s SXSW Interactive festival, and deservingly so. While at the event in Austin, I had the pleasure of participating on a panel discussing malicious mobile apps, mobile device security and user privacy. With me on the panel was Alan Murray, Senior VP of Products at Apperian and Erich Stuntebeck, Director of Mobile Security at AirWatch. Fahmida Rashid, Analyst for PC Mag, moderated the event.

Questions initially focused on malicious app behaviors such as accessing private user data, SMS history and GPS tracking as well as spyphone apps, rooting apps and the increased focus on exploiting mobile devices. All panelists agree that obtaining apps from either Google Play or Apple’s Application Store are the safest ways to go, but that there is still risk involved with using any app – especially those which interact with sensitive information.

A great case and point to this is the recent WhatsApp security oversight, detailed in this blog post. Basically another installed app could easily offload and decrypt saved SMS history with only needing two permissions, internet and access to the SD card – both very common to the vast majority of apps. This is especially concerning considering WhatsApp has over 450 million users, many who install apps from 3rd party sources. It also further demonstrates that security is not being prioritized during the app development process. While WhatsApp was using encryption to protect saved SMS history, the use and public availability of a decryption tool made their encryption irrelevant.

Questions also focused on security differences between iOs and Android. There is a widespread belief that iOS is more secure, however the discovery of the SSL ‘gotofail’ exploit has definitely shaken things up. Last year Android suffered a similar critical exploit, known as ‘Master Key,’ which enabled an installed app to replace the code of an existing app and piggyback its permissions. Both of these discoveries will not be the last of their type and are good examples of how difficult it is to design secure systems – even when that is a top priority. Apple does have an advantage with iOS as they manufacture all iOS devices. When a security patch is released, they can quickly update all iPhones and iPads. Google’s Android is in an entirely different boat. While Google does make devices which support Android, they are one of dozens. This has created an uneven landscape where millions of devices are using older, more vulnerable versions of Android which contain many known, and since fixed, exploits. The trouble is, these users lack an easy way to upgrade to the latest and most secure version.

During the course of the panel’s discussion, a few key themes emerged. One is that app developers play a big role in user privacy. They have the ability and technology to handle private data securely – but doing so hasn’t been a priority or focus. The other is that users should not be overly burdened with the responsibility of keeping their private data secure. Encrypting data shouldn’t be a user decision, it should happen, by default, through the application. Authentication is another area in need of improvement. Four digit pins and swipe screens are not sufficient. The panel was optimistic that future biometrics technology will greatly improve authentication and provide a seamless experience without the burden of passwords.

In all, it was a great event and there is a lot of interest in improving data security and privacy on our mobile devices. Continued discussions like this are essential to the advancement of new technology and the mobile security space is ripe for improvements.

Multiple spamvertised bogus online casino themed campaigns intercepted in the wild

Regular readers of Webroot’s Threat Blog are familiar with our series of posts detailing the proliferation of social engineering driven, privacy-violating campaigns serving W32/Casino variants. Relying on affiliate based revenue sharing schemes and spamvertised campaigns as the primary distribution vectors, the rogue operators behind them continue tricking tens of thousands of gullible users into installing the malicious applications.

We’ve recently intercepted a series of spamvertised campaigns distributing W32/Casino variants. Let’s profile the campaigns, provide actionable intelligence on the rogue domains involved in the campaigns, as well as related MD5s known to have interacted with the same rogue infrastructure.

More details:

read more…

Commercial Windows-based compromised Web shells management application spotted in the wild – part two

Sticking to good old fashioned TTPs (tactics, techniques and procedures), cybercriminals continue mixing purely malicious infrastructures with legitimate ones, for the purpose of abusing the clean IP reputations of networks, on their way to achieving positive ROI (return on investment) for their fraudulent activities. For years, this mix of infrastructures has lead to the emergence of the ‘malicious economies of scale’ concept, in terms of efficient abuse of legitimate Web properties, next to the intersection of cybercriminal online activity, and cyber warfare.

In a series of blog posts, we’ve been emphasizing on the level of automation and QA (Quality Assurance) applied by vendors of cybercrime-friendly tools and services, compromised/hacked Web shells in particular. Largely utilized for the hosting of fraudulent/malicious content, in addition to acting as stepping stones for the purpose of providing a cybercriminal with the necessary degree of anonymity when launching campaigns, the concept continues representing an inseparable part of the cybercrime ecosystem, due to the ever-green public/OTC (over-the-counter) marketplace for high page-ranked Web shells.

We’ve recently spotted a newly released commercial Windows-based compromised/hacked Web shells management application that empowers potential cybercriminals with the necessary capabilities to maintain and manage their portfolio of Web shells. Let’s take a peek at the application, and discuss some of its features.

More details:

read more…

Managed Web-based 300 GB/s capable DNS amplification enabled malware bot spotted in the wild

Opportunistic cybercriminals continue ‘innovating’ through the systematic release of DIY (do-it-yourself), Web-based, botnet/malware generating tools, seeking to monetize their coding ‘know-how’ and overall understanding of abusive/fraudulent/malicious TTPs (tactics, techniques and procedures) – all for the purpose of achieving a positive ROI with each new release.

We’ve recently spotted a newly released, Web-based DNS amplification enabled DDoS bot, and not only managed to connect it to what was once an active DDoS attack, but also, to the abuse of a publicly accessible open DNS resolver which has been set up for research purposes. Let’s discuss some of its features and take a peek at the bot’s Web-based command and control interface.

More details:

read more…