Threat Lab

Girl Scouts and OpenText empower future leaders of tomorrow with cyber resilience

The transition to a digital-first world enables us to connect, work and live in a realm where information is available at our fingertips. The children of today will be working in an environment of tomorrow that is shaped by hyperconnectivity. Operating in this...

World Backup Day reminds us all just how precious our data is

Think of all the important files sitting on your computer right now. If your computer crashed tomorrow, would you be able to retrieve your important files? Would your business suffer as a result? As more and more of our daily activities incorporate digital and online...

3 Reasons We Forget Small & Midsized Businesses are Major Targets for Ransomware

The ransomware attacks that make headlines and steer conversations among cybersecurity professionals usually involve major ransoms, huge corporations and notorious hacking groups. Kia Motors, Accenture, Acer, JBS…these companies were some of the largest to be...

How Ransomware Sneaks In

Ransomware has officially made the mainstream. Dramatic headlines announce the latest attacks and news outlets highlight the staggeringly high ransoms businesses pay to retrieve their stolen data. And it’s no wonder why – ransomware attacks are on the rise and the...

An MSP and SMB guide to disaster preparation, recovery and remediation

Introduction It’s important for a business to be prepared with an exercised business continuity and disaster recovery (BC/DR) plan before it’s hit with ransomware, so that it can resume operations as quickly as possible. Key steps and solutions should be followed...

Podcast: Cyber resilience in a remote work world

The global pandemic that began to send us packing from our offices in March of last year upended our established way of working overnight. We’re still feeling the effects. Many office workers have yet to return to the office in the volumes they worked in pre-pandemic....

5 Tips to get Better Efficacy out of Your IT Security Stack

If you’re an admin, service provider, security executive, or are otherwise affiliated with the world of IT solutions, then you know that one of the biggest challenges to overcome is efficacy. Especially in terms of cybersecurity, efficacy is something of an amorphous...

How Cryptocurrency and Cybercrime Trends Influence One Another

Typically, when cryptocurrency values change, one would expect to see changes in crypto-related cybercrime. In particular, trends in Bitcoin values tend to be the bellwether you can use to predict how other currencies’ values will shift, and there are usually...

Commercially available database of 52M+ ccTLD zone transfer domains spotted in the wild

For years, cybercriminals have been building ‘hit lists’ of potential targets through automated, efficiency-oriented reconnaissance TTPs (tactics, techniques and procedures). The aim is to capitalize fraudulently on these databases, which cover both corporate and government users. Seeking a positive return on their fraudulent activities, cybercriminals also apply basic QA (quality assurance) processes, standardization and the systematic release of DIY (do-it-yourself) cybercrime-friendly applications, all to further ensure a profitable outcome for their campaigns. Thanks to the active implementation of these TTPs, in 2014 the market segments for spam-ready managed services and blackhat SEO (search engine optimization) continue to flourish, with experienced vendors starting to ‘vertically integrate’ within the cybercrime ecosystem, an indication that they understand basic business and economic processes.

We’ve recently spotted a cybercrime-friendly service offering commercial access to 50M+ domains collected through ccTLD zone transfers, whose availability could lead to widespread mass abuse. A zone transfer (the DNS AXFR request) returns a zone’s complete record set in a single exchange, so a name server that answers it for anyone other than its own secondaries hands out a ready-made target list. Let’s profile the service and discuss its relevance and potential for abuse in the overall threat landscape.


Managed anti-forensics IMEI modification services fuel growth in the non-attributable TDoS market segment

Every day, cybercriminals take advantage of basic OPSEC (operational security) tactics, aiming to shift the risk of their fraudulent and malicious online activity onto a third party while launching their campaigns anonymously. Having matured, in terms of the active implementation of OPSEC concepts, from what was once a largely immature market segment into today’s growing one, the blackhat market is set to keep expanding, further providing fraudulent and malicious adversaries with the capabilities they need to remain beneath the radar of law enforcement and the security industry.

In a series of blog posts published throughout 2013, we highlighted the emergence of TDoS (telephony denial of service) attacks in the context of cybercriminals’ growing non-attributable capabilities to target and exploit (basic) vulnerabilities in telephone and mobile systems internationally. Relying largely on fraudulently obtained SIM cards and compromised account data at legitimate VoIP providers, as well as on purely malicious infrastructure, TDoS vendors constantly seek new tactics to add to their OPSEC procedures.

Having profiled the TDoS market segment throughout 2013, we’re also keeping an eye on value-added services and features, namely the modification of a mobile device’s or USB dongle’s International Mobile Station Equipment Identity (IMEI) for the purpose of adding a further layer of anonymity to the fraudulent/DoS process. Let’s profile several vendors offering IMEI modification services and discuss their relevance within the TDoS market segment.
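As an added illustration (not code from the original post or from any of the vendors it profiles), the Python below splits an IMEI into its fields and recomputes the Luhn check digit. A crudely edited IMEI often fails this check; one that passes proves only that the value is well-formed, since the modification tools discussed here can compute the digit too, so treat it as a cheap first filter rather than attribution. The sample values are constructed, and the plausibility flags in suspicious() are assumed heuristics, not a GSMA TAC lookup.

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Imei:
    tac: str       # Type Allocation Code (8 digits): identifies make/model
    serial: str    # serial number (6 digits) within that TAC
    check: str     # Luhn check digit (1 digit)
    luhn_ok: bool  # whether the check digit matches the first 14 digits


def luhn_check_digit(body: str) -> str:
    """Luhn check digit for a 14-digit IMEI body (TAC + serial)."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:      # every second digit from the right, starting with the last
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def parse_imei(raw: str) -> Imei:
    """Accept '490154203237518' or '49-015420-323751-8'; separators are ignored."""
    digits = "".join(ch for ch in raw if ch.isdigit())
    if len(digits) != 15:
        raise ValueError(f"IMEI needs 15 digits, got {len(digits)}")
    body, check = digits[:14], digits[14]
    return Imei(tac=body[:8], serial=body[8:], check=check,
                luhn_ok=luhn_check_digit(body) == check)


def suspicious(imei: Imei) -> List[str]:
    """Cheap plausibility flags (assumed heuristics, not a GSMA TAC lookup)."""
    reasons = []
    if not imei.luhn_ok:
        reasons.append("check digit mismatch")
    if imei.tac == "00000000":
        reasons.append("null TAC")
    if len(set(imei.serial)) == 1:
        reasons.append("serial is a single repeated digit")
    return reasons


# Constructed samples: a well-formed IMEI, the same value with its check digit
# altered by hand, and an obviously synthetic one.
SAMPLES = ["49-015420-323751-8", "490154203237519", "000000001111115"]

if __name__ == "__main__":
    for raw in SAMPLES:
        imei = parse_imei(raw)
        print(raw, imei.tac, imei.serial, imei.check, suspicious(imei) or "ok")
```

Run it as-is to see the three samples classified; feed it IMEIs reported by a VoIP or SMS gateway peer to triage which ones deserve a closer look.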


A peek inside a modular, Tor C&C enabled, Bitcoin mining malware bot

Cybercriminals continue to maliciously ‘innovate’, further confirming the TTP (tactics, techniques and procedures) observations we made in our Cybercrime Trends – 2013 assessment back in December 2013, namely that the diverse cybercrime ecosystem is poised for exponential growth. By standardizing the very basics of fraudulent and malicious operations over the years, cybercriminals have achieved a state of ‘malicious economies of scale’, an economically efficient model that contributes to widespread international financial and intellectual property theft. Thanks to basic cybercrime disruption concepts, such as modular DIY (do-it-yourself) commercial and publicly obtainable malware/botnet generating tools, in 2014 both sophisticated and novice cybercriminals have everything they need to reach an efficient state of fraudulent/malicious operation.

We’ve recently spotted a commercially available modular, Tor C&C enabled, Bitcoin mining malware/botnet generating tool. Let’s discuss its features and key differentiation factors, and take a peek inside its Web-based command and control interface.
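The post above does not show how the mining component talks to its pool, but plaintext Stratum (JSON-RPC over TCP, one object per line) is the common case for Bitcoin miners of this period, and its method names make a simple network hunt. The Python below is an added example, not code from the post or from the tool it profiles; the sample stream is constructed and the worker and user-agent strings are invented. The caveat that ties back to the Tor C&C: a miner or C&C channel tunnelled through Tor or TLS never shows these lines on the wire, so a match like this belongs on the host side (a process-level capture or proxy log) as well as at the perimeter.

```python
import json
from typing import Dict, List, Optional

# Stratum v1 is JSON-RPC over a raw TCP connection, one object per line.
CLIENT_METHODS = {"mining.subscribe", "mining.authorize", "mining.submit"}
POOL_METHODS = {"mining.notify", "mining.set_difficulty"}


def classify_stratum_line(line: str) -> Optional[Dict[str, str]]:
    """Return a finding for a Stratum request line, or None for anything else."""
    try:
        msg = json.loads(line)
    except ValueError:
        return None
    if not isinstance(msg, dict):
        return None
    method = msg.get("method")
    if not isinstance(method, str) or not method.startswith("mining."):
        return None
    params = msg.get("params") or []
    if method in CLIENT_METHODS:
        direction = "client->pool"
    elif method in POOL_METHODS:
        direction = "pool->client"
    else:
        direction = "unknown"
    finding = {"method": method, "direction": direction}
    # The authorize call carries the worker name (a wallet, login or bot ID on
    # the pool side) and subscribe carries the miner's user agent: both are IOCs.
    if method == "mining.authorize" and params:
        finding["worker"] = str(params[0])
    if method == "mining.subscribe" and params:
        finding["user_agent"] = str(params[0])
    return finding


def hunt(stream: str) -> List[Dict[str, str]]:
    """Run the classifier over a reassembled TCP stream, one line at a time."""
    findings = []
    for line in stream.splitlines():
        f = classify_stratum_line(line.strip())
        if f:
            findings.append(f)
    return findings


# Constructed sample stream (invented worker and user-agent strings).
SAMPLE_STREAM = "\n".join([
    '{"id": 1, "method": "mining.subscribe", "params": ["cpuminer/2.3.3"]}',
    '{"id": 1, "result": [[["mining.notify", "ae6812eb"]], "08000002", 4], "error": null}',
    '{"id": 2, "method": "mining.authorize", "params": ["bot-4711.worker1", "x"]}',
    '{"id": null, "method": "mining.set_difficulty", "params": [1024]}',
    "GET / HTTP/1.1",
])

if __name__ == "__main__":
    for f in hunt(SAMPLE_STREAM):
        print(f)
```

The worker string is the most useful artefact here: it is what the pool credits, so it is stable across bots of one operator even when the C&C address changes.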


Socks4/Socks5 enabled hosts as a service introduces affiliate network based revenue sharing scheme

Thanks to the commercial and public availability of DIY (do-it-yourself) modular malware/botnet generating tools, the diverse market segment for Web malware exploitation kits, and the cybercrime-friendly traffic exchanges that acquire and distribute traffic, cybercriminals continue populating the cybercrime ecosystem with newly launched services offering API-enabled access to compromised/hacked Socks4/Socks5 hosts. Relying largely on the ubiquitous affiliate network revenue sharing/risk-forwarding scheme, vendors of these services, as well as of products with built-in Socks4/Socks5 features, continue acquiring new customers and gaining market share to further capitalize on their maliciously obtained assets.

We’ve recently spotted a newly launched affiliate network for a long-running (since 2004) compromised/hacked hosts as a service operation. Let’s profile the service, discuss its key differentiation factors, and take a peek inside its Web-based interface.
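Hosts sold through a service like this one accept SOCKS4/SOCKS5 connections from the buyer, so the handshake bytes are a practical thing to look for in traffic arriving at a suspected compromised host. The Python below is an added example (not code from the post or from the service it profiles): it parses the client side of SOCKS4, SOCKS4a and SOCKS5 (RFC 1928) requests and returns the destination the buyer asked the host to reach, which is the real target of whatever campaign is being proxied. The sample payloads are constructed; the SOCKS5 parser assumes the server selected the no-authentication method, so the request follows the greeting directly in the client byte stream.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional

CMDS = {1: "CONNECT", 2: "BIND", 3: "UDP_ASSOCIATE"}


@dataclass
class SocksRequest:
    version: int
    command: str
    host: str
    port: int
    userid: str = ""   # SOCKS4 only


def parse_socks4(buf: bytes) -> SocksRequest:
    """SOCKS4: VN CD DSTPORT(2) DSTIP(4) USERID NUL [SOCKS4a: HOSTNAME NUL]."""
    if len(buf) < 9 or buf[0] != 4:
        raise ValueError("not a SOCKS4 request")
    cmd = buf[1]
    port, raw_ip = struct.unpack("!H4s", buf[2:8])
    end = buf.index(b"\x00", 8)
    userid = buf[8:end].decode("ascii", "replace")
    # SOCKS4a signals a hostname with DSTIP = 0.0.0.x (x != 0) after the USERID
    if raw_ip[:3] == b"\x00\x00\x00" and raw_ip[3] != 0:
        dend = buf.index(b"\x00", end + 1)
        host = buf[end + 1:dend].decode("ascii", "replace")
    else:
        host = str(ipaddress.IPv4Address(raw_ip))
    return SocksRequest(4, CMDS.get(cmd, f"CMD{cmd}"), host, port, userid)


def parse_socks5(buf: bytes) -> SocksRequest:
    """SOCKS5 client stream: greeting (VER NMETHODS METHODS...) then
    request (VER CMD RSV ATYP DST.ADDR DST.PORT). Assumes method 0x00 was
    chosen, so no authentication sub-negotiation sits between the two."""
    if len(buf) < 2 or buf[0] != 5:
        raise ValueError("not a SOCKS5 client stream")
    off = 2 + buf[1]                      # skip the offered method list
    if len(buf) < off + 4 or buf[off] != 5 or buf[off + 2] != 0:
        raise ValueError("malformed SOCKS5 request")
    cmd, atyp = buf[off + 1], buf[off + 3]
    off += 4
    if atyp == 1:                         # IPv4
        host = str(ipaddress.IPv4Address(buf[off:off + 4]))
        off += 4
    elif atyp == 3:                       # domain name, length-prefixed
        n = buf[off]
        host = buf[off + 1:off + 1 + n].decode("ascii", "replace")
        off += 1 + n
    elif atyp == 4:                       # IPv6
        host = str(ipaddress.IPv6Address(buf[off:off + 16]))
        off += 16
    else:
        raise ValueError(f"unknown ATYP {atyp}")
    (port,) = struct.unpack("!H", buf[off:off + 2])
    return SocksRequest(5, CMDS.get(cmd, f"CMD{cmd}"), host, port)


def parse_socks(buf: bytes) -> Optional[SocksRequest]:
    """Dispatch on the version byte; None means 'not a SOCKS request'."""
    try:
        if buf[:1] == b"\x04":
            return parse_socks4(buf)
        if buf[:1] == b"\x05":
            return parse_socks5(buf)
    except (ValueError, IndexError, struct.error):
        return None
    return None


# Constructed sample payloads, not captures from the service described above.
SAMPLES = {
    "socks4":  b"\x04\x01\x00\x50\xc0\xa8\x01\x0aabc\x00",                 # 192.168.1.10:80
    "socks4a": b"\x04\x01\x01\xbb\x00\x00\x00\x01\x00example.com\x00",     # example.com:443
    "socks5":  b"\x05\x01\x00" + b"\x05\x01\x00\x03\x0bexample.org\x01\xbb",  # example.org:443
    "http":    b"GET / HTTP/1.1\r\n",
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(name, parse_socks(payload))
```

Point it at the first client bytes of each inbound TCP stream (a reassembler such as tcpflow produces these) and the destinations it returns are the buyer's targets rather than the proxy host itself.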


#SXSW 2014 and the future of digital security

Security and privacy were hot topics at this year’s SXSW Interactive festival, and deservedly so. While at the event in Austin, Grayson Milbourne had the pleasure of participating on a panel discussing malicious mobile apps, mobile device security and user privacy. This is a recap of his time on the panel and his thoughts on mobile security going forward.

You can read the blog here: https://www.webroot.com/blog/2014/03/14/sxsw-apps-exposed-panel-re-cap-mobilerisk/

http://youtu.be/S9AKy8AcV1Q


5M+ harvested Russian mobile numbers service exposes fraudulent infrastructure

Cybercriminals continue adapting to the exponential penetration of mobile devices through the systematic release of DIY (do-it-yourself) mobile number harvesting tools, laying the foundations for commercial managed/on-demand mobile phone number harvesting services and ultimately leading to an influx of mobile malware/spam campaigns. In addition to boutique DIY operations, sophisticated, ‘innovation’ and market-development-oriented cybercriminals are actively developing commercially available Android-based botnet generating tools, further fueling growth in the market segment.

In a series of blog posts, we’ve been profiling multiple cybercrime-friendly services and malicious Android-based underground market releases, further highlighting the professionalization of the market segment in terms of sophistication and QA (quality assurance).

We’ve recently spotted a service offering 5M+ harvested Russian mobile phone numbers, segmented by business status, gender and driving license. What’s particularly interesting about this service is that it exposes a long-running fraudulent Win32:SMSSend serving infrastructure (SEVAHOST-AS, Seva-Host Ltd, AS49313), segmented harvested mobile phone numbers of Sochi citizens, a fake (paid) medical leave/absence service targeting Sochi citizens, and a portfolio of rogue mobile apps leading to the exposure of a mobile botnet, surprisingly relying on an identical hardware/bot ID.


SXSW Apps Exposed Panel Re-cap (#MobileRisk)

Security and privacy were hot topics at this year’s SXSW Interactive festival, and deservedly so. While at the event in Austin, I had the pleasure of participating on a panel discussing malicious mobile apps, mobile device security and user privacy. With me on the panel were Alan Murray, Senior VP of Products at Apperian, and Erich Stuntebeck, Director of Mobile Security at AirWatch. Fahmida Rashid, Analyst for PC Mag, moderated the event.

Questions initially focused on malicious app behaviors such as accessing private user data, SMS history and GPS tracking, as well as spyphone apps, rooting apps and the increased focus on exploiting mobile devices. All panelists agreed that obtaining apps from either Google Play or Apple’s App Store is the safest way to go, but that there is still risk involved in using any app, especially those which interact with sensitive information.

A good case in point is the recent WhatsApp security oversight, detailed in this blog post. Another installed app could offload and decrypt WhatsApp’s saved message history while needing only two permissions, internet access and access to the SD card, both very common across the vast majority of apps. This is especially concerning given that WhatsApp has over 450 million users, many of whom install apps from third-party sources. It further demonstrates that security is not being prioritized during the app development process: while WhatsApp was encrypting the saved message history, it used the same key on every installation, so the public availability of a decryption tool made that encryption irrelevant. Encryption only protects data at rest when the key is out of reach of the attacker you are defending against, which here means any other app on the same device.

Questions also focused on the security differences between iOS and Android. There is a widespread belief that iOS is more secure; however, the discovery of the SSL ‘gotofail’ bug has definitely shaken things up. Last year Android suffered a similar critical vulnerability, known as ‘Master Key’, which enabled an installed app to replace the code of an existing app and piggyback on its permissions. These discoveries will not be the last of their type and are good examples of how difficult it is to design secure systems, even when that is a top priority. Apple does have an advantage with iOS as it manufactures all iOS devices: when a security patch is released, it can quickly update all iPhones and iPads. Google’s Android is in an entirely different boat. While Google does make devices which run Android, it is one of dozens of manufacturers. This has created an uneven landscape where millions of devices run older, more vulnerable versions of Android which contain many known, and since fixed, vulnerabilities. The trouble is, these users lack an easy way to upgrade to the latest and most secure version.

During the course of the panel’s discussion, a few key themes emerged. One is that app developers play a big role in user privacy. They have the ability and the technology to handle private data securely, but doing so hasn’t been a priority or focus. The other is that users should not be overly burdened with the responsibility of keeping their private data secure. Encrypting data shouldn’t be a user decision; it should happen by default, through the application. Authentication is another area in need of improvement. Four-digit PINs and swipe screens are not sufficient. The panel was optimistic that future biometrics technology will greatly improve authentication and provide a seamless experience without the burden of passwords.

In all, it was a great event and there is a lot of interest in improving data security and privacy on our mobile devices. Continued discussions like this are essential to the advancement of new technology and the mobile security space is ripe for improvements.

Multiple spamvertised bogus online casino themed campaigns intercepted in the wild

Regular readers of Webroot’s Threat Blog are familiar with our series of posts detailing the proliferation of social engineering driven, privacy-violating campaigns serving W32/Casino variants. Relying on affiliate based revenue sharing schemes and spamvertised campaigns as the primary distribution vectors, the rogue operators behind them continue tricking tens of thousands of gullible users into installing the malicious applications.

We’ve recently intercepted a series of spamvertised campaigns distributing W32/Casino variants. Let’s profile the campaigns, provide actionable intelligence on the rogue domains involved in the campaigns, as well as related MD5s known to have interacted with the same rogue infrastructure.


Commercial Windows-based compromised Web shells management application spotted in the wild – part two

Sticking to good old-fashioned TTPs (tactics, techniques and procedures), cybercriminals continue mixing purely malicious infrastructure with legitimate infrastructure in order to abuse the clean IP reputation of legitimate networks on their way to a positive ROI (return on investment) for their fraudulent activities. For years, this mix of infrastructures has led to the ‘malicious economies of scale’ concept, in terms of the efficient abuse of legitimate Web properties, at the intersection of cybercriminal online activity and cyber warfare.

In a series of blog posts, we’ve been emphasizing the level of automation and QA (quality assurance) applied by vendors of cybercrime-friendly tools and services, compromised/hacked Web shells in particular. Largely used to host fraudulent/malicious content, and to act as stepping stones that give a cybercriminal the necessary degree of anonymity when launching campaigns, the concept remains an inseparable part of the cybercrime ecosystem, thanks to the evergreen public/OTC (over-the-counter) marketplace for Web shells on high page-ranked sites.

We’ve recently spotted a newly released commercial Windows-based application for managing compromised/hacked Web shells, which gives potential cybercriminals the capabilities they need to maintain and manage their portfolio of Web shells. Let’s take a peek at the application and discuss some of its features.


Managed Web-based 300 GB/s capable DNS amplification enabled malware bot spotted in the wild

Opportunistic cybercriminals continue ‘innovating’ through the systematic release of DIY (do-it-yourself), Web-based, botnet/malware generating tools, seeking to monetize their coding ‘know-how’ and overall understanding of abusive/fraudulent/malicious TTPs (tactics, techniques and procedures) – all for the purpose of achieving a positive ROI with each new release.

We’ve recently spotted a newly released, Web-based DNS amplification enabled DDoS bot, and not only managed to connect it to what was once an active DDoS attack, but also to the abuse of a publicly accessible open DNS resolver which had been set up for research purposes. A reflection attack of this kind depends on resolvers that answer recursive queries from any source address: the bot sends small queries with the victim’s address forged as the source, and the resolver delivers the much larger responses to the victim. Let’s discuss some of the bot’s features and take a peek at its Web-based command and control interface.


Solving the mystery of incident response

The threat landscape today is very different from a few years ago. With an ever more creative range of threat vectors through which to launch an attack, it has never been more challenging to secure our data and devices in all the ways we connect. In today’s hyper-dynamic landscape, well over 8 million malware variants are discovered each month. The majority are financially motivated, very low in volume and very sophisticated. On the mobile front, cybercriminals have shown a clear focus on compromising devices, made evident by an explosion in the discovery of malicious mobile apps and websites. Also on the rise are attacks orchestrated by organized cybercrime rings, which are now focused on large retail establishments, department stores and hotel chains. And of course, there is the ever persistent battle of state vs. state cyber espionage, with hacktivists vying for influence. With such a complex and diverse threat landscape, complicated by a variety of device types and platforms, providing security has only become more challenging.

Companies today struggle to digest the data created by their various security solutions, as these all act independently of one another. For example, the network firewall doesn’t communicate or share data with the endpoint security software. As companies add layers of protection, they are presented with additional feeds of data which, again, are all independent. This has led to solutions such as Security Information and Event Management (SIEM) systems, which aim to correlate data from various independent feeds. The problem, however, is that the sources of data remain independent and unaware of each other. Additionally, data is only correlated within a single environment, unaware of other corporations and their encounters with security events. Ultimately, this leads to time wasted on data collection and correlation when it could be spent on incident response and remediation.

To deal with today’s threats you need the ability to transform data feeds into actionable intelligence. To succeed, you must have the ability to provide context and to show interconnectivity at a granular level, whether it be for internet security, endpoints, or mobile devices – and to do so on a large scale by correlating data from millions of sources across consumer and corporate environments alike. Data does not equal intelligence, and without a way to bring it all together, to break it down and understand it, responding to the threats at hand becomes all the more challenging. Intelligence is making sense of data and working with the results to respond, remediate, and to protect against future attack.

BrightCloud Security Services provide the necessary context, detail and interconnectedness needed to transform data into actionable intelligence.

Deceptive ads expose users to PUA.InstallBrain/PC Performer PUA (Potentially Unwanted Application)

Deceptive ads continue to represent the primary distribution vector for the vast majority of Potentially Unwanted Applications (PUAs) that we track. Relying primarily on ‘visual social engineering’ tactics, these privacy-violating applications claim gullible end users as victims, largely because those users instantly agree to the terms of the End User License Agreement presented to them.

We’ve recently spotted yet another variant of the InstallBrain family of Potentially Unwanted Applications (PUAs), tricking users into installing a bogus PC performance boosting application. Let’s assess this campaign and provide actionable intelligence on the domains/IPs and related privacy-violating MD5s known to have shared the same infrastructure as the initial PUA profiled in this post.
