Threat Lab

In a series of blog posts published throughout 2012, we’ve been highlighting the existence of a vibrant underground market segment, namely, that of ‘hacking for hire’ services, email hacking in particular. Commercially available as a service for years, the practice’s growth was once largely fueled by the release of DIY Web-based popular email provider hacking tools, which once acquired by prospective cybercriminals, quickly became the foundation for a successful business model. How have things changed nowadays, in terms of tactics, techniques and procedures? Profoundly.

Case in point, we’ve been tracking two such ‘hacking for hire’ services, both of which offer a diversified portfolio of malicious services to prospective customers, such as email hacking, Web site hacking, DDoS for hire, DDoS protection, and grade modification. What type of tactics, tools and procedures do they rely on? Let’s find out.

read more…

In a cybercrime ecosystem populated by commercially available WordPress brute-forcing and mass vulnerable WordPress installation scanning tools, cybercriminals continue actively capitalizing on the platform’s leading market share within the Content Management System’s market segment. Successfully exploiting tens of thousands of installations on a daily basis, for the purpose of utilizing the legitimate infrastructure to achieve their fraudulent/malicious campaign objectives, the tactic is also largely driven by the over-supply of compromised/accounting data, usually embedded within sophisticated Web-based attack platforms like the ones we’ve profiled in the past.

We’ve recently intercepted a malicious campaign exclusively relying on rogue WordPress sites, ultimately serving client-side exploits to users through the Magnitude Web malware exploitation kit. Despite its relatively low profile in terms of proliferation — we believe the campaign is in its early stages — it exposes a pseudo-randomly generated sub-domains based fraudulent infrastructure that is worth keeping an eye on.

read more…

In the first ThreatVlog of 2014, Marcus Moreno discusses the increase in Potentially Unwanted Applications/Programs and their impact on machines, productivity, and the user experience. Also in the video is a talk on the wonderful audio ads that have been infecting machines and annoying computer users, discussing how they get into the machine and where to find them. Finally, he talks about Microsoft’s call for all security companies to come together to help end malicious malware families.

http://youtu.be/LzaC-XIKaCA

Operational Security (OPSEC) has always been an inseparable part of the cybercrime ecosystem, especially in the context of preventing law enforcement agencies from tracking down the activities of fraudulent and malicious adversaries online. Throughout the years, the industry has witnessed active utilization of malware-infected hosts (Socks4/Socks5) as anonymization ‘stepping stones’ and the use of cybercrime-friendly VPN providers, bypassing internationally accepted data retention regulations, as some of the primary anonymization tactics used by cybercriminals. Nowadays, this set of tactics has evolved into a diversified mix of legitimate and purely malicious infrastructure that provides value-added services such as APIs supporting Socks4/Socks5 services, DIY real-time Socks4/Socks5 syndicating tools, and the development of hybrid based type of anonymous ‘solutions’. These services empower cybercriminals with the necessary ‘know-how’ to  conceal their activities online, and there is a as clear attempt to standardize this ‘know-how’ through the distribution of commercial OPSEC training manuals.

read more…

The rise of boutique cybercrime-friendly E-shops, which we’ve extensively profiled in our “A Peek Inside a Boutique Cybercrime-Friendly E-Shop” series, continues further expanding as a market segment within the underground marketplace. Driven by the proliferation of public/commercially obtainable DIY (do it yourself) type of malware/botnet generating tools along side the ongoing standardization of the monetization process offered by opportunistic cybercriminals acting as intermediaries between those possessing the fraudulently obtained assets and their prospective customers, the market segment is prone to expand.

Having already profiled a managed hosting service, empowering novice cybercriminals possessing compromised/hacked accounting information with efficient ways to monetize the stolen data, we continue finding factual evidence that further confirms an ongoing standardization of the monetization process. In this post, I’ll discuss a market leading managed hosting service that is currently hosting 2500+ boutique E-shops offering access to a vast amount of compromised/hacked accounting data, with hosting services, through a convenient Web-based E-shop management interface.

read more…

Digital security is not the first thing that comes to mind when thinking about during the Sochi Olympics, but should be something that is on your mind when travelling to popular areas.  Just as scams are popular in tourist areas around the world, hacking is on the rise where media professionals, security, and large groups of travelers will be gathering.   In the past, malicious attacks through the digital infrastructure have occurred at the Olympics and other such events, and the Sochi Olympics will not be any different.  So, as you get ready to hit the Russian mountains, here are some tips to keep you and your digital work safe.

Before you head into Olympic Village

• Ask yourself if you really do need that laptop with you.  If not, leave it at home.
• Ensure all your programs are updated to their latest versions including browsers, e-mail, and antivirus.  Double check your drivers as well.
• Backup your full computer onto an external device that is staying home.
• Clear your cache and temporary internet files, and remove all remembered passwords from the browsers.
• Encryption is your friend.  There are many solutions out there that can provide full disk encryption, or even just encryption of vital folders.
• Setup cloud based backup solutions that maintain strong security around login procedure (Webroot/Dropbox/Box).  Backup and save all the files you will be working on while travelling to the cloud server and revert back upon return from the games.

While at the Olympics

• Your Wi-Fi and Bluetooth connections are the fastest and easiest to exploit.  If you do not need to be using these connections, keep them turned off.  This tip goes for phones, tablets, and computers.
• Do not plug any USBs into your computer that you find on the ground or are given to you by people you do not trust.  The largest breach in US National Security occurred from a rogue USB drive, and while your data might not have the same impact, the method of breach is still one of the more common.
• If you can connect to the internet through a wired connection in your room, do so.  This helps keep you off rogue Wi-Fi signals that could gather your data.
• Avoid logging into private websites, banking websites, and any other website where your private information could be compromised.
• If connecting for work, use your VPN to connect and stay secured.

Remember, digital security should not be forgotten when traveling, and hackers are getting increasingly more innovative with each digital advance.  The best security you can provide for your digital work is to leave your laptop at home, but if you insist on bringing it, ensure you remember you are the first line of defense in protecting yourself.

Since its inception in 1996, Alexa has positioned itself as primary Web metrics data portal, empowering Web masters, potential investors, and marketers with access to free analytics based on data gathered from toolbars installed on millions of PCs across the world. Successfully establishing itself as the most popular, publicly accessible Web site performance benchmarking tool, throughout the years, the Alexa PageRank has acted as a key indicator for the measurement of a Web site’s popularity, growth and overall performance, often used in presentations, competitive intelligence campaigns, and comparative reviews measuring the performance/popularity of particular Web sites.

Operating in a world dominated by millions of malware-infected hosts, converted to Socks4/Socks5 for, both, integration within automatic account registration tools, DoS tools, in between acting as anonymization ‘stepping-stones’, cybercriminals continue utilizing this legitimate, clean IPs-based infrastructure for purely malicious and fraudulent purposes. Their latest target? Utilizing the never-ending supply of malware-infected hosts to influence Alexa’s PageRank system. A newly released, commercially available, DIY tool is pitching itself as being capable of boosting a given domain/list of domains on Alexa’s PageRank, relying on the syndication of Socks4/Socks5 malware-infected/compromised hosts through a popular Russian service.

read more…

In need of a fresh example of penetration pricing, within the cybercrime ecosystem, used by a cybercrime-friendly vendor in an attempt to quickly gain as much market share as possible in the over-supplied market segment for keylogging-specific systems? We’re about to give you a very fresh one.

A newly released, commercially available PHP/MySQL based, keylogging-specific malware/botnet generating system, with full Unicode support, is currently being offered for $5o, with the binary re-build priced at $20, in a clear attempt by the vendor to initiate basic competitive pricing strategies to undermine the market relevance of competing propositions. Just like the Web based DDoS/passwords-stealing tool that we profiled yesterday, this most recently released keylogging system is once again acting as a very decent example of a “me too” type of underground market release, whose overall success in the short term would mostly rely on basic branding, and whose long term success relies on the systematic introduction of new features.

To get a better view of the tool’s core functions, let’s take a peek at its administration panel.

read more…

Driven by the never ending supply of newly released DIY (do it yourself) underground market releases, in combination with the systematically rebooted life cycles of releases currently in circulation, cybercriminals continue actively developing new cybercrime-friendly malware generating/botnet building applications. Motivated by the desire to further continue the monetization of this ever-green market segment, a key driving force behind the consequential rise of E-shops offering access to compromised accounting data like those we’ve extensively profiled at Webroot’s Threat Blog in the past, these cybercriminals continue to ‘innovate’ and reboot the life cycles of known releases through the systematic and persistent introduction of new features.

We’ve recently spotted a newly released, commercially available Web-based DDoS/Passwords stealing-capable DIY type of botnet generating tool, whose general availability is prone to empower potential cybercriminals with DDoS attack capabilities, as well as an efficient platform for the mass harvesting of accounting data, both of which will be inevitably monetized through the usual, now standardized monetization channels. Let’s take a peek inside the tool’s command and control interface, and discuss its key differentiation features in the broader context of their applicability in the overall threat landscape.

read more…

Regular readers of Webroot’s Threat Blog are familiar with our “A Peek Inside a Boutique Cybercrime-Friendly E-shop” series, originally started in 2012, highlighting the trend emerging at the time of boutique based E-shops selling access to compromised/hacked accounts. Popping up on our radars on systematic basis, this maturing market segment is already entering in a new life cycle stage in early 2014. The current stage is the direct result of the ongoing efficiency-oriented mentality applied by cybercriminals over the years in the face of the active implementation of tactics such as, for instance, templatization, ultimately leading to standardization of key cybercrime ecosystem processes, resulting in improved return on investment/stolen assets liquidity for their fraudulent operations.

read more…

Operating in a world dominated by millions of malware-infected hosts acting as proxies for the facilitation of fraudulent and malicious activity, the Web’s most popular properties are constantly looking for ways to add additional layers of authentication to the account registration process of prospective users, in an attempt to undermine automatic account registration tactics. With CAPTCHA under automatic fire from newly emerging CAPTCHA solving/breaking services, re-positioning the concept from what was once the primary automatic account registration prevention mechanism, to just being a part of the ‘authentication mix’ these days, in recent years, a new (layered) authentication concept got the attention of the Web’s ‘most popular’. Namely, the introduction of SMS/Mobile number account verification, a direct result of wide adoption of mandatory prepaid SIM card registration internationally, in the context of preventing crime and terrorism.

Naturally, the bad guys quickly adapted to the new authentication mechanism, and in a true ‘malicious economies of scale’ fashion, undermined the concept, successfully continuing to populate any Web property with hundreds of thousands of bogus accounts, degrading the quality of the services offered, as well as directly abusing the one-to-one/one-to-many trust model in place. How do they do it? What type of tactics do they rely on in an attempt to bypass the mandatory prepaid SIM cards registration process, in order to secure a steady flow of tens of thousands of non-attributable SIM cards, at any given moment in time, empowering them to bypass the SMS/Mobile number activation account registration process? Let’s find out.

read more…

It can be easily argued, that CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart), is the modern day’s ‘guardian of the Web’, in the context of preventing the mass, systematic, and efficient abuse of virtually each and every Web property there is.

Over the years, CAPTCHA developers continued to strike a balance between the actual usability and sophistication/resilience to attacks, while excluding the beneath the radar emergence of a trend, which would later on prove to successfully exploit a fundamental flaw in the very concept of the CAPTCHA process. Namely, the fact that, the very same humans it was meant to differentiate against the automated bots, would start to efficiently monetize the solving process, relying on the ‘human factor’, instead of applying scientific based type of attack methods.

Acquired by Google in 2009, reCAPTCHA, quickly emerged as a market leader in the space, leading to good old fashioned (eventual) exploitation of monocultural type of flaws, applied not just by security researchers, but naturally, by cybercriminals as well. How do cybercriminals bypass the Web’s most popular CAPTCHA? Do they rely on human-factor type of attacks, or continue aiming to scientifically break it, like it is most commonly assumed by CAPTCHA developers? Based on the average response times that we’re aware of, a newly launched CAPTCHA-solving/breaking service, that’s exclusively targeting Google reCAPTCHA, might have actually found a way to automate the process, as we’re firm believers in the fact that, no ‘CAPTCHA solving junkie’, can solve a reCAPTCHA in less than a second. Let’s take a peek inside the service, discuss its relevance in the CAPTCHA-solving/breaking market segment, and why its reliance on an affiliate network type of revenue sharing scheme, is poised to help the service, further acquire high-end customers, namely vendors of blackhat SEO/spam tools.

read more…