Threat Lab

In a series of blog posts, we’ve highlighted the ongoing commoditization of hacked/compromised/stolen account data (user names and passwords), the direct result of today’s efficiency-oriented cybercrime ecosystem, the increasing availability of sophisticated commercial/leaked DIY undetectable malware generating tools, malware-infected hosts as a service, log files on demand services, as well as basic data mining concepts applied on behalf of the operator of a particular botnet. What are cybercriminals up to these days in terms of obtaining such type of data? Monetization through penetration pricing on their way to achieve stolen asset liquidity, so hosts can be sold before its owner becomes aware of the compromise, thereby diminishing its value to zero.

A newly launched E-shop is currently offering access to hundreds of thousands of compromised legitimate Mail.ru, Yahoo, Instagram, PayPal, Twitter, Livejournal, Origin, Skype, Steam, Facebook, and WordPress accounts, as well as 98,000 accounts at corporate SMTP servers, potentially setting up the foundation for successful spear-phishing campaigns.

read more…

Throughout the years, cybercriminals have been perfecting the process of automatically abusing Web application vulnerabilities to achieve their fraudulent and malicious objectives. From the utilization of botnets and search engines to perform active reconnaissance, the general availability of DIY mass SQL injecting tools as well as proprietary malicious script injecting exploitation platforms, the results have been evident ever since in the form of tens of thousands of affected Web sites on a daily basis.

We’ve recently spotted a publicly released, early stage Python source code for a Bing based SQL injection scanner based on Bing “dorks”. What’s the potential of this tool to cause any widespread damage? Let’s find out.

read more…

In this episode of the ThreatVlog, Marcus Moreno discusses a new, very malicious form of FBI Ransomware that forces the users of infected machines to look at illegal imagery, taking the scare tactics to the next level. He also discusses a new Javascript hack that takes over your browser temporarily, attempting to get people to pay for it to be unlocked.

http://youtu.be/FAoRSLvtkA4

Cybercriminals are mass mailing tens of thousands of malicious Federal Deposit Insurance Corporation (FDIC) themed emails, in an attempt to trick users into clicking on the client-side exploits serving and malware dropping URLs found in the bogus emails. Let’s dissect the campaign, expose the portfolio of malicious domains using it, provide MD5s for a sample exploit and the dropped malware, as well as connect the campaign with previously launched already profiled malicious campaigns.

read more…

Today’s modern cybercrime ecosystem offers everything a novice cybercriminal would need to quickly catch up with fellow/sophisticated cybercriminals. Segmented and geolocated lists of harvested emails, managed services performing the actual spamming service, as well as DIY undetectable malware generating tools, all result in a steady influx of new (underground) market entrants, whose activities directly contribute to the overall growth of the cybercrime ecosystem. Among the most popular questions the general public often asks in terms of cybercrime, what else, besides money, acts as key driving force behind their malicious and fraudulent activities? That’s plain and simple greed, especially in those situations where Russian/Eastern European cybercriminals would purposely sell access to Russian/Eastern European malware-infected hosts, resulting in a decreased OPSEC (Operational Security) for their campaigns as they’ve managed to attract the attention of local law enforcement.

In this post, I’ll discuss yet another such service offering access to Russian malware-infected hosts, and emphasize the cybercriminal’s business logic to target Russian users.

read more…

Based on historical evidence gathered during some of the major ‘opt-in botnet’ type of crowdsourced DDoS (distributed denial of service) attack campaigns that took place over the last couple of years, the distribution of point’n’click DIY DoS (denial of service attack) tools continues representing a major driving force behind the success of these campaigns. A newly released DIY DoS tool aims to empower technically unsophisticated users with the necessary expertise to launch DDoS attacks by simultaneously utilizing an unlimited number of publicly/commercially obtainable Socks4/Socks5/HTTP-based malware-infected hosts, most commonly known as proxies.

read more…

The general availability of DIY malware generating tools continues to contribute to the growth of the ‘malware-infected hosts as anonymization stepping stones‘ Socks4/Socks5/HTTP type of services, with new market entrants entering this largely commoditized market segment on a daily basis. Thanks to the virtually non-attributable campaigns that could be launched through the use of malware-infected hosts, the cybercrime underground continues to seek innovative and efficient ways to integrate the inventories of these services within the market leading fraudulent/malicious campaigns managing/launching tools and platforms.

Let’s take a peek at one of the most recently launched services offering automatic access to hundreds of malware-infected hosts to be used as anonymization stepping stones.

read more…

For years, cybercriminals have been abusing a rather popular, personally identifiable practice, namely, the activation of an online account for a particular service through SMS. Relying on the basic logic that a potential service user would not abuse its ToS (Terms of Service) for fraudulent or malicious purposes. Now that it associates a mobile with the account, the service continues ignoring the fact the SIM cards can be obtained by providing fake IDs, resulting in the increased probability for direct abuse of the service in a fraudulent/malicious fashion.

What are cybercriminals up to in terms of anonymous SIM cards these days? Differentiating their UVP (unique value proposition) by offering what they refer to as “VIP service” with a “personal approach” for each new client. In this post, I’ll discuss a newly launched service offering anonymous SIM cards to be used for the activation of various services requiring SMS-based activation, and emphasize on its unique UVP.

read more…

Opportunistic 419 advance fee scammers are currently using CNN.com’s “Email This” feature to spamvertise Syrian Crysis themed emails, in an attempt to successfully bypass anti-spam filters. Ultimately tricking users into interacting with these fraudulent emails. The emails are just the tip of the iceberg in an ongoing attempt by multiple cybercrime gangs, looking to take advantage of the geopolitical situation (event-based social engineering attack) for fraudulent purposes, who continue spamming tens of thousands of emails impersonating internationally recognized agencies, on their way to socially engineer users into believing the legitimacy of these emails.

read more…

In a series of blog posts, we’ve been profiling the tactics and DIY tools of novice cybercriminals, whose malicious campaigns tend to largely rely on social engineering techniques, on their way to trick users into thinking that they’ve been exposed to a legitimate Java applet window. These very same malicious Java applets, continue representing a popular infection vector among novice cybercriminals, who remain the primary customers of the DIY tools/attack platforms that we’ve been profiling.

In this post, I’ll discuss a popular service, that’s exclusively offering hosting services for malicious Java applets.

read more…