Threat Lab

By Dancho Danchev

Despite the fact that the one-to-many type of malicious campaign continues dominating the threat landscape, cybercriminals are constantly looking for new ways to better tailor their campaigns to the needs, wants, and demands of potential customers. Utilizing basic marketing concepts such as localization, market segmentation, as well as personalization, today’s sophisticated cybercriminals would never choose to exclusively specialize in one-to-many or one-to-one marketing communication strategies. Instead, they will multitask in an attempt to cover as many market segments as possible.

In this post, I’ll emphasize on a targeted attacks potentially affecting Steams’ users, thanks to the commercial availability of a DIY (do it yourself) Steam ‘information harvester/mass group inviter’ tool, currently available at multiple cybercrime-friendly online communities. What’s so special about the application? How would cybercriminals potentially use it to achieve their fraudulent objectives? How much does it cost? Is the author/vendor of the application offering access to its features as a managed service?

Let’s find out.

read more…

By Dancho Danchev

Just as we anticipated on numerous occassions in our series of blog posts exploring the emerging DIY (do it yourself) trend within the cybercrime ecosystem, novice cybercriminals continue attempting to steal market share from market leaders, in order for them to either gain credibility within a particular cybercrime-friendly community, or secure a revenue stream.

Throughout 2012, we’ve witnessed the emergence of both, publicly obtainable, and commercially available, DIY unsigned Java applet generators. Largely relying on social engineering thanks to their built-in feature allowing them to “clone” any given Web site, these tools remain a popular attack vector in the arsenal of the less sophisticated cybercriminal, looking for ways to build his very own botnet.

In this post, I’ll profile one of the most recently released DIY tools.

More details:

read more…

What would an average cybercriminal do if he had access to tens of thousands of compromised email accounts? He’d probably start outsourcing the CAPTCHA solving process, in an attempt to hijack the IP reputation of both Domain Keys verified and trusted domains of all major free Web based email service providers.

What about sophisticated attackers wanting to conduct cyber espionage on a mass scale, in an efficient and anonymous — think malware-infected hosts as stepping stones — way? As of early 2013, those willing to pay the modest price of 3000 rubles ($97.47), can get access to a command line DIY tool that’s specifically designed for this purpose – automatic, anonymous and efficient data mining combined with compromised email account content grabbing.

Let’s profile the DIY tool, feature screenshots of the tool in action, and discuss its potential in the context of utilizing OSINT through botnets.

More details:

read more…

What is the Russian underground up to when it comes to ‘spear phishing’ attacks? How prevalent is the tactic among Russian cybercriminals? What “data acquisition tactics” do they rely on, and just how sophisticated are their “data mining” capabilities?

Let’s find out by emphasizing on a recent underground market advertisement offering access to data which can greatly improve the click-through rate for a spear phishing campaign. The irony? It’s being pitched as “spam leads”.

More details:

read more…

Yesterday, a relatively unknown group of cybercriminals publicly announced the availability of a new Web malware exploitation kit. What’s so special about it is the fact that its current version is entirely based on Java exploits (CVE-2012-1723 and CVE-2013-0431), naturally, with “more exploits to be introduced any time soon”.

Let’s take a peek at the statistics and infection rates produced by this kit, as well as discuss its potential, or lack thereof, to cause widespread damage to endpoints internationally.

More details:

read more…

Thanks to basic disruptive factors like standardization, DIY (do it yourself) underground market releases, Cybercrime-as-a-Service “value added” propositions, efficiency-centered client-side exploitation process, QA (Quality Assurance), and adaptation to the ubiquitous endpoint protection mechanisms, such as for instance, signatures-based antivirus scanning, the cybercrime ecosystem is currently enjoying the monetary joys of its mature state.

In this post, I’ll profile a recently advertised DIY IRC-based DDoS bot, with an emphasis on how market followers, like the author of the bot, attempt to steal market share from the competition. Successful or not, this trend has been taking place for years, and based on the positive type and number of “satisfied customer” comments for this bot, market followers can also secure a revenue stream thanks to the fact that the prospective buyers of such “me too” type of malicious software releases don’t know where to acquire the latest cutting-edge DIY DDoS bot technology from.

More details:

read more…

On Wednesday, February 27th, Webroot’s Security Intelligence Director (Grayson Milbourne) and  Senior Mobile Analyst (Armando Orozco) presented at the RSA Conference in San Francisco.  Their topic, Android Malware Exposed – An In-depth Look at its Evolution, is an expansion on their previous year’s presentation, highlighting the severity of Android malware growth.  Focusing on the history of operating system releases and the diversity across the market, as well at the threat vectors and behaviors in the evolution of Android malware, the team has established strong predictions for 2013. read more…

Earlier this month, we profiled and exposed a newly launched underground service offering access to tens of thousands of malware-infected hosts, with an emphasis on the fact that U.S.-based hosts were relatively more expensive to acquire, largely due to the fact that U.S.-based users are known to have a higher online purchasing power. How much does it cost to buy 10,000 U.S.-based malware-infected hosts? Let’s find out.

In this post, I’ll profile yet another service offering access to malware-infected hosts internationally, that’s been operating since the middle of 2012, and despite the fact that it’s official Web site is currently offline, remains in operation until present day.

More details:

read more…

Have you ever received a blank call, and no one was on the other side of the line? What about a similar blank SMS received through your mobile carrier’s Mail2SMS gateway? There’s a high probability that it was a mobile spammer who’s automatically and efficiently verifying the validity of a recently harvested database of mobile numbers, with QA (Quality Assurance) in mind. These verified databases will be later on used as the foundation for a highly successful spam/scam/malicious software disseminating campaigns, thanks to the fact that the cybercriminals behind them will no longer be shooting into the dark. How do they do that? What kind of tools do they use?

Let’s find out by profiling a Russian DIY (do it yourself) software vendor, that’s been operating since 2011, and is currently offering a Session Initiation Protocol (SIP) based phone number verification tool, as well as USB-modem based phone number verification application.

More details:

read more…

A cybercriminal/gang of cybercriminals that we’ve been closely monitoring for a while now has just launched yet another spam campaign, this time impersonating the “Data Processing Service” company, in an attempt to trick its customers into interacting with the malicious emails. Once they do so, they are automatically exposed to the client-side exploits served by the Black Hole Exploit Kit.

In this post, I’ll profile their latest campaign and the dropped malware. I will also establish a direct connection between this and three other previously profiled malicious campaigns, as well as an ongoing money mule campaign, all of which appear to have been launched by the same cybercriminal/gang of cybercriminals.

More details:

read more…

The mobile landscape has boomed in the last couple of years mostly in part because of Android devices and social networking. This has opened the door for everyone to have access to a smartphone and have the cyber world at their fingertips. Smartphones have become an extension of us, and we now have our email, banking, social networking, television and internet on the go. We live in a world of instant access.

With this excitement and convenience, we may lose track something we take serious is our privacy and security. Looming in this mobile landscape are people who want benefit from our oversight and continuous usage. read more…

Just how easy is it to generate an undetected piece of malware these days? Too easy to be true, largely thanks to the rise of managed crypting services, and the re-emergence of the DIY (do it yourself) trend within the entire cybercrime ecosystem.

With hundreds of thousands of new malware variants processed by the industry on a daily basis, it’s fairly logical to conclude that over the years, the bad guys have adapted to signature-based antivirus scanning protection mechanisms, and have achieved disturbing levels of automation and efficiency. How do they do that?

Let’s find out by profiling a recently spotted Web-based DIY malware cryptor, emphasize on the future potential of such underground projects, as well as provide MD5s of malware samples known to have been generated using it.

More details:

read more…