Threat Lab

By Dancho Danchev

Utilizing basic site ‘stickiness’ and visitor retention practices, over the years, cybercrime-friendly communities have been vigorously competing to attract, satisfy, and retain their visitors. From exclusive services available only to community members, to DIY cybercrime-friendly tools, the practice is still a common way for the community administrators to boost the underground reputation of their forum.

However, there are certain communities that will use the underground reputation of their forum to boost their sales, by releasing private DIY cybercrime-friendly tools, and promoting them under the umbrella of the community brand.

In this post, I’ll profile a HTTP/SMTP-based keylogger that’s been commercially available to members of a cybercrime-friendly community since 2011.

More details:

read more…

By Dancho Danchev

A currently ongoing malicious email campaign is impersonating ADP in an attempt to trick its customers into thinking that they’ve received a ‘Package Delivery Notification.’ In reality though, once a user clicks on any of the links found in the malicious email, they’re automatically exposed to the client-side exploits served by the Black Hole Exploit Kit.

More details:

read more…

Over the last couple of days, a cybercricriminal/gang of cybercriminals that we’ve been extensively profiling, resumed spamvertising tens of thousands of emails, in an attempt to trick users that they have a pending wire transfer. Once users click on any of the links found in the malicious emails, they’re exposed to the client-side exploits served by the Black Hole Exploit Kit.

More details:

read more…

By Dancho Danchev

We have recently spotted a new underground market ad, featuring a new commercially available malware bot+rootkit based on the ZeuS crimeware’s leaked source code. According to its author, the modular nature of the bot, allows him to keep coming up with new plugins, resulting in systematic “innovation” and the introduction of new features.

What’s the long-term potential of this malware bot with rootkit functionality? Does it have the capacity to challenge the market leading malware bot families? What are some of the features that differentiate it from the rest of competing bots currently in the wild? What’s the price of the bot, and what are the prices for the separate plugins available for purchase? Let’s find out.

More details:

read more…

Over the past week, a cybercriminal/gang of cybercriminals whose activities we’ve been actively profiling over a significant period of time, launched two separate massive spam campaigns, this time impersonating the Better Business Bureau (BBB), in an attempt to trick users into thinking that their BBB accreditation has been terminated.

Once users click on any of the links found in the malicious emails, they’re automatically exposed to the client-side exploits served by the Black Hole Exploit Kit.

More details:

read more…

By Dancho Danchev

Over the past 24 hours, we intercepted tens of thousands of malicious emails attempting to socially engineer BofA’s CashPro users into downloading and executing a bogus online digital certificate attached to the fake emails.

More details:

read more…

By Dancho Danchev

Despite the fact that the one-to-many type of malicious campaign continues dominating the threat landscape, cybercriminals are constantly looking for new ways to better tailor their campaigns to the needs, wants, and demands of potential customers. Utilizing basic marketing concepts such as localization, market segmentation, as well as personalization, today’s sophisticated cybercriminals would never choose to exclusively specialize in one-to-many or one-to-one marketing communication strategies. Instead, they will multitask in an attempt to cover as many market segments as possible.

In this post, I’ll emphasize on a targeted attacks potentially affecting Steams’ users, thanks to the commercial availability of a DIY (do it yourself) Steam ‘information harvester/mass group inviter’ tool, currently available at multiple cybercrime-friendly online communities. What’s so special about the application? How would cybercriminals potentially use it to achieve their fraudulent objectives? How much does it cost? Is the author/vendor of the application offering access to its features as a managed service?

Let’s find out.

read more…

By Dancho Danchev

Just as we anticipated on numerous occassions in our series of blog posts exploring the emerging DIY (do it yourself) trend within the cybercrime ecosystem, novice cybercriminals continue attempting to steal market share from market leaders, in order for them to either gain credibility within a particular cybercrime-friendly community, or secure a revenue stream.

Throughout 2012, we’ve witnessed the emergence of both, publicly obtainable, and commercially available, DIY unsigned Java applet generators. Largely relying on social engineering thanks to their built-in feature allowing them to “clone” any given Web site, these tools remain a popular attack vector in the arsenal of the less sophisticated cybercriminal, looking for ways to build his very own botnet.

In this post, I’ll profile one of the most recently released DIY tools.

More details:

read more…

What would an average cybercriminal do if he had access to tens of thousands of compromised email accounts? He’d probably start outsourcing the CAPTCHA solving process, in an attempt to hijack the IP reputation of both Domain Keys verified and trusted domains of all major free Web based email service providers.

What about sophisticated attackers wanting to conduct cyber espionage on a mass scale, in an efficient and anonymous — think malware-infected hosts as stepping stones — way? As of early 2013, those willing to pay the modest price of 3000 rubles ($97.47), can get access to a command line DIY tool that’s specifically designed for this purpose – automatic, anonymous and efficient data mining combined with compromised email account content grabbing.

Let’s profile the DIY tool, feature screenshots of the tool in action, and discuss its potential in the context of utilizing OSINT through botnets.

More details:

read more…

What is the Russian underground up to when it comes to ‘spear phishing’ attacks? How prevalent is the tactic among Russian cybercriminals? What “data acquisition tactics” do they rely on, and just how sophisticated are their “data mining” capabilities?

Let’s find out by emphasizing on a recent underground market advertisement offering access to data which can greatly improve the click-through rate for a spear phishing campaign. The irony? It’s being pitched as “spam leads”.

More details:

read more…

Yesterday, a relatively unknown group of cybercriminals publicly announced the availability of a new Web malware exploitation kit. What’s so special about it is the fact that its current version is entirely based on Java exploits (CVE-2012-1723 and CVE-2013-0431), naturally, with “more exploits to be introduced any time soon”.

Let’s take a peek at the statistics and infection rates produced by this kit, as well as discuss its potential, or lack thereof, to cause widespread damage to endpoints internationally.

More details:

read more…

Thanks to basic disruptive factors like standardization, DIY (do it yourself) underground market releases, Cybercrime-as-a-Service “value added” propositions, efficiency-centered client-side exploitation process, QA (Quality Assurance), and adaptation to the ubiquitous endpoint protection mechanisms, such as for instance, signatures-based antivirus scanning, the cybercrime ecosystem is currently enjoying the monetary joys of its mature state.

In this post, I’ll profile a recently advertised DIY IRC-based DDoS bot, with an emphasis on how market followers, like the author of the bot, attempt to steal market share from the competition. Successful or not, this trend has been taking place for years, and based on the positive type and number of “satisfied customer” comments for this bot, market followers can also secure a revenue stream thanks to the fact that the prospective buyers of such “me too” type of malicious software releases don’t know where to acquire the latest cutting-edge DIY DDoS bot technology from.

More details:

read more…