Threat Lab

On a periodic basis, cybercriminals are spamvertising malicious campaigns impersonating Verizon Wireless to tens of thousands of Verizon customers across the globe in an attempt to trick them into interacting with the fake emails. Throughout 2012, we intercepted two campaigns pretending to come from the company, followed by another campaign intercepted last month. This tactic largely relies on the life cycle of a particular campaign, intersecting with the publicly generated awareness of its maliciousness.

In this post, I’ll profile one of the most recently spamvertised campaigns impersonating Verizon Wireless. Not surprisingly, once users click on any of the links found in the malicious emails, they’re automatically exposed to the client-side exploits served by the Black Hole Exploit Kit.

More details:

read more…

On a daily basis, largely thanks to the efficiency-centered malicious campaigns circulating in the wild, cybercriminals get access to tens of thousands of accounting credentials across multiple Web properties, and most disturbingly, online payment processing services like PayPal.

We’ve recently spotted a newly launched underground E-shop that’s exclusively selling access to hacked PayPal accounts. How much does it cost to purchase a hacked PayPal account on the underground marketplace these days? What pricing method is the cybercriminal behind the service using, and does the newly launched E-shop share any similarities with the E-shop selling access to hacked PayPal accounts that we profiled in 2012?

Is your state cyber secure? Or is it one of the most hackable? Find out in our fourth annual Cyber Hygiene Risk Index report.

Let’s take a peek inside the E-shop.

More details:

Sample login page for the E-shop:

Sample entry page for the E-shop:

As you can see in the attached screenshot, the data is segmented in the following way: Email of the affected victim, verified/not verified account, type of account, Card confirmed or not, Bank confirmed or not, Balance, First name of the victim, the country of origin, and the actual selling price.

Screenshot of the inventory of the E-shop:

What about the prices? As you can see, accounts with virtually no assets — at least for the time being — are offered for sale at a static $3 per account. The price for accounts with a balance varies between $20-$15. It’s pretty obvious that the cybercriminal behind the E-shop is using perceived value for his pricing scheme, in the same way as another cybercriminal whose operations we profiled in 2012. Back then, he was selling access to a compromised bank account with a balance of $6,000 for $165. What we’ve got here is a decent example of how these inexperienced cybercriminals are looking for ways monetize the fraudulently obtained data as soon as possible, instead of “cashing out” the accounts by themselves, which could lead to possible risks to their OPSEC (Operational Security).

Second screenshot of the inventory of the E-shop:

The E-shop is exclusively targeting United States citizens, and currently has an inventory of 1,543 hacked PayPal accounts, followed by another 14 for the United Kingdom.

What’s particularly interesting regarding this E-shop is the fact that the cybercriminal behind it tried to come up with a value-added service, in this case a built-in Socks5 proxy checker, to be used when interacting with the hacked PayPal accounts for greater anonymity.

Sample screenshot of the built-in Socks5 proxy server checker:

These are not publicly obtainable Socks5 servers. Instead, they are compromised malware-infected hosts converted into anonymization proxies, allowing the cybercriminals who are about to “cash out” the hacked PayPal accounts to risk-forward the possibility of getting traced back to the IP of an innocent malware-infected victim.

How did the cybercriminal behind the service shape the prices for each hacked PayPal account? Pretty simple. Based on perceived value with asset liquidity in mind. Thanks to his inability/unwillingness to “cash out” the accounts by himself, launching an E-shop to monetize the fraudulently obtained financial data seems a logical development. Unlike the E-shop selling access to hacked PayPal accounts that we profiled in 2012, this one isn’t selling any other type of compromised accounting data, other than PayPal accounts.

We’ll continue monitoring the emergence of these E-shops, and post updates as soon as new developments take place.

Over the last couple of days, we’ve been monitoring a persistent attempt to infect tens of thousands of users with malware through a systematic rotation of multiple social engineering themes. What all of these campaigns have in common is the fact that they all share the same malicious infrastructure.

Let’s profile one of the most recently spamvertised campaigns, and expose the cybercriminals’ complete portfolio of malicious domains, their related name servers, dropped MD5 and its associated run time behavior.

More details:

read more…

We’ve recently intercepted a localized — to Bulgarian — malware campaign, that’s propagating through Facebook Wall posts. Basically, a malware-infected user would unknowingly post a link+enticing message, in this case “Check it out!“, on their friend’s Walls, in an attempt to abuse their trusted relationship and provoke them to click on the malicious link. Once users click on the link, they’re exposed to the malicious software.

More details:

read more…

Its tax season and cybercriminals are mass mailing tens of thousands of IRS (Internal Revenue Service) themed emails in an attempt  to trick users into thinking that their income tax refund has been “turned down”. Once users click on any of the links found in the malicious emails, they’re automatically exposed to the client-side exploits served by the Black Hole Exploit Kit.

More details:

read more…

Cybercriminals are currently spamvertising two separate campaigns, impersonating Facebook Inc., in an attempt to trick its users into thinking that their Facebook account has been disabled. What these two campaigns have in common is the fact that the client-side exploits serving domains are both parked on the same IP. Once users click on any of the links found in the malicious emails, they’re exposed to the client-side exploits served by the Black Hole Exploit Kit.

More details:

read more…

Throughout the past year, we observed an increase in the availability of malicious (DIY) tools and services that were once exclusively targeting sophisticated cybercriminals, often operating within invite-only cybercrime-friendly Web communities. This development is a clear indication that the business models behind these tools and services cannot scale, and in order to ensure a sustainable revenue stream, the cybercriminals behind them need to change their tactics – which is exactly what we’re seeing them do.

By starting to advertise these very same malicious (DIY) tools and services on publicly accessible forums, they’re proving that they’re willing to sacrifice a certain degree of OPSEC (Operational Security) for the sake of growing their business model and attracting new customers. Just like the managed SMS flooding as a service concept, which we previously profiled and discussed, there’s yet another tactic in use by cybercriminals who want to assist fellow cybercriminals in their fraudulent “cash-out schemes’ – and it’s called ‘phone ring flooding as a service’.

In this post, I’ll profile a popular, publicly advertised service, which according to its Web site, has been in operation for 3 years and has had over a thousand customers.

More details:

read more…

Thanks to the success of multiple botnet aggregating malicious campaigns launched in the wild, cybercriminals are launching malware-infected-hosts — also known as loads — as a service type of underground market propositions, in an attempt to monetize the botnet’s infected population by selling “partitioned” access to it.

How much does it cost to buy a thousand US-based malware infected hosts? What about hosts based in the European Union? Let’s find out. In this post, I’ll profile a newly launched underground service offering access to thousands of malware-infected hosts to virtually anyone who’s willing to pay the price.

More details:

read more…

Need a good reason not to connect to the public Web with your phone? Wonder where all that SMS spam is coming from? Keep reading.

Mobile phone spammers have recently released a new version of a well known phone number harvesting tool, whose main objective is to crawl the public Web and index mobile phone numbers, which will later be used for various malicious and fraudulent purposes.

More details:

read more…

What are cybercrime-facilitating programmers up to when they’re not busy fulfilling custom orders? Releasing DIY (do-it-yourself) user-friendly tools allowing anyone an easy entry into the world of cybercrime, and securing their revenue streams thanks to the active advertisements of these tools across closed cybercrime-friendly Web communities.

In this post, I’ll profile a recently advertised DIY HTTP-based botnet tool, that allows virtually anyone to operate their own botnet.

More details:

read more…

by Armando Orozco

Recently, two applications designed with malicious intent were discovered within the Google Play application store.  The apps were built with a façade of being utility cleaners designed to help optimize Android-powered phones, but in reality, both apps had code built in designed to copy private files, including photos, and submit them to remote servers.

The applications, named SuperClean and DroidClean, did not stop there. Researchers also found that the malware was able to AutoRun on Windows PC devices when the phones were paired, and infect the main computer.  The malware was designed to record audio through the computer’s microphone.

AutoRun has often been used as a method of infection, and Microsoft has since sent a security fix out to Windows XP/Vista/7 in order to disable the exploitable element. In some cases, however, the feature might have been re-enabled by the user for convenience or never changed through a backlog of updates.

An application such as this has not been seen in the past, and is showing the creative methods through which malware coders are attempting to break through a computer’s security.  With the Android device acting as a Trojan horse for the infection, malicious code has the potential of bypassing established security parameters that typically keep endpoint users safe within their network.

While Webroot has classified the malicious apps, which have been removed from Google Play’s market, it goes to show that protective steps are necessary on all levels of devices to avoid an infection.  Below, we will highlight the steps you can take to help stay protected from attacks like these.

Android Devices:

• Ensure the latest version of Webroot SecureAnywhere Mobile is installed from the official Google Play Android app store.

Webroot SecureAnywhere (PC users):

• Ensure USB shield is enabled (on by default)
  • Steps: Open Webroot > Select PC Security Tab > Select Shields > Slide USB Shield to on (green)
  • Advanced users can modify USB heuristic settings:
    • Steps: Open Webroot > Select PC Security Tab > Select Scan > Select Change Scan Settings > Select Heuristics > Select USB > Select desired protection settings

For all users, we recommend ensuring that AutoRun is disabled on your computer.  Even though Microsoft rolled out updates to disable, it is possible it could be enabled.  Finally, always ensure you scan USB and other connected devices for malware before storing data or using on other PCs.

For more information and to keep up with the conversation, head to our community: http://bit.ly/11RKiFa

Source: SecureList http://www.securelist.com/en/blog/805/Mobile_attacks

Kindle owners, watch what you click on!

Cybercriminals are currently attempting to trick Kindle owners into thinking that they’ve received a receipt from an E-book purchase from Amazon.com. In reality, when users click on any of the links found in the malicious emails, they’re automatically exposed to the  client-side exploits served by the Black Hole Exploit Kit.

More details:

read more…