Threat Lab

Security researchers and security vendors are constantly profiling and blocking the malicious operations launched by organized crime groups on the Internet.

In an attempt to increase the life cycle of their malicious campaigns, cybercriminals rely on a set of domains hosted on bulletproof servers. In addition to this tactic, they also rely on fast-fluxing, a technique where a domain’s IP automatically rotates on a specific time interval, with IPs from the botnet’s infected population — state of the art bulletproof hosting in a combination with cybercrime-friendly domain registrar.

In order to make it even harder for the security community to disrupt their campaigns, cybercriminals also implement the random domain name generation tactic. This makes it more difficult for researchers to assess and shut down their operations, as of all the randomly generated domains initiating “phone home” command and control server communications, only a few will actually respond and will be registered and operated by the cybercriminals behind the campaign.

In this post, I’ll profile a recently launched DIY malicious domain name registering/managing service which makes it easier for cybercriminals to manage their domains portfolios. The service allows them to register randomly generated domains in mass, instantly change IPs and Name Servers, and cross-reference with anti-spam checklists for verification of clean/flagged IPs.

More details:

read more…

Cybercriminals have recently launched yet another massive spam campaign attempting to trick users into clicking on malicious links or executing malicious attachments found in the spamvertised emails.

More details:

read more…

Sticking to their well proven practice of systematically rotating impersonated brands, the cybercriminals behind a huge majority of the malicious campaigns that we’ve been profiling recently are once again impersonating Intuit in an attempt to trick its customers into clicking on links exposing them to the client-side exploits served by the Black Hole Exploit Kit.

More details:

read more…

Cybercriminals are mass mailing malicious emails about a meeting you wouldn’t want to attend – unless you want to compromise the integrity of your computer.

Once executed, the malicious attachment opens a backdoor on the affected host, allowing the cybercriminals behind the campaign to gain complete access to the affected host. Naturally, we’ve been monitoring their operations for quite some time, and are easily able to identify multiple connections between their previously launched campaigns.

More details:

read more…

Cybercriminals are currently impersonating T-Mobile U.K, in an attempt to trick its customers into downloading a bogus billing information report. Upon execution, the malware opens a backdoor on the affected host, allowing the cybercriminals behind the campaign complete access to the infected PC.

More details:

read more…

Over the past couple of days, cybercriminals have launched yet another massive spam campaign, once again targeting U.K users. This time, they are impersonating Vodafone U.K, in an attempt to trick its customers into executing a bogus MMS attachment found in the malicious emails. Upon execution, the sample opens a backdoor on the affected hosts, allowing the cybercriminals behind the campaign complete access to the affected PC.

More details:

read more…

From UPS, USPS to DHL, bogus and malicious parcel tracking confirmations are a common social engineering technique often used by cybercriminals to trick users into clicking on malicious links or executing malicious attachments found in the spamvertised emails.

Continuing what appears to be a working social engineering tactic, cybercriminals are currently mass mailing bogus DHL ‘Express Delivery Notifications’ in an attempt to trick users into executing the malicious attachment. Once executed, it opens a backdoor on the affected host allowing the cybercriminals behind the campaign complete access to the infected PC.

More details:

read more…

U.K users, beware!

Cybercriminals are currently mass mailing yet another malicious spam campaign, enticing users into viewing a bogus list of parking transactions. Upon executing the malicious attachment, the malware opens a backdoor on the affected host, allowing the cybercriminals behind the campaign complete access to the host.

More details:

read more…

Facebook users, watch out!

A recently launched malicious spam campaign is impersonating Facebook, Inc. in an attempt to trick its one billion users into thinking that they’ve received a notification alerting them on activities they may have missed on Facebook. Upon clicking on any of the links found in the email, users are exposed to the client-side exploits served by the Black Hole Exploit Kit.

More details:

read more…

Over the past few weeks, cybercriminals have been persistently spamvertising ‘Inter-company invoice’ themed emails, in an attempt to trick users into viewing the malicious .html attachment, or unpack and execute the malicious binary found in the attached archives. Upon clicking on the link, users are exposed to the client-side exploits served by the latest version of the Black Hole Exploit Kit.

More details: read more…

What would an attacker do if they were attempting to inject malicious iFrames on as many Web sites as possible? Would they rely on search engines’ reconnaissance as a foundation fo their efficient exploitation process, data mine a botnet’s infected population for accounting data related to CPanel, FTP and SSH accounts, purchase access to botnet logs, unethically pen-test a Web property’s infrastructure, or hit the jackpot with an ingenious idea that’s been trending as of recently within the cybercrime ecosystem? No, they wouldn’t rely on any of these. They would just seek access to servers hosting as many domains as possible and efficiently embed malicious iFrames on each and every .php/.html/.js found within these domains. At least that’s what the cybercriminal operations that I’ll elaborate on in this post are all about. Let’s take a peek at a recently advertised DIY mass iFrame injecting Apache 2.x module that appears to have already been responsible for a variety of security incidents across the globe.

This module makes it virtually impossible for a webmaster to remove the infection from their Web site, affects millions of users in the process, and earns thousands of dollars for the cybercriminals operating it. More details: read more…

A currently ongoing spam campaign attempts to trick users into thinking that their ability to send Domestic Wire Transfers has been disabled. Impersonating the Federal Deposit Insurance Corporation (FDIC), the cybercriminals behind the campaign are potentially earning thousands of dollars in the process of monetizing the anticipated traffic.

Once users click on the bogus ‘secure download link’, they’re automatically exposed to the client-side exploits served by the Black Hole Exploit Kit.

More details:

read more…