Threat Lab

For years, cybercriminals have been trying to capitalize on the multi-billion dollar PC gaming market. From active development of game cracks and patches aiming to bypass the distribution protection embedded within the games, to today’s active data mining of a botnet’s infected population looking for gaming credentials in an attempt to resell access to this asset, cybercriminals are poised to capitalize on this market.

What are some current trends within this market segment, and how are today’s modern cybercriminals monetizing the stolen accounting data belonging to gamers internationally? Pretty simple – by automating the data mining process and monetizing the results in the form of E-shops selling access to these stolen credentials.

In this post, I’ll profile a recently launched Russian service selling access to compromised Steam accounts.

More details:

read more…

Largely relying on sophisticated and legitimate-looking phishing campaigns, next to active data mining of a botnet’s infected population, today’s cybercriminals are in a perfect position to monetize these fraudulently obtained assets in the form of compromised accounts.

From compromised social networking accounts, to direct access to compromised servers and desktop PCs, the market segment has been steadily growing over the past couple of months.

In this post I’ll profile a newly launched cybercrime-friendly E-shop selling access to compromised accounts belonging primarily to PayPal users, but also, compromised accounts belonging to Apple, Walmart, Ebay and Skype users.

More details:

read more…

Just like in every market, in the underground ecosystem demand too, meets supply on a regular basis.

Thanks to the systematically released DIY SMS flooding applications, cybercriminals have successfully transformed this market segment into a growing and professionally oriented niche market. From the active abuse of the features offered by legitimate infrastructure providers such as ICQ and Skype, to the abuse of Web-based SMS sending gateways, cybercriminals continue developing and releasing point’n’click DIY SMS flooding tools.

In this post, I’ll profile one of the most recently released DIY SMS flooders, this time relying on 23 publicly available SMS-sending Web services, primarily located in Russia.

More details:

read more…

Over the last couple of years, the modular and open source nature of today’s modern DDoS (distributed denial of service) bots inevitably resulted in the rise of the DDoS for hire and DDoS extortion monetization schemes within the cybercrime ecosystem.

These maturing business models require constant innovation on behalf of the cybercriminals providing the easy to use and manage DIY DDoS bots, the foundation of these business models. What are some of the latest developments in this field? Are the malware coders behind these releases actually innovating, or are they basically re-branding old malware bots and reintroducing them on the market? Let’s find out.

In this post, I’ll profile a recently released DIY DDoS bot, which according to its author is a modification of the Dirt Jumper DDoS bot.

More details:

read more…

With affiliate networks continuing to represent among the few key growth factors of the cybercrime ecosystem, it shouldn’t be surprising that cybercriminals continue introducing new services and goods with questionable quality and sometimes unknown origins on the market, with the idea to entice potential network participants into monetizing the traffic they can deliver through black hat SEO (Search Engine Optimization), malvertising, and spam campaigns.

In this post, I’ll profile a recently launched affiliate network selling iPhones that primarily targets Russian-speaking customers, and emphasizes the traffic acquisition scheme used by one of the network’s participants.

More details:

read more…

What happens once a cybercriminal has managed to obtain access to your credit card data by either compromising an insecure database, or through crimeware dropped on an affected host? Would he purchase blank plastic and holograms and embed the stolen data in an attempt to cash out as much money as possible, or would he look for alternative “risk forwarding” tactics to earn revenue while preserving his security and anonymity in the process?

It depends on the cybercriminal in question. In this post, I’ll profile a recently launched E-shop offering complete access to stolen credit cards data  primarily belonging to U.S citizens.

More details:

read more…

Over the past couple of months, I’ve been periodically profiling the monetization tactics applied by novice cybercriminals, a market segment of less technically sophisticated individuals looking for ways to cash out on their fraudulent Web activities.

The rise of this market segment can be contributed to the rise of managed cybercrime-friendly services and DIY tools, allowing everyone an easy entry into the world of cybercrime.

In this post, I’ll profile yet another recently launched cybercrime-friendly E-shop, and emphasize the emergence of these over-the-counter (OTC) trading E-shops.

More details:

read more…

Over the past several quarters, we’ve witnessed the rise of the so called Police Ransomware also known as Reveton.

From fully working host lock down tactics, to localization in multiple languages and impersonation of multiple international law enforcement agencies, its authors proved that they have the means and the motivation to continue developing the practice, while earning tens of thousands of fraudulently obtained funds.

What’s driving the growth of Police Ransomware? What’s the current state of this market segment? Just how easy is it to start distributing Police Ransomware and earn fraudulently obtained funds in between?

In this post, I’ll profile a recently advertised DIY (do-it-yourself) managed voucher-based Police Ransomware service exclusively targeting European users, and for the first time ever, offer an inside peek into its command and control interface in order to showcase the degree of automation applied by the cybercriminals behind it.

More details:

read more…

Over the past 24 hours, cybercriminals started spamvertising millions of emails impersonating the Federal Deposit Insurance Corporation (FDIC), in an attempt to trick businesses into installing a bogus and non-existent security tool promoted in the emails. Upon clicking on the links, users are exposed to the client-side exploits served by the Black Hole Exploit Kit.

More details:

read more…

By Brenden Vaughan

A new zero-day vulnerability exploit has been identified in Microsoft’s Internet Explorer web browser versions 9 and below running on Windows XP, Vista and 7. Internet Explorer 10, which comes bundled with Windows 8, is not affected. The exploit could allow remote execution of malicious code from compromised websites. read more…

Cybercriminals are currently spamvertising millions of emails impersonating U.S Airways, in an attempt to trick users into clicking on the malicious links found in the legitimately looking emails. Let’s dissect the malicious campaign, and expose its dynamics.

More details:

read more…