In a coordinated effort Oracle and Apple recently issued a critical security update for Java.
Next to Adobe Flash, and Acrobat Reader, client-side vulnerabilities found in insecure versions of Java are among the most popular entry points for malicious attackers on the hosts of users with outdated third-party software and browser plugins.
More details:
On their way to convert legitimate traffic into malware-infected hosts using web malware exploitation kits, cybercriminals have been actively experimenting with multiple traffic acquisition techniques over the past couple of years. From malvertising (the process of displaying malicious ads), to compromised high-trafficked web sites, to blackhat SEO (search engine optimization), the tools in their arsenal have been systematically maturing to become today’s sophisticated traffic acquisition platforms delivering millions of unique visits from across the world, to the cybercriminals behind the campaigns.
What are some of the latest campaigns currently circulating in the wild? How are cybercriminals monetizing the hijacked traffic? Are they basically redirecting to the landing page of an affiliate network, earning revenue in the process, or are they serving malicious software to unsuspecting and gullible end and corporate users?
Let’s find out by profiling a currently active blackhat SEO (search engine optimization) campaign at the popular document sharing web site Scribd, currently using double monetization of the anticipated traffic, namely, redirecting users to a dating affiliate network, and serving malware in between.
More details:
by Armando Orozco
Today, one of our Webroot SecureAnywhere for Android users reported seeing ad redirections while browsing on his Android device. As we began investigating, we noticed that there were a lot of other mobile users seeing the same thing – yes, on their iPhones as well! We were also able to reproduce the behavior on our devices.
This appears to be a clever Ad redirection using JavaScript. The pop-ups are survey offers for free electronics like iPads and iPhones. The users are asked to complete a survey, at the end of which their email address and phone number is also recorded. I know we’ve all seen these pop-ups before, but we’re not used to seeing them in our mobile world.
These pop-ups are not related to any apps you may have installed – they are a result of how the web page was written. Web developers use “alert()” function in JavaScript, which displays a message box requesting response from a user. The advertisers utilize this method to display their ads.
We are still investigating this issue and hope to track down the advertisers responsible. There does not appear to be anything malicious about these pop-ups for the time being, but we are sure malware authors will employ this tactic soon. With the rash of Rogue Applications and the recent discovery of a Rogue AV app (blog coming soon), we can see how this method could be exploited with malicious intent. Again, these are not platform or application-specific behaviors.
To remedy these pop-ups, you can disable JavaScript in your browser settings.
Thanks to JohnDeth of our Webroot Community for bringing this to our attention.
Everyone uses Amazon! At least that’s what the cybercriminals are hoping. Cybercriminals are currently spamvertising millions of emails impersonating Amazon.com Inc. in an attempt to trick end and corporate users into clicking on the malicious links found in the emails.
More details:
Cybercriminals are currently spamvertising millions of emails impersonating DHL in an attempt trick end and corporate users into downloading and executing the malicious .zip file attached to the emails.
More details:
In yesterday’s Firefox 13 release, Mozilla has fixed seven critical security vulnerabilities, four of which are critical. The majority of these vulnerabilities are also fixed in the latest Thunderbird 13 release.
More details on the vulnerabilities:
Think you received a package? Think again. Cybercriminals are currently spamvertising millions of emails impersonating UPS (United Parcel Service) in an attempt to trick users into downloading the viewing the malicious .html attachment.
More details:
The Electronic Frontier Foundation (EFF) is reporting on a recently intercepted malicious documents distributed over Skype, apparently targeting Syrian activists.
Upon viewing the document, it drops additional files on the infected hosts, and opens a backdoor allowing the cyber spies behind the campaign access to the infected PC.
Webroot has obtained a copy of the malware and analyzed its malicious payload.
More details:
Thanks to the increasing availability of custom coded DDoS modules within popular malware and crimeware releases, opportunistic cybercriminals are easily developing managed DDoS for hire, also known as “rent a botnet” services, next to orchestrating largely under-reported DDoS extortion campaigns against financial institutions and online gambling web sites.
In this post, I’ll profile a managed DDoS for hire service, offering to “take down your competitor’s web sites offline in a cost-effective manner”.
More details:
Screenshots of the DDoS for hire/Rent a botnet service:
The paid DDoS service is currently offering HTTP (GET, POST), Download, ICMP, UDP, and SYN flooding features, using what they’re pitching as private tools operated by expert staff members. Before a potential customer is interested in purchasing a DDoS attack for hire, the service if offering a 15 minute test to the customer in order to prove its effectiveness.
How much do these DDoS for Hire services cost?
Webroot will continue monitoring the development of the DDoS for hire service profiled in this post.
You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.
Over the past few months, I’ve been witnessing an increase in underground market propositions advertised by what appears to be novice cybercriminals. The trend, largely driven by the increasing supply of cybercrime-as-a-service underground market propositions, results in an increasing number of newly launched cybercrime-friendly E-shops attempting to monetize fraudulently obtained accounting data.
In this post, I’ll profile yet another currently spamvertised cybercrime-friendly E-shop, offering access to accounts purchased using stolen credit cards as well as highlight the ways in which cybercriminals obtain the account info in the first place.
More details:
Next to commodity underground goods and services such as managed spam, harvested email databases, boutique cybercrime-friendly services, services offering access to hacked PCs, managed malware crypting on demand, and managed email hacking as a service, the cybercrime ecosystem is also a thriving marketplace for stolen intellectual property, such as music releases.
In this post I’ll profile a recently launched affiliate network for pirated music, offering up to 35% revenue sharing schemes with the cybercriminals that start reselling the stolen releases which undercut the official music marketplaces prices in an attempt to increase their profits.
More details:
Cybercriminals are currently spamvertising millions of emails impersonating the Windstream Corporation, in an attempt to trick end and corporate users into clicking on links found in the malicious email.
Upon clicking on the links hosted on compromised web sites, users are exposed to client-side exploits served by the BlackHole web malware exploitation kit.
More details: