Channel: Webroot Blog
Viewing all 1114 articles

New commercially available DIY invisible Bitcoin miner spotted in the wild

By Dancho Danchev Just as we anticipated in our previous analysis of a commercially available Bitcoin miner, cybercriminals continue “innovating” on this front by releasing more advanced and customizable invisible Bitcoin miners for fellow cybercriminals to take advantage of. In this post, we’ll profile yet another invisible Bitcoin miner, once again available for purchase on the international cybercrime-friendly marketplace, emphasize on […]

Fake ‘Export License/Payment Invoice’ themed emails lead to malware

By Dancho Danchev We have just intercepted yet another currently ongoing malicious spam campaign, enticing users into executing a fake Export License/Payment Invoice. Once gullible and socially engineered users do so, their PCs automatically join the botnet operated by the cybercriminals. More details: Detection rate for the malicious executable: MD5: 4e7dc191117a6f30dd429cc619041552 – detected by 33 out […]

Recent spike in FBI Ransomware striking worldwide

By Israel Chavarria Recently we have seen a spike of this ransomware in the wild and it appears as though its creators are not easily giving up. This infection takes your computer hostage and makes it look as though the authorities are after you, when in reality this is all just an elaborate attempt to […]

Compromised Indian government Web site leads to Black Hole Exploit Kit

By Dancho Danchev Our sensors recently picked up a Web site infection, affecting the Web site of the Ministry of Micro And Medium Enterprises (MSME DI Jaipur). And although the Black Hole Exploit Kit serving URL is currently not accepting any connections, it’s known to have been used in previous client-side exploit serving campaigns. Let’s profile the […]

Cybercriminals resume spamvertising Citibank ‘Merchant Billing Statement’ themed emails, serve malware

By Dancho Danchev Over the past week, the cybercriminals behind the recently profiled ‘Citibank Merchant Billing Statement‘ themed campaign, resumed operations, and launched yet another massive spam campaign impersonating Citibank, in an attempt to trick its customers into executing the malicious attachment found in the fake emails. More details: Sample screenshot of the spamvertised email: […]

Marijuana-themed DDoS for hire service spotted in the wild

By Dancho Danchev Largely thanks to the increasing availability of easy to use DIY (do-it-yourself) DDoS bots, we continue to observe an increase in international cybercrime-friendly market propositions for ‘DDoS for hire’ services. And whereas these services can never match the bandwidth capabilities and vendor experience offered by their Russian/Eastern European counterparts, they continue to […]

Fake ‘Vodafone U.K Images’ themed malware serving spam campaign circulating in the wild

By Dancho Danchev We have just intercepted yet another spamvertised malware serving campaign, this time impersonating Vodafone U.K, in an attempt to trick the company’s customers into thinking that they’ve received an image. In reality, once users execute the malicious attachments, their PCs automatically join the botnet operated by the cybercriminal. More details: Detection rate […]

Compromised FTP/SSH account privilege-escalating mass iFrame embedding platform released on the underground marketplace

By Dancho Danchev Utilizing the very best in ‘malicious economies of scale’ concepts, cybercriminals have recently released a privilege-escalating Web-controlled mass iFrame embedding platform that’s not just relying on compromised FTP/SSH accounts, but also automatically gains root access on the affected servers in an attempt to target each and every site hosted there. Similar to […]

New E-shop sells access to thousands of hacked PCs, accepts Bitcoin

By Dancho Danchev Remember the E-shop offering access to hacked PCs, based on malware ‘executions’ that we profiled last month? We have recently spotted a newly launched, competing E-shop, once again selling access to hacked PCs worldwide, based on malware ‘executions’. However, this time, there’s no limit to the use of (competing) bot killers, meaning […]

Pharmaceutical scammers impersonate Facebook’s Notification System, entice users into purchasing counterfeit drugs

By Dancho Danchev Opportunistic pharmaceutical scammers are currently spamvertising tens of thousands of bogus emails impersonating Facebook’s Notification System in an attempt to trick users into clicking on the links, supposedly coming from a trusted source. Once users click on the links found in the fake emails, they’re exposed to counterfeit pharmaceutical items available for purchase […]

iLivid ads lead to ‘Searchqu Toolbar/Search Suite’ PUA (Potentially Unwanted Application)

By Dancho Danchev Our sensors recently picked up an advertisement using Yieldmanager’s ad network, enticing users into downloading the iLivid PUA (Potentially Unwanted Application) on their PCs. Operated by Bandoo Media Inc., the application installs the privacy invading “Searchqu Toolbar”. More details: Sample screenshot of the advertisement: Sample screenshot of the download page: Detection rate for iLivid – MD5: 468bbe0dc83496cad49597a47341c786 - detected […]

Hacked Origin, Uplay, Hulu Plus, Netflix, Spotify, Skype, Twitter, Instagram, Tumblr, Freelancer accounts offered for sale

By Dancho Danchev Aiming to capitalize on the multi-billion gaming market, cybercriminals actively data mine their botnets for accounting credentials, not just for popular gaming platforms, but also the actual activation keys for some of the most popular games on the market. A newly launched e-shop aims to monetize stolen accounting credentials, not just for […]

Scammers impersonate the UN Refugee Agency (UNHCR), seek your credit card details

By Dancho Danchev Opportunistic scammers have just launched a targeted spam campaign impersonating the UN Refugee Agency (UNHCR) in an attempt to trick users into handing over their complete credit card details as they supposedly make a donation to support Syria’s refugees. Needless to say, this scam is seeking full access to your credit card details through a fraudulent […]

Fake ‘Unsuccessful Fax Transmission’ themed emails lead to malware

By Dancho Danchev Have you sent an eFax recently? Watch out for an ongoing malicious spam campaign that tries to convince you that there’s been an unsuccessful fax transmission. Once socially engineered users execute the malicious attachment found in the fake emails, their PCs automatically join the botnet of the cybercriminals behind the campaign. More […]

How not to install Adobe Flash Player

By Dan Para It seems simple enough, I want to install Adobe Flash Player so I search for “flash player download” and click on the first result, right? Ignoring the second link which doesn’t have a five star rating and 37 reviews, I’m brought to a page called downloadinfo.com. I click the download button, click […]

Tens of thousands of spamvertised emails lead to W32/Casonline

By Dancho Danchev Fraudsters are currently spamvertising tens of thousands of emails enticing users into installing rogue, potentially unwanted (PUAs) casino software. Most commonly known as W32/Casonline, this scam earns revenue through the rogue online gambling software’s affiliate network. More details: Sample screenshots of the landing URLs: Spamvertised URLs: hxxp://luckynuggetcasino.com – 67.211.111.163 hxxp://888casino.com – 213.52.252.59 hxxp://spinpalace.com – 109.202.114.65 hxxp://alljackpotscasino.com – […]

Rogue ads lead to SafeMonitorApp Potentially Unwanted Application (PUA)

By Dancho Danchev Our sensors just picked up yet another rogue ad enticing users into installing the SafeMonitorApp, a potentially unwanted application (PUA) that socially engineers users into giving away their privacy through deceptive advertising of the rogue application’s “features”. More details: Sample screenshot of the landing page, featuring a bogus ‘Norton Secured’ Seal: Sample screenshot […]

How cybercriminals apply Quality Assurance (QA) to their malware campaigns before launching them

By Dancho Danchev In 2013, the use of basic Quality Assurance (QA) practices has become standard practice for cybercriminals when launching a new campaign. In an attempt to increase the probability of a successful outcome for their campaigns — think malware infection, increased visitor-to-malware infected conversion, improved conversion of blackhat SEO acquired traffic leading to the purchase of counterfeit pharmaceutical items etc. — […]

Android.Bankun: Bank Information Stealing Application On Your Android Device

By Nathan Collier There’s one variant of Android.Bankun that is particularly interesting to me.  When you look at the manifest it doesn’t have even one permission.  Even wallpaper apps have internet permissions.  Having no permissions isn’t a red flag for being malicious though.  In fact, it may even make you lean towards it being legitimate. […]

Deceptive ads targeting German users lead to the ‘W32/SomotoBetterInstaller’ Potentially Unwanted Application (PUA)

By Dancho Danchev We’ve just intercepted yet another campaign serving deceptive ads, this time targeting German-speaking users into downloading and installing the privacy-invading ‘FLV Player’ Potentially Unwanted Application (PUA), part of Somoto’s pay-per-install network. More details: Sample screenshot of the actual rogue ad telling users that they should update their current media player: Sample screenshot […]