Articles on this Page
- 11/27/13--11:00: Fake ‘October’s Billing Address Code’ (BAC) form themed spam campaign leads to malware
- 12/03/13--08:28: Cybercrime-friendly VPN service provider pitches itself as being ‘recommended by Edward Snowden’
- 12/04/13--09:52: Commercial Windows-based compromised Web shells management application spotted in the wild
- 12/04/13--13:22: Today’s “massive” password breach: a Webroot perspective
- 12/05/13--09:11: Compromised legitimate Web sites expose users to malicious Java/Symbian/Android “Browser Updates”
- 12/05/13--12:40: Staying safe while doing holiday shopping online
- 12/06/13--13:59: Cryptolocker Ransomware and what you need to know
- 12/09/13--08:03: Malicious multi-hop...
- 12/11/13--08:50: How cybercriminals...
- 12/12/13--09:46: Tumblr under fire f...
- 12/13/13--07:46: Mobile Security 2014: Predictions
- 12/16/13--07:50: Newly launched ‘HTT...
- 12/17/13--08:00: Cybercriminals offer fellow cybercriminals training in Operational Security (OPSEC)
- 12/17/13--15:03: ThreatVlog Episode 12: Top Cyber Threats of 2013
- 12/18/13--08:00: Fake ‘WhatsApp Missed Voicemail’ themed emails lead to pharmaceutical scams
- 12/18/13--13:55: Top 5 Enterprise Threat Predictions for 2014
- 12/19/13--08:00: A peek inside the booming underground market for stealth Bitcoin/Litecoin mining tools
- 12/27/13--11:00: Cybercrime Trends 2013 – Year in Review
- 12/31/13--08:06: Top consumer security predictions for 2014
- 01/06/14--08:42: Zeus Infection Spoofing Bitdefender AV
Have you received a casual-sounding email enticing you into signing a Billing Address Code (BAC) form for October, so that the Payroll Manager can proceed with the transaction? Based on our statistics, tens of thousands of users received these malicious spam emails over the last 24 hours, with the cybercriminal(s) behind them clearly interested in expanding the size of their botnet through good old-fashioned ‘casual social engineering’ campaigns. Sample screenshot of the spamvertised email. Detection rate for the spamvertised malicious attachment: MD5: 36a685cf1436530686d1967b4a9d6680 – detected by 20 out of 46 antivirus scanners as Win32/TrojanDownloader.Waski.A. Once executed, the sample […]
The post Fake ‘October’s Billing Address Code’ (BAC) form themed spam campaign leads to malware appeared first on Webroot Threat Blog.
We’ve recently spotted a multi-hop, Russian, cybercrime-friendly VPN service provider (its ad is featured, not syndicated, at a well-known cybercrime-friendly community) that relies on a fake celebrity endorsement to attract new customers; in this particular case, it pitches itself as being recommended by ex-NSA contractor Edward Snowden. How have anonymization tactics evolved over the last couple of years? Have the bad guys been ‘innovating’ in order to cover the malicious/fraudulent online activity they orchestrate? Let’s discuss some of the current trends in this evergreen market segment within the cybercrime ecosystem. Sample ad featured at the […]
The post Cybercrime-friendly VPN service provider pitches itself as being ‘recommended by Edward Snowden’ appeared first on Webroot Threat Blog.
For years, whenever I needed a fresh sample of pharmaceutical scams, I always sampled the Web sites of major educational institutions, where a thriving ecosystem relying on compromised Web shells continues to enjoy the high page ranks of the affected Web sites for blackhat SEO (search engine optimization) purposes. How are cybercriminals managing these campaigns? What type of tools and tactics do they use? In a cybercrime ecosystem that has logically migrated to Web-based platforms for a variety of reasons over the last couple of years, there are still those who’re keeping it old school by releasing host-based DIY cybercrime-friendly […]
The post Commercial Windows-based compromised Web shells management application spotted in the wild appeared first on Webroot Threat Blog.
First, this is not a blog about a big corporate breach, or a massive new discovery. Rather, the researchers at Trustwave gained access to a botnet controller interface (the C&C element of a botnet) known as Pony and revealed the data within. Not surprisingly, as the vast majority of botnets target user credentials, this controller had a good deal of data related to passwords. While 2 million passwords might seem like a lot, it is really a drop in the bucket compared to many recent breaches. Think about Adobe who lost a minimum of 28 million, but is rumored to […]
The post Today’s “massive” password breach: a Webroot perspective appeared first on Webroot Threat Blog.
We’ve just intercepted a currently active malicious campaign relying on redirectors placed at compromised/hacked legitimate Web sites, for the purpose of hijacking the legitimate traffic and directly exposing it to malicious/fraudulent content targeting multiple mobile OSes. In this particular case, it is a bogus “Browser Update”, which in reality is premium-rate SMS malware. Sample screenshot of the landing page upon automatic redirection. Landing page upon redirection: hxxp://mobleq.com/e/4366. Domain name reconnaissance: mobleq.com – 184.108.40.206. Known to have responded to the same IP are also the following malicious domains: […]
The post Compromised legitimate Web sites expose users to malicious Java/Symbian/Android “Browser Updates” appeared first on Webroot Threat Blog.
In this edition of the Webroot ThreatVlog, Grayson Milbourne talks about the threats that exist online in the holiday shopping craze. As more and more money is spent online, criminals are becoming more skilled at stealing all sorts of personal information, from credit card numbers to identifying credentials. As with all shopping, common sense is necessary, and with the tips and tricks provided, you will be even more protected while finding that perfect gift online.
The basics. The ransomware known as Cryptolocker has been prominent in the media lately, and it is one that we’re asked about often. Ransomware in general is nothing new; we have been seeing ransomware that hijacked your desktop wallpaper and demanded payment for several years now, but while the older ransomware was rather easily removed, Cryptolocker has taken ransomware to a new level. What Cryptolocker does is encrypt files (primarily document files, but also image files and other file types) on your computer and on any network drives that computer has access to, using a very strong encryption method, and then demand payment with […]
Ever since we exposed and profiled the evasive, multi-hop, mass iframe campaign that affected thousands of Web sites in November, we have continued to monitor it, believing that the cybercriminal(s) behind it would keep operating it, basically switching to new infrastructure once the infrastructure exposed in the post got logically blacklisted, thereby undermining the impact of the campaign internationally. Not surprisingly, we were right. The campaign is not only still proliferating, but the adversaries behind it have also (logically) switched the actual hosting infrastructure. Let’s dissect the currently active malicious iframe campaign that continues to serve a cocktail of (patched) client-side […]
With social media now an inseparable part of the marketing expenditures of every modern organization, cybercriminals quickly adapted to the ongoing buzz and, over the last couple of years, have been persistently supplying the market segment with social media metrics performance boosts, in the form of bogus likes, dislikes, comments, favorites, subscribers, and video/music plays. This process, largely made possible by the massively undermined CAPTCHA bot-vs-human verification practice, relies on automatically registered accounts or on the persistent data mining of malware-infected hosts for social media account credentials, and it continues to scale, allowing both individuals and organizations to […]
Next to the traffic acquisition tactics that are ubiquitous in the cybercrime ecosystem, such as blackhat SEO (search engine optimization), malvertising, embedded/injected redirectors/doorways on legitimate Web sites, establishing purely malicious infrastructure, and social engineering driven spam campaigns, cybercriminals are also masters of utilizing social media for the purpose of attracting traffic to their fraudulent/malicious campaigns. From the efficient abuse of Craigslist to the systematic generation of rogue/bogus/fake Instagram, YouTube, and email accounts, the process of automatic account generation continues to take place, driving a cybercriminal’s fraudulent business model and naturally setting up the foundations for upcoming malicious campaigns that could materialize at any point […]
The most recent and interesting threats we see are more or less “evolved” forms of previous threats, including those originating from the PC side. People have been “spoofing” parts of apps, such as code, appearance, or digital certificates, since Android malware first started appearing. The MasterKey exploit was a whole new way to modify the app without even having to spoof anything (since this was the exploit which allowed applications to be changed without invalidating the existing digital signature). It’s also very interesting to see how threats like Zitmo or RAT-type apps seem to get better and better at mirroring […]
In a series of blog posts throughout 2013, we emphasized the lowering of the entry barriers into the world of cybercrime, largely made possible by the rise of managed services, the re-emergence of the DIY (do-it-yourself) trend, and the development of niche market segments, like the practice of setting up and offering bulletproof hosting for a novice cybercriminal’s botnet generating platform. The proliferation of these easy-to-use tools, once found only in the arsenal of sophisticated cybercriminals, is the direct result of cybercrime ecosystem leaks, cracked/pirated versions, or a community-centered approach applied by their authors, […]
In need of a fresh example that malicious and fraudulent adversaries continue professionalizing and standardizing in-demand cybercrime-friendly products and services, all for the sake of monetizing their experience and expertise in the profitable world of cybercrime? Publicly launched around the middle of 2013, a product/training course targeting novice cybercriminals offers them a manual, recommendations for open source/free software, as well as access to a private forum set up for customers only, enlightening them on everything a cybercriminal needs to know in order to stay secure and anonymous online. The standardized OPSEC offering is targeting novice cybercriminals, and also has […]
The post Cybercriminals offer fellow cybercriminals training in Operational Security (OPSEC) appeared first on Webroot Threat Blog.
In the latest ThreatVlog from Webroot, threat researcher Marcus Moreno discusses the top threats that affected the cyber world in 2013. From breaches to crypto-locks, we have seen some very malicious code running around out there, but these three take the cake.
WhatsApp users, watch what you click on! A currently circulating fraudulent spam campaign is brand-jacking WhatsApp in an attempt to trick its users into clicking on links found in the email. Once socially engineered users fall victim to the scam, they’re automatically exposed to a fraudulent pharmaceutical site offering them pseudo bargain deals. Let’s assess the fraudulent campaign and expose the fraudulent infrastructure supporting it. Sample screenshot of the spamvertised email. Sample screenshot of the landing pharmaceutical scam page. Redirection chain: hxxp://220.127.116.11/horizontally.html -> hxxp://viagraphysician.com (18.104.22.168). We’re also aware of the following fraudulent domains that are known to have phoned back to […]
The post Fake ‘WhatsApp Missed Voicemail’ themed emails lead to pharmaceutical scams appeared first on Webroot Threat Blog.
Top 5 Enterprise Threat Predictions for 2014
- Ransomware for the enterprise
- Compromised clouds
- Advanced mobile phishing tactics
- APTs focus on mobile
- Mobile device linked to major compromise
When thinking about cyber-security and looking back over the years, there is a clear and unfortunate trend which doesn’t show any signs of slowing. The trend is that year over year, more and more cyber-attacks occur, while at the same time the sophistication of attacks continues to evolve. Additionally, a matured cyber-crime as a service (CCaaS) ecosystem has enabled practically anyone to get involved. Combine this with the growing cost of defenses and […]
The over-hyped market valuation of the buzzing P2P E-currency, Bitcoin, quickly gained the attention of cybercriminals internationally, who promptly adapted to its skyrocketing valuation by releasing commercially available stealth Bitcoin miners and Bitcoin wallet stealing malware, as well as actually starting to offer the source code for their releases in an attempt to monetize their know-how and expertise in this area. Throughout 2013, we profiled several subscription based stealth Bitcoin mining tools, and predicted that it’s only a matter of time before this still developing market segment starts proliferating, with more cybercriminals offering their stealth Bitcoin releases to prospective customers. […]
The post A peek inside the booming underground market for stealth Bitcoin/Litecoin mining tools appeared first on Webroot Threat Blog.
It’s that time of the year! The moment when we reflect back on the cybercrime tactics, techniques and procedures (TTPs) that shaped 2013, in order to constructively speculate on what’s to come in 2014 in terms of fraudulent and malicious campaigns orchestrated by opportunistic cybercriminal adversaries across the globe. Throughout 2013, we continued to observe and profile TTPs which were crucial for the success, profitability and growth of the cybercrime ecosystem internationally, such as, for instance, widespread proliferation of the campaigns, professionalism and the implementation of basic business/economic/marketing concepts, improved QA (Quality Assurance), and vertical integration in an attempt to occupy […]
Top Predictions for 2014
- FBI/ICE MoneyPak
- Cryptolocker
- Rogues
As this year comes to a close we’ve seen some measurable progress in the infiltration techniques used by malware. We’re going to give you some insight into some of the top threats of 2013 and what they could mean for 2014.
FBI/ICE MoneyPak. We saw some frightening improvements in ransomware this year. FBI/ICE MoneyPak, or Win32.Reveton, was a huge hit to the PC community. Although first seen in 2012, it wasn’t until 2013 that it was tweaked to become one of the most annoying and difficult-to-remove pieces of ransomware. Once dropped on your […]
Over the Christmas period, we here at Webroot have noticed a large number of Zeus infections that are spoofing the Bitdefender name. While infections spoofing AV companies aren’t unusual, it’s been a while since we have seen such a spike on one particular vendor in such a short time period. Most of the names are slight variations, but the numbers are impressive – overall, we have seen 40,000 unique MD5s in the last week alone! The infection being dropped is from the Zeus family of infections, which are banking Trojans designed to steal login information when the user logs into […]