
‘Adobe License Service Center Order NR’ and ‘Notice to appear in court’ themed malicious spam campaigns intercepted in the wild


Happy New Year, everyone! Despite the lack of blog updates over the holidays, we continued to intercept malicious campaigns over the same period, proving that the bad guys never take holidays. In this post, I’ll profile two prolific, social-engineering-driven malicious spam campaigns that we intercepted over the holiday season and, naturally, proactively protected you from.

More details:

The first campaign successfully impersonates Adobe’s License Service Center, in an attempt to trick users into thinking that they’ve successfully purchased a Creative Suite 6 Design Standard software license key.

Sample screenshot of the first spamvertised campaign:

[screenshot: spamvertised ‘Adobe License Service Center Order NR’ email]

Detection rate for the spamvertised attachment: MD5: 10dbbaaceda4dce944ebb9c777f24066 – detected by 40 out of 48 antivirus scanners as TrojanDownloader:Win32/Kuluoz.D.

The second campaign attempts to trick users into thinking that they’ve received a notice to appear in court.

Sample screenshot of the spamvertised attachment:

[screenshot: spamvertised ‘Notice to appear in court’ attachment]

Detection rate for the spamvertised attachment: MD5: c77ca2486d1517b511973ad1c923bb7d – detected by 38 out of 47 antivirus scanners as TrojanDownloader:Win32/Kuluoz.D; Backdoor.Win32.Androm.bket.

Once executed, the sample phones back to:
hxxp://109.169.87.141/798475540DFA75FE5945D24FA5CBF9A5578EB29359 (picasa.com.fidelidadeciel0.com is also known to have resolved to 200.98.141.0)

Two MD5s are known to have phoned back to the same C&C IP in the past (the first being the court-notice sample profiled above), namely:
MD5: c77ca2486d1517b511973ad1c923bb7d
MD5: c1c56f3ae9f9da47e1c0ebdb2cffa2a3
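As an added example, not part of the original post, here are the indicators above turned into a small proxy-log matcher: it flags requests to the C&C IP or domain, flags the path shape (a long upper-case hex token directly under `/`) on any host as a weaker lead, and checks a list of file hashes against the known MD5s. The log format and the log lines are constructed for the example, and the hex-path rule is an assumption generalized from the single observed beacon URL, so treat its hits as triage leads rather than confirmed infections.

```python
import re
from dataclasses import dataclass

# Indicators taken from the post: the C&C IP the sample phones back to, the
# domain/IP pair tied to the same campaign, and the MD5s known to have talked
# to that C&C.
CNC_IPS = {"109.169.87.141", "200.98.141.0"}
CNC_DOMAINS = {"picasa.com.fidelidadeciel0.com"}
KNOWN_MD5S = {
    "10dbbaaceda4dce944ebb9c777f24066",
    "c77ca2486d1517b511973ad1c923bb7d",
    "c1c56f3ae9f9da47e1c0ebdb2cffa2a3",
}
# Assumption: the observed beacon path (a 42-char upper-case hex token directly
# under "/") is characteristic, so a similar path on any host is a weaker lead.
CNC_PATH_RE = re.compile(r"^/[0-9A-F]{32,64}$")

# Constructed log format: "<timestamp> <src_ip> <method> <url> <status>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")
URL_RE = re.compile(r"^https?://(?P<host>[^/:]+)(?::\d+)?(?P<path>/[^?]*)?")


@dataclass
class Hit:
    src: str
    host: str
    path: str
    reason: str


def split_url(url):
    """Return (host, path) for an http(s) URL, or None if it does not parse."""
    m = URL_RE.match(url)
    if not m:
        return None
    return m.group("host").lower(), m.group("path") or "/"


def classify_url(url):
    """Reason string if the URL matches the campaign indicators, else None."""
    parts = split_url(url)
    if parts is None:
        return None
    host, path = parts
    if host in CNC_IPS or host in CNC_DOMAINS:
        return "known C&C host"
    if CNC_PATH_RE.match(path):
        return "C&C-style hex path on unlisted host"
    return None


def scan_proxy_log(lines):
    """Return a Hit for every log line whose URL matches an indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the expected format
        reason = classify_url(m.group("url"))
        if reason:
            host, path = split_url(m.group("url"))
            hits.append(Hit(m.group("src"), host, path, reason))
    return hits


def check_hashes(md5s):
    """Return the sorted subset of the given MD5s (any case) that are known bad."""
    return sorted({h.strip().lower() for h in md5s} & KNOWN_MD5S)


# Constructed sample log (not from the post): one beacon to the C&C IP, one
# benign request, one hex-path request to a host that is not on the list.
SAMPLE_LOG = [
    "2014-01-02T10:15:01Z 10.0.0.23 GET http://109.169.87.141/798475540DFA75FE5945D24FA5CBF9A5578EB29359 200",
    "2014-01-02T10:15:07Z 10.0.0.23 GET http://www.example.com/index.html 200",
    "2014-01-02T10:16:30Z 10.0.0.41 GET http://198.51.100.7/0123456789ABCDEF0123456789ABCDEF01234567 404",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(f"{hit.src} -> {hit.host}{hit.path}: {hit.reason}")
    print("known bad hashes:", check_hashes(["C77CA2486D1517B511973AD1C923BB7D", "deadbeef"]))
```

The host match is the strong signal; the path-shape rule exists only so that a C&C that has moved to a new IP still surfaces, at the cost of false positives on any site that serves hex-named resources under its root.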

Webroot SecureAnywhere users are protected from these threats.

The post ‘Adobe License Service Center Order NR’ and ‘Notice to appear in court’ themed malicious spam campaigns intercepted in the wild appeared first on Webroot Threat Blog.


New ‘Windows 8 Home Screen’ themed passwords/game keys stealer spotted in the wild


First official working week of 2014, and cybercriminals are already busy pushing new releases into the underground marketplace. The goal? Laying the foundation for monetization schemes run through cybercrime-friendly boutique E-shops, which are known for selling access to compromised accounting data obtained through DIY (do-it-yourself) services. In this post, I’ll discuss a newly released passwords/game-keys stealing tool whose Web-based command and control interface mimics Windows 8’s Home Screen, and some of the most common ways in which the stolen accounting data would eventually be monetized.

Sample screenshots of the Web based admin interface:

[screenshots: the stealer’s Web-based admin interface, styled after the Windows 8 Home Screen]

The tool has a handy (from a cybercriminal’s perspective) metrics option that lets the adversary assess the security measures in place on the victim’s host, such as the presence of antivirus/antispyware and host-based firewalls.

A logical question emerges: what would a cybercriminal do with all the stolen accounting data? Thanks to the general/commercial availability of standardized E-shops for stolen accounting data, achieving timely ‘stolen assets liquidity’, that is, monetizing the data before the victim becomes aware of the compromise and its value collapses, is often the most lucrative option. Case in point: in a series of blog posts over the last two years, we’ve profiled the rise of these boutique E-shops for compromised accounting data, in particular ones exclusively selling access to compromised platform-specific gaming accounts, leading us to believe that, with or without the evident standardization, the scheme is trending.

As always, we’ll be keeping an eye on the future development of the stealing application, and post updates as soon as new developments emerge.


Vendor of TDoS products resets market life cycle of well known 3G USB modem/GSM/SIM card-based TDoS tool


Driven by popular demand, the underground market segment for TDoS (Telephony Denial of Service) attacks continues to flourish, with established vendors actively developing and releasing new DIY (do-it-yourself) tools. Besides equipping potential customers with the ‘know-how’ needed to execute such attacks, vendors are also directly growing the market segment: new entrants build their business models on these very same tools, relying largely on prospective customers’ lack of situational awareness of how transparent the underground market actually is. Positioned as ‘price takers’, those customers are often willing to pay a premium for TDoS attack capabilities, leaving the intermediary in a perfect position to command a high profit margin and further improving the market segment’s capitalization.

A well known (Russian) vendor of TDoS products continues ‘innovating’ and applying basic customer-driven product development, introducing new features and bug fixes into well known TDoS ‘releases’ and actively maintaining a decent portfolio of TDoS applications. Let’s take a peek at its most recently updated product, a 3G USB modem/GSM/SIM-card-based TDoS attack application, dubbed by the vendor the most effective and cost-effective form of TDoS attack.

Sample screenshots of the 3G USB Modem/GSM/SIM card based TDoS tool:

[screenshots: the 3G USB modem/GSM/SIM-card-based TDoS tool]

Sample screenshot of a sample inventory of 3G USB Modems utilized for launching TDoS attacks:

[screenshot: inventory of 3G USB modems used for launching TDoS attacks]

In combination with the commercial availability of non-attributable SIM cards, both TDoS vendors and customers using the technique in a DIY fashion will continue taking advantage of the concept, successfully undermining the availability of a victim’s phone or corporate phone system. Moreover, in our “Cybercrime Trends 2013 – Year in Review” analysis, we noted that the TDoS market segment is gaining traction thanks, for instance, to proven DDoS (Distributed Denial of Service) attack vendors ‘vertically integrating’ by adding TDoS services to their portfolio of DDoS attacks.

We’ll continue monitoring the TDoS market segment and post updates as soon as new developments emerge.


SMS Trojans Using Adult Content On The Rise In Android


In the marketing world, it’s widely known that sex sells. This is so true that the “adult” industry is a multi-billion dollar industry. It is also why malware authors have long used adult content to attract unwitting victims. Lately, this threat researcher has seen way too much of it: there has been an influx of Trojan-like APKs using adult content to trick users into sending premium SMS messages. Let’s take a deeper look at one of these apps.

When you open the app, it displays a page showing “GET IT NOW” in the middle and “NEXT” in the lower right corner. If you tap “GET IT NOW”, it pops up a message saying “Request sent. Thank You” and goes to the next screen. If you press “NEXT”, it goes to the next screen without a message. After several screens like this, it eventually reaches a last screen which may or may not have several buttons, but always has “T&C”, which I can only guess means “Terms & Conditions”. This opens an SMS agreement screen.

[screenshots: the app’s “GET IT NOW”/“NEXT” pages and the SMS agreement screen]

Using Google Translate, the SMS agreement – written in Malay/Indonesian (the RM3.00 charge is in Malaysian ringgit) – roughly translates to this:

Subscribe to a few videos now! Click on the mobile, you will be a customer subscription and retrievable content, cost RM3.00/SMS caj, 1-2 day per SMS (not including GPRS caj so canceled). To deselect, sms STOP conductivity to 39 997. Talian CS: 03-7493 1352 (Isnin to Friday). By concatenated, you agree with the terms and conditions that presented.

Click “OK” and you’ll be charged via premium SMS. So what about the “content” that’s promised? Sorry, not going to happen.

Not all, but quite a few of these apps are using the same package name pattern:

com.<naughty_word>.kma2
com.<naughty_word>.gmb2
com.<naughty_word>.lmt2
com.<naughty_word>.ymb2
com.<naughty_word>.mbf2
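An added triage script, not from the post: it decodes an AndroidManifest.xml (as produced by apktool or a similar decoder; the manifest inside an APK is binary XML and must be decoded first) and flags apps whose package name matches the reported pattern or which request SEND_SMS. The manifests are constructed for the example, and the SEND_SMS heuristic is my assumption about what a premium-SMS trojan needs, not something the post states about these samples.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Package-name pattern reported in the post: com.<word>.<one of these suffixes>
FAMILY_SUFFIXES = ("kma2", "gmb2", "lmt2", "ymb2", "mbf2")
FAMILY_RE = re.compile(r"^com\.[a-z0-9_]+\.(?:" + "|".join(FAMILY_SUFFIXES) + r")$")

# Assumption: an app that bills via premium SMS needs SEND_SMS; the post does
# not list the permissions these APKs request.
SMS_PERMS = {"android.permission.SEND_SMS"}


def parse_manifest(xml_text):
    """Return (package_name, set_of_requested_permissions) from a decoded AndroidManifest.xml."""
    root = ET.fromstring(xml_text)
    package = root.get("package", "")
    perms = {el.get(f"{{{ANDROID_NS}}}name", "") for el in root.iter("uses-permission")}
    return package, perms


def assess(package, perms):
    """List the reasons an app looks like a premium-SMS trojan; empty means nothing matched."""
    reasons = []
    if FAMILY_RE.match(package):
        reasons.append("package name matches reported family pattern")
    if perms & SMS_PERMS:
        reasons.append("requests SEND_SMS")
    return reasons


def triage(manifests):
    """Map each manifest's package name to its list of reasons."""
    result = {}
    for xml_text in manifests:
        package, perms = parse_manifest(xml_text)
        result[package] = assess(package, perms)
    return result


# Constructed manifests (not from the post): one matching the pattern and
# requesting SEND_SMS, one ordinary app.
SAMPLE_MANIFESTS = [
    """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
                 package="com.example.kma2">
         <uses-permission android:name="android.permission.INTERNET"/>
         <uses-permission android:name="android.permission.SEND_SMS"/>
       </manifest>""",
    """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
                 package="com.example.notes">
         <uses-permission android:name="android.permission.INTERNET"/>
       </manifest>""",
]

if __name__ == "__main__":
    for package, reasons in triage(SAMPLE_MANIFESTS).items():
        print(package, "->", "; ".join(reasons) or "nothing suspicious")
```

The name pattern is brittle on its own (the author notes not every sample follows it), so the permission check is there to catch the variants that don’t; a legitimate messaging app will also trip the SEND_SMS reason, which is why the output is a list of reasons to review rather than a verdict.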

When looking for “content” out there, be smart about it. If an app is asking you to agree to subscribe to something via premium SMS messages, think twice. Of course, it always helps to have a malware scanner on your phone, like Webroot SecureAnywhere Mobile, as well.


New TDoS market segment entrant introduces 96 SIM cards compatible custom GSM module, positions itself as market disruptor


In need of a good example of how malicious adversaries constantly strive to ‘innovate’, disrupting underground market segments, rebooting the life cycles of their TTPs (tactics, techniques and procedures), and standardizing and industrializing their fraudulent/malicious ‘know-how’? We’re about to give you a pretty good one.

Regular readers of Webroot’s Threat Blog are no strangers to the emerging TDoS (Telephony Denial of Service) underground market segment. Relying primarily on the active abuse of legitimate services such as Skype and ICQ, as well as on the efficient mass abuse of non-attributable SIM cards, to undermine the availability of a victim’s or organization’s mobile/communications infrastructure, the market segment continues to flourish. A trend rather than a fad: established DDoS (Distributed Denial of Service) for hire vendors are already busy ‘vertically integrating’ within the underground marketplace by offering TDoS for hire services, either through a partnership with a TDoS vendor or through an in-house infrastructure built with publicly/commercially available TDoS tools.

Back in July 2012, a relatively unknown underground market entrant publicly announced his ambition to build a custom TDoS-ready GSM module capable of driving between 100 and 200 non-attributable SIM cards simultaneously, using custom coded management software. In true customer-driven product development style, he also started soliciting feedback and touching base with potential customers of the module, promising them a “democratic” pricing scheme for the upcoming release. Then came the ‘innovation’. In November 2013, he made commercially available what we believe is the first publicly/commercially available TDoS-ready custom GSM module, whose very existence is poised to further fuel the growth of the TDoS market segment, tip potential competitors off to the rise of the segment, and directly contribute to the emergence of new TDoS vendors.

Let’s discuss the custom GSM module’s core functionalities, pricing scheme, and why its vendor can easily claim the market disruptor position in early 2014.

Sample screenshot of the 96 simultaneous SIM cards supporting custom GSM module:

[screenshot: the custom GSM module supporting 96 simultaneous SIM cards]

The package contains:
- the actual GSM module, a case for the module, and a USB cable
- Custom coded driver
- Custom coded management software
- Documentation
- Service guarantee and maintenance, in a true QA (Quality Assurance) fashion
- Free of charge customer support

The GSM module is capable of efficiently doing the following, through the custom coded software:
- Receive SMS messages
- Send SMS messages
- Call any number
- Notification of incoming calls
- Check SIM card balance, etc.

Key differentiation/market disruption (growth) factors:
- The vendor is offering his ‘know-how’ in the context of building similar SIP/VoIP-based custom modules
- Cybercrime-friendly community members of (community in question) are offered discounts
- The vendor is actively looking for ways to further penetrate the market segment, through affiliate based type of program

The price of the custom GSM module? 59,000 rubles or 1764 USD.

Despite being largely dismissed as an ‘unethical competition’ tactic confined to Russia/Eastern Europe, in 2013 the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) issued a rare, eye-opening TDoS alert, raising awareness of ransom-based TDoS campaigns hitting call centers and emergency phone lines, indicating that the market segment is definitely prone to expand overseas.

We’ll continue to closely monitor the market segment, and post updates as soon as new developments take place.


DIY Python-based mass insecure WordPress scanning/exploiting tool with hundreds of pre-defined exploits spotted in the wild


Throughout 2013, we witnessed not only the re-emergence of proven, efficiency-oriented mass Web site hacking/exploitation tactics, such as Google Dorks scanning and good old fashioned brute-forcing, but also the introduction of new concepts that standardize the use of both compromised accounting data and server-farm level access in an attempt to fraudulently monetize traffic hijacked from legitimate Web sites.

As we’ve seen on numerous occasions over the years, despite sophisticated ‘innovations’, cybercriminals are no strangers to the KISS (Keep It Simple, Stupid) principle. The case in point among Content Management Systems (CMSs) is WordPress, whose market share is naturally proportional to the attention the platform receives from fraudulent/malicious adversaries. In this post, I’ll discuss a DIY Python-based mass WordPress scanning/exploiting tool, available on the underground marketplace since July 2013, emphasize its core features, and assess its relevance in a marketplace dominated by competing propositions.

Sample screenshot of the tool in action:

[screenshot: the scanning/exploiting tool in action]

Sample screenshots of the tool’s configuration file:

[screenshot: the tool’s configuration file]

Sample tool output:

[screenshot: sample tool output]

The first feature worth emphasizing is a good old fashioned Russian/Eastern European cybercriminal’s mentality, namely the exclusion of Russian/Eastern European targets from the exploitation process, through an option that lets the tool’s customer prevent Russian Web sites from being scanned/exploited; an odd contradiction with these otherwise greed-driven propositions. In comparison with known tactics that syndicate remotely exploitable vulnerabilities and use botnets for scanning/exploitation, the proxy-supporting DIY tool has a built-in database of hundreds of publicly available (and long since patched) exploits, and is capable of scanning tens of thousands of WordPress installations in a multi-threaded fashion. Relevant examples of this type of mass abuse include the 2010 mass WordPress exploitation campaigns affecting GoDaddy and Network Solutions customers.

Price of the tool? $200.

WordPress users are advised to educate themselves on basic WordPress hardening practices, and to ask whether their WordPress hosting provider applies security patches in a managed fashion. Since the tool’s exploit database consists of publicly available, already patched exploits, an installation whose core, themes and plugins are kept current is outside its reach.


Could a Novell vulnerability be behind the Target breach?

[image]

By this point, just about everyone is aware of the major breach of the Target POS systems. Recent estimates indicate that as many as 110 million customers had their card or personal data compromised over the holiday season (including yours truly). We all know that there was a breach of their network, but so far no one has shared the method by which the attacker gained access. Well, with the recent (and terrific) reports from KrebsOnSecurity, we may now have an answer.

[screenshot: function circled in a disassembly of the malware sample]

The circled function above was located in one of the few malware samples available that were reportedly used to give an attacker access to the Target network (MD5s: 762ddb31c0a10a54f38c82efa0d0a014 and 7f1e4548790e7d93611769439a8b39f2).

This same function was used in the Novell Client 4.91 SP4 (nwfs.sys) Local Privilege Escalation exploit, posted as part of the Metasploit Framework on GitHub in June 2013: https://github.com/rapid7/metasploit-framework/pull/2003

More recently, the code was posted on SecCodes.com in a post which has strangely been removed, yet can still be found in Google’s cache:

http://webcache.googleusercontent.com/search?q=cache:GgFAv0qeGZMJ:www.seccodes.com/2036-novell-client-491-sp4-nwfssys-local-privilege-escalation.html+&cd=1&hl=en&ct=clnk&gl=us

This particular function can clearly be seen in the Metasploit module below, and is identical to the function located in the malware sample above.

[screenshot: the same function in the Metasploit module]

Searching for this exact string seems to validate the theory that Novell was at least one of the possible attack vectors, as this particular function has never been seen elsewhere.

[screenshot: search results for the function string]

While we may not know for some time the exact method used to breach the Target network and steal tens of millions of credit card numbers, this bit of uncovered information may help in understanding some of the possible avenues of the attack against the Target infrastructure and how to mitigate similar attacks in the future.

Without more detailed information regarding the actual attack vectors, whether the reported MD5s were actually used in the Target breach, or even whether Target uses Novell Client 4.91 SP4, it’s almost impossible to claim with certainty that this was the attack vector used to gain access to the Target back-end. But based on the information which has been reported, this remains a plausible explanation of how the thieves gained access and subsequently deployed credit-card stealing malware to the POS machines located throughout the stores.

And even though the following image shows a variable name that was not found in any of the examined malware samples, the variable is located in the exploit code posted online, and the irony of the name can’t be overlooked.

[screenshot: variable name in the posted exploit code]


Google’s reCAPTCHA under automatic fire from a newly launched reCAPTCHA-solving/breaking service


It can easily be argued that CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) is the modern day ‘guardian of the Web’, preventing the mass, systematic and efficient abuse of virtually every Web property there is.

Over the years, CAPTCHA developers have continued to strike a balance between usability and sophistication/resilience to attacks, while overlooking the under-the-radar emergence of a trend that would later successfully exploit a fundamental flaw in the very concept of the CAPTCHA process: namely, that the very humans it was meant to distinguish from automated bots would start to efficiently monetize the solving process, relying on the ‘human factor’ instead of scientific attack methods.

Acquired by Google in 2009, reCAPTCHA quickly emerged as the market leader in the space, leading to good old fashioned (eventual) exploitation of monoculture-type flaws, not just by security researchers but, naturally, by cybercriminals as well. How do cybercriminals bypass the Web’s most popular CAPTCHA? Do they rely on human-factor attacks, or do they keep trying to scientifically break it, as CAPTCHA developers most commonly assume? Based on the average response times we’re aware of, a newly launched CAPTCHA-solving/breaking service that exclusively targets Google reCAPTCHA might actually have found a way to automate the process, as we’re firm believers that no ‘CAPTCHA solving junkie’ can solve a reCAPTCHA in less than a second. Let’s take a peek inside the service, discuss its relevance in the CAPTCHA-solving/breaking market segment, and why its reliance on an affiliate-network revenue sharing scheme is poised to help the service acquire high-end customers, namely vendors of blackhat SEO/spam tools.

Despite the numerous and persistent attempts we’ve observed over the years by efficiency-oriented cybercriminals relying on machine-learning CAPTCHA breaking, further fueling the evergreen underground market for automatically registered bogus accounts, in 2014, based on our situational awareness, low-waged human CAPTCHA solvers remain the primary attack tactic of choice. This sustains a vibrant fraudulent ecosystem that equips market-leading blackhat SEO (search engine optimization) and spamming tools with real-time CAPTCHA-solving, and consequently account registration/Web property abuse, capabilities. Relying largely on API-based platforms, as well as on a non-stop supply of clean IPs through the use of compromised hosts as proxies, the CAPTCHA-solving market segment keeps attracting new entrants, the bulk of whose CAPTCHA-solving activity gets outsourced to 24/7/365 CAPTCHA-solving farms, like the ones I extensively researched back in 2007 and 2008.

What’s new in 2014? As we’ve been monitoring a newly launched CAPTCHA solving/breaking service for a few days now, it’s time to take a peek inside its customer’s interface, to showcase its unique differentiation factors.

Sample screenshots from within the customer’s interface of the reCAPTCHA solving/breaking service:

[screenshots: the reCAPTCHA solving/breaking service’s customer interface]

Average time for solving a reCAPTCHA using the service:

[screenshot: average solving time reported by the service]

Related screenshots from within the customer’s panel, demonstrating the degree of automation offered to customers:

[screenshots: automation options in the customer’s panel]

Sample screenshots confirming the ongoing integration of the managed reCAPTCHA solving/breaking service, within popular blackhat SEO/spamming tools:

[screenshots: the service integrated into blackhat SEO/spamming tools]

Sample percentage statistics for solved/unsolved reCAPTCHAs using the service in action:

[screenshot: solved/unsolved reCAPTCHA percentages]

We believe the service relies on a machine-learning approach (based on the statistics obtained for the average time required to solve/break a reCAPTCHA, which in this case is less than a second), combined with syndicated clean IPs obtained through managed services offering an endless supply of malware-infected hosts (Socks4/Socks5 proxies), in order to adapt to reCAPTCHA’s own machine-learning-based challenge selection, which works in a fairly simple way: the higher the probability that a request is automated, or the worse the IP’s reputation, the harder the CAPTCHA challenge presented to the human/bot. We therefore believe that the overall availability of malware-infected hosts within the underground marketplace is a crucial success factor for the service, which does not exclude the machine-learning approach we believe is taking place as well.

The key to success embraced by this new CAPTCHA solving/breaking market entrant? Not surprisingly, one of the cybercrime ecosystem’s proven growth factors: an affiliate-network revenue sharing scheme. In this particular case, vendors of blackhat SEO/spamming tools are asked to contact the service to get their unique parameters, with the service offering them 10% for every CAPTCHA solved correctly on behalf of their customers. As always, the service’s profitability will be proportional to its ability to remain online, which sadly wouldn’t be a problem in an extremely vibrant underground market segment offering bulletproof hosting services.

We’ll continue monitoring the development of the service, and post updates as soon as new developments emerge.



Fully automated, API-supporting service, undermines Facebook and Google’s ‘SMS/Mobile number activation’ account registration process


Operating in a world dominated by millions of malware-infected hosts acting as proxies for fraudulent and malicious activity, the Web’s most popular properties are constantly looking for ways to add additional layers of authentication to the account registration process, in an attempt to undermine automatic account registration. With CAPTCHA under automatic fire from newly emerging CAPTCHA solving/breaking services, re-positioning it from what was once the primary automatic registration prevention mechanism to just one part of today’s ‘authentication mix’, a new (layered) authentication concept has in recent years got the attention of the Web’s ‘most popular’: SMS/mobile number account verification, a direct result of the wide international adoption of mandatory prepaid SIM card registration as a crime and terrorism prevention measure.

Naturally, the bad guys quickly adapted to the new authentication mechanism and, in true ‘malicious economies of scale’ fashion, undermined the concept, continuing to populate any Web property with hundreds of thousands of bogus accounts, degrading the quality of the services offered and directly abusing the one-to-one/one-to-many trust model in place. How do they do it? What tactics do they rely on to bypass the mandatory prepaid SIM card registration process and secure a steady flow of tens of thousands of non-attributable SIM cards at any given moment, empowering them to bypass the SMS/mobile number activation step of account registration? Let’s find out.

The practice rests on the notion that if a prospective user has to present a valid ID to his/her mobile operator in order to get a SIM card, he/she would think twice before engaging in fraudulent or potentially malicious activity, combined with a cap on the number of SIM cards issued per person (for instance, 10 prepaid SIM cards in Singapore and 18 SIM cards per person in Vietnam). Sadly, it is fundamentally flawed for a couple of reasons.

For years, the underground marketplace has been systematically supplying high-quality fake IDs/passports/diplomas/certificates and virtually any other kind of documentation, relying on a pool of talented designers, flawed secure-printing supply chain logistics (easy-to-obtain blank plastics, document templates and holograms), and the actual equipment needed to produce them in batches. This allows a cybercriminal or cybercriminal syndicate to secure non-attributable access to virtually anything that requires a valid ID as a means of authentication. That ‘naturally’ includes compromised credit card details, sometimes accepted as an alternative to ID for obtaining a SIM card, which in 2014 are nothing more than a commoditized underground market item, largely due to the oversupply driven by sophisticated crimeware releases, the evolution of ATM skimming technology, and the bypassing of two-factor authentication/OTP, all of which equip novice cybercriminals with the ‘know-how’ needed to obtain them. Yet another largely overlooked tactic used to secure a decent supply of non-attributable SIM cards/mobile numbers is the reliance on insiders, most commonly dealers of mobile operator services, who monetize their access to the operator’s databases for fraudulent/malicious purposes.

Sadly, it wouldn’t be a fraudulent/malicious operation in 2014 if it hadn’t already synchronized all levels of the fraudulent ecosystem, resulting in the commercial availability of an API-supporting, 100% automated supply of non-attributable mobile numbers in a virtual, Web-based environment, for the purpose of automatically bypassing the SMS/mobile number activation process of Russia’s most popular social networks, as well as Facebook’s and Google’s account activation. Which is exactly what the service I’ll discuss in this post is doing.

In addition to 100% automation of the SMS/mobile number activation process, thanks to a steady supply of non-attributable mobile numbers and a guarantee that the number’s owner can never connect its use to the service’s core functionality, the service also pitches itself as integration-ready with an extremely popular automatic account registration tool that specializes in bypassing SMS/mobile number account activation.

Sample screenshots of the customer’s panel showcasing the automatic SMS/Mobile number activation service’s core features:

[screenshots: the automatic SMS/mobile number activation service’s customer panel]

The service already lists tens of thousands of available mobile numbers to be abused in upcoming SMS/mobile number account activation campaigns. Thanks to its API, it also endorses a DIY automatic account registration tool that specializes exclusively in SMS/mobile number based registrations. The actual mobile numbers are Russia, Ukraine and Belarus “based”.
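An added defensive check, not part of the post: given a log of SMS verifications, it flags numbers tied to more than a couple of accounts within a window, and bursts of verifications arriving on the country codes the post names as the rented numbers’ origin. The thresholds, the event format and the sample events are constructed assumptions, and the “+7” code also covers Kazakhstan, so a hit is a lead for review, not proof of abuse.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Country calling codes for where the post says the rented numbers are "based";
# +7 is shared by Russia and Kazakhstan.
RENTAL_CC = {"+7": "RU/KZ", "+380": "UA", "+375": "BY"}


def country_code(number):
    """Return the matching calling code for an E.164 number, or None."""
    for cc in sorted(RENTAL_CC, key=len, reverse=True):
        if number.startswith(cc):
            return cc
    return None


def find_verification_abuse(events, max_accounts_per_number=2, reuse_window=timedelta(days=30),
                            burst_size=50, burst_window=timedelta(hours=1)):
    """events: (timestamp, e164_number, account_id) tuples.
    Returns (reused, bursty): numbers tied to more than max_accounts_per_number
    distinct accounts inside reuse_window, and calling codes with burst_size or
    more verifications inside burst_window."""
    by_number = defaultdict(list)
    by_cc = defaultdict(list)
    for ts, number, account in events:
        by_number[number].append((ts, account))
        cc = country_code(number)
        if cc:
            by_cc[cc].append(ts)

    reused = {}
    for number, uses in by_number.items():
        uses.sort()
        for i, (start, _) in enumerate(uses):
            accounts = {acct for ts, acct in uses[i:] if ts - start <= reuse_window}
            if len(accounts) > max_accounts_per_number:
                reused[number] = len(accounts)
                break

    bursty = {}
    for cc, stamps in by_cc.items():
        stamps.sort()
        j = 0  # left edge of the sliding window
        for i, ts in enumerate(stamps):
            while ts - stamps[j] > burst_window:
                j += 1
            if i - j + 1 >= burst_size:
                bursty[cc] = i - j + 1
                break
    return reused, bursty


# Constructed events (not from the post): one number reused for three accounts,
# one ordinary verification, and 60 signups in 30 minutes on Belarusian numbers.
BASE = datetime(2014, 1, 20, 12, 0, 0)
SAMPLE_EVENTS = (
    [(BASE + timedelta(minutes=i), "+380501234567", f"acct-{i}") for i in range(3)]
    + [(BASE, "+12025550123", "acct-legit")]
    + [(BASE + timedelta(seconds=30 * i), f"+37529{1000000 + i}", f"bulk-{i}") for i in range(60)]
)

if __name__ == "__main__":
    reused, bursty = find_verification_abuse(SAMPLE_EVENTS)
    print("numbers tied to too many accounts:", reused)
    print("calling codes with verification bursts:", bursty)
```

The reuse check catches the cheap end of the market, where one rented number is resold for several registrations; the burst check is what catches a pool of tens of thousands of fresh numbers, where no single number ever repeats but the aggregate arrival rate from one region is far outside the site’s normal signup mix.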

Sample screenshots of the automatic SMS/Mobile number account verification bypassing tool in action, exclusively relying on the service’s API:

SIM_Cards_SMS_Activation_Account_Registration_Bypass_Automatic_API_Service_05 SIM_Cards_SMS_Activation_Account_Registration_Bypass_Automatic_API_Service_06 SIM_Cards_SMS_Activation_Account_Registration_Bypass_Automatic_API_Service_07 SIM_Cards_SMS_Activation_Account_Registration_Bypass_Automatic_API_Service_08 SIM_Cards_SMS_Activation_Account_Registration_Bypass_Automatic_API_Service_09 SIM_Cards_SMS_Activation_Account_Registration_Bypass_Automatic_API_Service_10 SIM_Cards_SMS_Activation_Account_Registration_Bypass_Automatic_API_Service_11 SIM_Cards_SMS_Activation_Account_Registration_Bypass_Automatic_API_Service_12 SIM_Cards_SMS_Activation_Account_Registration_Bypass_Automatic_API_Service_13 SIM_Cards_SMS_Activation_Account_Registration_Bypass_Automatic_API_Service_15 SIM_Cards_SMS_Activation_Account_Registration_Bypass_Automatic_API_Service_14 SIM_Cards_SMS_Activation_Account_Registration_Bypass_Automatic_API_Service_16 SIM_Cards_SMS_Activation_Account_Registration_Bypass_Automatic_API_Service_18SIM_Cards_SMS_Activation_Account_Registration_Bypass_Automatic_API_Service_17

Another aspect of the ecosystem behind the rise and commercial availability of this type of service, as it adapts to current automatic account registration protections, is its reliance on insiders (dealers) at mobile operators to supply an endless stream of non-attributable numbers. We are currently aware of such insider activity, and we are confident that far more of it is taking place under the radar.

Sample screenshot of the administration panel of a mobile service operator dealer’s admin account, showcased for the purpose of offering anonymous, on demand non-attributable mobile numbers, to assist in fraudulent/malicious activities:

Anonymous_Phone_Numbers_Supply_Chain_Flaw_Insiders

As always, we’re actively monitoring this underground market segment, and will be posting updates as soon as new developments take place.
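The abuse pattern this service enables, a single rented number verifying account after account until it is rotated out, is something a registration backend can look for on its own side. The following Python is an added example, not Webroot’s code or the service’s: it parses a constructed registration log (timestamp, account, E.164 number) and flags any number that verified more than a chosen count of distinct accounts inside a sliding time window. The log format, the numbers and the thresholds are all assumptions made for illustration.

```python
"""Flag verification numbers recycled across many sign-ups, the footprint a
rented non-attributable number pool leaves in a registration log.
Added example, not Webroot's code; the log format, numbers and
thresholds below are constructed assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log: ISO timestamp, new account name, verification number (E.164).
REGISTRATION_LOG = """\
2014-01-14T10:00:05Z user_a1 +79161230001
2014-01-14T10:00:41Z user_a2 +79161230001
2014-01-14T10:01:12Z user_a3 +79161230001
2014-01-14T10:02:03Z user_a4 +79161230001
2014-01-14T10:05:00Z user_b1 +380501110002
2014-01-14T11:30:00Z user_b2 +380501110002
2014-01-14T12:00:00Z user_c1 +14155550003
2014-01-15T09:00:00Z user_c2 +14155550003
"""


def parse_log(text):
    """Return (timestamp, account, number) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        ts, account, number = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), account, number))
    return sorted(events)


def find_recycled_numbers(events, window_hours=1.0, max_accounts=2):
    """Map number -> all accounts it verified, for every number that verified
    more than `max_accounts` distinct accounts within any window of
    `window_hours` (sliding over that number's own uses)."""
    window = timedelta(hours=window_hours)
    by_number = defaultdict(list)
    for ts, account, number in events:
        by_number[number].append((ts, account))

    flagged = {}
    for number, uses in by_number.items():
        uses.sort()
        start = 0
        for end in range(len(uses)):
            # Drop uses that fell out of the window ending at uses[end].
            while uses[end][0] - uses[start][0] > window:
                start += 1
            distinct = {account for _, account in uses[start:end + 1]}
            if len(distinct) > max_accounts:
                flagged[number] = [account for _, account in uses]
                break
    return flagged


if __name__ == "__main__":
    for number, accounts in find_recycled_numbers(parse_log(REGISTRATION_LOG)).items():
        print(f"{number}: {len(accounts)} accounts -> {', '.join(accounts)}")
```

A real pipeline would pair this with carrier number-type data (virtual, VoIP and prepaid ranges) and with the registering IP, since the same pools tend to be fronted by Socks proxies; the reuse signal alone already catches the fully automated case in which one number is burned through several sign-ups within minutes.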

The post Fully automated, API-supporting service, undermines Facebook and Google’s ‘SMS/Mobile number activation’ account registration process appeared first on Webroot Threat Blog.

Newly launched managed ‘compromised/hacked accounts E-shop hosting as service’ standardizes the monetization process


Regular readers of Webroot’s Threat Blog are familiar with our “A Peek Inside a Boutique Cybercrime-Friendly E-shop” series, started in 2012, which highlighted the then-emerging trend of boutique E-shops selling access to compromised/hacked accounts. Popping up on our radar on a systematic basis, this maturing market segment is entering a new life-cycle stage in early 2014. The current stage is the direct result of the efficiency-oriented mentality cybercriminals have applied over the years, through tactics such as templatization, which ultimately leads to the standardization of key cybercrime ecosystem processes and to improved return on investment and stolen-asset liquidity for their fraudulent operations.

Among the key enablers for the emergence of the market segment for compromised/hacked accounting data is the general and commercial availability of DIY (do it yourself) malware generating/botnet building tools, which hand novice cybercriminals ‘know-how’ that was once available only to sophisticated attackers. The direct availability of these tools, combined with the active data mining botnet operators perform to intercept and then monetize valuable accounting data, further strengthened the long-term potential of the segment, resulting in what we currently observe as professional attempts to standardize the monetization process. Over the years we have also observed cybercriminals monetizing compromised/hacked accounting data either by selling access to prospective buyers or by abusing it directly for fraudulent/malicious purposes, further highlighting the persistence of this evergreen scheme.

A newly launched managed ‘compromised/hacked accounts E-shop hosting as a service’ aims to standardize this very same monetization process by providing virtually anyone wanting to achieve stolen assets liquidity for their compromised/hacked accounting data a DIY, self-service type of automatic E-shop setup service. Thanks to its features, potential cybercriminals looking for efficient ways to monetize the fraudulently obtained data can have a cybercrime-friendly E-shop live in 24 hours, with value-added services including ‘hardened servers’ and anti-DDoS protection. Let’s take a peek inside the service and find out just how easy it is for cybercriminals to monetize compromised/hacked accounting data in 2014, thanks to the ongoing standardization of the process.

Sample screenshots of the managed “compromised/hacked accounts E-shop hosting as a service”:

Compromised_Hacked_Accounts_Eshop_Monetization_Standardization_Managed_Hosting_Service Compromised_Hacked_Accounts_Eshop_Monetization_Standardization_Managed_Hosting_Service_02

Sample metrics empowering a potential cybercriminal with statistics for the most popular assets purchased through his managed E-shop:

Compromised_Hacked_Accounts_Eshop_Monetization_Standardization_Managed_Hosting_Service_04

Sample screenshot of a currently active cybercrime-friendly E-shop, currently listing 115,346 active Twitter accounts offered for sale:

Compromised_Hacked_Accounts_Eshop_Monetization_Standardization_Managed_Hosting_Service_01

Sample screenshots of the purchasing process (the service supports WebMoney and Yandex payments):

Compromised_Hacked_Accounts_Eshop_Monetization_Standardization_Managed_Hosting_Service_03 Compromised_Hacked_Accounts_Eshop_Monetization_Standardization_Managed_Hosting_Service_05

Sample screenshot of the pricing scheme:

Compromised_Hacked_Accounts_Eshop_Monetization_Standardization_Managed_Hosting_Service_06

The price for one month of managed service is 300 rubles ($8.79), with 285 rubles ($8.35) listed for a two-month term and 270 rubles ($7.91) for a six-month term (the listed rate falls with the length of the term, so these are most likely per-month prices). We expect to keep seeing new market entrants competing with these types of services, eventually leading to their inevitable reliance on the bulletproof hosting providers ubiquitous within the cybercrime ecosystem.

We’re constantly monitoring the market segment for compromised/hacked accounting data, and will be naturally posting updates as soon as new developments/trends emerge.

The post Newly launched managed ‘compromised/hacked accounts E-shop hosting as service’ standardizes the monetization process appeared first on Webroot Threat Blog.

Newly released Web based DDoS/Passwords stealing-capable DIY botnet generating tool spotted in the wild


Driven by the never-ending supply of newly released DIY (do it yourself) underground market releases, combined with the systematically rebooted life cycles of releases already in circulation, cybercriminals continue to actively develop new cybercrime-friendly malware generating/botnet building applications. Motivated by the desire to keep monetizing this evergreen market segment, a key driving force behind the rise of E-shops offering access to compromised accounting data like those we have extensively profiled at Webroot’s Threat Blog in the past, these cybercriminals continue to ‘innovate’ and reboot the life cycles of known releases through the systematic and persistent introduction of new features.

We’ve recently spotted a newly released, commercially available Web-based DDoS/passwords stealing-capable DIY botnet generating tool, whose general availability is set to give potential cybercriminals DDoS attack capabilities as well as an efficient platform for the mass harvesting of accounting data, both of which will inevitably be monetized through the usual, now standardized, channels. Let’s take a peek inside the tool’s command and control interface, and discuss its key differentiating features in the broader context of their applicability to the overall threat landscape.

Sample screenshots of the Web-based command and control admin interface, detailing the key features of the malware/botnet generating tool:

Web_Malware_DIY_Bot_Botnet Web_Malware_DIY_Bot_Botnet_01 Web_Malware_DIY_Bot_Botnet_02 Web_Malware_DIY_Bot_Botnet_03 Web_Malware_DIY_Bot_Botnet_04

Types of DDoS attack modes supported:
- HTTP
- Slowloris
- Download
- TCP flood
- UDP flood

Key differentiation features:
- Multi-lingual keylogging capabilities
- Command shell
- File extension based file stealing capabilities
- Loader capabilities
- USB/Archive spreading
- Competing bots killer
- Anti VMWare
- Detection of process monitoring applications
- Bot protection features

Based on the tool’s description, the binary averages 50 KB and runs on all versions of Windows from XP to 8.1 (32/64-bit). The full package, including support for unlimited domains, costs $250, with $10 for each rebuild and $20 for updates; the builder itself is currently priced at $650, with WebMoney as the primary accepted payment method.

The commercial availability of these DIY Web-based malware/botnet generating tools is a good example of a cyclical pattern: developers periodically introduce new releases on the underground marketplace in an attempt to gain market share through basic branding. Although the proliferation of “me too” releases lacking key differentiators doesn’t necessarily amount to malicious ‘innovation’, their introduction generates revenue for the developers, and the market share they gain is, in the long term, proportional to the persistence and sophistication of the features the vendor keeps adding. Combined with commercially available DIY malware crypting services and the bulletproof hosting providers ubiquitous within the cybercrime ecosystem, these tools are a key driving force behind the proliferation of new malware families internationally, successfully undermining signature-based antivirus scanning.

We’ll continue monitoring the development of the tool.

The post Newly released Web based DDoS/Passwords stealing-capable DIY botnet generating tool spotted in the wild appeared first on Webroot Threat Blog.

Cybercriminals release new Web based keylogging system, rely on penetration pricing to gain market share


In need of a fresh example of penetration pricing within the cybercrime ecosystem, used by a cybercrime-friendly vendor in an attempt to quickly gain as much market share as possible in the over-supplied segment for keylogging systems? We’re about to give you a very fresh one.

A newly released, commercially available PHP/MySQL based, keylogging-specific malware/botnet generating system with full Unicode support is currently being offered for $50, with binary rebuilds priced at $20, in a clear attempt by the vendor to undercut competing offerings through basic competitive pricing. Just like the Web based DDoS/passwords-stealing tool we profiled yesterday, this keylogging system is once again a decent example of a “me too” underground market release, whose short-term success relies mostly on basic branding and whose long-term success relies on the systematic introduction of new features.

To get a better view of the tool’s core functions, let’s take a peek at its administration panel.

Sample screenshots of the Web based command and control interface:

Web_DIY_Malware_Botnet_Malicious_Software_Keylogging_Unicode Web_DIY_Malware_Botnet_Malicious_Software_Keylogging_Unicode_01 Web_DIY_Malware_Botnet_Malicious_Software_Keylogging_Unicode_02 Web_DIY_Malware_Botnet_Malicious_Software_Keylogging_Unicode_03 Web_DIY_Malware_Botnet_Malicious_Software_Keylogging_Unicode_04

The vendor behind the release applies the KISS (Keep It Simple, Stupid) principle, relying on good old-fashioned keylogging concepts, including automatic screenshots of infected hosts’ desktops and a self-destruct option for the keylogger. The logs are stored in text files, later ‘processed’ by the cybercriminals with log parsing tools popular within the cybercrime ecosystem, ultimately supplying E-shops with a steady flow of compromised accounting data and serving as a foundation for related malware-disseminating attacks.

As always, we’re closely monitoring the future development of the keylogging system.

Meanwhile, readers interested in knowing more about keyloggers can watch the following video, featuring Grayson Milbourne, Webroot’s Security Intelligence Director, part of the Webroot Threat Vlog series, as well as another informative video demoing what happens when Webroot misses a potentially undetected keylogging application. Hint: we’ve got you covered!

The post Cybercriminals release new Web based keylogging system, rely on penetration pricing to gain market share appeared first on Webroot Threat Blog.

Cybercriminals release Socks4/Socks5 based Alexa PageRank boosting application


Since its inception in 1996, Alexa has positioned itself as a primary Web metrics portal, giving Web masters, potential investors and marketers free analytics based on data gathered from toolbars installed on millions of PCs across the world. Having established itself as the most popular publicly accessible Web site benchmarking tool, over the years the Alexa rank (referred to throughout this post as the ‘Alexa PageRank’; PageRank proper is Google’s link-based score) has acted as a key indicator of a Web site’s popularity, growth and overall performance, often cited in presentations, competitive intelligence campaigns and comparative reviews of particular Web sites.

Operating in a world dominated by millions of malware-infected hosts converted into Socks4/Socks5 proxies, whether for integration with automatic account registration tools and DoS tools or as anonymization ‘stepping stones’, cybercriminals keep using this legitimate, clean-IP infrastructure for purely malicious and fraudulent purposes. Their latest target? Using the never-ending supply of infected hosts to influence Alexa’s ranking system. A newly released, commercially available DIY tool pitches itself as capable of boosting a given domain, or list of domains, on Alexa, relying on Socks4/Socks5 malware-infected/compromised hosts syndicated through a popular Russian service.

Sample screenshot of the tool:

Alexa_PageRank_Socks4_Socks5_Malware_Tool_Application

The multi-threaded tool, pitched at $100, supports HTTP/Socks4/Socks5 proxies on malware-infected hosts and can validate whether a given proxy is still alive. Owing to Alexa’s popularity and vast database of domain data, cybercriminals, and spammers in particular, have for years been abusing the site to harvest domain lists they couldn’t obtain through old-school DNS zone transfers, later used to launch directory harvest attacks in an effort to build spam hit lists.

Sample screenshot of a domain-harvesting tool we are aware of that relies on the Alexa service:

Alexa_Domains

What would a cybercriminal do with an artificially boosted Alexa rank? It raises the probability of a successful sale of the domain in question, a default feature/commonly accepted practice for the majority of underground market/OTC (over-the-counter) Web shell and E-shop services we’ve profiled in the past.

We’ll continue monitoring the development of the application.

The post Cybercriminals release Socks4/Socks5 based Alexa PageRank boosting application appeared first on Webroot Threat Blog.

Keeping your digital life safe at the Sochi Olympics


Digital security is not the first thing that comes to mind when thinking about the Sochi Olympics, but it should be on your mind whenever you travel to a popular destination. Just as scams are common in tourist areas around the world, hacking is on the rise wherever media professionals, security personnel and large groups of travelers gather. Malicious attacks against the digital infrastructure have occurred at past Olympics and similar events, and the Sochi Olympics will be no different. So, as you get ready to hit the Russian mountains, here are some tips to keep you and your digital work safe.

Before you head into Olympic Village

  • Ask yourself if you really need that laptop with you. If not, leave it at home.
  • Ensure all your programs are updated to their latest versions, including browsers, e-mail clients and antivirus. Double-check your drivers as well.
  • Back up your full computer onto an external device that stays at home.
  • Clear your cache and temporary internet files, and remove all remembered passwords from your browsers.
  • Encryption is your friend. There are many solutions that provide full disk encryption, or encryption of just your vital folders.
  • Set up a cloud based backup solution that maintains strong security around the login procedure (Webroot/Dropbox/Box). Back up the files you will be working on while travelling to the cloud and restore them upon return from the games.

While at the Olympics

  • Your Wi-Fi and Bluetooth connections are the fastest and easiest to exploit. If you do not need them, keep them turned off. This goes for phones, tablets and computers.
  • Do not plug in any USB drive you find on the ground or receive from someone you do not trust. One of the most serious breaches of US military networks on record began with a rogue USB drive, and while your data may not carry the same weight, the method remains one of the more common ones.
  • If you can connect to the internet through a wired connection in your room, do so. This keeps you off rogue Wi-Fi networks that could capture your data.
  • Avoid logging into private websites, banking websites and any other site where your private information could be compromised.
  • If connecting for work, use your VPN and stay secured.

Remember, digital security should not be forgotten when traveling, and attackers grow more innovative with each digital advance. The best protection for your digital work is to leave your laptop at home; if you insist on bringing it, remember that you are the first line of defense in protecting yourself.

The post Keeping your digital life safe at the Sochi Olympics appeared first on Webroot Threat Blog.

Market leading ‘standardized cybercrime-friendly E-shop’ service brings 2500+ boutique E-shops online


The rise of boutique cybercrime-friendly E-shops, which we’ve extensively profiled in our “A Peek Inside a Boutique Cybercrime-Friendly E-Shop” series, continues to expand as a market segment within the underground marketplace. Driven by the proliferation of public/commercially obtainable DIY (do it yourself) malware/botnet generating tools, alongside the ongoing standardization of the monetization process offered by opportunistic cybercriminals acting as intermediaries between those holding the fraudulently obtained assets and their prospective customers, the segment is set to expand further.

Having already profiled a managed hosting service that gives novice cybercriminals holding compromised/hacked accounting information an efficient way to monetize the stolen data, we continue to find factual evidence confirming the ongoing standardization of the monetization process. In this post, I’ll discuss a market leading managed hosting service that currently hosts 2500+ boutique E-shops offering access to a vast amount of compromised/hacked accounting data, bundling the hosting with a convenient Web-based E-shop management interface.

Sample screenshot of the entry page of the managed cybercrime-friendly E-shop hosting service:

Cybercrime_Eshop_Boutique_Standardized_Managed_Hosting_Service_Hacked_Compromised_Malware_Accounts_Data_07

Sample screenshots of the Web based management interface that cybercriminals use to configure their E-shops, plus a sample E-shop:

Cybercrime_Eshop_Boutique_Standardized_Managed_Hosting_Service_Hacked_Compromised_Malware_Accounts_Data Cybercrime_Eshop_Boutique_Standardized_Managed_Hosting_Service_Hacked_Compromised_Malware_Accounts_Data_01 Cybercrime_Eshop_Boutique_Standardized_Managed_Hosting_Service_Hacked_Compromised_Malware_Accounts_Data_03 Cybercrime_Eshop_Boutique_Standardized_Managed_Hosting_Service_Hacked_Compromised_Malware_Accounts_Data_04 Cybercrime_Eshop_Boutique_Standardized_Managed_Hosting_Service_Hacked_Compromised_Malware_Accounts_Data_05 Cybercrime_Eshop_Boutique_Standardized_Managed_Hosting_Service_Hacked_Compromised_Malware_Accounts_Data_06

Beyond its core feature, a sub-domain chosen according to the cybercriminal’s preferences, the service also lets customers use their own domains, insisting they register them through a Russian domain registrar and use CloudFlare as the DNS provider. The monthly price for hosting an E-shop is 333 rubles ($9.55). The simplistic Web-based interface gives cybercriminals an easy way to load their compromised/hacked accounting data into the service. Not surprisingly, given the low price, the service has already positioned itself as a market leader in the newly emerging standardized monetization model, having provided the necessary infrastructure to 2500+ boutique E-shops. This standardization of the monetization process is a trend that directly or indirectly centralizes what was once a largely decentralized market segment, as illustrated by virtually all the boutique cybercrime-friendly E-shops we profiled and tracked throughout 2012.

The market leading service discussed in this post currently relies on CloudFlare’s legitimate infrastructure, something we believe is likely to change over time given the trade-off between centralization and the service’s ability to remain online. We therefore expect it, and its competitors, to move exclusively to the bulletproof hosting providers ubiquitous within the cybercrime ecosystem.

As always, we’re keeping an eye on the future development of the service, the E-shops it’s hosting, and will be posting updates as soon as new developments take place.

The post Market leading ‘standardized cybercrime-friendly E-shop’ service brings 2500+ boutique E-shops online appeared first on Webroot Threat Blog.


Managed TeamViewer based anti-forensics capable virtual machines offered as a service


Operational Security (OPSEC) has always been an inseparable part of the cybercrime ecosystem, especially when it comes to preventing law enforcement agencies from tracking the activities of fraudulent and malicious actors online. Over the years the industry has watched malware-infected hosts (Socks4/Socks5) serve as anonymization ‘stepping stones’ and cybercrime-friendly VPN providers sidestep internationally accepted data retention regulations, as two of the primary anonymization tactics used by cybercriminals. Today this set of tactics has evolved into a diversified mix of legitimate and purely malicious infrastructure offering value-added services such as API-backed Socks4/Socks5 services, DIY real-time Socks4/Socks5 syndication tools and hybrid anonymity ‘solutions’. These services give cybercriminals the ‘know-how’ to conceal their activities online, and there is a clear attempt to standardize that ‘know-how’ through the distribution of commercial OPSEC training manuals.

With digital forensics playing a crucial role in attribution and ‘case-building’ when assessing cybercrime incidents, it shouldn’t be surprising that sophisticated adversaries have for years applied off-the-shelf anti-forensics tactics, techniques and procedures (TTPs). The very existence and use of these tactics undermines the currently accepted techniques for attributing cybercrime campaigns to the correct parties.

We’ve been tracking an extremely sophisticated (in terms of its potential application when orchestrating fraudulent and malicious campaigns) TeamViewer-based managed service offering virtual machines pre-loaded with a distinct set of anti-forensics tools, including many private versions. The service gives a potential cybercriminal point-and-click capabilities to completely anonymize the virtual machine: by spoofing the guest’s hardware and software identifiers, it decouples everything a remote site or application can fingerprint from the operator’s real system. System settings can be set, through sophisticated patching/hooking of legitimate applications, to mimic any given set of preferences, including pseudo-randomly generated ones, such as the following:

  • Windows ID
  • Internet Explorer’s Serial Number
  • Windows Media Player’s ID
  • Processor’s Name
  • Computer’s Identification
  • System’s build
  • System’s Country Settings
  • Language formats
  • Keyboard language
  • Browser’s language
  • Geographical Location
  • System’s TimeZone
  • System’s Time
  • Browser’s Resolution
  • Browser’s Language
  • Browser’s Version
  • Mobile Device’s Version
  • Flash Version

Sample screenshots of a virtual machine accessed through TeamViewer, showcasing the inventory of anti-forensics tools/applications at the disposal of potential cybercriminals:

TeamViewer_Virtual_Machine_Anti_Digital_Forensics_Service_Scam_Fraud_Cybercrime_Attribution TeamViewer_Virtual_Machine_Anti_Digital_Forensics_Service_Scam_Fraud_Cybercrime_Attribution_01 TeamViewer_Virtual_Machine_Anti_Digital_Forensics_Service_Scam_Fraud_Cybercrime_Attribution_02 TeamViewer_Virtual_Machine_Anti_Digital_Forensics_Service_Scam_Fraud_Cybercrime_Attribution_03 TeamViewer_Virtual_Machine_Anti_Digital_Forensics_Service_Scam_Fraud_Cybercrime_Attribution_04 TeamViewer_Virtual_Machine_Anti_Digital_Forensics_Service_Scam_Fraud_Cybercrime_Attribution_05

These TeamViewer-accessed virtual machines are combined with commercially obtainable Virtual Private Network (VPN) software (HMA Pro, as showcased by the vendor in this particular case) and with good old-fashioned Socks4/Socks5-enabled malware-infected hosts that ‘proxify’ the now anti-forensics-hardened connection; the proxy service showcased by the vendor already lists 13,527 malware-infected hosts, the majority of them U.S. based. Cybercriminals using the service thus gain sophisticated anti-forensics capabilities that let them execute fraudulent and malicious campaigns while making attribution virtually impossible.

The price? A disturbingly low $35 per week, with additional ‘rent schedules’ subject to negotiation. This service is a good example of the ongoing diversification within what we can best describe as the stagnated market segment for bulletproof hosting services: with virtually every cybercriminal now able to purchase such hosting cheaply, and even enjoying a decent degree of underground market transparency when choosing among cost-effective offerings, vendors are constantly looking for new ways to differentiate their value-added propositions.

As always, we’re keeping an eye on the future development of the service, in particular, the anticipated emergence of competing propositions.

The post Managed TeamViewer based anti-forensics capable virtual machines offered as a service appeared first on Webroot Threat Blog.

ThreatVlog Episode 13: Unwanted Applications, Audio Ads, and Microsoft


In the first ThreatVlog of 2014, Marcus Moreno discusses the increase in Potentially Unwanted Applications/Programs and their impact on machines, productivity and the user experience. Also in the video is a segment on the audio ads that have been infecting machines and annoying users, covering how they get onto the machine and where to find them. Finally, he talks about Microsoft’s call for all security companies to come together to help end malware families.

The post ThreatVlog Episode 13: Unwanted Applications, Audio Ads, and Microsoft appeared first on Webroot Threat Blog.

Malicious campaign relies on rogue WordPress sites, leads to client-side exploits through the Magnitude exploit kit


In a cybercrime ecosystem populated by commercially available WordPress brute-forcing tools and mass scanners for vulnerable WordPress installations, cybercriminals continue to capitalize on the platform’s leading share of the Content Management System market. Successfully exploiting tens of thousands of installations a day in order to use the legitimate infrastructure for their fraudulent/malicious campaign objectives, the tactic is also largely driven by the over-supply of compromised accounting data, usually embedded within sophisticated Web-based attack platforms like the ones we’ve profiled in the past.

We’ve recently intercepted a malicious campaign relying exclusively on rogue WordPress sites, ultimately serving client-side exploits to users through the Magnitude Web malware exploitation kit. Despite its relatively low profile in terms of proliferation (we believe the campaign is in its early stages), it exposes a fraudulent infrastructure built on pseudo-randomly generated sub-domains that is worth keeping an eye on.

Sample rogue WordPress sites participating in the campaign:
hxxp://glinkinart.com/wp-includes/class-wp-ajax.php
hxxp://nextgenerationvcf.com/wp-includes/class-wp-ajax.php
hxxp://gilesbytitle.com/wp-includes/class-wp-ajax.php
hxxp://webclaritydev1.com/wp-includes/class-wp-ajax.php
hxxp://studyithere.com/wp-includes/class-wp-ajax.php
hxxp://virtualpmllc.com/wp-includes/class-wp-ajax.php
hxxp://caretubedin.com/wp-includes/class-wp-ajax.php
hxxp://asiandredgecon.com/wp-includes/class-wp-ajax.php
hxxp://allurearquitetura.com/wp-includes/class-wp-ajax.php
hxxp://fallinshadow.com/wp-includes/class-wp-ajax.php
hxxp://best-luxury-escapes.com/wp-includes/class-wp-ajax.php
hxxp://drmpeter.com/wp-includes/class-wp-ajax.php
hxxp://webclaritydev1.com/wp-includes/class-wp-ajax.php
hxxp://paradigm-markets.com/wp-includes/class-wp-ajax.php
hxxp://balancekw.com/wp-includes/class-wp-ajax.php
hxxp://web-wide-banners.com/wp-includes/class-wp-ajax.php
hxxp://torgtov.com/wp-includes/class-wp-ajax.php
hxxp://theglossproject.com/wp-includes/class-wp-ajax.php
hxxp://sedonawildflowerinn.com/wp-includes/class-wp-ajax.php
hxxp://webclaritydev1.com/wp-includes/class-wp-ajax.php
hxxp://theglossproject.com/wp-includes/class-wp-ajax.php
hxxp://sedonawildflowerinn.com/wp-includes/class-wp-ajax.php
hxxp://glinkinart.com/wp-includes/class-wp-ajax.php
hxxp://topmedigap.com/wp-includes/class-wp-ajax.php

Sample exploitation chain: hxxp://glinkinart.com/wp-includes/class-wp-ajax.php -> hxxp://faq-seo.ru/1/a (109.236.87.219) -> hxxp://huatongchuye.com/lang/en/pay/apay.php (128.134.244.74) -> hxxp://ad54.feb5.e12.b1.40ce76b.15d.4b23cc.392.sjtfonaoavll.blowfaster.pw -> hxxp://190.162.183.78:33816/11957/0pyvniriz/index.php

Sample pseudo-randomly generated sub-domains, currently resolving to 184.172.109.156, 184.172.109.157 and 66.55.157.197:
hxxp://ad54.feb5.e12.b1.40ce76b.15d.4b23cc.392.sjtfonaoavll.blowfaster.pw
hxxp://19d5.5c5ce0.d91.b32d89b.a1f7.764ca4.d0.aazwmkkekfgm.blowfaster.pw
hxxp://a38363.5f612.76.5245.1b062b8.4b.eb367.c.cakfcdhymp.remainsfilled.pw
hxxp://925164.77.2944.790b6ca.54b9.76e8.d5.b8f.cnsmjkyrjlv.eyesproperties.pw/
hxxp://86c9.b6.4b52b.78.1deb.68.1914308.fdc6c7.myugnpbtpcfq.settledevices.pw
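The sub-domains above share a recognisable shape: a run of short hexadecimal labels, one long alphabetic label, then a two-label registrable domain under .pw. As an added example that is not part of the original post, the Python below encodes that shape as a filter and runs it over a few constructed proxy log lines. The label-count and hex-fraction thresholds are my own assumptions, as is the assumption that the registrable domain is always the last two labels; tune both against your own traffic before relying on them.

```python
"""Filter for hostnames shaped like the sub-domains listed above.

Observed shape: a run of short hexadecimal labels, one long alphabetic
label, then a two-label registrable domain (e.g. blowfaster.pw). The
thresholds are assumptions made for this example, not values from the post.
"""
import re
from typing import Iterable, List, Tuple

HEX_LABEL = re.compile(r"^[0-9a-f]{1,8}$")
ALPHA_LABEL = re.compile(r"^[a-z]{8,}$")
# Matches http(s) and the defanged hxxp(s) form used in threat reports.
URL_RE = re.compile(r"\b(?:https?|hxxps?)://\S+", re.IGNORECASE)

MIN_SUBDOMAIN_LABELS = 6   # assumed threshold
MIN_HEX_FRACTION = 0.6     # assumed threshold


def extract_host(value: str) -> str:
    """Return the bare hostname from a URL, a defanged URL or a plain host."""
    value = value.strip().lower()
    if "://" in value:
        value = value.split("://", 1)[1]
    return value.split("/", 1)[0].split(":", 1)[0].rstrip(".")


def hostname_features(value: str) -> dict:
    """Structural features of a hostname, assuming a two-label registrable suffix."""
    labels = extract_host(value).split(".")
    sub = labels[:-2]  # everything left of the registrable domain
    hex_count = sum(1 for label in sub if HEX_LABEL.match(label))
    return {
        "registrable": ".".join(labels[-2:]),
        "subdomain_labels": len(sub),
        "hex_fraction": hex_count / len(sub) if sub else 0.0,
        "alpha_tail": bool(sub) and ALPHA_LABEL.match(sub[-1]) is not None,
    }


def is_campaign_shaped(value: str) -> bool:
    """True when the host matches the generated-sub-domain pattern."""
    f = hostname_features(value)
    return (
        f["subdomain_labels"] >= MIN_SUBDOMAIN_LABELS
        and f["hex_fraction"] >= MIN_HEX_FRACTION
        and f["alpha_tail"]
    )


def scan_log(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (registrable domain, host) for each flagged URL in the lines."""
    hits = []
    for line in lines:
        for url in URL_RE.findall(line):
            if is_campaign_shaped(url):
                hits.append((hostname_features(url)["registrable"], extract_host(url)))
    return hits


# Constructed proxy log lines for demonstration; not data from the post.
SAMPLE_LOG = [
    "2014-01-08T10:01:02Z 10.0.0.12 GET hxxp://glinkinart.com/wp-includes/class-wp-ajax.php 200",
    "2014-01-08T10:01:03Z 10.0.0.12 GET hxxp://faq-seo.ru/1/a 302",
    "2014-01-08T10:01:05Z 10.0.0.12 GET hxxp://ad54.feb5.e12.b1.40ce76b.15d.4b23cc.392.sjtfonaoavll.blowfaster.pw/ 200",
    "2014-01-08T10:02:11Z 10.0.0.19 GET http://www.example.com/index.html 200",
]

if __name__ == "__main__":
    for registrable, host in scan_log(SAMPLE_LOG):
        print(f"{registrable}\t{host}")
```

Reporting the registrable domain alongside the full host is deliberate: the leading hex labels change per victim, so blocking or alerting on blowfaster.pw, remainsfilled.pw and the other parent domains is what survives the next generated sub-domain.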

Related domains known to have responded to 109.236.87.219 in the past:
ns3.regdom.name
ns4.regdom.name
faq-seo.ru
nextgenasic.com
masterperevodov.ru
51region.net
adelante-tour.com
advokati24.ru
20asicminersoft.com
atakent.ru
bazagibdd.com
boxinghit.ru
canfamilypharmacy.com
ci.gmfcloan.com
filmgadaika.ru
forumcnc.ru
freetraffcounter.com
gta5new.info
hardwarez.in
hd720pfilm.ru
hyiper.in
jomlajavascript.ru
jqueryjsscript.ru
login-odnoklassniki.ru

Related domains known to have responded to 128.134.244.74 in the past:
bigfish.im
huatongchuye.com
qinghuo.net
quanxiejiu.com
rsjy.org

Detection rate for a sample exploit:
MD5: 03c9f22080a3f8cfbfc80d78483c1e21 – detected by 4 out of 45 antivirus scanners as HEUR:Exploit.Java.Generic

Webroot SecureAnywhere users are proactively protected from these threats.

The post Malicious campaign relies on rogue WordPress sites, leads to client-side exploits through the Magnitude exploit kit appeared first on Webroot Threat Blog.

‘Hacking for hire’ teams occupy multiple underground market segments, monetize their malicious ‘know how’


In a series of blog posts published throughout 2012, we’ve been highlighting the existence of a vibrant underground market segment, namely that of ‘hacking for hire’ services, email hacking in particular. Such services have been commercially available for years; their growth was once largely fueled by the release of DIY Web-based tools for hacking popular email providers, which, once acquired by prospective cybercriminals, quickly became the foundation for a successful business model. How have things changed since, in terms of tactics, techniques and procedures? Profoundly.

Case in point, we’ve been tracking two such ‘hacking for hire’ services, both of which offer a diversified portfolio of malicious services to prospective customers, such as email hacking, Web site hacking, DDoS for hire, DDoS protection and grade modification. What type of tactics, tools and procedures do they rely on? Let’s find out.

Sample screenshot of the service’s portfolio (email hacking, Web site hacking, DDoS for hire, DDoS protection):

Hacking_Team_Vertical_Integration_DDoS_Email_Hacking_Web_Site_Hacking_DDoS_Protection

Thanks to the persistent supply of CAPTCHA-solving capable brute-forcing tools, commercially available DIY malware/botnet generating tools, as well as custom-coded phishing pages offered as a service on the underground market, cybercriminals have everything they need at their disposal to monetize their ‘know how’ through this type of service. Among the key success factors for their campaigns, email hacking in particular relies on the ‘first hand’ intelligence about the potential targets that the service obtains from its prospective customers, which is later used in successful social engineering campaigns.

The first ‘hacking for hire’ service charges $50 for a single day of persistent DDoS attack, $300 for a week and $1000 for a month. Web site hacking is pitched at $500. Email hacking is offered at $200 ($500 for corporate users), followed by $35 for a day of DDoS protection and $150 for a month of it. The service also offers a free test of its DDoS capabilities.

The rest of the portfolio, Web site hacking in particular, is largely made possible by the public/commercial availability of DIY Web site hacking tools like the ones we’ve extensively profiled in the past. DDoS for hire, in turn, is commercially viable not just because of how easy it is to ‘generate’ a botnet in 2014, but also because of a cost-effective acquisition approach: the botnet generation process is outsourced, and the (outsourced) botnet’s infected population is then monetized through a variety of schemes, all of which let the cybercriminals ‘break even’ on their initial investment. We expect these types of services, email hacking in particular because of its volume-driven business model, to continue proliferating, with the cybercriminals behind them continuing to professionalize, standardize and further streamline the customer acquisition process.

As always, we’re keeping an eye on this market segment, and will be posting updates as soon as new developments emerge.

The post ‘Hacking for hire’ teams occupy multiple underground market segments, monetize their malicious ‘know how’ appeared first on Webroot Threat Blog.

DoubleClick malvertising campaign exposes long-run beneath the radar malvertising infrastructure


Today, at 2014-02-12 12:16:20 (CET), we became aware of a possible evasive, beneath-the-radar malvertising attack serving the g01pack exploit kit through the DoubleClick ad network, via an advertisement featured on About.com. Investigating further, we identified the actual domains/IPs involved in the campaign and, perhaps most interestingly, established a rather interesting connection between the name servers of one of the domains involved in the attacks and what appears to be a fully operational and running Ukrainian-based ad platform, Epom in this particular case.

Actual URL: hxxp://ad.doubleclick.net/N479/adi/abt.education/education_biology;p=1;svc=;site=biology;t=0;bt=9;bts=0;pc=4;oe=iso-8859-1;auc=1;fd=2;fs=1;sp2=0;go=9;a=;kw=;chan=education;syn=about;tile=1;r=1;dcopt=ist;sz=728x90;u=DBIIS70bOkWAXwch41309;dc_ref=http:/biology.about.com/library/glossary/bldefmenlawia.htm;ord=1DBIIS70bOkWAXwch41309

Malvertising domains/URLs/IPs involved in the campaign:
adservinghost1.com – 212.124.112.232; 212.124.112.226 (cpmservice1.com is also known to have responded to this IP); 212.124.112.229; 74.50.103.41; 68.233.228.236
ad.onlineadserv.com – 37.59.15.44; 37.59.15.211
hxxp://188.138.90.222/ad.php?id=31984&cuid=55093&vf=240

IP reconnaissance:
188.138.90.222 – The following domains are also known to have responded to the same IP: rimwaserver.com; notslead.com; adwenia.com – Email: philip.woronoff@yandex.ru (also known to have responded to 188.138.74.38 in the past; as well as digenmedia.com)

Based on BrightCloud’s database, adservinghost1.com is already flagged as malicious. In addition, MD5: dc35b211b5eb5bd8af02c412e411d40e (Rogue:Win32/Winwebsec) is known to have phoned back to the same IP as that domain, specifically to hxxp://212.124.112.232/cb_soft.php?q=dcee08c46ea4d86769a92ab67ff5aafa.

Sample screenshot of the malvertising chain:

DoubleClick_Malvertising

Here comes the interesting part. Apparently, the name servers of adservinghost1.com are currently responding to the same IPs as the name servers of the Epom ad platform.
NS1.ADSERVINGHOST1.COM – 212.124.126.2
NS2.ADSERVINGHOST1.COM – 74.50.103.38

The following domains are also currently responding to 212.124.126.2, further confirming the connection:
ns1.epom.com
ads.epom.com
api.epom.com
directads.epom.com
ns1.adshost1.com
ns1.adshost2.com
ns1.adshost3.com

The following domains are also responding to the same IP as the Epom.com domain at 198.178.124.5:
automob.com
autos.net.ua
epom.com
formanka-masova.cz
ipfire.com – Email: kaandvc@gmail.com; Email: satilikdomain@live.com
smartkevin.com
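The pivoting performed above (‘known to have responded to the same IP’, shared name-server IPs) can be automated once the observations are written down as host/IP pairs. As an added example that is not the post’s own tooling, the Python below transcribes the pairs reported in this post, links hosts that share an IP or a name-server delegation, and groups them with union-find. The adservinghost1.com delegations come from the post; the epom.com → ns1.epom.com delegation is assumed from the name. The max_fanout cutoff is my own addition: an IP carrying many unrelated names (shared hosting, a CDN) is ignored as a pivot, because co-location on such an IP says little by itself.

```python
"""Infrastructure pivot over the host/IP observations reported above.

Two hosts are linked when they share an IP or when one is the other's
name server; union-find groups linked hosts into clusters. IPs carrying
more than ``max_fanout`` names are skipped as shared-hosting noise.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

# IP -> hosts, transcribed from the post; a point-in-time snapshot, not live data.
HOSTS_ON_IP: Dict[str, List[str]] = {
    "212.124.112.232": ["adservinghost1.com"],
    "212.124.112.226": ["adservinghost1.com", "cpmservice1.com"],
    "212.124.112.229": ["adservinghost1.com"],
    "74.50.103.41": ["adservinghost1.com"],
    "68.233.228.236": ["adservinghost1.com"],
    "37.59.15.44": ["ad.onlineadserv.com"],
    "37.59.15.211": ["ad.onlineadserv.com"],
    "188.138.90.222": ["rimwaserver.com", "notslead.com", "adwenia.com"],
    "212.124.126.2": ["ns1.adservinghost1.com", "ns1.epom.com", "ads.epom.com", "api.epom.com",
                      "directads.epom.com", "ns1.adshost1.com", "ns1.adshost2.com", "ns1.adshost3.com"],
    "74.50.103.38": ["ns2.adservinghost1.com"],
    "198.178.124.5": ["epom.com", "automob.com", "autos.net.ua", "formanka-masova.cz",
                      "ipfire.com", "smartkevin.com"],
}
OBSERVATIONS: List[Tuple[str, str]] = [(h, ip) for ip, hosts in HOSTS_ON_IP.items() for h in hosts]

# Domain -> authoritative name server. The adservinghost1.com entries are from
# the post; the epom.com entry is assumed from the name server's hostname.
DELEGATIONS: List[Tuple[str, str]] = [
    ("adservinghost1.com", "ns1.adservinghost1.com"),
    ("adservinghost1.com", "ns2.adservinghost1.com"),
    ("epom.com", "ns1.epom.com"),
]


def hosts_by_ip(observations: Iterable[Tuple[str, str]]) -> Dict[str, Set[str]]:
    """Inverted index: IP -> hosts observed on it."""
    index: Dict[str, Set[str]] = defaultdict(set)
    for host, ip in observations:
        index[ip].add(host)
    return index


def shared_ips(observations: Iterable[Tuple[str, str]], a: str, b: str) -> List[str]:
    """IPs on which both hosts have been observed."""
    ips: Dict[str, Set[str]] = defaultdict(set)
    for host, ip in observations:
        ips[host].add(ip)
    return sorted(ips[a] & ips[b])


def pivot_clusters(observations: List[Tuple[str, str]],
                   delegations: Iterable[Tuple[str, str]] = (),
                   max_fanout: int = 20) -> List[List[str]]:
    """Cluster hosts linked by a shared IP (at or below max_fanout) or an NS delegation."""
    delegations = list(delegations)
    parent: Dict[str, str] = {}

    def find(x: str) -> str:
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    def union(a: str, b: str) -> None:
        parent[find(a)] = find(b)

    for ip, hosts in hosts_by_ip(observations).items():
        if len(hosts) > max_fanout:
            continue  # shared hosting / CDN: too many tenants to pivot on
        first, *rest = sorted(hosts)
        for host in rest:
            union(first, host)
    for domain, name_server in delegations:
        union(domain, name_server)

    members = {h for h, _ in observations} | {h for pair in delegations for h in pair}
    clusters: Dict[str, Set[str]] = defaultdict(set)
    for host in members:
        clusters[find(host)].add(host)
    return sorted(sorted(c) for c in clusters.values())


if __name__ == "__main__":
    for cluster in pivot_clusters(OBSERVATIONS, DELEGATIONS):
        print(", ".join(cluster))
    print("shared:", shared_ips(OBSERVATIONS, "adservinghost1.com", "cpmservice1.com"))
```

With the default cutoff the adservinghost1.com cluster reaches epom.com through the 212.124.126.2 name-server overlap and then drags in automob.com, autos.net.ua and the other tenants of 198.178.124.5, which is exactly the caveat: the overlap of name-server IPs is the signal the post rests on, while the 198.178.124.5 neighbours are only co-hosted. Lowering max_fanout to 5 drops both busy IPs and leaves adservinghost1.com linked only to cpmservice1.com and its own name servers, so on real passive DNS the cutoff is what keeps a shared-hosting IP from gluing unrelated sites together.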

We’ll be keeping an eye on this beneath the radar malvertising infrastructure, and post updates as soon as new developments emerge.

The post DoubleClick malvertising campaign exposes long-run beneath the radar malvertising infrastructure appeared first on Webroot Threat Blog.
