
Spamvertised ‘Image has been sent’ Evernote themed campaign serves client-side exploits


Cybercriminals continue to populate their botnets, with new infected hosts, through the persistent and systematic spamvertising of tens of thousands of fake emails which impersonate popular and well known brands – all in an attempt to socially engineer prospective victims into interacting with the scam.

We’ve recently intercepted a currently circulating malicious spam campaign, impersonating Evernote, serving client-side exploits to prospective victims who click on the links found in the fake emails.

More details:

Sample screenshot of the spamvertised email:

[image: spamvertised Evernote-themed email]

Sample redirection chain: hxxp://nortonfire.co.uk/1.html – 82.165.213.55 -> hxxp://merdekapalace.com/1.txt – 202.71.103.21 -> hxxp://www.shivammehta.com/1.txt – 181.224.129.14 -> hxxp://ypawhygrawhorsemto.ru:8080/z4ql9huka0

Domain name reconnaissance for the fast-fluxed ypawhygrawhorsemto.ru:
37.59.36.223
180.244.28.149
140.112.31.129
31.222.178.84
54.254.203.163
78.108.93.186
202.22.156.178

Also responding to 78.108.93.186 are the following malicious domains:
ypawhygrawhorsemto.ru – 78.108.93.186
jolygoestobeinvester.ru – 78.108.93.186
afrikanajirafselefant.biz – 78.108.93.186
bakrymseeculsoxeju.ru – 78.108.93.186
ozimtickugryssytchook.org – 78.108.93.186
bydseekampoojopoopuboo.biz – 78.108.93.186

Name servers used in the campaign:
Name server: ns1.ypawhygrawhorsemto.ru – 173.255.243.199
Name server: ns2.ypawhygrawhorsemto.ru – 119.226.4.149
Name server: ns3.ypawhygrawhorsemto.ru – 192.237.247.65
Name server: ns4.ypawhygrawhorsemto.ru – 204.232.208.115
——————————————-

Second sample redirection chain: hxxp://www.smithpointarchery.com/1.html – 65.61.11.74 -> hxxp://merdekapalace.com/1.txt – 202.71.103.21 -> hxxp://www.shivammehta.com/1.txt – 181.224.129.14 -> hxxp://opheevipshoopsimemu.ru:8080/dp2w4dvhe2 – 31.222.178.84

Detection rate for a sample served client-side exploit:
MD5: c81b2b9fbee87c6962299f066b983a46

Domain name reconnaissance for the fast-fluxed opheevipshoopsimemu.ru:
31.222.178.84
180.244.28.149
78.108.93.186
140.112.31.129
78.129.184.4
54.254.203.163
202.22.156.178
37.59.36.223

Name servers part of the campaign’s infrastructure:
Name server: ns1.opheevipshoopsimemu.ru – 173.255.243.199
Name server: ns2.opheevipshoopsimemu.ru – 119.226.4.149
Name server: ns3.opheevipshoopsimemu.ru – 192.237.247.65
Name server: ns4.opheevipshoopsimemu.ru – 204.232.208.115

Webroot SecureAnywhere users are proactively protected from these threats.

The post Spamvertised ‘Image has been sent’ Evernote themed campaign serves client-side exploits appeared first on Webroot Threat Blog.


Spamvertised ‘You received a new message from Skype voicemail service’ themed emails lead to Angler exploit kit


We’ve just intercepted a currently circulating malicious spam campaign that’s attempting to trick potential botnet victims into thinking that they’ve received a legitimate Voice Message Notification from Skype. In reality though, once socially engineered users click on the malicious link found in the bogus emails, they’re automatically exposed to the client-side exploits served by the Angler exploit kit.

More details:

Sample screenshot of the spamvertised email:

[image: spamvertised Skype voicemail-themed email]

Sample exploitation chain: hxxp://crestspahh.com:80/1.html -> hxxp://merdekapalace.com/1.txt -> hxxp://www.shivammehta.com/1.txt -> hxxp://nedapardaz.com/theme/it/browser/_lzf_.php?source_pid=38896815737B1F0316DB020740&swap_src=7D&theme-lid=1

Malicious domain names reconnaissance:
crestspahh.com – 184.106.55.74
merdekapalace.com – 202.71.103.21
shivammehta.com – 181.224.129.14
nedapardaz.com – 38.69.132.17

Known to have responded to the same IP (38.69.132.17) are also the following malicious domains:
atlasexperts.com
betagroupco.com
emdadimam.ir
farahost.com
mazmaz.org
messinan.com
nedapardaz.com
partonab.com
saragolmakani.com
tcdgroup.ir
tcdgroup.org
valafan.com
ballast.ir
ebara-iran.com
mazmaz.net
mooiran.com
tadarokacc.com

Detection rate for a sample client-side exploit:
MD5: 48af1ab43fe4ce38c32879bd276d4319 – detected by 2 out of 50 antivirus scanners as JS/Exploit-Blacole.aj

What’s particularly interesting about this campaign is that it shares the same malicious infrastructure (redirectors) as the recently profiled Evernote themed malicious campaign (merdekapalace.com and shivammehta.com in particular). Besides the direct connection between these campaigns, which appear to have been launched by the same gang, we were also able to establish related connections between the malicious infrastructure operating behind the managed spam-ready SMTP servers for rent service which we profiled back in October 2013, and the Rodecap botnet.

Known to have been downloaded from the same IP (38.69.132.17) is also the following malicious MD5: a09dd5c454693a0cc9d877dff371b9fc – Worm.Win32.Cridex.pox. Here comes the interesting part: known to have phoned back to the same IP (38.69.132.17) on 2013-07-24 is also MD5: bc445781be2960d96b9bcf5d215b1405 – betagroupco.com in particular. The same MD5 is also known to have phoned back to the related C&C, newsleter.org (Rodecap botnet), which we’ve also observed as a phone-back C&C server used by the related malicious MD5s known to have communicated directly with the same IP (92.53.125.90), at the time the responding IP for the Web site of the managed spam-ready SMTP servers for rent service.
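The overlap described in the two campaign write-ups above (shared redirectors, domains co-hosted on one IP, fast-fluxed C&C domains) is exactly the kind of pivot an analyst wants to automate. The script below is an added example, not Webroot’s tooling: it parses indicator lines in the defanged formats used in these posts (hxxp:// redirection chains, “domain – IP” pairs, “MD5:” lines), normalizes www. prefixes, and pivots on hops shared between chains and on domains sharing an IP. The fast-flux heuristic counts distinct /16 prefixes across a domain’s resolutions; the threshold of five is an assumption, not something the post states. The sample input is constructed from indicators quoted in the two posts.

```python
"""Parse defanged threat-intel indicator lines and pivot on shared infrastructure.
Added example; not code from the post or from Webroot."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample: indicator lines copied from the Evernote and Skype write-ups above.
SAMPLE = """
Sample redirection chain: hxxp://nortonfire.co.uk/1.html (82.165.213.55) -> hxxp://merdekapalace.com/1.txt – 202.71.103.21 -> hxxp://www.shivammehta.com/1.txt – 181.224.129.14 -> hxxp://ypawhygrawhorsemto.ru:8080/z4ql9huka0
ypawhygrawhorsemto.ru – 78.108.93.186
jolygoestobeinvester.ru – 78.108.93.186
Sample exploitation chain: hxxp://crestspahh.com:80/1.html -> hxxp://merdekapalace.com/1.txt -> hxxp://www.shivammehta.com/1.txt -> hxxp://nedapardaz.com/theme/it/browser/_lzf_.php?source_pid=38896815737B1F0316DB020740&swap_src=7D&theme-lid=1
crestspahh.com – 184.106.55.74
merdekapalace.com – 202.71.103.21
shivammehta.com – 181.224.129.14
nedapardaz.com – 38.69.132.17
MD5: 48af1ab43fe4ce38c32879bd276d4319 – detected by 2 out of 50 antivirus scanners as JS/Exploit-Blacole.aj
"""

# Resolutions listed for the fast-fluxed ypawhygrawhorsemto.ru in the Evernote post.
FLUX_IPS = ["37.59.36.223", "180.244.28.149", "140.112.31.129", "31.222.178.84",
            "54.254.203.163", "78.108.93.186", "202.22.156.178"]

IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"
URL_RE = re.compile(r"hxxps?://([A-Za-z0-9.-]+)(?::\d+)?(?:/\S*)?", re.I)
PAIR_RE = re.compile(r"^([A-Za-z0-9.-]+\.[a-z]{2,})\s*[–-]\s*(" + IPV4 + r")\s*$", re.I)
MD5_RE = re.compile(r"\bMD5:\s*([0-9a-f]{32})\b", re.I)


def hostname(host):
    """Lower-case and drop a leading 'www.' so chain hops and pair lines line up."""
    host = host.lower()
    return host[4:] if host.startswith("www.") else host


def parse_iocs(text):
    """Return redirection chains (lists of hosts), a domain -> {IP} map and a set of MD5s."""
    chains, domain_ips, hashes = [], defaultdict(set), set()
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = MD5_RE.search(line)
        if m:
            hashes.add(m.group(1).lower())
        if "->" in line:                      # a redirection / exploitation chain
            hops = []
            for hop in line.split("->"):
                u = URL_RE.search(hop)
                if not u:
                    continue
                host = hostname(u.group(1))
                hops.append(host)
                ip = re.search(IPV4, hop[u.end():])   # trailing "(IP)" or "– IP", if any
                if ip:
                    domain_ips[host].add(ip.group(0))
            chains.append(hops)
            continue
        p = PAIR_RE.match(line)               # "domain – IP" reconnaissance line
        if p:
            domain_ips[hostname(p.group(1))].add(p.group(2))
    return {"chains": chains, "domain_ips": dict(domain_ips), "hashes": hashes}


def shared_hops(chains, min_chains=2):
    """Hosts that appear in at least `min_chains` distinct chains (shared redirectors)."""
    seen = defaultdict(set)
    for i, hops in enumerate(chains):
        for h in hops:
            seen[h].add(i)
    return sorted(h for h, idx in seen.items() if len(idx) >= min_chains)


def domains_by_ip(domain_ips):
    """Invert the domain -> IPs map so co-hosted domains can be listed per IP."""
    out = defaultdict(set)
    for d, ips in domain_ips.items():
        for ip in ips:
            out[ip].add(d)
    return {ip: sorted(ds) for ip, ds in out.items()}


def fast_flux_score(ips, bits=16):
    """Number of distinct /bits prefixes among a domain's resolutions; many unrelated
    prefixes for one name is the usual fast-flux signature."""
    return len({ipaddress.ip_network(f"{ip}/{bits}", strict=False) for ip in ips})


IOCS = parse_iocs(SAMPLE)

if __name__ == "__main__":
    print("shared redirectors:", shared_hops(IOCS["chains"]))
    for ip, ds in sorted(domains_by_ip(IOCS["domain_ips"]).items()):
        if len(ds) > 1:
            print(f"{ip} hosts {ds}")
    print("fast-flux candidate:", fast_flux_score(FLUX_IPS) >= 5)   # threshold is an assumption
```

Running it lists merdekapalace.com and shivammehta.com as hops common to both chains, groups jolygoestobeinvester.ru and ypawhygrawhorsemto.ru under 78.108.93.186, and scores the fast-fluxed domain at seven distinct /16 prefixes.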

Webroot SecureAnywhere users are proactively protected from these threats.


Can Security Survive in an Increasingly Insecure World?


2013 was not a good year in terms of cyber security. Despite companies spending an increasingly significant percent of revenue on security technology – systems designed to thwart, detect and prevent hackers from gaining access to their networks and sensitive data – attacks continue to succeed.

Recently, the trend has shifted to attacking point of sale (POS) systems. While Target is the largest example, similar attacks have occurred in industries ranging from department stores to hospitals to hotel chains – basically anywhere large-scale financial transactions take place. The focus on POS systems doesn’t come as a surprise: cybercriminals have always been after money. What is surprising, however, is how long it takes for those attacked to realize they’ve been compromised – and that’s what I’ll discuss in this blog.

I’ve chosen to use Target as an example for two reasons. First, the size and sophistication of the compromise is interesting and ideal for analysis; second, Target’s experience is very typical of other similar attacks when it comes to realizing that an attack has occurred.

So let’s start by reviewing a few facts we now know about the Target breach. While the attack began collecting credit card transaction data on November 27th, precisely timed with Black Friday to capture as much data as possible, it wasn’t discovered until December 15th – and it wasn’t Target who made the discovery, rather US law enforcement connected the dots and Target was informed. This is very concerning and, unfortunately, is very much the norm for most compromises. The 2013 Verizon Risk report found that in 62% of breaches, the attack went unnoticed for months or years!

Looking again at Target, we know when the collection of data began, but the initial compromise of their network happened nearly two weeks prior, on November 15th. Apparently, an employee of an HVAC service company fell for a phishing attack which ultimately infected his computer with a password stealing trojan. Target used this company to assess their power and AC consumption and had provided a few of its employees with credentials to access their network. Once the employee with the infected PC connected to Target’s network, his credentials were stolen and later used in the attack. The big lesson here is that you are only as secure as those you trust with access to your network. In this case, a few clicks by an unsuspecting HVAC employee led to one of the largest credit card data breaches on record.

So how could all this have happened, especially to the #2 US retailer? Why was Target unable to detect the initial compromise of their network, and then unable to identify the attack once it was underway?

To answer these questions, we first need to understand the Data Security Standards (DSS) provided by the Payment Card Industry (PCI) Security Standards Council, more commonly known as PCI DSS 3.0. These standards, with which Target was certified as compliant (though details of the attack show they were clearly not followed), detail 12 specific requirements to protect cardholder data, build and maintain secure networks and systems, maintain a vulnerability management program, implement strong access control measures, regularly monitor and test networks, and provide an information security policy. The document is very comprehensive, and PCI DSS 3.0 does a good job of providing a framework to protect against compromise – but compromises still occur.

Some might say that PCI DSS 3.0 is to blame, and that its recommendations are not sufficient to defend against today’s sophisticated attacks – and they might be right – but I think the problem goes beyond that. While I cannot say which specific vendor security solutions were in use at Target, I know they were in place because it is required to be PCI DSS 3.0 compliant. PCI DSS 3.0 does not tell you which vendors to use, just that you must use software to protect systems from malware, or similarly, a firewall to protect your network. Herein lies the real issue – not all vendor security solutions provide the same capability or level of functionality. When considering the fact that most attacks go unnoticed for months if not longer, it seems the focus should be on technology and processes designed to frequently confirm the integrity of all involved systems. This is actually spelled out in PCI DSS 3.0 under sections 10 and 11, but the trouble is that the burden of awareness falls back on the security solution in place. And unfortunately, many endpoint solutions today are not capable of reacting to a missed infection.

So back to my original questions – how could this have happened and why did it take so long to detect?

The answer is twofold. First, Target failed to strictly follow PCI DSS 3.0 standards, especially with respect to tracking and monitoring all access to network resources and systems – and they are not alone. This is one of the more challenging standards to follow, especially for larger retailers with hundreds if not thousands of locations. But the blame isn’t solely on PCI DSS 3.0 or retailers who attempt to apply its standards. The second factor is the underlying technology which is trusted and relied upon by retailers. This is a more complex issue. Retailers lack information about the metrics which matter in defending against complex and targeted attacks. Upfront detection rates are meaningless, as malware for these attacks is always custom built and specific to the targeted environment. With this fact in mind, what becomes much more important is understanding a solution’s ability to react to a missed threat – the reaction time from first observation to identification and notification.

The attack on Target, and analysis from hundreds of other compromises, exposes a real weakness in awareness. Companies spend millions on security technology, trusting their investment will prevent a compromise, but the majority of today’s solutions are unable to provide what is needed – the ability to react to something new, something never encountered before.

Webroot is a pioneer in this space, and the SecureAnywhere line of products was designed around improving awareness and being able to rapidly identify and instantly protect against emerging and targeted threats. This is accomplished within the Webroot Intelligence Network by focusing on what our users encounter. This approach ensures we have the necessary visibility to identify even the most targeted of attacks, and applies to our endpoint, mobile and Web solutions. For more information, feel free to shoot me an email at gmilbourne@webroot.com or visit our website at http://www.webroot.com/.


Deceptive ads expose users to PUA.InstallBrain/PC Performer PUA (Potentially Unwanted Application)


Deceptive ads continue to represent the primary distribution vector for the vast majority of Potentially Unwanted Applications (PUAs) that we track. Primarily relying on ‘visual social engineering’ tactics, gullible end users fall victim to these privacy-violating applications, largely because they instantly agree to the terms in the End User Agreement presented to them.

We’ve recently spotted yet another variant of the InstallBrain family of Potentially Unwanted Applications (PUAs), tricking users into installing a bogus PC performance boosting application. Let’s assess this campaign and provide actionable intelligence on the domains/IPs and related privacy-violating MD5s known to have shared the same infrastructure as the initial PUA profiled in this post.

More details:

Sample screenshot of the landing page:

[image: PC Performer landing page]

Sample detection rate for PurpleTech Software Inc’s PC Performer:
MD5: f85a9d94027c2d44f33c153b22a86473 – detected by 10 out of 50 antivirus scanners as PUA.InstallBrain!

Once executed, the sample phones back to:
hxxp://inststats-1582571262.us-east-1.elb.amazonaws.com – 23.21.180.138
hxxp://api.ibario.com – 50.22.175.81
hxxp://107.20.142.228/service/stats.php?sv=1
hxxp://174.36.241.169/events

Domain name reconnaissance:
api.ibario.com – 50.22.175.81; 96.45.82.133; 96.45.82.197; 96.45.82.69; 96.45.82.5
thepcperformer.com – 96.45.82.5; 96.45.82.69; 96.45.82.133; 96.45.82.197

[image: additional PC Performer screenshot]

Certificate Serial Number: 043990240F90A4

Known to have responded to the same C&C server (23.21.180.138) are also the following MD5s:
MD5: b800f82c629071204f3b6269d1e0035f
MD5: f52f3aaa4a2110703fb07a116b776500
MD5: 8447db94f58e177f639947498a57d4c5
MD5: 696e77da62c46b21569f44029b32d5e4
MD5: a05d4b59b78754343ea44e10cd8f033c
MD5: d9519e08fce5e4676a18ab8d967e5637
MD5: b2cd692bb0850a9c90686d6268b515fb

Known to have phoned back to the same IP (50.22.175.81) are also the following MD5s:
MD5: 929e73980f38e888cd8a6fc8bf47ec27
MD5: 7995c42bb868b2bcf8ba5741a1cb108d
MD5: f9a72d16d8cb4490b3bed9e2559b96da
MD5: 34bfa81f4aee300f64a42e3ff310139f
MD5: 28644086db2b113585e9ed4105913f28
MD5: 414da62a25283c6c970eb9e37d708297
MD5: 790e98e29fa4170a9fe1de7d2379212a
MD5: cf5891ce42879fb3576c2c93513f8ae4
MD5: bd4607cef78cb092752889ea6597dc15
MD5: 0aa60ccb65c57ef4766b653680641c15
MD5: 56ae3dfd1ae0ecfaa439d4e9e87212d1
MD5: fe0aa2dc1038b249da0fd84aa6ab90b6
MD5: 7644a2d6b142417bbc4b7dca8549f408

Webroot SecureAnywhere users are proactively protected from these threats.


Solving the mystery of incident response


The threat landscape today is very different from a few years ago. With an increasing number of creative threat vectors through which to launch an attack, it has never been more challenging to secure our data and devices in all the ways we connect. In today’s hyper-dynamic landscape, well over 8 million malware variants are discovered each month. The majority are financially motivated, very low in volume and very sophisticated. On the mobile front, cybercriminals have shown a clear focus on compromising devices, as evidenced by an explosion in the discovery of malicious mobile apps and websites. Also on the rise are attacks orchestrated by organized cybercrime rings which are now focused on large retail establishments, department stores and hotel chains. And of course, there is the ever-persistent battle of state vs. state cyber espionage, with hacktivists vying for influence. With such a complex and diverse threat landscape, complicated by a variety of device types and platforms, providing security has only become more challenging.

Companies today struggle to digest the data created by various security solutions, as they all act independently from one another. For example, the network firewall doesn’t communicate or share data with the endpoint security software. As companies add on layers of protection, they are presented with additional feeds of data which, again, are all independent. This has led to solutions such as Security Information & Event Management (SIEM) systems, which aim to correlate data from various independent data feeds. The problem, however, is that the sources of data remain independent and unaware of each other. Additionally, data is only correlated within a single environment, unaware of other corporations and their encounters with security events. Ultimately, this leads to time wasted on data collection and correlation when it could be spent on incident response and remediation.

To deal with today’s threats you need the ability to transform data feeds into actionable intelligence. To succeed, you must have the ability to provide context and to show interconnectivity at a granular level, whether it be for internet security, endpoints, or mobile devices – and to do so on a large scale by correlating data from millions of sources across consumer and corporate environments alike. Data does not equal intelligence, and without a way to bring it all together, to break it down and understand it, responding to the threats at hand becomes all the more challenging. Intelligence is making sense of data and working with the results to respond, remediate, and to protect against future attack.

BrightCloud Security Services provide the necessary context, detail and interconnectedness needed to transform data into actionable intelligence.


Managed Web-based 300 GB/s capable DNS amplification enabled malware bot spotted in the wild


Opportunistic cybercriminals continue ‘innovating’ through the systematic release of DIY (do-it-yourself), Web-based, botnet/malware generating tools, seeking to monetize their coding ‘know-how’ and overall understanding of abusive/fraudulent/malicious TTPs (tactics, techniques and procedures) – all for the purpose of achieving a positive ROI with each new release.

We’ve recently spotted a newly released, Web-based DNS amplification enabled DDoS bot, and not only managed to connect it to what was once an active DDoS attack, but also, to the abuse of a publicly accessible open DNS resolver which has been set up for research purposes. Let’s discuss some of its features and take a peek at the bot’s Web-based command and control interface.

More details:

Sample screenshots of the administration panel of the Web-based DNS amplification DDoS enabled malware bot:

[images: administration panel screenshots]

Just like we’ve seen with previous cybercrime-friendly releases, cybercriminals continue to stick to proven risk-forwarding tactics, pitching releases ‘for educational purposes only’, with the idea that they are to be used solely as tools for stress testing scenarios.

Written in C, the bot relies on its own obfuscation and packing algorithm. Packed, the binary’s size is approximately 30 KB. In addition to the active use of a Hardware ID licensing system, the bot’s C&C communications are also encrypted by default. It includes a built-in DNS scanner for finding misconfigured DNS servers, to be used in high-bandwidth DNS amplification DDoS attacks of the kind utilized by a number of threat actors. Priced at $2,500, the vendor is also applying an additional OPSEC vector to the proposition, offering the option to host the actual archive, encrypted, on a server of the customer’s choice, with the passphrase communicated in a secure fashion. It also offers a cybercrime-friendly bulletproof hosting option for the bot’s C&C. Among the value-added features offered by the vendor is access to a pre-configured VPN server to be used exclusively when accessing the bot’s interface.

What’s particularly interesting about this bot is the fact that the vendor’s demo included a live demonstration of the abuse of a publicly accessible open DNS resolver, set up for research purposes. In combination with both the built-in misconfigured-DNS scanner and a high-powered managed/rented bulletproof server, as well as the active abuse of data obtained from publicly available sources, we’re positive that the bot is poised to quickly gain market share.
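The bot above monetizes open (recursive-to-anyone) resolvers, and the research resolver in the vendor’s demo was abused precisely because it answered the world. From the resolver operator’s side, the signal is plain in the query log: external clients sending repeated ANY or TXT queries and drawing responses many times larger than the queries. The following detection is an added example, not code from the post or from the bot it describes; the log records are constructed (RFC 5737 addresses, RFC 2606 names), the byte sizes are illustrative, the ALLOWED networks and the ratio threshold of 10 are assumptions.

```python
"""Resolver-side detection of DNS amplification abuse over constructed query-log records.
Added example; not code from the post or from the bot it describes."""
import ipaddress
from collections import defaultdict

# Constructed resolver log (not from the post):
# (client_ip, qname, qtype, query_bytes, response_bytes)
LOG = [
    ("10.0.0.5", "example.com", "A", 40, 56),
    ("10.0.0.5", "example.org", "AAAA", 42, 70),
    ("10.0.0.5", "example.com", "MX", 40, 120),
    ("203.0.113.7", "example.net", "ANY", 50, 3000),
    ("203.0.113.7", "example.net", "ANY", 50, 3000),
    ("203.0.113.7", "example.net", "ANY", 50, 3000),
    ("203.0.113.7", "example.net", "ANY", 50, 3000),
    ("203.0.113.7", "example.net", "ANY", 50, 3000),
    ("198.51.100.9", "example.com", "TXT", 44, 600),
]

# Networks this resolver is meant to recurse for (assumption for the example).
ALLOWED = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]


def is_allowed(client_ip, allowed=ALLOWED):
    """True if the client falls inside one of the networks recursion is intended for."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in allowed)


def open_resolver_clients(log, allowed=ALLOWED):
    """External clients that were answered at all: each one is evidence the resolver is open,
    i.e. the misconfiguration the bot's scanner looks for."""
    return sorted({rec[0] for rec in log if not is_allowed(rec[0], allowed)},
                  key=ipaddress.ip_address)


def amplification_report(log, allowed=ALLOWED, ratio_threshold=10.0, min_queries=3):
    """Per-client amplification statistics.  A client is flagged when it is outside the
    allowed networks, sent at least `min_queries` queries and drew responses on average
    `ratio_threshold` times larger than its queries: the signature of this resolver being
    used as a reflector against a spoofed victim address."""
    stats = defaultdict(lambda: {"queries": 0, "query_bytes": 0,
                                 "response_bytes": 0, "any_queries": 0})
    for client, _qname, qtype, qbytes, rbytes in log:
        s = stats[client]
        s["queries"] += 1
        s["query_bytes"] += qbytes
        s["response_bytes"] += rbytes
        if qtype.upper() == "ANY":
            s["any_queries"] += 1
    report = {}
    for client, s in stats.items():
        ratio = s["response_bytes"] / s["query_bytes"]
        external = not is_allowed(client, allowed)
        report[client] = {
            **s,
            "ratio": ratio,
            "external": external,
            "flag": external and s["queries"] >= min_queries and ratio >= ratio_threshold,
        }
    return report


if __name__ == "__main__":
    print("external clients answered (resolver is open):", open_resolver_clients(LOG))
    for client, r in amplification_report(LOG).items():
        if r["flag"]:
            print(f"{client}: {r['queries']} queries, {r['any_queries']} ANY, "
                  f"amplification x{r['ratio']:.1f}")
```

Two distinct findings come out of the same log: any external client answered at all means recursion is not restricted (the fix is an ACL on recursion, plus rate limiting), while the flagged client shows the resolver is already being used as a reflector, with the spoofed victim being whoever owns 203.0.113.7.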

As always, we’ll continue monitoring the development of the tool.


Commercial Windows-based compromised Web shells management application spotted in the wild – part two


Sticking to good old fashioned TTPs (tactics, techniques and procedures), cybercriminals continue mixing purely malicious infrastructures with legitimate ones, for the purpose of abusing the clean IP reputations of networks, on their way to achieving positive ROI (return on investment) for their fraudulent activities. For years, this mix of infrastructures has led to the emergence of the ‘malicious economies of scale’ concept, in terms of efficient abuse of legitimate Web properties, next to the intersection of cybercriminal online activity and cyber warfare.

In a series of blog posts, we’ve been emphasizing the level of automation and QA (Quality Assurance) applied by vendors of cybercrime-friendly tools and services, compromised/hacked Web shells in particular. Largely utilized for the hosting of fraudulent/malicious content, in addition to acting as stepping stones that provide a cybercriminal with the necessary degree of anonymity when launching campaigns, the concept continues to represent an inseparable part of the cybercrime ecosystem, due to the evergreen public/OTC (over-the-counter) marketplace for high page-ranked Web shells.

We’ve recently spotted a newly released commercial Windows-based compromised/hacked Web shells management application that empowers potential cybercriminals with the necessary capabilities to maintain and manage their portfolio of Web shells. Let’s take a peek at the application, and discuss some of its features.

More details:

Sample screenshots of the Windows based compromised/hacked Web shells management application:

[images: Web shells management application screenshots]

Some of its core features include:
- Web shell validation
- Signatures-based detection/removal of competing shells
- Domains count on a per compromised/hacked Web shell basis for the purpose of monetizing the data by selling it to prospective buyers
- Removal/modification of .htaccess

Priced at $100, the application’s key differentiating factor is the ability to detect and remove competing shells through a signatures-based process. This once again puts the spotlight on the ‘Tragedy of the Commons’ theory, in the broader context of today’s over-populated underground marketplace, and the flawed notion, held by specific vendors, that the more cybercriminals join the ecosystem, the less revenue will flow back their way. Thanks to the evergreen market segment for hacked/compromised Web shell accounting data, as well as the systematic remote exploitation of vulnerable Web applications/CMS (content management systems), cybercriminals remain in a perfect position to continue monetizing these TTPs for the purpose of launching fraudulent/malicious campaigns.

We’ll continue monitoring the development of the tool.


Multiple spamvertised bogus online casino themed campaigns intercepted in the wild


Regular readers of Webroot’s Threat Blog are familiar with our series of posts detailing the proliferation of social engineering driven, privacy-violating campaigns serving W32/Casino variants. Relying on affiliate based revenue sharing schemes and spamvertised campaigns as the primary distribution vectors, the rogue operators behind them continue tricking tens of thousands of gullible users into installing the malicious applications.

We’ve recently intercepted a series of spamvertised campaigns distributing W32/Casino variants. Let’s profile the campaigns, provide actionable intelligence on the rogue domains involved in the campaigns, as well as related MD5s known to have interacted with the same rogue infrastructure.

More details:

Sample screenshots of the landing pages for the rogue casinos: [images]

Spamvertised URLs:
hxxp://bit.ly/1brCoxg
hxxp://bit.ly/1bQRudq
hxxp://bit.ly/1mLQr5I
hxxp://bit.ly/MCOyaL
hxxp://bit.ly/1ec3UMN
hxxp://bit.ly/1hN6Vbd
hxxp://bit.ly/1mQ3XFu
hxxp://bit.ly/17DJ4pZ
hxxp://bit.ly/1ec2JNa
hxxp://bit.ly/1fBY6d5

W32/Casino PUA domain reconnaissance:
hxxp://rubyfortune.com – 78.24.211.177
hxxp://grandparkerpromo.com – 95.215.61.160
hxxp://kingneptunescasino1.com – 67.211.111.169
hxxp://riverbelle1.com – 193.169.206.233
hxxp://europacasino.com – 87.252.217.13
hxxp://vegaspartnerlounge.com – 66.212.242.136

Sample detection rates for the W32/Casino PUA:
MD5: b80db6ec0e6c968499ce01232fbfdc5c – detected by 3 out of 50 antivirus scanners as W32/Casino.P.gen!Eldorado
MD5: 8326886267203e07145f63adf2e8f0a1 – detected by 3 out of 50 antivirus scanners as Heuristic.BehavesLike.Win32.Suspicious-DTR.S
MD5: a2a545adf4498e409f7971f326333333 – detected by 3 out of 50 antivirus scanners as W32/Casino.P.gen!Eldorado
MD5: 1cd6db7edbbc07d1c68968f584c0ac82 – detected by 3 out of 49 antivirus scanners as W32/Casino.P.gen!Eldorado

Once executed, the sample phones back to:
clatz.fileslldl.eu – 87.248.203.254

Known to have been downloaded from the same IP (87.248.203.254) are also the following W32/Casonline variants:
MD5: 06c6b0381cde4720a5204ac38a5f22b9
MD5: 1022bef242c7361866f7af512ec893e0
MD5: c1a6055f5d240d3681febc6bd77701eb
MD5: e5fd6aa437b3520f35337d2dd7139f9a
MD5: 6f6713077249800818f26b7469eaf175
MD5: 6ebdf6f7187effe7b52463cf7241297a
MD5: 6ed118798a19a5dbf63a9279f33e0542
MD5: 6b651437a4553b91139178a930247035
MD5: e1beeae4d07942c7fca6eea945c9bdcd
MD5: 6ab968f86300ca677e9700f7c2dee8be
MD5: 6a872111b70e401cf083a7d27b45a74e
MD5: f85fa2bb2dff0333650db371e323e962

Webroot SecureAnywhere users are proactively protected from these threats.



SXSW Apps Exposed Panel Re-cap (#MobileRisk)


Security and privacy were hot topics at this year’s SXSW Interactive festival, and deservedly so. While at the event in Austin, I had the pleasure of participating on a panel discussing malicious mobile apps, mobile device security and user privacy. With me on the panel were Alan Murray, Senior VP of Products at Apperian, and Erich Stuntebeck, Director of Mobile Security at AirWatch. Fahmida Rashid, Analyst for PC Mag, moderated the event.

Questions initially focused on malicious app behaviors such as accessing private user data, SMS history and GPS tracking, as well as spyphone apps, rooting apps and the increased focus on exploiting mobile devices. All panelists agreed that obtaining apps from either Google Play or Apple’s App Store is the safest way to go, but that there is still risk involved in using any app – especially those which interact with sensitive information.

A great case in point is the recent WhatsApp security oversight, detailed in this blog post. Basically, another installed app could easily offload and decrypt saved SMS history while needing only two permissions, internet access and access to the SD card – both very common to the vast majority of apps. This is especially concerning considering WhatsApp has over 450 million users, many of whom install apps from 3rd party sources. It also further demonstrates that security is not being prioritized during the app development process. While WhatsApp was using encryption to protect saved SMS history, the use and public availability of a decryption tool made their encryption irrelevant.

Questions also focused on security differences between iOS and Android. There is a widespread belief that iOS is more secure; however, the discovery of the SSL ‘gotofail’ vulnerability has definitely shaken things up. Last year Android suffered a similarly critical flaw, known as ‘Master Key,’ which enabled an installed app to replace the code of an existing app and piggyback on its permissions. Neither of these discoveries will be the last of its type, and both are good examples of how difficult it is to design secure systems – even when that is a top priority. Apple does have an advantage with iOS, as they manufacture all iOS devices. When a security patch is released, they can quickly update all iPhones and iPads. Google’s Android is in an entirely different boat. While Google does make devices which support Android, they are one of dozens. This has created an uneven landscape where millions of devices are using older, more vulnerable versions of Android which contain many known, and since fixed, vulnerabilities. The trouble is, these users lack an easy way to upgrade to the latest and most secure version.

During the course of the panel’s discussion, a few key themes emerged. One is that app developers play a big role in user privacy. They have the ability and technology to handle private data securely – but doing so hasn’t been a priority or focus. The other is that users should not be overly burdened with the responsibility of keeping their private data secure. Encrypting data shouldn’t be a user decision; it should happen, by default, through the application. Authentication is another area in need of improvement. Four-digit PINs and swipe screens are not sufficient. The panel was optimistic that future biometrics technology will greatly improve authentication and provide a seamless experience without the burden of passwords.

In all, it was a great event and there is a lot of interest in improving data security and privacy on our mobile devices. Continued discussions like this are essential to the advancement of new technology and the mobile security space is ripe for improvements.

The post SXSW Apps Exposed Panel Re-cap (#MobileRisk) appeared first on Webroot Threat Blog.

5M+ harvested Russian mobile numbers service exposes fraudulent infrastructure

Cybercriminals continue adapting to the exponential penetration of mobile devices through the systematic release of DIY (do-it-yourself) mobile number harvesting tools, successfully setting up the foundations for commercial managed/on demand mobile phone number harvesting services, ultimately leading to an influx of mobile malware/spam campaigns. In addition to boutique based DIY operations, sophisticated, ‘innovation’ and market development-oriented cybercriminals are actively working on the development of commercially available Android-based botnet generating tools, further fueling growth into the market segment.

In a series of blog posts, we’ve been profiling multiple cybercrime-friendly services/malicious Android-based underground market releases, further highlighting the professionalization of the market segment in terms of sophistication and QA (Quality Assurance).

We’ve recently spotted a service offering 5M+ harvested and segmented Russian mobile phone numbers on a per business status/gender/driving license basis. What’s particularly interesting about this service is the fact that it exposes a long-run fraudulent Win32:SMSSend serving infrastructure (SEVAHOST-AS Seva-Host Ltd (AS49313)), segmented harvested mobile phone numbers of Sochi citizens, a fake (paid) medical leave/absence service targeting Sochi citizens, and a portfolio of rogue mobile apps leading to the exposure of a mobile botnet, surprisingly relying on an identical hardware/bot ID.

More details:

Sample screenshot of the 5M+ harvested mobile phone numbers service:

Mobile_Malware_SMS_Spam_Fraud_Cybercrime_Harvested_Mobile_Phone_Numbers

The service’s main URL responds to 91.228.155.210.

Parked on the same IP (91.228.155.210) are also the following fraudulent/cybercrime-friendly domains:
hxxp://instagramm-registration.ru

Related rogue game MD5s known to have been (historically) hosted at the same IP (91.228.155.210):
MD5: 68c1c11d86bc272e9a975400e2991e41
MD5: 3ccf8cfc88d7228e8e4345d389ce56ef
MD5: 6bf0482a0bd8fcf19a88e7a03abd69ef
MD5: 232c501fec973e8923143e41b520f698
MD5: 5601f871f3f1873c1da971358799f088
MD5: 94abca6d4ec24fdbe1ec74f40b4a77cd
MD5: 126bc6cb8e58c7859768d9390c726774
MD5: 966e3bbd0f77463403bb200454544cd4

The following malicious MD5s are also known to have phoned back to the same IP (91.228.155.210):
MD5: 6e6a09ec8235705f314ed2fae8fab01a
MD5: 676dc0a061886bf537e01ddceb6c9230

Mobile_Malware_SMS_Spam_Fraud_Cybercrime_Harvested_Mobile_Phone_Numbers__

The existence of the secondary services (segmented mobile phone numbers belonging to Sochi citizens/paid medical leave services), parked on the same IP as the original 5M+ harvested mobile phone numbers offering service, is a decent example of market segmentation in the context of an event-based type of underground market offering targeting the Sochi Olympics. Not surprisingly, cybercriminals have already taken advantage of this segment, and in a true fraudulent/malicious nature, have launched social engineering driven Android-based malware serving SMS spam campaigns (MD5: 361e92c344294d8b4fce0c302f61716a).

Mobile_Malware_SMS_Spam_Fraud_Cybercrime_Harvested_Mobile_Phone_Numbers__01

Sample screenshot of the fraudulent Instagram site parked on the same IP (91.228.155.210):

Mobile_Malware_SMS_Spam_Fraud_Cybercrime_Harvested_Mobile_Phone_Numbers_01

Redirection chain for the rogue Instagram app site:
hxxp://instagramm-registration.ru/ -> hxxp://domainusers.biz/?page=lending&type=soft&size=1&ext=rar&link=http://tds-link-asg.biz/?tds=1275&page=search&parent=similar&key=Instagram_registration_(soft).zip&key=programma_instagram_register_PC ->
hxxps://www.tcsbank.ru/credit/form/cash/?utm_source=troywell_apr_cc&utm_medium=aft.apr&utm_content=network&utm_campaign=creditcard&wm=1otx&sid=701411425&prx=701411425

Redirectors domain name reconnaissance:
domainusers.biz – 91.202.63.117
tds-link-asg.biz – 91.202.63.119

Mobile_Malware_SMS_Spam_Fraud_Cybercrime_Harvested_Mobile_Phone_Numbers_02

Name server reconnaissance for the redirectors:
NS11.LIMONBUCKS.COM – 91.217.85.34 – Email: sevacash@gmail.com – SEVAHOST-AS Seva-Host Ltd (AS49313)
NS12.LIMONBUCKS.COM – 91.217.85.37 – Email: sevacash@gmail.com

Name servers reconnaissance of the rogue/fraudulent mobile apps serving rogue affiliate network operating the redirectors:
ns1.sevadns.com – 91.217.85.35 – hxxp://sevadns.com -> hxxp://seva-hosting.com (91.217.85.35)
ns1.sevadns.com – 91.217.85.36

A peek inside sample statistics from the rogue mobile apps serving affiliate network:

Mobile_Malware_SMS_Spam_Fraud_Cybercrime_Harvested_Mobile_Phone_Numbers_04

Known to have phoned back to (91.202.63.119; tds-link-asg.biz) is also the following malicious MD5: bf0074d6e2745925ec8ef3225a2052e1
Known C&C – hxxp://91.202.63.119/showthread.php?j6m=452416&nmhn=401c4ab9717ac07af8449176f3b07cfb&o=8,f4aacf34b635ccbe03dcc87bc52e7c49
Responding to the same IP is also the Web site of the mobile traffic/rogue apps serving affiliate network.

Known C&C domain responding to the same IP: majdong.ru (91.202.63.119)

Related DNS requests performed by the sample (MD5: bf0074d6e2745925ec8ef3225a2052e1):
edreke.ru
edreke.ru.ovh.net

Name servers reconnaissance:
Name server: ns1.zippro.ru – 37.221.164.2
Name server: ns2.zippro.ru – 37.221.164.3

Mobile_Malware_SMS_Spam_Fraud_Cybercrime_Harvested_Mobile_Phone_Numbers_03

Known to have phoned back to the same C&C server majdong.ru (91.202.63.119) are also the following malicious MD5s:
MD5: 9a05f7572ff50115fb22a4b3841ab137
MD5: 00adadb8e8a1d73c444134f2d1c1fba0
MD5: 651397e89d4b5687d1c8ce4834dc4234
MD5: bf0074d6e2745925ec8ef3225a2052e1

Known to have been downloaded from the same IP (ns1.zippro.ru – 37.221.164.2) are also the following malicious MD5s:
MD5: b58b0539818762becd4f5051a3c81b46
MD5: a385f6362f5ceb69db4c03ed324dfc34

Known to have phoned back to (ns1.zippro.ru – 37.221.164.2) are also the following malicious MD5s:
MD5: c6e5c1508ace1dfed450f8f69b11f1e6
MD5: f5399127b908f5a3ad994ca0e681cb26
MD5: aad3f6de5ae8c595797c55716a83adde

Known to have been downloaded from the same IP (ns2.zippro.ru – 37.221.164.3) are also the following malicious MD5s:
MD5: 522c729109ba4a51b5f361d33b5b3edb
MD5: 243934ec2546c54c1cb6d9309896a035
MD5: 578d5a1f5b968d01e553f7c94e12b235
MD5: b7baa6ccf6d9242b7e5d599830fa12b1

Known to have phoned back to (ns2.zippro.ru – 37.221.164.3) are also the following malicious MD5s:
MD5: ac3477ad87db7cfe4373cb2135eb1387
MD5: be49f224212ac9e05ae6b67b299350f2
MD5: a6f82de33bf03e8cb197cbc426942dca
MD5: 3204e633b6892171830004aedc5b6907
MD5: e31e8f4805768c326e28c68a6f406acc
MD5: d9920001704950e4f4c18d6e2ec30aae
MD5: 132cec7617f656db385d7acf31cd3393
MD5: be49f224212ac9e05ae6b67b299350f2
MD5: a6f82de33bf03e8cb197cbc426942dca
MD5: 93dfb678ecd06d27e59f96f2f30a52d5

Based on our analysis, we were able to successfully identify an identical pseudo-random hardware ID/bot ID, that we were also able to connect to related W32.SMSSend campaigns, further confirming that cybercriminals continue to actively multi-task in 2014.

Related W32.SMSSend hardware ID/bot ID campaigns using the same pseudo-random ID: 401c4ab9717ac07af8449176f3b07cfb

Sample fraudulent W32.SMSSend MD5s relying on the same pseudo-random ID known to have phoned back to 64.120.227.154/185.15.209.17:
MD5: ac3477ad87db7cfe4373cb2135eb1387
MD5: be49f224212ac9e05ae6b67b299350f2
MD5: a6f82de33bf03e8cb197cbc426942dca
MD5: 93dfb678ecd06d27e59f96f2f30a52d5
MD5: 3204e633b6892171830004aedc5b6907
MD5: e31e8f4805768c326e28c68a6f406acc
MD5: d6e06c98db7a0d38440d300accf8c730
MD5: d74528f426054fdcaca65a7e25b0d8dd
MD5: d1aa5e38fabe1811dfa113c6185c665e
MD5: 97141a85483998dff7e4aa04ce39b4f3
MD5: c6f2f67ddb2da9cebd9a669d964df6a7
MD5: 405b25f0834ad6c50ddfa203ac3112b4
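The hash lists above (and the other MD5 lists in this post) are what a responder actually works with, and they contain repeats across sections, e.g. the ns2.zippro.ru phone-home list repeats two entries. The following is an added example, not code from the original post, of how a defender would turn such a pasted list into a deduplicated IoC set and sweep a file tree against it. The sample text is the page’s own ns2.zippro.ru list pasted verbatim (plus the bot ID line, to show it is not picked up as a hash); the in-memory `match_blobs` helper and `sweep_directory` are the example’s own names.

```python
import hashlib
import os
import re

# Only lines written as "MD5: <32 hex>" are taken, so a 32-hex token used for
# something else in the write-up (the campaign's pseudo-random bot ID, for
# example) is not mistaken for a file hash.
MD5_LINE_RE = re.compile(r'^\s*MD5:\s*([0-9a-fA-F]{32})\b', re.MULTILINE)


def parse_ioc_text(text):
    """Return (unique_hashes, duplicates) for a pasted block of 'MD5: ...' lines.

    IoC lists like the ones in this post repeat entries across sections, so the
    duplicates are reported instead of being silently collapsed.
    """
    unique, duplicates = set(), []
    for match in MD5_LINE_RE.finditer(text):
        h = match.group(1).lower()
        if h in unique:
            duplicates.append(h)
        else:
            unique.add(h)
    return unique, duplicates


def md5_hex(data):
    """MD5 of an in-memory blob (MD5 only because the published IoCs are MD5s)."""
    return hashlib.md5(data).hexdigest()


def match_blobs(blobs, iocs):
    """Map name -> hash for every in-memory blob whose MD5 is in the IoC set."""
    hits = {}
    for name, data in blobs.items():
        h = md5_hex(data)
        if h in iocs:
            hits[name] = h
    return hits


def sweep_directory(root, iocs):
    """Walk a directory tree, hashing files in chunks, and return {path: hash} hits."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            digest = hashlib.md5()
            try:
                with open(path, "rb") as fh:
                    for chunk in iter(lambda: fh.read(1 << 20), b""):
                        digest.update(chunk)
            except OSError:
                continue  # unreadable or vanished file: skip it, don't abort the sweep
            if digest.hexdigest() in iocs:
                hits[path] = digest.hexdigest()
    return hits


# Constructed sample input: the ns2.zippro.ru phone-home list from this post, pasted
# verbatim, followed by the bot ID line that must NOT be parsed as a file hash.
SAMPLE_IOC_TEXT = """\
Known to have phoned back to (ns2.zippro.ru – 37.221.164.3) are also the following malicious MD5s:
MD5: ac3477ad87db7cfe4373cb2135eb1387
MD5: be49f224212ac9e05ae6b67b299350f2
MD5: a6f82de33bf03e8cb197cbc426942dca
MD5: 3204e633b6892171830004aedc5b6907
MD5: e31e8f4805768c326e28c68a6f406acc
MD5: d9920001704950e4f4c18d6e2ec30aae
MD5: 132cec7617f656db385d7acf31cd3393
MD5: be49f224212ac9e05ae6b67b299350f2
MD5: a6f82de33bf03e8cb197cbc426942dca
MD5: 93dfb678ecd06d27e59f96f2f30a52d5
Related W32.SMSSend hardware ID/bot ID campaigns using the same pseudo-random ID: 401c4ab9717ac07af8449176f3b07cfb
"""

if __name__ == "__main__":
    import sys
    iocs, dups = parse_ioc_text(SAMPLE_IOC_TEXT)
    print(f"{len(iocs)} unique hashes, {len(dups)} duplicate lines")
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, h in sweep_directory(root, iocs).items():
        print("HIT", h, path)
```

Hash matching of this kind only catches the exact samples listed; a repacked build of the same app gets a new MD5, which is why the network indicators (C&C domains and IPs) in this post are the more durable detection signal.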

Webroot SecureAnywhere users are proactively protected from these threats.

The post 5M+ harvested Russian mobile numbers service exposes fraudulent infrastructure appeared first on Webroot Threat Blog.

#SXSW 2014 and the future of digital security

Security and privacy were hot topics at this year’s SXSW Interactive festival, and deservingly so. While at the event in Austin, Grayson Milbourne had the pleasure of participating on a panel discussing malicious mobile apps, mobile device security and user privacy. This is a recap of his time on the panel and his thoughts of mobile security going forward.

You can read the blog here: http://www.webroot.com/blog/2014/03/14/sxsw-apps-exposed-panel-re-cap-mobilerisk/

The post #SXSW 2014 and the future of digital security appeared first on Webroot Threat Blog.

Socks4/Socks5 enabled hosts as a service introduces affiliate network based revenue sharing scheme

Thanks to the commercial and public availability of DIY (do-it-yourself) modular malware/botnet generating tools, the diverse market segment for Web malware exploitation kits, as well as traffic acquiring/distributing cybercrime-friendly traffic exchanges, cybercriminals continue populating the cybercrime ecosystem with newly launched services offering API-enabled access to Socks4/Socks5 compromised/hacked hosts. Largely relying on the ubiquitous affiliate network revenue sharing/risk-forwarding scheme, vendors of these services, as well as products with built-in Socks4/Socks5 enabled features, continue acquiring new customers and gaining market share to further capitalize on their maliciously obtained assets.

We’ve recently spotted a newly launched affiliate network for a long-run — since 2004 — compromised/hacked hosts as a service. Let’s profile the service, discuss its key differentiation factors, and take a peek inside its Web based interface.

More details:

Sample screenshot of the Socks4/Socks5 cybercrime-friendly service:

Compromise_Hacked_PC_Hosts_Socks4_Socks5_Malware_Cybercrime_Affiliate_Network_05

Supplying fellow cybercriminals with access to compromised/hacked hosts with clean IP reputations empowers them to further commit fraudulent/malicious activities while risk-forwarding the responsibility for their actions to the hundreds of thousands of gullible and socially engineered users across the globe. The service currently has an inventory of 13,798 Socks4/Socks5 enabled hosts and is capable of supplying over 10,000 new hosts on a daily basis. The service’s vendor is ‘naturally’ implying that the hosts can be directly utilized for a variety of fraudulent and malicious TTPs (tactics, techniques and procedures). Let’s take a peek at the Web based interface for the affiliate network.

Sample screenshots of the affiliate network’s main site:

Compromise_Hacked_PC_Hosts_Socks4_Socks5_Malware_Cybercrime_Affiliate_Network Compromise_Hacked_PC_Hosts_Socks4_Socks5_Malware_Cybercrime_Affiliate_Network_01

Sample screenshots of the Web based affiliate based interface:

Compromise_Hacked_PC_Hosts_Socks4_Socks5_Malware_Cybercrime_Affiliate_Network_03

Compromise_Hacked_PC_Hosts_Socks4_Socks5_Malware_Cybercrime_Affiliate_Network_04

Socks4/Socks5 enabled hosts continue to represent a key driving force behind the growth of the cybercrime ecosystem in terms of non-attributable stepping-stone capabilities and clean IP reputation based managed services. These services further empower vendors of automatic account registration tools with the necessary foundation to continue efficiently abusing legitimate Web properties. Based on our observations, the overall supply of Socks4/Socks5 enabled hosts is also contributing to the development of a vibrant market segment, with more vendors pushing new Socks4/Socks5-specific releases that utilize this fraudulently generated infrastructure. We expect this market segment will continue flourishing with more vendors/services popping up on everyone’s radar.

We’ll continue monitoring the development of the service/market segment and post updates as soon as new developments take place.

The post Socks4/Socks5 enabled hosts as a service introduces affiliate network based revenue sharing scheme appeared first on Webroot Threat Blog.

A peek inside a modular, Tor C&C enabled, Bitcoin mining malware bot

Cybercriminals continue to maliciously ‘innovate’, further confirming the TTP (tactics, techniques and procedures) observations we made in our Cybercrime Trends – 2013 assessment back in December, 2013, namely, that the diverse cybercrime ecosystem is poised for exponential growth. By standardizing the very basics of fraudulent and malicious operations throughout the years, cybercriminals have successfully achieved a state of ‘malicious economies of scale’, a type of economically efficient model that contributes to widespread international financial and intellectual property theft. Thanks to basic cybercrime disruption concepts, such as modular DIY (do-it-yourself) commercial and publicly obtainable malware/botnet generating tools, in 2014 both sophisticated and novice cybercriminals have everything they need to reach an efficient state of fraudulent/malicious operation.

We’ve recently spotted a commercially obtainable modular, Tor C&C enabled, Bitcoin mining malware/botnet generating tool. Let’s discuss its features and key differentiation factors, and take a peek inside its Web-based command and control interface.

More details:

Sample screenshots of the modular, Tor C&C enabled, Bitcoin mining malware/botnet generating tool’s Web based interface:

Web_Tor_Malware_Botnet_Cybercrime_Modular Web_Tor_Malware_Botnet_Cybercrime_Modular_01 Web_Tor_Malware_Botnet_Cybercrime_Modular_03 Web_Tor_Malware_Botnet_Cybercrime_Modular_06 Web_Tor_Malware_Botnet_Cybercrime_Modular_07

Priced at $250 and coded in C, the malware/botnet generating tool supports all Windows versions (XP up to 8.1, on x86/x64 hosts) and possesses the cybercrime ecosystem’s standard anti-debugging features. It also encrypts the plugins (modules) with AES-128-CBC. As a related key differentiation feature, it also applies a decent degree of OPSEC (Operational Security) to the bot’s Web-based command and control interface; examples are brute-force protection for the admin panel and SQL injection protection for the Web based interface. The OPSEC features introduced by the vendor indicate decent situational awareness on the vendor’s part in terms of the industry’s response to large scale botnet infrastructures over the years.

Not surprisingly, the vendor is also Tor-aware, in the context of what we believe is a perceived value-added feature in terms of OPSEC. Compared to competing malware/botnet generating tools/platforms within the cybercrime ecosystem, this bot’s command and control domain structure is generated using a Domain Generation Algorithm (DGA) within the Tor network. While Tor can provide additional protection for domain hosting, it also has flaws. Case in point: the Sefnit botnet, whose reliance on Tor for C&C communications gave it a boost in terms of OPSEC and growth of its infected population, but ironically also introduced a potentially exploitable third-party software component, a vulnerable Tor client in this case.

Featured modules/plugins:
- DDoS bot functionality
- Form grabbing features — tested against major Web properties
- Socks5 module
- Passwords stealing module
- (Experimental) task-capable Bitcoin/Litecoin mining feature

Web_Tor_Malware_Botnet_Cybercrime_Modular_05

Despite its experimental state, the bot’s vendor is also emphasizing on the fact that the prospective cybercriminal can also take advantage of any of the commercially/publicly obtainable stealth Bitcoin mining tools, like the ones we’ve been extensively profiling in a series of blog posts.

We’ll continue monitoring this bot’s development and will post updates as soon as new developments take place.

The post A peek inside a modular, Tor C&C enabled, Bitcoin mining malware bot appeared first on Webroot Threat Blog.

Managed anti-forensics IMEI modification services fuel growth in the non-attributable TDoS market segment

Every day, cybercriminals actively take advantage of basic OPSEC (Operational Security) tactics, aiming to risk-forward their fraudulent/malicious online activity to a third party while continuously seeking to launch their malicious/fraudulent campaigns in an anonymous fashion. Having matured from what was once a largely immature market segment into today’s growing one, in terms of active implementation of OPSEC concepts, the blackhat market is prone to continue expanding, further providing malicious and fraudulent adversaries with the necessary capabilities to remain beneath the radar of law enforcement and the security industry.

In a series of blog posts we’ve published throughout 2013, we proactively highlighted the emergence of the TDoS (Telephony Denial of Service) attacks in the context of cybercriminals’ growing non-attributable capabilities to target and exploit (basic) vulnerabilities in telephone/mobile systems internationally. Largely relying on fraudulently obtained SIM cards and compromised accounting data at legitimate VoIP providers, as well as active utilization of purely malicious infrastructure, TDoS vendors constantly seek new tactics to apply to their OPSEC procedures.

Having proactively profiled the TDoS market segment throughout 2013, we’re also keeping an eye on value-added services/features, namely, the modification of a mobile device/USB dongle’s International Mobile Station Equipment Identity (IMEI), for the purpose of adding an additional layer of anonymity to the fraudulent/DoS process. Let’s profile several vendors offering IMEI modification services and discuss their relevance within the TDoS market segment.

More details:

Sample screenshots of the IMEI modification process by multiple vendors of the anonymity and non-attribution centered service:

IMEI_TDoS IMEI_TDoS_01

IMEI_TDoS_02

What’s particularly interesting about these services is the fact that they rely on automatically generated IMEI codes, which provide plausible deniability when launching malicious or fraudulent attacks. The services that we’re currently aware of rely on DIY (do-it-yourself) type valid IMEI generating applications. Priced at $450, a sampled application targets both Windows and Linux users and exclusively targets Huawei USB dongles, with the company currently possessing a 55% international market share for datacards. We expect that cybercriminals will start applying this OPSEC tactic to their fraudulently obtained SIM cards/datacards, in an attempt to add an additional layer of OPSEC to their campaigns.

We’ll continue monitoring the TDoS market segment and post updates as soon as new developments take place.

The post Managed anti-forensics IMEI modification services fuel growth in the non-attributable TDoS market segment appeared first on Webroot Threat Blog.

Commercially available database of 52M+ ccTLD zone transfer domains spotted in the wild

For years, cybercriminals have been building ‘hit lists’ of potential targets through automated and efficiency-oriented reconnaissance TTPs (tactics, techniques and procedures). The aim is to fraudulently/maliciously capitalize on these databases consisting of both corporate and government users. Seeking a positive return on their fraudulent/malicious activities, cybercriminals also actively apply basic QA (Quality Assurance) processes, standardization and the systematic release of DIY (do-it-yourself) cybercrime-friendly applications, all to further ensure a profitable outcome for their campaigns. Thanks to the active implementation of these TTPs, in 2014 the market segments for spam-ready managed services/blackhat SEO (search engine optimization) continue to flourish, with experienced vendors starting to ‘vertically integrate’ within the cybercrime ecosystem, which indicates an understanding of basic business/economic processes/theories.

We’ve recently spotted a cybercrime-friendly service that’s offering commercial access to 50M+ ccTLD zone transfer domains whose availability could lead to a widespread mass abuse. Let’s profile the service and discuss its relevance/potential for abuse in the overall threat landscape.

More details:

Sample screenshots of the commercial database of 50M+ ccTLD zone transfer domains, spotted in the wild:

Cybercrime_Spam_SQL_Injection_Zone_Transfer_Domains_Database

Cybercrime_Spam_SQL_Injection_Zone_Transfer_Domains_Database_02

Cybercrime_Spam_SQL_Injection_Zone_Transfer_Domains_Database_01

The commercially available database currently consists of 52M+ international ccTLD zone transfer domains, empowering cybercriminals with the necessary ‘touch points’ for launching dictionary attacks and active email and phone number harvesting campaigns, ultimately leading to segmented email/domain/phone databases and, in turn, to both targeted and mass Web site hacking campaigns. Next to the potential for data mining these databases, which raises the probability of launching successful APT (advanced persistent threat) type campaigns, potential cybercriminals are also perfectly positioned to exploit the mass reconnaissance process for the purpose of embedding malicious scripts/Web shells/anonymity based gateways through basic Web server/CMS fingerprinting.

For years, cybercriminals have been actively abusing their (fraudulently) obtained access to compromised/hacked databases, successfully exfiltrating sensitive content, resulting in the evident rise of services directly contributing to the overall growth of the cybercrime ecosystem. According to Verizon’s most recent ‘2013 Data Breach Investigations Report’, the use of stolen credentials, next to malware campaigns, resulted in the majority of data breaches for the organizations participating in their sample.

We’ll continue monitoring the development of the service and post updates as soon as new developments/market competitors take place/enter the market.

The post Commercially available database of 52M+ ccTLD zone transfer domains spotted in the wild appeared first on Webroot Threat Blog.


Deceptive ads expose users to the Adware.Linkular/Win32.SpeedUpMyPC.A PUAs (Potentially Unwanted Applications)

Rogue vendors of Potentially Unwanted Applications (PUAs) continue tricking tens of thousands of gullible users into installing deceptive and privacy violating applications. Largely relying on ‘visual social engineering’ tactics and basic branding concepts, the majority of campaigns convincingly present users with legitimate-looking ToS (Terms of Service)/EULA (End User License Agreements) which socially engineered users accept, thereby assuming the responsibility for the potential privacy-violating activities taking place on their host.

We’ve recently spotted yet another PUA campaign, relying on deceptive “Download Now” types of ads, enticing users into downloading the bogus GetMyFiles (Adware.Linkular) application, as well as the rogue SpeedUpMyPC (Win32.SpeedUpMyPC.A) PUA. Let’s profile the campaign, and provide actionable intelligence on the infrastructure behind it.

More details:

Sample screenshot of Adware.Linkular download page:

W32.Linkular_W32.SpeedUpMy_PUA_Potentially_Unwanted_Application

Sample screenshot of Win32.SpeedUpMyPC.A download page:

W32.Linkular_W32.SpeedUpMy_PUA_Potentially_Unwanted_Application_01

Sample redirection chain:
hxxp://ad.propellerads.com/ck.php?oaparams=2__bannerid=91608__zoneid=605__OXLCA=1__cb=__oadest=http%3A%2F%2Fwww.getmyfilesnow.info%2F%3Fpid%3D887%26context%3D%24{SUBID} -> hxxp://www.getmyfilesnow.info/?pid=887&context=4912867270

Domain name reconnaissance:
getmyfilesnow.info – 54.208.165.36
getmyfilesnow.com – 174.142.147.2
coollinks.us – 174.142.147.5
linkular.com – 208.109.216.125
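Both redirection chains quoted on this page, the ad-network click URL above (whose `oadest` parameter carries the next hop URL-encoded, with a `${SUBID}` tracking macro that the ad network fills in) and the rogue Instagram app chain in the earlier post (whose `link=` parameter carries the TDS hop in the clear), are the kind of URLs a defender has to unpick from proxy logs or an email before deciding what to block. The following is an added example, not code from the original post, that refangs the `hxxp://` notation, follows URLs nested in query strings recursively, and flags every hop against the domains listed in the two reconnaissance sections; the blocklist contents are taken from those lists, and the function names are the example’s own.

```python
import re
from urllib.parse import urlparse, unquote

# Matches an http(s) URL up to the next whitespace, quote or angle bracket.
URL_RE = re.compile(r'https?://[^\s\'"<>]+')

# Domains taken from the reconnaissance lists in this post and in the rogue
# Instagram app post on this page; anything beyond these would be an assumption.
KNOWN_BAD = {
    "getmyfilesnow.info", "getmyfilesnow.com", "coollinks.us", "linkular.com",
    "instagramm-registration.ru", "domainusers.biz", "tds-link-asg.biz",
}


def refang(text):
    """Turn the defanged hxxp:// and [.] notation of IoC write-ups back into real URLs."""
    return (text.replace("hxxps://", "https://")
                .replace("hxxp://", "http://")
                .replace("[.]", ".")
                .replace("(.)", "."))


def redirect_hops(url):
    """Return the hostnames a single redirector URL leads through, outermost first.

    The next hop lives in the query string, either URL-encoded (the OpenX-style
    'oadest=http%3A%2F%2F...' parameter of the ad-network link) or in the clear
    (the 'link=http://...' parameter of the TDS link), so the query is decoded
    and any URL found inside it is followed recursively.  Each nested URL is a
    strict substring of its parent's query, so the recursion always terminates.
    """
    parts = urlparse(refang(url))
    hops = [parts.hostname.lower()] if parts.hostname else []
    for nested in URL_RE.findall(unquote(parts.query)):
        hops.extend(redirect_hops(nested))
    return hops


def chain_hops(chain_text):
    """Parse a 'url -> url -> url' chain as written in this kind of report."""
    hops = []
    for segment in refang(chain_text).split("->"):
        match = URL_RE.search(segment)
        if match:
            hops.extend(redirect_hops(match.group(0)))
    return hops


def is_listed(host, blocklist):
    """True when host is a listed domain or a subdomain of one."""
    return any(host == bad or host.endswith("." + bad) for bad in blocklist)


def flag_hops(hops, blocklist=KNOWN_BAD):
    """Return the hops (in order, without repeats) that hit the blocklist."""
    flagged = []
    for host in hops:
        if is_listed(host, blocklist) and host not in flagged:
            flagged.append(host)
    return flagged


# The two chains as quoted in this post and in the rogue Instagram app post.
AD_CHAIN = ("hxxp://ad.propellerads.com/ck.php?oaparams=2__bannerid=91608__zoneid=605"
            "__OXLCA=1__cb=__oadest=http%3A%2F%2Fwww.getmyfilesnow.info%2F%3Fpid%3D887"
            "%26context%3D%24{SUBID} -> hxxp://www.getmyfilesnow.info/?pid=887&context=4912867270")
INSTAGRAM_CHAIN = ("hxxp://instagramm-registration.ru/ -> hxxp://domainusers.biz/?page=lending"
                   "&type=soft&size=1&ext=rar&link=http://tds-link-asg.biz/?tds=1275&page=search"
                   "&parent=similar&key=Instagram_registration_(soft).zip"
                   "&key=programma_instagram_register_PC -> "
                   "hxxps://www.tcsbank.ru/credit/form/cash/?utm_source=troywell_apr_cc"
                   "&utm_medium=aft.apr&utm_content=network&utm_campaign=creditcard"
                   "&wm=1otx&sid=701411425&prx=701411425")

if __name__ == "__main__":
    for chain in (AD_CHAIN, INSTAGRAM_CHAIN):
        hops = chain_hops(chain)
        print("hops:  ", " -> ".join(hops))
        print("listed:", flag_hops(hops))
```

Note that the legitimate ad network (ad.propellerads.com) and the bank site at the end of the Instagram chain are reached but not flagged, which is the point of walking the whole chain: blocking the first or last hop alone would either break legitimate traffic or miss the intermediaries that carry the campaign.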

Detection rate for the PUA:
MD5: 0d60941d1ec284cab2e861e05df89511 – detected by 6 out of 51 antivirus scanners as Adware.Linkular

Known to have responded to 54.208.165.36, are also the following PUA samples:
MD5: e3d7a5dda69a83a4dbffb195fe41e68f
MD5: 3f9e510e2ebe20141dbb8b61ea15e21b
MD5: 9a4dd0724d8d241d748c6b2d4658a996
MD5: 567545c3947667913853ab34bdf38e3b
MD5: 83d21d9a6a1df8a4b4beb6190dbe8266
MD5: a08a35a241b0c7aa6ed7dda7ae8bab1e
MD5: 07aae60ce06590a3b8a4e86d0b94335a
MD5: 9ab73e226bfd9393b13423490d3ed77d
MD5: 75ec259b97e67f1174820beee4cafa29

Once executed, the sample phones back to:
hxxp://107.23.152.80/api/software/?s=887&os=win32&output=1&v=2.2.2&l=1033&np=0&osv=5.1&b=ie&bv=8.0.6001.18702&c=12&cv=2.2.2.1768

Known to have been downloaded from the same IP (107.23.152.80) are also the following PUAs:
MD5: a3f2dca9cf2fbf0b6221db476b9d889c
MD5: 8f021a07e83f2b455aad969268fbcba7
MD5: 57d1a9c5de77ac85e79ad675df7753dc

Compete Inc’s Certificate Serial ID: 4A 4A CA E0 72 F8 06 5D 9C 03 E2 A2 24 09 75 B0
AdvanceMark’s Certificate Serial ID: 52 32 D1 95 19 B6 63 90 12 01 63 65 2B E1 E8 9E
Linkular LLC, 2012′s Certificate Serial ID: 27 C7 0F 80 92 79 A3

Responding to 107.23.152.80 is also the rogue mspowerpack.com, which redirects to hxxp://www.uniblue.com/cm/foxlingo/speedupmypc/banner1/download (Win32.SpeedUpMyPC.A).

Sample detection rate for the Win32.SpeedUpMyPC.A PUA:
MD5: 0a8ecb11e39db5647dcad9f0cc938c99 – detected by 3 out of 51 antivirus scanners as PUP.Optional.SpeedUpMyPC

Known to have been downloaded from uniblue.com (176.34.125.17; 46.137.104.179; 50.19.240.60; 54.217.212.162; 54.246.105.117) are also the following PUAs:
MD5: 178e9cf3c95c0867104f14310bec10cf
MD5: 573a55f36b0ff521ac5012a7ae935a04
MD5: 3ee4e5cc4ee74b45fbbba507181efaeb
MD5: 563750b3b4a7f00115c83708a7e95d39
MD5: a59e9a0ce57365bbef2042f52d622539
MD5: abc3534ef2b1086330151ef42423d208
MD5: d41ea1f04ef610566b0ad4750b2040e7

Uniblue Systems’s Certificate Serial ID: 38 B5 E3 0A ED 74 F6 CD 05 D8 F2 0F 18 E8 91 E2

Webroot SecureAnywhere users are proactively protected from these PUAs.

The post Deceptive ads expose users to the Adware.Linkular/Win32.SpeedUpMyPC.A PUAs (Potentially Unwanted Applications) appeared first on Webroot Threat Blog.

DIY automatic cybercrime-friendly ‘redirector generating’ service spotted in the wild – part two

Cybercriminals continue actively abusing/mixing legitimate and purely malicious infrastructure in order to take advantage of clean IP reputation, for the purpose of achieving a positive ROI (return on investment) out of their fraudulent/malicious activities, in terms of attribution and of increasing the average lifetime of their campaigns. Acting as intermediaries within the exploitation/social engineering/malware-serving chain, the market segment for this type of cybercrime-friendly service continues flourishing, with more vendors joining it, aiming to differentiate their UVP (unique value proposition) through a variety of ‘value-added’ services.

We’ve recently spotted yet another managed/on demand redirector generating service, that’s empowering potential cybercriminals with the necessary infrastructure for the purpose of launching (layered) fraudulent/malicious (multiple) redirector enabled attacks, capable of bypassing popular Web filtering solutions. Let’s profile the service, discuss its relevance within the cybercrime ecosystem, and provide actionable intelligence on the static redirectors managed by it.

More details:

Among the key differentiation factors of the service —  a market segment standard in 2014 — is the automatic domain reputation checking feature, allowing prospective cybercriminals to quickly increase the average lifetime of their campaigns, as well as the ability to generate new redirectors on demand. The service is currently offering three types of pricing schemes – $50 for thirty thousand redirects as a starting package, $150 for one hundred thousand redirects, followed by a bonus package, offering two hundred thousand redirects for the same price as the starting package.

Priced at $2 for a thousand redirects, $50 for thirty thousand redirects, and $150 for one hundred thousand redirects, the service is perfectly positioned to continue acquiring new customers. Among the most popular TTPs (tactics, techniques and procedures) applied by cybercriminals in 2014 remains the use of layered multiple (bulletproof) redirector enabled malware/exploits serving campaigns, actively seeking to bypass Web/spam filtering solutions.

Sampled cybercrime-friendly redirectors (parked at 178.19.99.72) used by the service:
1000kazino.ru
100kazino.ru
10kazino.ru
24online-zone.ru
2584.ru
4922.ru
4942.ru
4life-24.ru
7448517.ru
absolute-med.ru
ac4u.ru
adapex.ru
adfclan.ru
aion-knight.ru
akcii-forex.ru
alderaan.ru
amyrsk.ru
anika-sh.ru
animeflv.ru
aniramen.ru
annapavlushkova.ru
antisopa.ru
ard26.ru
avtomatigrat.ru
avtomatikazino.ru
avtomatkazino.ru
avtomaty-sloty.ru
avtomatyigrat.ru
avtomatykazinoigrat.ru
avtomatyvegas.ru
azartmaniakazino.ru
azartnyeigry-avtomaty.ru
azartnyeigryavtomaty777.ru
azartnyeigrycasino.ru
azartnyeigrykazino.ru
azartnyeigrysloty.ru
azartnyeslots.ru
azartnyesloty.ru
bablomoney.ru
bananascasino.ru
banda-kino.ru
banda-kinos.ru
bandaikino.ru
bandavkino.ru
banditkinos.ru
basenjist.ru
basicmassag.ru
bastion-mebel.ru
bbi-russia.ru
bc2server.ru
beauty-perfect.ru
belmetal.ru
bereginja-moskow.ru
bertoni-kid.ru
bestbukmekery.ru
bestfx4you.ru
bestinvestsistem.ru
bestkazinos.ru
bestslotscasino.ru
bestslotsgame.ru
betacasino.ru
beznesmans.ru
bigcazinos.ru
bigdengi4.ru
bigforexbinar.ru
bigkazinos.ru
bigrabotat.ru
bigslots.ru
binarnyyforex.ru
bittorrent-x.ru
biznessss.ru
bm-monitor.ru
bokakmv.ru
bukmeker2013.ru
bukmekerskiefany.ru
bukmekerstavki.ru
casino-777slot.ru
casino-cristals.ru
casino-igry777.ru
casino-olimp.ru
casino-planeta.ru
casino777slots.ru
casinoavtomat.ru
casinoazartnyeigry.ru
casinoazartonline.ru
casinobanan.ru
casinobetigry.ru
casinogameslot.ru
casinogamesonlineplay.ru
casinograndevro.ru
casinoigrainternet.ru
casinoigrislot.ru
casinoigryonline.ru
casinoigrysuper.ru
casinolimit.ru
casinomaniasloty.ru
casinomasiny.ru
casinomoskva.ru
casinopiter.ru
casinotvslots.ru
cdtforever.ru
centralplant.ru
chat-portal.ru
chipelectro.ru
classic-oil.ru
clforex.ru
club-asteria.ru
clubbnichka.ru
clubforexinvest.ru
clubinvests.ru
com-inter.ru
compnewsite.ru
coolcasinos.ru
counterstrike-info.ru
cristal-vegas.ru
cristalcasinos.ru
css-servera-cs.ru
da-max.ru
deficit72.ru
deluxe-doodle-jump.ru
dengamoney.ru
dengi-forex-rabota.ru
dengi4you4forex.ru
dengidengi-forex.ru
dengiforex4.ru
dengiforexpro.ru
dengiproforex.ru
dengiru-forex.ru
detalicar.ru
dibars.ru
doktor-fedorov.ru
dolcevio.ru
dom-sun.ru
driftmag.ru
drmilovidova.ru
dsptop.ru
dt-portal.ru
dtuning.ru
dubli-land.ru
dylan-troy.ru
ebay-zakaz.ru
eka-shopping.ru
eurovpn.ru
evgeniebux.ru
expertsever.ru
f4youforex.ru
fa-cs.ru
faktyvideofilm.ru
familkino.ru
fastprivatbank.ru
femmeo.ru
filefileloadloadnet.ru
filmkino-video.ru
filmkinovideo.ru
filmlines.ru
filmoss.ru
filmvideokino.ru
filmyivideo.ru
filmymix.ru
fit-info.ru
forex-bar.ru
forex-chart.ru
forex-gameinvest.ru
forex-gids.ru
forex-mc.ru
forex-ns.ru
forex-xll.ru
forex4com.ru
forex4dengi.ru
forex4moneys.ru
forex4youinvest.ru
forex4youpro.ru
forex4zarabotat.ru
forex7777.ru
forexbinar.ru
forexbinary.ru
forexformat.ru
forexmmm.ru
forexmoneylive.ru
forexnubb.ru
forexpubs.ru
forexrusist.ru
forexsist.ru
forexxxx.ru
format-dom.ru
formatforex.ru
foryoulife.ru
fengiforex.ru
freecasinoplay.ru
freforexmoney.ru
frezag.ru
fse-ok.ru
fx4youinvest.ru
gamekazino.ru
gamepuls.ru
gameslotscasino.ru
gameslotscasinos.ru
gameved.ru
garanzhin.ru
gdevideofilm.ru
gdezarabotatdeneg.ru
gidmoneyforex.ru
glam-wed.ru
goodmoneyday.ru
grandcinemania.ru
grandforexbar.ru
grandinvestmen.ru
grandkazinoevro.ru
grandkinoski.ru
grandvideofilm.ru
grangslots.ru
gs-shopbuilder.ru
gtablack.ru
hardmuza.ru
hatakino.ru
hispeedsite.ru
hockeydaddy.ru
holymix.ru
home-10films.ru
hoteldynamo.ru
hotels-zlatapraga.ru
ic-samara.ru
igranaforexinvest.ru
igratkazinoigry.ru
igratnaforex.ru
igricasinonline.ru
igromaniacasino.ru
igrovye-avtomaty777.ru
igrovyeavtomaty777.ru
igrovyecasino.ru
igrovyekazino.ru
igrovyeslots.ru
igryazartnyecasino.ru
igrycasinoonline.ru
igryforex.ru
igrykazino777.ru
iiijg77.ru
infoam.ru
informkontrol.ru
instruction4you.ru
interesno-kino.ru
interleasing-invest.ru
invest-xxl.ru
investclubx.ru
investforexxx.ru
investgames.ru
investirovaniemoney.ru
investitmen.ru
investmoneysist.ru
investsist.ru
ios-pro.ru
ipoteka-kred.ru
ir-mag.ru
ivanovat.ru
jarmarkakreditov.ru
job-ula.ru
jobkino.ru
jovrent.ru
justcat.ru
justinstructions.ru
kakvkinolive.ru
kazino777slots.ru
kazinoazartmania.ru
kazinobetting.ru
kazinobigslot.ru
kazinoicasino.ru
kazinoigribet.ru
kazinoigriplay.ru
kazinoigrusuper.ru
kazinomonaco.ru
kazinoonlineigry.ru
kazinoslotsfree.ru
kazinoslotsgame.ru
kazinovegas777.ru
kemerovoportal.ru
kia-spectra-club.ru
kiev-review.ru
kinatrix.ru
kino-azart.ru
kino-maniax.ru
kino-matrix.ru
kino-ring.ru
kino1film.ru
kinobanda-net.ru
kinobandaa.ru
kinobandity.ru
kinobbb.ru
kinobombim.ru
kinobomby.ru
kinofilm-video.ru
kinohatka.ru
kinojornal.ru
kinomagi.ru
kinomails.ru
kinomatric.ru
kinomaxim.ru
kinomaxmix.ru
kinoms.ru
kinopocta.ru
kinosvetik.ru
kinotiptoplive.ru
kinotors.ru
kinovideo-film.ru
kinovideofilm.ru
kintor.ru
kis-murys.ru
klubinvest.ru
koleso-gizni.ru
konobandanet.ru
konoparadis.ru
kpk-obzor.ru
ktokrasivee.ru
kujvozi.ru
kuznecdvor.ru
kvc-nsk.ru
l2zz.ru
la2hot.ru
landlinks.ru
lazurniibereg.ru
letanews.ru
linekinofakt.ru
live-videomix.ru
lol-helper.ru
lovinator.ru
luxuryempire.ru
lykoptom.ru
m-sistems.ru
magikino.ru
make-world.ru
manualkinsite.ru
manualovnet.ru
marhi97.ru
marinapilicheva.ru
marketplaneta.ru
markhiev.ru
marvelgift.ru
masterforexsis.ru
maxkinomix.ru
mediaforexpro.ru
metal-history.ru
mexica-resort.ru
michelin-kormoran.ru
mmm-kuzbass.ru
mmm2011msk.ru
mmmforex.ru
mobiklik.ru
mobilru.ru
moi-progi.ru
money-gid.ru
money-xl.ru
money4tebe.ru
moneybigforex.ru
moreforexbiz.ru
morgana-davies.ru
mosgostsert.ru
moypopugaychik.ru
mp3wka.ru
murmanradio.ru
mybestsait.ru
myiforex.ru
mykinobanda.ru
myvdeleinvest.ru
myvforex.ru
myvinvest.ru
myvkinofilmah.ru
myvrabote.ru
mznd.ru
nachalife.ru
nailsgood.ru
natalybeauty.ru
nebesnaya7.ru
nedvizhimostyvsloveniji.ru
neocasinos.ru
newsoftclub.ru
novosibirsk-diplom.ru
novye-tovary.ru
oao-ooo.ru
offrem.ru
oknaidverispb.ru
olgayast.ru
omcon.ru
onlinebux.ru
palomaasia.ru
pantymir.ru
paradisefilm.ru
paravkino.ru
parkland-tula.ru
party-bonus.ru
pauchok2.ru
pbland.ru
pisa-nina.ru
pk-green.ru
pkvlublino.ru
planetakazino.ru
planetscasino.ru
pokavkino.ru
polezniy-sovet.ru
popfilmylive.ru
popkinolive.ru
poranaotdyh.ru
pornolav.ru
portaltuning.ru
portalvideomix.ru
poselok-dubovoe.ru
poselok-mesherskoe.ru
postman-dubna.ru
potkino.ru
pro-1kino.ru
pro100bit.ru
prodengiforex.ru
proforex4you.ru
project-syndicate.ru
pronerv.ru
prophan.ru
prorabotuforex.ru
prostolog.ru
qigong-club.ru
rabotaklub.ru
rabotalandmoney.ru
rabotatlive.ru
raidcallfan.ru
redguild.ru
rek-tiz.ru
religion-science.ru
rtscorp.ru
rubashkimen.ru
rubloges.ru
rudengi-invest.ru
rukazinos.ru
runet-team.ru
rus-referat.ru
rusforexsistem.ru
russian-resource.ru
russkiecasino.ru
s-podkova-poselok.ru
sadisteeg.ru
sale1c.ru
saleberryshop.ru
salon-dom2.ru
sat-cards.ru
sat-manager.ru
school-of-photoshop.ru
sdelkamavro.ru
sdera.ru
se-montazh.ru
secretbooks.ru
seokreativ.ru
sergeynedorub.ru
shizhenskiy.ru
simsimkino.ru
sistemazarabotkamoney.ru
sistemyraboty.ru
skacxshatdvadva.ru
skajatseichasdva.ru
skasjatskyapka.ru
skaxcjatdavdva.ru
skaxxchatdvadva.ru
skill-game.ru
skypedlyandroid.ru
slots777-casino.ru
slotscasinos.ru
slotskazino.ru
smallcasino.ru
smofi.ru
smotretvideoline.ru
smotretvseonlain.ru
smotrim4you.ru
snabprof.ru
sokolkeram.ru
spbmp.ru
spice77.ru
ssportss.ru
starbur.ru
stas-karpov.ru
steklopaketi-msk.ru
stepanovaeva.ru
stokinosek.ru
stomatolog-24.ru
stroymaker.ru
superigrycasino.ru
superigrykazino.ru
svarogavia.ru
svetlanatkachenko.ru
sybseeds.ru
tandem-rd.ru
taunhausfestivalpark.ru
tech-docs.ru
telefon-browser.ru
teso33.ru
ti-russia.ru
tiptopkinos.ru
tno-team.ru
tok-ip.ru
tolivehappy.ru
trans-uni.ru
traveltoeuro.ru
trekino.ru
trizon.ru
turbaza-gornaya.ru
u-spravka.ru
ukr-mmm.ru
utpit-knigi.ru
v-kino-zale.ru
vegas-casinos.ru
vegas-kazinoz.ru
vesicontrol.ru
video-hata.ru
video-kinofilm.ru
video-matrix.ru
video-ring.ru
videobanda.ru
videofilm-kino.ru
videofilmkino.ru
videojornal.ru
videokino-film.ru
videokino-mix.ru
videokinofilm.ru
videolinia.ru
videomafioz.ru
videomagico.ru
videomaty.ru
videomixmax.ru
videomondo.ru
videoprobykino.ru
videotiptop.ru
videotopy.ru
violar.ru
vkforex.ru
vkinoteatremy.ru
vkontakte-noch.ru
vkrabotat.ru
vsekinobanda.ru
vseobizness.ru
vseoforexland.ru
war-bk.ru
webdengiforex.ru
webmoney62.ru
websales2.ru
weddingpix.ru
westsibir.ru
win7xp.ru
winecorks.ru
wmjobs.ru
womanm.ru
wondersnature.ru
work-houms.ru
ws-cool.ru
wwwforexcom.ru
wwwforexru.ru
wwwrabotnik.ru
x-forex-x.ru
xdmail.ru
xforexx.ru
xkaccctxtfileszdes.ru
xotic.ru
xtrazz.ru
yadrin24.ru
yageroi2012.ru
yourget.ru
ystrou.ru
yurivoron.ru
zaberipitomca.ru
zarabotatmoneybystro.ru
zarabotatvinternetemoney.ru
zemlakino.ru
zheltoebezumie.ru

Not surprisingly, in addition to cybercrime-as-a-service type managed underground market propositions, the market segment for cybercrime-friendly redirectors is also largely populated by DIY (do-it-yourself) tools, which lay the foundations for competing offers as new market entrants actively acquire these commercially or publicly available applications.

Sample screenshot of a DIY cybercrime-friendly redirector generating tool:

Cybercrime_DIY_Managed_Redirectors_Service

We expect that in a cybercrime ecosystem no longer dominated by the Black Hole Web malware exploitation kit, vendors of market-leading exploitation kits will continue implementing additional ‘value added’ redirector services, further increasing the average life cycle of their customers’ campaigns.

Webroot SecureAnywhere users are proactively protected from these threats.

The post DIY automatic cybercrime-friendly ‘redirector generating’ service spotted in the wild – part two appeared first on Webroot Threat Blog.

Managed DDoS WordPress-targeting, XML-RPC API abusing service, spotted in the wild


With WordPress continuing to lead the CMS market segment with the largest share, cybercriminals are actively capitalizing on the monoculture insecurities posed by this trend, in an attempt to monetize TTPs (tactics, techniques and procedures) that are ubiquitous within the cybercrime ecosystem. Despite actively seeking new and ‘innovative’ ways to abuse this trend, cybercriminals also rely on good old-fashioned reconnaissance and ‘hitlist’ building tactics, in an attempt to achieve efficiency-oriented ‘malicious economies of scale’ in their fraudulent/malicious processes.

We’ve recently spotted a managed DDoS (Distributed Denial of Service) attack service that targets WordPress installations by abusing the XML-RPC API, whose discovery intersects with a recently launched widespread campaign targeting the WordPress platform.

Sample screenshot of the managed DDoS WordPress-targeting XML-RPC API abusing service:

Cybercrime_Managed_Service_DDoS_Wordpress_XML_RPC

In addition to offering a variety of DDoS attack methods, the service also offers multiple ‘value-added’ features, such as resolving services for popular hosting/VoIP platforms. Priced between $4.99 and $99.99 for different packages, it currently accepts PayPal and Bitcoin, and is capable of delivering over 40 Gbps of DDoS bandwidth. Its key differentiating factors include a Source Banner reconnaissance scanning capability, as well as direct abuse of a well-known WordPress platform abuse vector, namely the XML-RPC API pingback DDoS vulnerability.

Sample screenshot of a prospective service’s customer Web based interface:

Cybercrime_Managed_Service_DDoS_Wordpress_XML_RPC_01


Sample screenshot of the service’s DDoS capabilities:

Cybercrime_Managed_Service_DDoS_Wordpress_XML_RPC_02

Related screenshots of the promoted service’s DDoS bandwidth capacity:

Cybercrime_Managed_Service_DDoS_Wordpress_XML_RPC_03

Cybercrime_Managed_Service_DDoS_Wordpress_XML_RPC_04

Cybercrime_Managed_Service_DDoS_Wordpress_XML_RPC_05

Despite the evident malicious ‘innovation’ on the part of the adversaries behind the XML-RPC API pingback based DDoS attack campaign, at large scale cybercriminals continue to rely largely on DIY (do-it-yourself) DDoS malware/botnet generating tools, which fuels the growth of the evergreen market segment for managed DDoS attacks. To mitigate the risk of falling victim to such widespread WordPress CMS targeting campaigns, WordPress owners are advised to go through the official WordPress hardening guide, as well as to take advantage of Sucuri’s free DDoS scanning service.
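Detection on the receiving end, as an added example that is not part of the original post: when WordPress verifies a pingback it fetches the claimed source URL with a User-Agent of the form `WordPress/<version>; <site URL>`, and newer releases append `; verifying pingback from <address>`, the address that submitted the `pingback.ping` call. A site being flooded through the vector described above therefore sees many such fetches from many distinct, otherwise unrelated WordPress installations within a short window. The Python script below parses combined-format access-log lines (the log lines, hosts, addresses and the three-site threshold are all constructed assumptions for this example) and flags each minute in which the number of distinct pingback-verifying sites reaches the threshold, collecting the reported origin addresses along the way.

```python
"""Flag a WordPress XML-RPC pingback reflection flood from the target's access log.

Added example, not Webroot's code. Assumes Apache/nginx "combined" log format and
the User-Agent WordPress sends when verifying a pingback source:
    WordPress/<version>; <site URL>[; verifying pingback from <address>]
"""
import re
from collections import defaultdict

# Combined log format:
#   ip ident user [time] "method path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# The pingback verifier's User-Agent; the trailing origin is only present on newer releases.
PINGBACK_UA_RE = re.compile(
    r'^WordPress/(?P<version>[\d.]+); (?P<site>[^;]+)'
    r'(?:; verifying pingback from (?P<origin>\S+))?$'
)

# Constructed sample (hosts, addresses and times are made up). Four different WordPress
# sites verify "pingbacks" against us within two seconds, one of them twice; line 5 is
# an ordinary visitor and the last line a lone, plausibly legitimate pingback.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Mar/2014:14:02:01 +0000] "GET /?p=1234 HTTP/1.0" 200 5120 "-" "WordPress/3.8.1; http://blog-a.example; verifying pingback from 198.51.100.7"
203.0.113.11 - - [10/Mar/2014:14:02:01 +0000] "GET /?p=1235 HTTP/1.0" 200 5120 "-" "WordPress/3.7; http://blog-b.example"
203.0.113.12 - - [10/Mar/2014:14:02:02 +0000] "GET /?p=1236 HTTP/1.0" 200 5120 "-" "WordPress/3.8; http://blog-c.example; verifying pingback from 198.51.100.7"
203.0.113.10 - - [10/Mar/2014:14:02:02 +0000] "GET /?p=1237 HTTP/1.0" 200 5120 "-" "WordPress/3.8.1; http://blog-a.example; verifying pingback from 198.51.100.7"
198.51.100.42 - - [10/Mar/2014:14:02:03 +0000] "GET / HTTP/1.1" 200 8192 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/28.0"
203.0.113.13 - - [10/Mar/2014:14:02:03 +0000] "GET /?p=1238 HTTP/1.0" 200 5120 "-" "WordPress/3.8.1; https://blog-d.example; verifying pingback from 198.51.100.7"
203.0.113.20 - - [10/Mar/2014:14:05:30 +0000] "GET /2014/03/post/ HTTP/1.0" 200 5120 "-" "WordPress/3.8.1; http://blog-e.example; verifying pingback from 192.0.2.9"
"""


def parse_line(line):
    """Parse one combined-format line; adds a 'pingback' dict (or None) derived from the UA."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    ua = PINGBACK_UA_RE.match(rec["ua"])
    rec["pingback"] = ua.groupdict() if ua else None
    return rec


def minute_bucket(timestamp):
    """'10/Mar/2014:14:02:01 +0000' -> '10/Mar/2014:14:02' (drop seconds and zone)."""
    return timestamp.split(" ")[0][:-3]


def detect_pingback_flood(lines, min_reflectors=3):
    """Return {minute: (distinct_reflecting_sites, {reported origin addresses})}
    for every minute in which at least `min_reflectors` different WordPress sites
    performed pingback verification fetches against this server."""
    sites_per_minute = defaultdict(set)
    origins_per_minute = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["pingback"] is None:
            continue
        minute = minute_bucket(rec["time"])
        sites_per_minute[minute].add(rec["pingback"]["site"])
        if rec["pingback"]["origin"]:
            origins_per_minute[minute].add(rec["pingback"]["origin"])
    return {
        minute: (len(sites), origins_per_minute[minute])
        for minute, sites in sites_per_minute.items()
        if len(sites) >= min_reflectors
    }


if __name__ == "__main__":
    alerts = detect_pingback_flood(SAMPLE_LOG.splitlines())
    for minute, (count, origins) in sorted(alerts.items()):
        print(f"{minute}: {count} distinct WordPress reflectors; "
              f"reported origins: {sorted(origins) or '-'}")
```

Run it over a real access log with a threshold tuned to the site's normal pingback volume; the reported origin addresses are only as trustworthy as the reflecting sites that report them, so treat them as a lead, not proof. On the reflector side, a WordPress site that has no use for pingbacks can remove the `pingback.ping` method with the `xmlrpc_methods` filter, which stops that installation being used against others.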

We’ll continue monitoring the development of the service, and post updates as soon as new developments take place.

The post Managed DDoS WordPress-targeting, XML-RPC API abusing service, spotted in the wild appeared first on Webroot Threat Blog.

Fake Reviews Trick Google Play Users


Here at Webroot, we are constantly on the lookout for malevolent Android apps. In most cases, an app does something malicious and gets marked accordingly, but it’s not always that simple.

Two weeks ago an app called “Virus Shield” popped up on the Google Play store. Within days, Virus Shield became Google Play’s #1 paid app. With thousands of reviews and a 4.7 star rating, who would question it? Well, a few people did, the code was looked at, and Google pulled it from the store. Google has even gone so far as to make amends with those scammed in the process.

Here’s the app description previously seen on Virus Shield’s Google Play page:

Virus Shield is an Antivirus that protects you and your personal information from harmful viruses, malware, and spyware.

Improve the speed of your phone with just one click. This app was designed so that anyone can use and protect their phone.

  • Prevents harmful apps from being installed on your device.
  • Scans apps, settings, files, and media in real time
  • Protects your personal information
  • Strong antivirus signature detection
  • Very low impact on battery life
  • Runs in the background
  • No, ZERO pesky advertisements

Too bad it doesn’t actually do any of these things. So what about the malicious things it does instead? Well, it doesn’t do anything malicious either. In fact, it has hardly any code at all.

Let’s take a step back to those reviews. How did an app get such a huge amount of good reviews in such a short period? I think that’s where the real deception was happening.

Here are some stipulations for writing reviews on Google Play:

  • You must install an app to be able to review it.
  • Reviews are tied to your Google Account.
  • You can only review any app once per account.

I’m not clear on the exact process, but it seems the author created automation to use fake accounts to install the app, write a review, and then repeat the process continually in order to bust review ratings and download counts.

Suddenly, a no-name app has become Google Play’s top paid app. Other users now see it at the top of the charts, install it for themselves for $3.99, and the author makes a profit.

Although the app itself didn’t have malicious code, there was definitely malicious intent. For this reason, we’ve marked this app as Android.FakeApp in case it ends up on any other Android marketplaces.

The post Fake Reviews Trick Google Play Users appeared first on Webroot Threat Blog.

All About Windows Tech Support Scams


*Editor’s Note: The purpose of this research was to see exactly how this scam is carried out, and the extent to which it is done. DO NOT TRY THIS AT HOME. We used a clean machine, off network, to monitor the activity of the scammer.

Have you ever received a phone call from a tech support person claiming to be from Microsoft, telling you that your Windows-based machine has been found to have a virus on it? These cold calls typically come from loud call centers and target the uninformed and naïve, in hopes of gaining access to their machines and ultimately the victim’s credit cards.

While there are many variants of this kind of scam, we recently received one of these phone calls and decided to see just what happened. The company that called us, which we later found out to be called Arjun Inc, claimed they had received notifications that there were errors on the PC and that they were calling to help correct those errors.

After playing along, we followed the directions of the agent. The agent asked us to open the Event Viewer (which typically shows errors) and claimed that those errors could cause the computer to crash and that they needed to fix the issues. These are not actually critical errors, but as this scam is aimed at less tech-savvy users, it is easy to see how this is believed.


From this point, the agent asked to remote control the PC and instructed us on how to set up the remote session. The agent then logged in, looked at a few things, and installed the programs CCleaner and Advanced Windows Care by IObit. After this, we were advised that the installed programs would always run and protect the computer. However, this is not the case, as the programs installed don’t have ‘shields’ and thus offer no real-time protection. He also said they would protect us from porn sites and potentially dangerous websites, but of course they do not.


At this point, the agent turned into a salesperson. He told us how much the estimated repairs would cost and then proceeded to try to process the transaction through their spicywebtech.com login. He told us that he had already corrected the issues with the PC via the Advanced Windows Care program; however, it’s plain as day that he never actually clicked the ‘repair’ button and thus never performed the ‘repairs’.

During the call, the agent informed us that their company (Windows Help and Support) is “part of Microsoft”, and we were also advised that we wouldn’t need to purchase antivirus for the PC any longer.

While the programs loaded onto the machine were not malicious, they would not work as advertised by the agent and could be considered unwanted programs. By letting a stranger into your machine without verifying their identity beyond reasonable doubt, you put yourself, your data, and your network at risk. Never trust cold calls from strangers, and remember, Microsoft will never call you.

We have a full recording of the conversation up and live. If you’re interested in all the steps and how these scammers sound, give it a listen.

The post All About Windows Tech Support Scams appeared first on Webroot Threat Blog.
