Cybercriminals continue to populate their botnets with new infected hosts through the persistent and systematic spamvertising of tens of thousands of fake emails which impersonate popular and well-known brands – all in an attempt to socially engineer prospective victims into interacting with the scam. We’ve recently intercepted a currently circulating malicious spam campaign, impersonating Evernote, serving client-side exploits to prospective victims who click on the links found in the fake emails. More details: Sample screenshot of the spamvertised email: Sample redirection chain: hxxp://nortonfire.co.uk/1.html (18.104.22.168) -> hxxp://merdekapalace.com/1.txt – 22.214.171.124 -> hxxp://www.shivammehta.com/1.txt – 126.96.36.199 -> hxxp://ypawhygrawhorsemto.ru:8080/z4ql9huka0 Domain name reconnaissance for the […]
The post Spamvertised ‘Image has been sent’ Evernote themed campaign serves client-side exploits appeared first on Webroot Threat Blog.
We’ve just intercepted a currently circulating malicious spam campaign that’s attempting to trick potential botnet victims into thinking that they’ve received a legitimate Voice Message Notification from Skype. In reality though, once socially engineered users click on the malicious link found in the bogus emails, they’re automatically exposed to the client-side exploits served by the Angler exploit kit. More details: Sample screenshot of the spamvertised email: Sample exploitation chain: hxxp://crestspahh.com:80/1.html -> hxxp://merdekapalace.com/1.txt -> hxxp://www.shivammehta.com/1.txt -> hxxp://nedapardaz.com/theme/it/browser/_lzf_.php?source_pid=38896815737B1F0316DB020740&swap_src=7D&theme-lid=1 Malicious domain names reconnaissance: crestspahh.com – 188.8.131.52 merdekapalace.com – 184.108.40.206 shivammehta.com – 220.127.116.11 nedapardaz.com – 18.104.22.168 Known to have responded to the same IP (22.214.171.124) are […]
2013 was not a good year in terms of cyber security. Despite companies spending an increasingly significant percentage of revenue on security technology – systems designed to thwart, detect and prevent hackers from gaining access to their networks and sensitive data – attacks continue to succeed. Recently, the trend has shifted to attacking point of sale (POS) systems. While Target is the largest example, similar attacks have occurred in industries ranging from department stores to hospitals to hotel chains – basically anywhere large-scale financial transactions take place. The focus on POS systems doesn’t come as a surprise. Cybercriminals have always […]
The post Can Security Survive in an Increasingly Insecure World? appeared first on Webroot Threat Blog.
Deceptive ads continue to represent the primary distribution vector for the vast majority of Potentially Unwanted Applications (PUAs) that we track. Primarily relying on ‘visual social engineering’ tactics, gullible end users fall victim to these privacy-violating applications, largely because they instantaneously agree to the terms in the End User Agreement presented to them. We’ve recently spotted yet another variant of the InstallBrain family of Potentially Unwanted Applications (PUAs), tricking users into installing a bogus PC performance boosting application. Let’s assess this campaign and provide actionable intelligence on the domains/IPs and related privacy-violating MD5s known to have shared the […]
The threat landscape today is very different from a few years ago. With an increasingly creative number of threat vectors through which to launch an attack, it has never been more challenging to secure our data and devices in all the ways we connect. In today’s hyper-dynamic landscape, well over 8 million malware variants are discovered each month. The majority are financially motivated, very low in volume and very sophisticated. On the mobile front, cybercriminals have shown a clear focus on compromising devices made evident by an explosion in the discovery of malicious mobile apps and websites. Also on the […]
Opportunistic cybercriminals continue ‘innovating’ through the systematic release of DIY (do-it-yourself), Web-based, botnet/malware generating tools, seeking to monetize their coding ‘know-how’ and overall understanding of abusive/fraudulent/malicious TTPs (tactics, techniques and procedures) - all for the purpose of achieving a positive ROI with each new release. We’ve recently spotted a newly released, Web-based DNS amplification enabled DDoS bot, and not only managed to connect it to what was once an active DDoS attack, but also, to the abuse of a publicly accessible open DNS resolver which has been set up for research purposes. Let’s discuss some of its features and take a peek at the […]
The post Managed Web-based 300 GB/s capable DNS amplification enabled malware bot spotted in the wild appeared first on Webroot Threat Blog.
Sticking to good old-fashioned TTPs (tactics, techniques and procedures), cybercriminals continue mixing purely malicious infrastructures with legitimate ones, for the purpose of abusing the clean IP reputations of networks, on their way to achieving positive ROI (return on investment) for their fraudulent activities. For years, this mix of infrastructures has led to the emergence of the ‘malicious economies of scale’ concept, in terms of efficient abuse of legitimate Web properties, next to the intersection of cybercriminal online activity and cyber warfare. In a series of blog posts, we’ve been emphasizing the level of automation and QA (Quality Assurance) applied by […]
Regular readers of Webroot’s Threat Blog are familiar with our series of posts detailing the proliferation of social engineering driven, privacy-violating campaigns serving W32/Casino variants. Relying on affiliate based revenue sharing schemes and spamvertised campaigns as the primary distribution vectors, the rogue operators behind them continue tricking tens of thousands of gullible users into installing the malicious applications. We’ve recently intercepted a series of spamvertised campaigns distributing W32/Casino variants. Let’s profile the campaigns, provide actionable intelligence on the rogue domains involved in the campaigns, as well as related MD5s known to have interacted with the same rogue infrastructure. More details: Sample screenshots of […]
The post Multiple spamvertised bogus online casino themed campaigns intercepted in the wild appeared first on Webroot Threat Blog.
Security and privacy were hot topics at this year’s SXSW Interactive festival, and deservedly so. While at the event in Austin, I had the pleasure of participating on a panel discussing malicious mobile apps, mobile device security and user privacy. With me on the panel were Alan Murray, Senior VP of Products at Apperian, and Erich Stuntebeck, Director of Mobile Security at AirWatch. Fahmida Rashid, Analyst for PC Mag, moderated the event. Questions initially focused on malicious app behaviors such as accessing private user data, SMS history and GPS tracking, as well as spyphone apps, rooting apps and the increased […]
Cybercriminals continue adapting to the exponential penetration of mobile devices through the systematic release of DIY (do-it-yourself) mobile number harvesting tools, successfully setting up the foundations for commercial managed/on demand mobile phone number harvesting services, ultimately leading to an influx of mobile malware/spam campaigns. In addition to boutique based DIY operations, sophisticated, ‘innovation’ and market development-oriented cybercriminals are actively working on the development of commercially available Android-based botnet generating tools, further fueling growth into the market segment. In a series of blog posts, we’ve been profiling multiple cybercrime-friendly services/malicious Android-based underground market releases, further highlighting the professionalization of the market […]
The post 5M+ harvested Russian mobile numbers service exposes fraudulent infrastructure appeared first on Webroot Threat Blog.
Security and privacy were hot topics at this year’s SXSW Interactive festival, and deservedly so. While at the event in Austin, Grayson Milbourne had the pleasure of participating on a panel discussing malicious mobile apps, mobile device security and user privacy. This is a recap of his time on the panel and his thoughts on mobile security going forward. You can read the blog here: http://www.webroot.com/blog/2014/03/14/sxsw-apps-exposed-panel-re-cap-mobilerisk/
Thanks to the commercial and public availability of DIY (do-it-yourself) modular malware/botnet generating tools, the diverse market segment for Web malware exploitation kits, as well as traffic acquiring/distributing cybercrime-friendly traffic exchanges, cybercriminals continue populating the cybercrime ecosystem with newly launched services offering API-enabled access to Socks4/Socks5 compromised/hacked hosts. Largely relying on the ubiquitous affiliate network revenue sharing/risk-forwarding scheme, vendors of these services, as well as products with built-in Socks4/Socks5 enabled features, continue acquiring new customers and gaining market share to further capitalize on their maliciously obtained assets. We’ve recently spotted a newly launched affiliate network for a long-running — since 2004 […]
Cybercriminals continue to maliciously ‘innovate’, further confirming the TTP (tactics, techniques and procedures) observations we made in our Cybercrime Trends – 2013 assessment back in December 2013, namely, that the diverse cybercrime ecosystem is poised for exponential growth. By standardizing the very basics of fraudulent and malicious operations throughout the years, cybercriminals have successfully achieved a ‘malicious economies of scale’ type of economically efficient model, contributing to widespread international financial and intellectual property theft, thanks to basic cybercrime disruption concepts such as modular DIY (do-it-yourself) commercial and publicly obtainable malware/botnet generating tools. In 2014, both sophisticated and novice cybercriminals have […]
The post A peek inside a modular, Tor C&C enabled, Bitcoin mining malware bot appeared first on Webroot Threat Blog.
Every day, cybercriminals actively take advantage of basic OPSEC (Operational Security) tactics, aiming to risk-forward their fraudulent/malicious online activity to a third party while continuously seeking to launch their malicious/fraudulent campaigns in an anonymous fashion. Having successfully matured from what was once a largely immature market segment to today’s growing market segment, in terms of active implementation of OPSEC concepts, the blackhat market is prone to continue expanding, further providing malicious and fraudulent adversaries with the necessary capabilities to remain beneath the radar of law enforcement and the security industry. In a series of blog posts we’ve published throughout 2013, we proactively highlighted […]
For years, cybercriminals have been building ‘hit lists’ of potential targets through automated and efficiency-oriented reconnaissance TTPs (tactics, techniques and procedures). The aim is to fraudulently/maliciously capitalize on these databases consisting of both corporate and government users. Seeking a positive return on their fraudulent/malicious activities, cybercriminals also actively apply basic QA (Quality Assurance) processes, standardization, and the systematic release of DIY (do-it-yourself) cybercrime-friendly applications – all to further ensure a profitable outcome for their campaigns. Thanks to the active implementation of these TTPs, in 2014 the market segments for spam-ready managed services/blackhat SEO (search engine optimization) continue to flourish, with experienced vendors starting to ‘vertically integrate’ within the cybercrime […]
The post Commercially available database of 52M+ ccTLD zone transfer domains spotted in the wild appeared first on Webroot Threat Blog.
Rogue vendors of Potentially Unwanted Applications (PUAs) continue tricking tens of thousands of gullible users into installing deceptive and privacy-violating applications. Largely relying on ‘visual social engineering’ tactics and basic branding concepts, the majority of campaigns convincingly present users with legitimate-looking ToS (Terms of Service)/EULAs (End User License Agreements) which socially engineered users accept, thereby assuming responsibility for the potential privacy-violating activities taking place on their host. We’ve recently spotted yet another PUA campaign, relying on deceptive “Download Now” types of ads, enticing users into downloading the bogus GetMyFiles (Adware.Linkular) application, as well as the rogue SpeedUpMyPC (Win32.SpeedUpMyPC.A) PUA. […]
Cybercriminals continue actively abusing/mixing legitimate and purely malicious infrastructure, on their way to take advantage of clean IP reputation, for the purpose of achieving a positive ROI (return on investment) out of their fraudulent/malicious activities, in terms of attribution and increasing the average lifetime for their campaigns. Acting as intermediaries within the exploitation/social engineering/malware-serving chain, the market segment for this type of cybercrime-friendly services continues flourishing, with more vendors joining it, aiming to differentiate their UVP (unique value proposition) through a variety of ‘value-added’ services. We’ve recently spotted yet another managed/on demand redirector generating service, that’s empowering potential cybercriminals with the […]
The post DIY automatic cybercrime-friendly ‘redirector generating’ service spotted in the wild – part two appeared first on Webroot Threat Blog.
With WordPress continuing to lead the CMS market segment with the biggest proportion of market share, cybercriminals are actively capitalizing on the monocultural insecurities posed by this trend, in an attempt to monetize the ubiquitous (for the cybercrime ecosystem) TTPs (tactics, techniques and procedures). Despite actively seeking new and ‘innovative’ ways to abuse this trend, cybercriminals are also relying on good old-fashioned reconnaissance and ‘hitlist’ building tactics, in an attempt to achieve an efficiency-oriented ‘malicious economies of scale’ type of fraudulent/malicious process. We’ve recently spotted a managed WordPress installations-targeting, XML-RPC API abusing type of DDoS (Distributed Denial of Service) attack service, […]
The post Managed DDoS WordPress-targeting, XML-RPC API abusing service, spotted in the wild appeared first on Webroot Threat Blog.
Here at Webroot, we are constantly on the lookout for malevolent Android apps. In most cases, you do something malicious with your app and you get marked accordingly, but it’s not always that simple. Two weeks ago an app called “Virus Shield” popped up on the Google Play store. Within days, Virus Shield became Google Play’s #1 paid app. With thousands of reviews and a 4.7 star rating, who would question it? Well, a few people did, the code was looked at, and Google pulled it from the store. They have even gone as far as to make amends with those […]
*Editor’s Note: The purpose of this research was to see exactly how this scam is carried out, and the extent to which it is done. DO NOT TRY THIS AT HOME. We used a clean machine, off network, to monitor the activity of the scammer. Have you ever received a phone call from a tech support person claiming to be from Microsoft, saying that your Windows-based machine has been found to have a virus on it? These cold calls typically come from loud call centers, and are targeting the uninformed and naïve in hopes of gaining access to their […]