Category Archives: mal-effects

The malicious effects and consequences of malware

New DIY unsigned malicious Java applet generating tool spotted in the wild

Posted on by

By Dancho Danchev

Just as we anticipated on numerous occassions in our series of blog posts exploring the emerging DIY (do it yourself) trend within the cybercrime ecosystem, novice cybercriminals continue attempting to steal market share from market leaders, in order for them to either gain credibility within a particular cybercrime-friendly community, or secure a revenue stream.

Throughout 2012, we’ve witnessed the emergence of both, publicly obtainable, and commercially available, DIY unsigned Java applet generators. Largely relying on social engineering thanks to their built-in feature allowing them to “clone” any given Web site, these tools remain a popular attack vector in the arsenal of the less sophisticated cybercriminal, looking for ways to build his very own botnet.

In this post, I’ll profile one of the most recently released DIY tools.

More details:

Continue reading

Segmented Russian “spam leads” offered for sale

Posted on by

By Dancho Danchev

What is the Russian underground up to when it comes to ‘spear phishing’ attacks? How prevalent is the tactic among Russian cybercriminals? What “data acquisition tactics” do they rely on, and just how sophisticated are their “data mining” capabilities?

Let’s find out by emphasizing on a recent underground market advertisement offering access to data which can greatly improve the click-through rate for a spear phishing campaign. The irony? It’s being pitched as “spam leads”.

More details:

Continue reading

How much does it cost to buy 10,000 U.S.-based malware-infected hosts?

Posted on by

By Dancho Danchev

Earlier this month, we profiled and exposed a newly launched underground service offering access to tens of thousands of malware-infected hosts, with an emphasis on the fact that U.S.-based hosts were relatively more expensive to acquire, largely due to the fact that U.S.-based users are known to have a higher online purchasing power. How much does it cost to buy 10,000 U.S.-based malware-infected hosts? Let’s find out.

In this post, I’ll profile yet another service offering access to malware-infected hosts internationally, that’s been operating since the middle of 2012, and despite the fact that it’s official Web site is currently offline, remains in operation until present day.

More details:

Continue reading

Malicious ‘Data Processing Service’ ACH File ID themed emails serve client-side exploits and malware

Posted on by

By Dancho Danchev

A cybercriminal/gang of cybercriminals that we’ve been closely monitoring for a while now has just launched yet another spam campaign, this time impersonating the “Data Processing Service” company, in an attempt to trick its customers into interacting with the malicious emails. Once they do so, they are automatically exposed to the client-side exploits served by the Black Hole Exploit Kit.

In this post, I’ll profile their latest campaign and the dropped malware. I will also establish a direct connection between this and three other previously profiled malicious campaigns, as well as an ongoing money mule campaign, all of which appear to have been launched by the same cybercriminal/gang of cybercriminals.

More details:

Continue reading

Fake ‘Verizon Wireless Statement” themed emails lead to Black Hole Exploit Kit

Posted on by

By Dancho Danchev

On a periodic basis, cybercriminals are spamvertising malicious campaigns impersonating Verizon Wireless to tens of thousands of Verizon customers across the globe in an attempt to trick them into interacting with the fake emails. Throughout 2012, we intercepted two campaigns pretending to come from the company, followed by another campaign intercepted last month. This tactic largely relies on the life cycle of a particular campaign, intersecting with the publicly generated awareness of its maliciousness.

In this post, I’ll profile one of the most recently spamvertised campaigns impersonating Verizon Wireless. Not surprisingly, once users click on any of the links found in the malicious emails, they’re automatically exposed to the client-side exploits served by the Black Hole Exploit Kit.

More details:

Continue reading

Malicious ‘RE: Your Wire Transfer’ themed emails serve client-side exploits and malware

Posted on by

By Dancho Danchev

Over the last couple of days, we’ve been monitoring a persistent attempt to infect tens of thousands of users with malware through a systematic rotation of multiple social engineering themes. What all of these campaigns have in common is the fact that they all share the same malicious infrastructure.

Let’s profile one of the most recently spamvertised campaigns, and expose the cybercriminals’ complete portfolio of malicious domains, their related name servers, dropped MD5 and its associated run time behavior.

More details:

Continue reading

Malware propagates through localized Facebook Wall posts

Posted on by

By Dancho Danchev

We’ve recently intercepted a localized — to Bulgarian — malware campaign, that’s propagating through Facebook Wall posts. Basically, a malware-infected user would unknowingly post a link+enticing message, in this case “Check it out!“, on their friend’s Walls, in an attempt to abuse their trusted relationship and provoke them to click on the malicious link. Once users click on the link, they’re exposed to the malicious software.

More details:

Continue reading

Spamvertised IRS ‘Income Tax Refund Turned Down’ themed emails lead to Black Hole Exploit Kit

Posted on by

By Dancho Danchev

Its tax season and cybercriminals are mass mailing tens of thousands of IRS (Internal Revenue Service) themed emails in an attempt  to trick users into thinking that their income tax refund has been “turned down”. Once users click on any of the links found in the malicious emails, they’re automatically exposed to the client-side exploits served by the Black Hole Exploit Kit.

More details:

Continue reading

Fake ‘You’ve blocked/disabled your Facebook account’ themed emails serve client-side exploits and malware

Posted on by

By Dancho Danchev

Cybercriminals are currently spamvertising two separate campaigns, impersonating Facebook Inc., in an attempt to trick its users into thinking that their Facebook account has been disabled. What these two campaigns have in common is the fact that the client-side exploits serving domains are both parked on the same IP. Once users click on any of the links found in the malicious emails, they’re exposed to the client-side exploits served by the Black Hole Exploit Kit.

More details:

Continue reading