Over the past several days, cybercriminals have been persistently spamvertising thousands of exploits and malware serving links across the most popular micro blogging service. Upon clicking on the clicks, users are exposed to the exploits served by the Black Hole web malware exploitation kit.
What’s so special about this campaign? What’s the detection rate of the malware it drops? Where does it phone back once it’s executed? Have we seen additional malware phone back to the same command and control servers, indication a connection between these campaigns? Let’s find out.
American Airlines customers, watch where you click! Cybercriminals are currently spamvertising millions of emails impersonating the company in an attempt to trick end and corporate users into clicking on the malicious links found in the spamvertised email.
Upon execution, the campaign redirects users to a Black Hole exploit kit landing URL, where client-side exploits are served against outdated third-party software and browser plugins.
Cybercriminals are masters of multi-tasking. For instance, whenever a web server gets compromised, they will not only use its clean IP reputation to host phishing, spam and malware samples on it, they will also sell access to the shell allowing other cybercriminals the opportunity to engage in related malicious activities such as, mass scanning of remotely exploitable web application vulnerabilities.
Today, I intercepted a currently active phishing campaign that’s a good example of a popular tactic used by cybercriminal known as ‘campaign optimization’. The reason this campaign is well optimized it due to the fact that as it simultaneously targets Gmail, Yahoo, AOL and Windows Hotmail email users.
Every super hero has an arch nemesis. For a lot of Threat Researchers, including myself, Rogue Security Products, or better known as FakeAV, is theirs. Back in the day when I was primarily a PC malware fighter, FakeAV was a prevalent threat that was always coming up with new ways to infect users nearly every other day. I knew it was only a matter of time that the same malware authors would turn mobile. I am afraid those days are upon us. How could I ever forget such an identifiable logo:
“Android Security Suite Premium”… yeah, right! This spy which is being called Android.FakeSecSuit retrieves incoming sms messages, extracts the phone number and message, and then sends the stolen info off:
As you can see in the GET command from the PCAP, highlighted in blue is the phone number and message I sent to my test phone now being sent off to a site.
Now that the developers of the popular FakeAV malware have entered into the mobile world expect to to see a lot more variations of this… and if they follow the same pattern as they did in the PC world, I mean A LOT! We are seeing it in Torrents and/or alternative markets. Remember, when downloading Android apps choose them wisely and download from a trusted source. Check reviews, research the developer and verify permissions requested before downloading. And of course, scan with Webroot SecureAnywhere Mobile.
End and corporate users, and especially CareerBuilder users, beware!
Cybercriminals are currently spamvertising millions of emails impersonating the popular jobs portal CareerBuilder in an attempt to trick users into clicking on client-side exploits serving links.
The current campaign, originally circulating in the wild since 26 Apr, 2012, is a great example of a lack of QA (quality assurance) since they’re spamvertising a binary that’s largely detected by the security community.
End and corporate users (and especially Pizza eaters), beware!
Cybercriminals are currently spamvertising hundreds of thousands of emails, impersonating FLORENTINO`s Pizzeria, and enticing users into clicking on a client-side exploits and malware serving link in order to cancel a $169.90 order that they never really made.
What are some of the latest developments in this field?
Meet Sweet Orange, one of the most recently released web malware exploitation kits, available for sale at selected invite-only cybercrime-friendly communities.
What’s so special about Sweet Orange? Does it come with customer support? What client-side exploits is it serving? How are the Russian cybercriminals behind it differentiating their underground market proposition in comparison with competing kits, such as the market leading Black Hole web malware exploitation kit?
The trend is largely driven by what Webroot is observing as an increase in underground market propositions offering managed SMS spamming services to new market entrants not interested in building and maintaining the spamming infrastructure on their own.
In this post, I’ll profile a recently advertised managed service offering SMS spamming capabilities to potential customers, discuss the latest innovations in this field, their impact to mobile security, and what are some of the key factors contributing to the growth of SMS spam.
According to Microsoft, the company has already observed targeted malware attacks taking advantage of the MS12-027 vulnerability. In order to mitigate the risks posed by these currently circulating targeted attacks, the company is advising users to disable the ActiveX controls via the Trust Center Settings > ActiveX Settings, option.