The keys to the virtual kingdom, and the holy grail of Internet thieves.
By Dancho Danchev
Participants in the dynamic cybercrime underground ecosystem are constantly working on new cybercrime-friendly releases in the form of malware bots, Remote Access Tools (RATs) and malware loaders.
Continuing the “A peek inside…” series, in this post I will profile yet another DIY (do-it-yourself) malware bot, available at the disposal of cybercriminals at selected cybercrime-friendly online communities.
By Dancho Danchev
Security researchers from Webroot have intercepted a currently active, client-side exploits-serving malicious campaign that has already managed to infect 18,544 computers across the globe, through the BlackHole web malware exploitation kit.
More details:
By Dancho Danchev
Just like in every other industry, participants in the cybercrime ecosystem are no strangers to the concept of standardization. Standardization results in efficiencies, which on the other hand results in economies of scale. In this case, malicious economies of scale.
Just how easy is it to launch a phishing attack nowadays? What tools, and tactics are at the disposal of phishers aiming to efficiently socially engineer hundreds of thousands of users?
In this post, I will profile the Ninja V0.4 Social Engineering Phishing Framework – an advanced platform for executing phishing attacks in a DIY (do-it-yourself) fashion.
by Dancho Danchev
Just how easy is it to hack someone’s email nowadays? Very easy as the process is offered as a managed service within the cybercrime ecosystem.
Over the past couple of months, I have been monitoring an increase in managed email hacking services. These services basically offered everyone the ability to claim someone else’s email through email hacking performed on behalf of the vendor. Such services have been circulating in the wild since early 2008. Shall we take a peek at their latest market proposition?
Let’s profile a managed email hacking service offering to hack Gmail and Yahoo accounts.
By Andrew Brandt
I’m very pleased to present today the first in a series of videos we’ve produced. The videos have the lofty goal of addressing the most pressing questions relating to malware, cybercrime, and online fraud. We’ll take you behind the scenes at Webroot and introduce you to some of our Threat Research team in the process.
In this first video, Webroot’s Director of Threat Research, Jeff Horne, answers a question submitted to us via Twitter direct message about the motives behind most cybercrime, and whether there are any examples of malware or other types of malicious online activity that have been motivated by anything other than financial gain.
We’re planning to release a new video every other Monday from now on. When you’ve thought of that question you always wanted to know the answer to, tweet @webroot or send an email to blog (at) webroot.com, and we’ll answer the ones about cybercrime. We’ll try not to disappoint, but offer no promises. If you think of questions about something else, send them to Dr. Phil or Craig. We look forward to your letters!
By Andrew Brandt
For a couple of weeks now, I’ve been noticing a curious (and increasingly prevalent) phenomenon: Some of the free Web hosts popular among those who engage in phishing are popping new types of multimedia ads over the tops of the pages they host. Not only does the victim, in this case, risk having their login credentials to banks or social media sites phished, but many of those ads behave almost identically to “missing codec” social engineering scams that have been popular among malware distributors for years.
The ads — and I use the term very loosely, because these contrivances fall well over the shady side of the ethical line for online advertisements — appear in banners or (in the multimedia-heavy version) glide down in front of the page the Web surfer happens to be browsing, annoyingly obscuring the page. In most cases, these “ads” take on the appearance of some sort of media player window that appears to be stuck in a “video loading” loop, but this is a ruse. There is no media player. The Flash animation is designed to look like one, with the goal to convince the viewer to click the fake video player window, which initiates the download of something called XvidSetup.exe from a server on the domain appbundler.net.
That domain, as well as appbundler.com and clickpotato.tv, appear to be owned by a company with a less than stellar online reputation called Pinball Corp. The executables are not malware, but they also don’t entirely do what they say they will, either. And while the programs also distribute an old, outdated version of the XviD codec (in addition to other sponsored apps, more about this below), they do so without the permission of the publisher of that software, and possibly in vi0lation of the GPL software license terms that XviD uses. A new term of art seems to be required to describe this type of advertising; I propose calling the ads scads, a concatenation of scam and ads. Scadware describes the fraudulent software more precisely than the prosaic Potentially Unwanted Application.
The deceptive way in which Pinball Corp’s ad convinces users to download and install the sponsored software certainly leaves a bad taste in my mouth. Read on for the details.
By Ian Moyse, EMEA Channel Director
We seem to take phishing attacks for granted these days, in much the same way that we’ve accepted spam as a natural, and inevitable, by-product of email. Some experts believe that one of the best solutions to thwart phishing attacks is end-user training, but I doubt training alone can be a viable solution. Can we really train every computer user to be sufficiently security literate, such that anyone can distinguish a phishing message from a genuine bank email? I doubt that it is possible, especially given how specific the details in spear phishing (phishing targeted at specific people and/or companies) attacks have become.
It used to be that thieves could satiate their hunger for evil (and money) merely through the emulation of a consumer bank or a PayPal login screen. While those low-hanging-fruit scams show no signs of abating, even following some major busts of phishing rings, we’ve seen new types of phishing attacks that wear the mask of a Web security product, persuading users to follow through on fake spam quarantine messages, or security update alerts, sometimes using the name of real vendors. It’s all very plausible.
Unfortunately, the average user is not a trained security expert—and why should he or she be? Criminals lure us into phishing and email scams in much the same way that street cons lure some people into losing their wallet at Three-card Monte. We let our curiosity get the best of us, and at times can be gullible. Like street hustlers, cybercriminals aren’t afraid to experiment with hacking our inclinations (or, as many security experts call it, social engineering). The volume of phishing attacks has increased, as have their variety and sophistication. Even security experts struggle to identify some of the fakes.
The phishers cast their rods farther and with more efficiency than ever before. They can easily download phishing site creation tools (yes they exist) and produce convincing messages and pages. Expecting an average PC user to beat these guys without any help is tantamount to pitting an average golfer against Tiger Woods (albeit a few years ago; no offense, Tiger). The criminal’s job is to create online scams that work, and the returns on their investments are huge. Why would we expect non-criminally-minded users to be more adept at spotting scams, than scammers are at reeling in the users?
Technology has to step up its game. We need to continue to make it harder and less lucrative for online scammers to do their “jobs.” That’s really the most effective way to stop phishers from attacking our end users.
By Jeff Horne, Director, Threat Research
As tax season rolls around again in the US and UK, it seems like a good time to revisit the perils taxpayers face seemingly every year at around this time.
Phishing attacks against taxpayers are already in full swing — not that they haven’t been going continuously since last year. But this is high season for scams involving Web pages that look like the IRS or HMRC’s own Web site.
Scam messages typically contain dire warnings or outrageously large promises for a refund. The messages often are presented as if they originate from a tax authority, but contain links leading to phishing Web pages, or malicious attached files.
These scam pages typically appear to look exactly like a page on the real IRS or HMRC Web site. If you receive such a message, don’t reply to the sender, don’t email any sensitive information, and don’t follow any link in the message.
The pages promise to automatically transfer a tax refund to the recipient’s bank account, if you only would provide the scam artist with your complete banking, credit card, and personal details.
By Andrew Brandt
With 2010 finally behind us, and an unknown number of cyberattacks likely to come in the new year, I thought I’d run down a brief list of the malicious campaigns criminals pulled off last year that I’d really dread to see anyone repeat. Now that they’re in the past, they should stay there.
Operation Aurora: Google’s accusation (with Adobe, Juniper Networks, Rackspace, Yahoo! and Symantec) that China hacked its servers, allegedly stealing private emails stored on the company’s servers. The big surprise wasn’t that it was happening, but that companies were publicly talking about it.
Abused ccTLDs: 2010 saw lots more malicious content originating from previously un-abused country code top-level domains, which are assigned to national authorities, such as the .in (India) and .cc (Cocos (Keeling) Islands) top-level domains. The Cocos Islands’ .cc domain deserves particular note because the more than 2200 malicious domains (discovered during 2010) hosted under this ccTLD outnumber the approximately 600 human inhabitants of the tiny archipelago by nearly 4-to-1.
Koobface: “the little social network worm that could” employed new URL obfuscation techniques, introduced its own keylogger, and focused efforts on a smaller number of social media sites, while Facebook got more proactive at shutting down the worm’s operations quickly. Maybe this year they’ll disappear altogether.
By Gerhard Eschelbeck
As 2010 winds down, I wanted to pull out the crystal ball and talk for a moment about where the security industry seems to be heading in the coming year, and where we anticipate threats and targets.
Mobile platforms: If you’re reading this, there’s a good chance you have either an iPhone, an Android phone, or a Blackberry in your pocket, case, or on your desk right now. If that’s true, then the data on that device is the next big target for criminals, and the newest front in the war on cybercrime. Users have embraced the advantages of mobile platforms, and even though IT admins may officially consider some or all of them “unsupported” in some organizations, you can’t abandon users who will choose convenience over strict IT policy. I predict that mobile platforms will continue to grow at a rapid pace, and we’ll soon reach the threshold level where malware creators start to take notice in significant numbers. IT admins should embrace these new platforms, and take steps to protect users who insist upon having them, even though doing so may make their work harder.
Social engineering: Whether you use a single PC at home, or manage a network of 25,000 laptops and desktops at work, social engineering scams have become so convincing that it’s a wonder IT admins ever get a good night’s rest.
It doesn’t matter how comprehensive your patch and update schedule is — when a sufficiently convincing spam email reaches a gullible employee, all bets are off. With targeted attacks becoming more common, the best defense against this threat continues to be education. Every user, from the newest administrative assistant to the C-level executives, needs training in identifying and avoiding fraudulent email and other messages, harmful file attachments, and Internet behavior that can lead to trouble.
Cloud vs. Desktop: We’ve seen demand for cloud-based services increasing across all segments of the business. In small and medium-sized businesses, we’re continuing to see strong demand for cloud-based solutions, and we expect that to continue next year. Overworked admins like the ease of administration and the performance benefits of cloud security services. And for the first time, we’re seeing consumers getting interested in the advantages the cloud brings to PC protection, including the speed that updates make it to the user of an infected computer.
At the larger end of the enterprise business segment, IT administrators must juggle the requirements of government regulations with the performance advantages that cloud services have to offer. In those cases where security regulations may not permit some kinds of data to move out into the wider Internet, we’ve seen a demand for what we call private cloud architecture — something that offers the performance benefits and features of a cloud solution, within an organization, while, at the same time, satisfying regulatory constraints on how companies move or store data.
We also can see how criminals have developed a taste for the vast volumes of sensitive data stored in the cloud, and anticipate that malware creators and other attackers will try to steal data stored in the cloud with increasing frequency.
Security Updates: More than 60 percent of malware attacks come from known vulnerabilities, so no matter whether you’re a one-person shop, or manage many thousands of desktops, maintaining not only the operating system but also the third party applications on which you (and your organization) depend should be a top priority. Besides office applications, attacks in the past year have focused on programs like Adobe Reader, Java, Flash, AutoCAD, media players, graphic design tools, and various browsers and browser plug-ins. IT departments should never let a new computer get to an employee that has anything older than the very latest build of these critical applications.
Consolidation: While not expressly a security trend, larger companies — some in the security space, and some that have not previously played there — have been augmenting their offerings. Intel’s purchase of McAfee, for example, appears to extend their platform beyond mere chipmaking. Other acquisitions, such as Webroot’s purchase of Brightcloud and Prevx, help companies acquire capabilities that can defend against, or remediate, a specific kind of threat. HP, IBM, and Symantec have done similar things, and with each acquisition, the companies gain another part of a toolkit they can use to respond to emerging threats. We expect to see more companies in this space merge and transform themselves over the next year.
