Tag Archives: vulnerabilities

Cybercriminals release new Java exploits centered exploit kit

Posted on by

By Dancho Danchev

Yesterday, a relatively unknown group of cybercriminals publicly announced the availability of a new Web malware exploitation kit. What’s so special about it is the fact that its current version is entirely based on Java exploits (CVE-2012-1723 and CVE-2013-0431), naturally, with “more exploits to be introduced any time soon”.

Let’s take a peek at the statistics and infection rates produced by this kit, as well as discuss its potential, or lack thereof, to cause widespread damage to endpoints internationally.

More details:

Continue reading

Malicious ‘Data Processing Service’ ACH File ID themed emails serve client-side exploits and malware

Posted on by

By Dancho Danchev

A cybercriminal/gang of cybercriminals that we’ve been closely monitoring for a while now has just launched yet another spam campaign, this time impersonating the “Data Processing Service” company, in an attempt to trick its customers into interacting with the malicious emails. Once they do so, they are automatically exposed to the client-side exploits served by the Black Hole Exploit Kit.

In this post, I’ll profile their latest campaign and the dropped malware. I will also establish a direct connection between this and three other previously profiled malicious campaigns, as well as an ongoing money mule campaign, all of which appear to have been launched by the same cybercriminal/gang of cybercriminals.

More details:

Continue reading

How do we use, secure, and share the information that surrounds us?

Posted on by

mobilesecurityThe mobile landscape has boomed in the last couple of years mostly in part because of Android devices and social networking. This has opened the door for everyone to have access to a smartphone and have the cyber world at their fingertips. Smartphones have become an extension of us, and we now have our email, banking, social networking, television and internet on the go. We live in a world of instant access.

With this excitement and convenience, we may lose track something we take serious is our privacy and security. Looming in this mobile landscape are people who want benefit from our oversight and continuous usage. Continue reading

Fake ‘Verizon Wireless Statement” themed emails lead to Black Hole Exploit Kit

Posted on by

By Dancho Danchev

On a periodic basis, cybercriminals are spamvertising malicious campaigns impersonating Verizon Wireless to tens of thousands of Verizon customers across the globe in an attempt to trick them into interacting with the fake emails. Throughout 2012, we intercepted two campaigns pretending to come from the company, followed by another campaign intercepted last month. This tactic largely relies on the life cycle of a particular campaign, intersecting with the publicly generated awareness of its maliciousness.

In this post, I’ll profile one of the most recently spamvertised campaigns impersonating Verizon Wireless. Not surprisingly, once users click on any of the links found in the malicious emails, they’re automatically exposed to the client-side exploits served by the Black Hole Exploit Kit.

More details:

Continue reading

Malicious ‘RE: Your Wire Transfer’ themed emails serve client-side exploits and malware

Posted on by

By Dancho Danchev

Over the last couple of days, we’ve been monitoring a persistent attempt to infect tens of thousands of users with malware through a systematic rotation of multiple social engineering themes. What all of these campaigns have in common is the fact that they all share the same malicious infrastructure.

Let’s profile one of the most recently spamvertised campaigns, and expose the cybercriminals’ complete portfolio of malicious domains, their related name servers, dropped MD5 and its associated run time behavior.

More details:

Continue reading

Spamvertised IRS ‘Income Tax Refund Turned Down’ themed emails lead to Black Hole Exploit Kit

Posted on by

By Dancho Danchev

Its tax season and cybercriminals are mass mailing tens of thousands of IRS (Internal Revenue Service) themed emails in an attempt  to trick users into thinking that their income tax refund has been “turned down”. Once users click on any of the links found in the malicious emails, they’re automatically exposed to the client-side exploits served by the Black Hole Exploit Kit.

More details:

Continue reading

Fake ‘You’ve blocked/disabled your Facebook account’ themed emails serve client-side exploits and malware

Posted on by

By Dancho Danchev

Cybercriminals are currently spamvertising two separate campaigns, impersonating Facebook Inc., in an attempt to trick its users into thinking that their Facebook account has been disabled. What these two campaigns have in common is the fact that the client-side exploits serving domains are both parked on the same IP. Once users click on any of the links found in the malicious emails, they’re exposed to the client-side exploits served by the Black Hole Exploit Kit.

More details:

Continue reading

Android security tips and Windows AutoRun protection

Posted on by

by Armando Orozco

Sick AndroidRecently, two applications designed with malicious intent were discovered within the Google Play application store.  The apps were built with a façade of being utility cleaners designed to help optimize Android-powered phones, but in reality, both apps had code built in designed to copy private files, including photos, and submit them to remote servers.

The applications, named SuperClean and DroidClean, did not stop there. Researchers also found that the malware was able to AutoRun on Windows PC devices when the phones were paired, and infect the main computer.  The malware was designed to record audio through the computer’s microphone.

AutoRun has often been used as a method of infection, and Microsoft has since sent a security fix out to Windows XP/Vista/7 in order to disable the exploitable element. In some cases, however, the feature might have been re-enabled by the user for convenience or never changed through a backlog of updates.

An application such as this has not been seen in the past, and is showing the creative methods through which malware coders are attempting to break through a computer’s security.  With the Android device acting as a Trojan horse for the infection, malicious code has the potential of bypassing established security parameters that typically keep endpoint users safe within their network.

While Webroot has classified the malicious apps, which have been removed from Google Play’s market, it goes to show that protective steps are necessary on all levels of devices to avoid an infection.  Below, we will highlight the steps you can take to help stay protected from attacks like these.

Android Devices:

  • Ensure the latest version of Webroot SecureAnywhere Mobile is installed from the official Google Play Android app store.

Webroot SecureAnywhere (PC users):

  • Ensure USB shield is enabled (on by default)
    • Steps: Open Webroot > Select PC Security Tab > Select Shields > Slide USB Shield to on (green)
    • Advanced users can modify USB heuristic settings:
      • Steps: Open Webroot > Select PC Security Tab > Select Scan > Select Change Scan Settings > Select Heuristics > Select USB > Select desired protection settings

For all users, we recommend ensuring that AutoRun is disabled on your computer.  Even though Microsoft rolled out updates to disable, it is possible it could be enabled.  Finally, always ensure you scan USB and other connected devices for malware before storing data or using on other PCs.

For more information and to keep up with the conversation, head to our community: http://bit.ly/11RKiFa

Source: SecureList http://www.securelist.com/en/blog/805/Mobile_attacks

‘Your Kindle e-book Amazon receipt’ themed emails lead to Black Hole Exploit Kit

Posted on by

By Dancho Danchev

Kindle owners, watch what you click on!

Cybercriminals are currently attempting to trick Kindle owners into thinking that they’ve received a receipt from an E-book purchase from Amazon.com. In reality, when users click on any of the links found in the malicious emails, they’re automatically exposed to the  client-side exploits served by the Black Hole Exploit Kit.

More details:

Continue reading

Malicious ‘Facebook Account Cancellation Request” themed emails serve client-side exploits and malware

Posted on by

By Dancho Danchev

In December, 2012, we intercepted a professional-looking email that was impersonating Facebook Inc. in an attempt to trick its users into thinking that they’ve received an “Account Cancellation Request“. In reality, once users clicked on the links, their hosts were automatically exploited through outdated and already patched client-side vulnerabilities, which dropped malware on the affected PCs.

Over the past 24 hours, cybercriminals have resumed spamvertising tens of thousands of legitimate-looking Facebook themed emails, once again using the same social engineering theme.

More details:

Continue reading