December 28, 2012 By Dancho Danchev

Webroot’s Threat Blog Most Popular Posts for 2012

It’s that time of the year! The moment when we look back, and reflect on Webroot’s Threat Blog most popular content for 2012.

Which are this year’s most popular posts? What distinguished them from the rest of the analyses published on a daily basis, throughout the entire year?

Let’s find out.

  1. Managed SMS spamming services going mainstream – Have you received SMS spam recently? You’re not the only one. Thanks to managed SMS spamming services available at selected cybercrime-friendly online communities, cybercriminals now have access to millions of verified phone numbers, segmented on a per country/per city basis, allowing them to better tailor their fraudulent, or purely malicious campaign, in a cost-effective manner. What’s worth emphasizing on this emerging market segment is that cybercriminals are already capable of spamvertising malicious MMS attachments to prospective victims of their malicious/fraudulent campaigns. By ensuring that their campaigns possess valid mobile phone numbers before spamvertising them, it’s only a matter of time before we start intercepting malicious campaigns containing legitimately looking messages, and that also includes the attachments.
  2. Spamvertised ‘Pizzeria Order Details’ themed campaign serving client-side exploits and malware – Despite the rise of APT (advanced persistent threat) campaigns, most commonly known as targeted attacks, cybercriminals are still pursuing the masses. This mass marketing communication model can be best seen in the second most popular post for 2012, the fake ‘Pizzeria Order Details’ emails that exposed pizza lovers to the client-side exploits served by the Black Hole Exploit Kit.
  3. A peek inside the Darkness (Optima) DDoS Bot – On a periodic basis, cybercriminals looking for new revenue sources and ways to differentiate their underground market proposition release DIY (do-it-yourself) malware bots/loaders, either re-introducing key features available in competing releases or actually innovating with new features. The third most popular post for this year detailed the features of the Darkness (Optima) DIY DDoS Bot.
  4. Millions of harvested U.S government and U.S military email addresses offered for sale – 2012 marked the peak of cyber espionage campaigns launched by multiple characters across the Web. Meanwhile, on a periodic basis, reports released by the US government blamed China as being the single most persistent cyber espionage player in the world. In fact, a huge percentage of APT campaigns started using spear phishing emails. So it’s not a surprise that during 2012 we stumbled upon a service offering access to millions of harvested US government and US military emails, which is just the tip of the iceberg.
  5. Poison Ivy trojan spreading across Skype – Thanks to today’s highly modular malware bots/loaders released in a DIY (do-it-yourself) fashion, the entry barriers into the profitable world of cybercrime are getting increasingly lower. What this particular analysis emphasized is just how easy it is to launch a malware campaign that automatically propagates across Skype, ultimately dropping a copy of a commercially available RAT (Remote Access Tool).
  6. A peek inside a boutique cybercrime-friendly E-shop – The “a peek inside a boutique cybercrime-friendly E-shop” post aimed to showcase the degree of professionalism applied by new market entrants in the world of cybercrime, their penetration pricing schemes, and just how prevalent their boutique E-shops really are. Consider also going through Part Two, Part Three, Part Four and Part Five of the series.
  7. New underground service offers access to hundreds of hacked PCs – Although these services have been available to cybercriminals for years, in 2012 we once again witnessed an increased growth in their overall availability. Seeking more customers, where the trade-off is undermined OPSEC (Operational Security), services that were once exclusively available at invite-only cybercrime-friendly communities started getting advertised at publicly accessible forums. We expect this trend to continue throughout 2013, with the cybercriminals operating these services proving that they can remain anonymous and continue offering them on the public Web.
  8. Tens of thousands of websites affected in ongoing mass SQL injection attack – With hundreds of thousands of websites continuing to run on outdated software, it shouldn’t be surprising that cybercriminals continue to efficiently exploit them in an attempt to target the visitors of these sites. In this analysis, we profiled a mass SQL injection attack, similar to the mass SQL injection attacks we expect to see in 2013, thanks to the freely available bot modules/DIY tools performing search engines’ reconnaissance for vulnerable websites.
  9. DDoS for hire services offering to ‘take down your competitor’s web sites’ going mainstream – Dislike the competition? Want to directly affect their revenues? It’s never been easier to launch a Distributed Denial of Service (DDoS) attack against them, thanks to an evident increase in the overall availability of DDoS for hire services. Next to the availability, it’s worth emphasizing the relatively cheap prices for requesting such types of attacks, thanks to the penetration pricing schemes introduced by novice cybercriminals who want to achieve financial liquidity for their assets (malware infected hosts) before they lose access to them, one way or another. We expect to see a systematic decrease of these prices, next to an increase in the overall number of unique services offering DDoS for hire.
  10. A peek inside the Cythosia v2 DDoS Bot – The 10th most popular post for 2012 offered a detailed overview of yet another released DIY DDoS bot, the Cythosia v2 DDoS bot. It’s a logical progression of the “A peek inside” series. Continue going through related analyses of malware bots/loaders profiled in 2012, such as uBot, the Umbra malware loader, the PickPocket Botnet, the Smoke Malware Loader, the Elite Malware Loader, and the Ann Malware Loader.

Thank you for being a regular blog reader, for sharing this timely and insightful threat intelligence with your friends and colleagues, and for your feedback! Keep it coming, and see you all in 2013!

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.
