It’s that time of the year! The moment when we reflect back on the cybercrime tactics, techniques and procedures (TTPs) that shaped 2013, in order to constructively speculate on what’s to come for 2014 in terms of fraudulent and malicious campaigns, orchestrated by opportunistic cybercriminal adversaries across the globe. Throughout 2013, we continued to observe and profile TTPs, which were crucial for the success, profitability and growth of the cybercrime ecosystem internationally, such as, for instance, widespread proliferation of the campaigns, professionalism and the implementation of basic business/economic/marketing concepts, improved QA (Quality Assurance), vertical integration in an attempt to occupy market share across multiple verticals, as well as the re-emergence of known, and well proven cybercrime-friendly concepts like standardization and DIY (do-it-yourself) type of propositions.
Eager to learn more? Keep reading!
This comprehensive summary will answer the following questions:
- Which were the most prolific malware/client-side exploits serving/social engineering driven campaigns that popped up on our radar, what exploitation tactics did they rely on, and what made them so successful in the first place?
- Which were the most commonly abused trusted/legitimate/reputable company names throughout 2013?
- Which was the most efficient concept through which cybercriminals monetized their campaigns?
- Why did the bad guys resurrect old school cybercrime-friendly concepts in 2013, and were they successful in their re-implementation?
- Is it easier to become a cybercriminal in 2013, than it was in 2012?
- What were the most noticeable examples of malicious/fraudulent ‘innovation’ introduced by the bad guys in 2013?
Let’s list the cybercrime trends that shaped 2013, discussing each of them in depth to further elaborate on our observations.
Top Cybercrime Trends That Shaped 2013
- The rise and fall of Paunch and the market leading Blackhole Web malware exploitation kit – The Blackhole Web malware exploitation kit represented the primary growth factor for a huge percentage of the successful client-side exploits serving campaigns throughout 2013, until Paunch — the kit’s author — and his gang got arrested, leading to an evident decline in malicious Web activity, which was once attributed to the sophistication and systematic updates pushed to the kit’s customers. Not only did the Blackhole Web malware exploitation kit occupy the largest share of malicious Web activity, but the ‘vertical market integration’ done by Paunch in the face of his managed ‘value-added’ script/iframe crypting service further expanded the kit author’s market share of malicious Web activity throughout the year. Naturally, we kept a decent percentage of the malicious campaigns circulating in the wild back then under close monitoring, and successfully profiled and protected against the following campaigns affecting major trusted/legitimate/reputable brands – two instances of Verizon Wireless themed campaigns, the BBB (Better Business Bureau), rogue bank reports themed campaign, rogue Ebay purchase confirmations, AICPA, U.S. Airways, two instances of ADP themed campaigns, EFTPS, Intuit, LinkedIn, PayPal, FedEx, Amazon, Facebook, IRS, two instances of rogue Wire Transfer themed campaigns, Data Processing Service, CNN, and the BBC were all impersonated to participate in client-side exploits serving and malware-dropping campaigns relying on the Blackhole Web malware exploitation kit. Despite the existence of competing Web malware exploitation offerings that continued to receive updates and offer support in 2013, the Blackhole Web malware exploitation kit’s leading market share attracted the necessary law enforcement attention, ending an era of a monetized, efficiency-oriented client-side exploitation process that has affected millions of users over the year.
Due to the easy-to-anticipate demand for a quality and sophisticated enough competing offering, we believe it’s only a matter of time before current market segment offerings either reach the sophistication of the Blackhole kit, or a new market entrant once again leads the segment with a leadership market share position in 2014.
- The continued development of the TDoS (Telephony Denial of Service) market segment – 2013 marked an important year in the development of a market segment that is extremely popular within Russia/Eastern Europe, the TDoS (Telephony Denial of Service) market segment. Thanks to a lethal combination of managed services and commercially available DIY (do-it-yourself) TDoS tools, unethical competitors and average cybercriminals continued launching TDoS attacks against the competition, or against prospective victims in an attempt to deny them the ability to realize that they’re about to get virtually robbed; when performed with ‘perfect timing’, the practice successfully undermines the phone/SMS based suspicious transaction verification process where applicable. The market further developed thanks to the ‘vertical integration’ applied by DDoS (Distributed Denial of Service) vendors, who also started offering TDoS attack capabilities to prospective customers. With the ease of obtaining compromised SIP accounts at legitimate providers, their lack of implemented self-policing processes, as well as the prevalence of DIY TDoS tools abusing legitimate services such as Skype, ICQ or a mobile carrier’s mail2sms feature, cybercriminals remain in a perfect position to continue launching this type of attack in 2014.
- The proliferation of PUAs (Potentially Unwanted Applications), successfully infiltrating major ad networks – Potentially Unwanted Applications (PUAs) continued representing an ever-green market segment, primarily driven by visual social engineering campaigns that attempt to trick users into installing privacy-violating applications on their hosts. Throughout 2013, we kept a decent percentage of the most prolific PUA campaigns on a short leash; their traffic acquisition tactics relied on the unethical use of major ad networks for the purpose of displaying catchy ads. Some notable examples of PUA families that we kept track of, and protected our users against, included, but are not limited to – iLivid’s ‘Searchqu Toolbar/Search Suite’ PUA, the SafeMonitorApp PUA, the KingTranslate PUA, the ‘Oops Video Player’ PUA, two instances of InstallCore PUA pushed campaigns, two instances of Somoto.BetterInstaller PUA, the InstallBrain PUA, the Bundlore PUA, the Mipony/FunMoods Toolbar PUA, the EzDownloaderpro PUA, the SpyAlertApp PUA, and the BubbleDock/Downware/DownloadWare PUA.
- Managed cybercrime services continued professionalizing and implementing basic business concepts in order to attract new customers – Throughout 2013, we continued to observe an increase in managed cybercrime-as-a-service type of propositions, with the vendors behind the services ‘innovating’ by filling in market niches, and consequently developing new market segments that we’ll continue to closely monitor in 2014, due to the natural competition that will arise from the existence of these newly launched services. Next to managed services that are ubiquitous for the cybercrime ecosystem, like script/iframe crypting, DIY (do-it-yourself) Web based malware crypting as a service, or the recently emerged ‘bulletproof botnet hosting+setting up‘ type of services targeting primarily novice cybercriminals, the bad guys also ‘innovated’ by launching never before (publicly) released managed self-service type of products/services such as, for instance – managed ransomware services, DIY automatic Web site hacking services, hacked/compromised shells as a service, cybercrime-friendly redirector generation as a service, as well as Operational Security (OPSEC) oriented propositions for non-attributable SIM cards, whose destruction once utilized for fraudulent/malicious activity could be requested as a service.
- Evident increase in cybercrime-friendly affiliate networks for cross-mobile-operating-system (OS) malware – In 2013, we observed a logical development within the cybercrime ecosystem, namely, the general availability of affiliate networks for mobile malware, as a way for cybercriminals to create a win-win-lose scenario for themselves, the network’s participants, and the prospective victims. Taking into consideration efficiency, sophistication, and revenue-sharing schemes, we expect to continue observing an increase in this type of affiliate network monetizing malware-infected mobile devices, like the one we profiled earlier this year.
- The re-emergence of cybercrime-friendly traffic exchanges, now exclusively supplying ‘mobile traffic’ for malware conversion – Underground market traffic exchanges have always been an inseparable part of the traffic acquisition of the modern cybercriminal. However, over the last couple of years these very same cybercriminals started specializing in related traffic acquisition tactics such as malvertising, RFI (Remote File Inclusion)/SQL injections, blackhat SEO (search engine optimization), direct compromise of high-trafficked Web sites, and social engineering driven spam campaigns, resulting in a modest decline of the sophisticated traffic exchanges we “got used to” observing over the years. It didn’t take long for the concept to re-emerge, with an interesting twist. In 2013, we not only observed an increase in the public availability of such traffic exchanges/marketplaces, but also the direct offering of ‘mobile traffic’ to be later on converted into infected mobile devices, by exposing them to malicious/fraudulent content tailored to mobile users only.
- Mobile spammers continued developing new cybercrime-friendly tools, signaling that the market segment is alive and well – With SMS spam increasing, a logical question emerges in the mind of the targeted recipient – how do the spammers know my mobile number? Throughout 2013, we continued to actively monitor this market segment, providing factual evidence on the prevalence of DIY mobile number harvesting tools, DIY tools for cost-effective validation that these numbers actually work, as well as managed services capable of supplying spammers with geolocated mobile numbers, potentially improving the success of their campaigns thanks to the basic targeted marketing that could be applied to them. Thanks to the general/commercial availability of these tools, mobile spammers will continue to be in a perfect position to launch successful social engineering driven SMS/MMS based campaigns.
- Cybercriminals ‘innovated’ within the flourishing market segment for fake IDs, passports, utility bills, certificates and diplomas – The demand and supply for fake IDs, passports, utility bills, certificates and diplomas continued to grow throughout the year, with the cybercriminals behind this ever-green cybercrime ecosystem market segment actually ‘innovating’ with an efficiency-oriented mentality in mind. Case in point – a service for fake scanned documents that possesses a database of passport-sized photos of real people, and that fully randomizes the scanned output from a technical perspective, in an attempt to prevent the detection of an entire set of automatically, on-the-fly generated fake documents while the service is in use. The concept marked a new milestone in the market segment, thanks to the utilization of the ecosystem-wide, efficiency-oriented tactic, with QA (Quality Assurance) elements in place. From a unique value proposition (UVP) in 2013, the concept will inevitably get widespread adoption across competing services, further undermining remote authentication processes that rely on scanned documents as the primary means of verifying the identity of a user/customer.
- Facebook themed malicious campaigns, including the ubiquitous “Who’s Viewed Your Profile” privacy-invading campaign, exposed millions of users to rogue applications, privacy-violating browser extensions, Android/Windows adware/malware – Popularity has always been proportional to a decent degree of brand-associated malicious and fraudulent activity online. In 2013, cybercriminals systematically and efficiently targeted Facebook users with multiple campaigns, exposing them to a cocktail of malicious/privacy-violating cross-platform ‘releases’. Multiple campaigns were launched, and naturally profiled and disrupted. For instance, the fraudulent ‘Facebook Profile Spy’ themed campaign, the fraudulent ‘Rihanna & Chris Brown S3X Video’ campaign, the spamvertised ‘Friend Confirmation Request’ campaign, followed by yet another spamvertised ‘You have friend suggestions, friend requests, and photo tags’ themed campaign, and the massive ‘Who’s Viewed Your Facebook Profile’ campaigns, which exposed over 1 million Facebook users to fraudulent and malicious content.
- Hacked accounts and compromised-hosts-as-a-service type of underground market propositions continued proliferating – The steady supply of hacked-PCs-as-a-service and compromised-accounts-as-a-service that we observed in 2013 continues to result in the inevitable commoditization of these underground market items. We attribute this trend to the general availability of DIY/public/leaked and, of course, affordable commercially available malware/botnet generating tools, empowering novice cybercriminals, who’d later on seek profitable ways to monetize the fraudulently obtained accounting data/actual access to hacked/compromised hosts. Naturally, this ongoing commoditization is poised to lower the prices of these items, with only a small number of vendors commanding high prices, largely relying on the customer’s understanding/situational awareness in terms of the underground market’s transparency model.
- Gamers got targeted through several cybercrime-friendly tools and services selling direct access to their data mined/brute-forced accounting data – Throughout 2013, gamers were the targets of cybercriminals empowering fellow cybercriminals, not just with DIY brute-forcing/spamming tools, but also with actual access to compromised accounting data for the most popular gaming platforms. The niche market segment gained the attention of cybercriminals who, relying on basic marketing concepts such as segmentation, started monetizing it, while relying on proven TTPs such as platform/Web site specific data harvesting, brute-forcing, or plain simple data mining of a botnet’s ‘infected population’ for accounting data.
- ‘Routine’ spam campaigns with malicious attachments systematically rotating the impersonated brands were an everyday reality – In 2013, we intercepted tens of millions of purely malicious emails, whose reliance on good old-fashioned social engineering tactics, in combination with the systematic rotation of the impersonated trusted and legitimate brands, empowered cybercriminals with the necessary ‘infection rates’ to keep their botnets fully operational. Which brands got impersonated in these campaigns? FedEx, two instances of BofA themed campaigns, ADP, American Airlines, DHL, FedWire, two instances of Citibank themed campaigns, Vodafone, NYC’s DMV, three instances of Vodafone U.K themed campaigns, Westminster Hotel, iGO4, two instances of iPhone themed campaigns, O2, two instances of T-Mobile themed campaigns, Xerox, two instances of WhatsApp themed campaigns, HSBC, T-Mobile U.K, as well as multiple generic spamvertised malware campaigns – Changelog themed campaign, Helicopter Order themed campaign, Magic Malware spam run, Export License Payment, Unsuccessful Fax Transmission, Export License Invoice, FW:File themed campaign, Important Company Reports, Annual Form STD-261 themed campaign, and an instance of the October’s Billing BAC themed campaign.
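The rotating-brand campaigns above share two cheap-to-check traits: a display name that claims a well-known brand while the envelope sender lives on an unrelated domain, and an attachment that is an archive or executable (often behind a double extension). The following triage script, added here as an illustration and not part of the original post or any product described in it, flags both traits over a handful of constructed messages. The brand-to-domain table is an assumption chosen for the example, not a vetted allow-list, and every sample header is made up.

```python
import re
from email.utils import parseaddr

# Hypothetical brand watch list: display-name keyword -> domains the brand is
# assumed to mail from. Illustrative assumption only; a real deployment would
# maintain this list from the organisation's own mail-flow data.
BRAND_DOMAINS = {
    "fedex": {"fedex.com"},
    "adp": {"adp.com"},
    "dhl": {"dhl.com"},
    "citibank": {"citi.com", "citibank.com"},
}

# Attachment names typical of malware-carrying spam: archives and executables,
# which also catches the double-extension trick ("Invoice.pdf.exe").
RISKY_EXT = re.compile(r"\.(exe|scr|pif|com|bat|cmd|js|jar|zip|rar)$", re.IGNORECASE)


def sender_domain(from_header):
    """Return (display_name, domain) from a From: header, both lower-cased."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    return name.lower(), domain


def impersonated_brand(from_header):
    """Return the brand the display name claims when the sender domain is not
    one the brand uses (or a subdomain of it); None when nothing is claimed
    or the domain is consistent with the claim."""
    name, domain = sender_domain(from_header)
    for brand, domains in BRAND_DOMAINS.items():
        if re.search(r"\b" + re.escape(brand) + r"\b", name):
            if not any(domain == d or domain.endswith("." + d) for d in domains):
                return brand
    return None


def risky_attachments(names):
    """Return the attachment names whose extension is on the risky list."""
    return [n for n in names if RISKY_EXT.search(n)]


def score_message(msg):
    """Return a list of human-readable reasons the message looks like
    brand-impersonating malspam; an empty list means no heuristic fired."""
    reasons = []
    brand = impersonated_brand(msg["from"])
    if brand:
        _, domain = sender_domain(msg["from"])
        reasons.append(f"display name claims '{brand}' but sender domain is '{domain}'")
    risky = risky_attachments(msg.get("attachments", []))
    if risky:
        reasons.append("risky attachment(s): " + ", ".join(risky))
    return reasons


# Constructed sample messages (not real intercepted mail).
SAMPLES = [
    {"from": "FedEx Customer Service <tracking@fedex-delivery-notice.example>",
     "subject": "Your parcel could not be delivered",
     "attachments": ["FedEx_Label_ID7721.zip"]},
    {"from": "ADP Payroll <no-reply@mail.adp.com>",
     "subject": "Payroll statement",
     "attachments": ["statement.pdf"]},
    {"from": "Citibank Alerts <alerts@citi.com>",
     "subject": "Statement",
     "attachments": []},
    {"from": "DHL Express <info@dhl-express-track.example>",
     "subject": "Shipment notice",
     "attachments": ["Shipment_Details.pdf.exe"]},
]


def triage(samples=SAMPLES):
    """Map each sample's subject to the reasons it was flagged."""
    return {m["subject"]: score_message(m) for m in samples}


if __name__ == "__main__":
    for subject, reasons in triage().items():
        print(subject, "->", reasons or ["clean"])
```

The two legitimate-looking samples pass because their sender domains match the brand table, while both spoofed ones are flagged twice: once for the domain mismatch and once for the attachment. Treat the output as a triage signal to feed into sandboxing or quarantine rather than a verdict; a brand mailing from a new, unlisted domain will look identical to a spoof until the table is updated.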
- Money mule recruiters continued ‘innovating’ – With risk-forwarding still representing an inseparable part of the cybercrime ecosystem even in 2013, throughout the year we observed one interesting, once again efficiency-driven ‘innovation’ related to the processing of Western Union themed transfers, followed by another interesting, this time very persistent and prolific, high-profit-margin oriented money mule recruitment campaign targeting company owners. These cases led us to believe that the ubiquitous risk-forwarding practice relying on gullible mules will continue to mature in terms of new value-added services by major money mule recruitment syndicates, whereas they’d still rely on legitimate cross-country based hosting infrastructure for the actual recruitment pages/management interfaces.
- Spam-friendly bulletproof SMTP servers made a comeback – Yet another trend that we observed in 2013, was the re-emergence of the bulletproof cybercrime-friendly SMTP server as a service, a surprising resurrection of an old, but proven tactic applied by cybercriminals who’d want to establish ‘touch points’ with prospective victims through email messages. Not only were vendors filling in the re-emerging market niche, but also, some were vertically integrating/adding related value-added services, in an attempt to either position themselves as one-stop-Eshops or occupy a bigger market share within the entire market segment.
- DIY automatic account registration tools continued attracting the attention of vendors filling in the niche market segment – The automatic generation of rogue/bogus/fake accounts continued representing a growing market segment, with multiple tools getting released during the year, affecting popular Web properties such as, for instance, YouTube, Tumblr, Instagram, and Russian and major international free email service providers. The continued development of this market segment naturally resulted in an anticipated increase in cybercrime-friendly ‘social media boost’ type of propositions, largely relying on a combination of both legitimate/compromised accounts and automatically registered ones.
- Event-based social engineering campaigns materialized in the face of the Boston Marathon Explosion, the Fertilizer plant explosion in Texas, as well as an UNHCR-themed fraudulent campaign – Cybercriminals have never been strangers to the concept of event-based social engineering attacks, launched in an attempt to increase the click-through rates of their fraudulent and malicious campaigns. On several occasions throughout 2013, we profiled such campaigns, which were basically a timely response to a major, newsworthy event, or a geopolitical situation. Cases in point are the Boston Marathon Explosion themed campaign, the Fertilizer plant explosion in Texas themed campaign, as well as the Syrian/UNHCR themed fraudulent campaign.
- Blackhat SEO (search engine optimization) continued getting the necessary ‘innovation boost’ to remain a profitable cybercriminal’s endeavour – In 2013, blackhat SEO (search engine optimization) continued representing a maturing market segment within the ecosystem, with more products and services getting released by cybercrime-friendly vendors. Still relying on an ever-green market segment, namely the market segment for hacked/compromised shells as a service, blackhat SEO remained a major traffic acquisition tactic in the arsenal of the average cybercriminal looking for efficient ways to abuse the World’s major search engines. From the commercial availability of managed blackhat SEO services, the release of feature-rich Web-based DIY doorway management platforms, Windows based hacked/compromised shell management tools, hacked/compromised shell interaction tools, to the QA (Quality Assurance) oriented releases aiming to get rid of competing Web shells that could be located on the same host the cybercriminal is using, the market segment will continue flourishing in 2014 as well.
- A market segment for stealth, subscription-based, commercially available Bitcoin/Litecoin mining tools emerged – 2013 marked an important year in terms of the market valuation of the popular P2P based E-currency, Bitcoin, and the natural response courtesy of the cybercrime ecosystem. Keeping a close eye on the developing market segment, we profiled some of the market leading stealth Bitcoin miners, offering an inside peek, through the eyes of the prospective cybercriminal, at this way of monetizing hosts he has access to by converting them into Bitcoin mining zombies. The market is poised to continue expanding, with more vendors and subscription-based services continuing to pop up on our radar, and we expect the practice to get an even wider cybercrime ecosystem adoption in 2014.
- Targeted attacks continued taking place, with prospective NATO job applicants as the primary target in a sampled campaign – Targeted attacks continued taking place in 2013, with multiple high-profile targets being the victims of specifically crafted emails targeting current/potential employees of these organizations/companies. Case in point is a NATO (North Atlantic Treaty Organization) sensitive information soliciting campaign, which we connected to historical Black Hole Exploit Kit malicious Web activity, indicating that the cybercriminals behind it were either multi-tasking, or used to share the same infrastructure during both campaigns.
- The DDoS for hire market segment continued maturing, with vendors starting to ‘vertically integrate’ by also offering TDoS services – Among the multiple “DDoS for hire” services that we were tracking during the year, one made a largely anticipated vertical integration move, namely, it added TDoS services to its portfolio in an attempt to position itself as a one-stop-Eshop for Denial of Service attacks. Driven by a decent supply of DIY malware/botnet generating tools possessing standard/modular DDoS functionality, we anticipate that DDoS for hire and TDoS will continue proliferating in 2014.
- Cybercriminals innovated in the form of sophisticated server-based mass iframe embedding platforms – In 2013, cybercriminals demonstrated their ambitions to ‘go after the server’ instead of ‘going after the Web site’, by releasing two platform-based cybercrime-friendly releases, namely, an iframe embedding stealth Apache 2 module, as well as a compromised FTP/SSH account privilege-escalating mass iframe embedding platform. Despite the platforms’ evident sophistication, and potential to cause efficient, widespread damage, the general availability of Google Dorks based mass Web site hacking/compromise tools will continue contributing to the active exploitation of the ‘Long Tail’ of the Web, resulting in an extremely favorable, choice/preferences driven market segment, allowing cybercriminals to quickly scale their attempts to compromise as many Web sites as possible.
- Pharmaceutical scammers continued impersonating major trusted, legitimate, and reputable brands – From Facebook, to Gmail and WhatsApp, in 2013 pharmaceutical scammers continued enticing users into clicking on the fraudulent links found in spam emails, exposing them to (supposedly) exclusive bargain deals, whereas in reality the customer is actually bargaining with his health, as it’s counterfeit pharmaceutical items that the cybercriminals are trying to sell. Despite the numerous take down operations of pharmaceutical scam Web sites throughout the year, performed by law enforcement across the World, cybercriminals continue to enjoy a bulletproof type of hosting infrastructure for their fraudulent propositions, largely made possible thanks to the services of bulletproof hosting providers, some of which have been operating within the cybercrime ecosystem for over a decade.
- Rogue online casinos represented a decent proportion of spam campaigns aiming to trick users into installing Potentially Unwanted Applications (PUAs) on their hosts – Throughout the year, we continued intercepting hundreds of thousands of emails enticing users into joining rogue online casinos, by offering them discounts or entry bonuses. Naturally, the fraudsters behind these campaigns were tricking them into installing W32/Casonline, a well known family of PUAs (Potentially Unwanted Applications) that we’ve also extensively profiled in the past.
- The Android OS was under fire from DIY mobile malware binding/generating tools that leaked into the wild, next to the commercially available Android malware bots released in 2013 – Cybercriminals were busy releasing DIY mobile malware binding/generating tools, sensitive information stealers, and Android-compatible botnet operating tools, further fueling malicious mobile malware activity. With these tools being the tip of the iceberg in an ecosystem dominated by cybercrime-friendly underground market traffic exchanges offering exclusive access to mobile traffic only, in combination with proprietary mobile malware releases, and social engineering campaigns at Google Play relying on data mined accounting data, cybercriminals are perfectly positioned to continue capitalizing on Android’s growing market share.
- Greed-driven cybercriminals continued selling access to Russian/Eastern European malware-infected hosts – What was once considered a virtually impossible scenario, namely Russian/Eastern European cybercriminals, selling access to Russian/Eastern European malware-infected hosts, is today’s reality, with several services that we’re currently aware of, doing exactly the same. We expect that more cybercriminals will attempt to achieve fraudulent assets liquidity, namely, attempt to monetize the access to these hosts as quickly as possible, leading to more such services in 2014.
- The bulletproof cybercrime-friendly hosting market segment continued growing to meet the never-ending demand – Thanks to a mix of purely malicious bulletproof hosting infrastructure, in combination with legitimate infrastructure, the market segment for bulletproof hosting services continues maturing, even in a post-Russian Business Network world, with the market segment poised to grow, and with the vendors continuing to add related ‘value-added’ features to their portfolios.
- 419 advance fee scammers remained pretty active – Two of the most interesting cases of 419 advance fee fraudsters that we intercepted throughout 2013 were the abuse of CNN’s ‘Email This’ feature, a practice conducted by 419-ers in the past (case in point, the abuse of Dilbert.com and NYTimes.com), as well as a ‘clever’ tactic to pop up on an Android user’s Calendar app.
- Mass iframe injections continued taking place, with government Web sites internationally falling victim to the efficiency-oriented attacks – The good old-fashioned mentality “Who’ll bother attacking my low profile Web site?” has become totally irrelevant in 2013, with cybercriminals relying on DIY mass Web site exploitation tools, or on sophisticated platforms. Throughout 2013, we intercepted a variety of client-side exploits serving Web sites, a trend we expect to continue observing in 2014, in particular on high-page-ranked/high-profile Web sites.
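Whether the injection comes from a per-site compromise as in this last trend or from the server-side Apache module and mass embedding platforms described earlier, what lands in the victim page is the same artifact: an iframe that is hidden (zero or one pixel in size, `display:none`, `visibility:hidden`, or pushed off-screen), points at a domain the site does not own, and is frequently appended after the closing `</html>` tag. The script below, an added illustration and not code from the original post or from any platform it describes, scans a page's HTML source for those three cues. The page host, the sample HTML and every domain in it are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in a page source."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


# Inline-style patterns that make an element invisible or move it off-screen.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(left|top)\s*:\s*-\d{3,}", re.I)


def tiny(value):
    """True when a width/height value is 0 or 1 (optionally with 'px')."""
    m = re.match(r"^\s*(\d+)\s*(px)?\s*$", value)
    return m is not None and int(m.group(1)) <= 1


def is_hidden(attrs):
    """True when the iframe is styled invisible or sized to at most 1x1."""
    style = attrs.get("style", "")
    if HIDDEN_STYLE.search(style):
        return True
    dims = {"width": attrs.get("width", ""), "height": attrs.get("height", "")}
    # Sizes given via CSS ("width:0px;height:0px") override the attributes.
    for m in re.finditer(r"(width|height)\s*:\s*(\d+)\s*(px)?", style, re.I):
        dims[m.group(1).lower()] = m.group(2)
    return all(tiny(v) for v in dims.values())


def is_offsite(src, page_host):
    """True when src points at a host other than the page's own (sub)domain.
    Relative URLs have no host and are treated as on-site."""
    host = urlparse(src).netloc.lower().split(":")[0]
    if not host:
        return False
    return host != page_host and not host.endswith("." + page_host)


def find_injected_iframes(html, page_host):
    """Return (findings, trailing) where findings lists every iframe that is
    hidden or off-site, and trailing is True when non-blank content follows
    the closing </html> tag, a common sign of appended injection."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        hidden, offsite = is_hidden(attrs), is_offsite(src, page_host)
        if hidden or offsite:
            findings.append({"src": src, "hidden": hidden, "offsite": offsite})
    parts = re.split(r"</html\s*>", html, flags=re.I)
    trailing = len(parts) > 1 and parts[-1].strip() != ""
    return findings, trailing


# Constructed sample page (hypothetical host gov-portal.example); the first
# iframe is a legitimate embedded map, the others model injected content.
SAMPLE_HTML = """<html><head><title>Municipal portal</title></head>
<body>
<h1>Welcome</h1>
<iframe src="/embedded/map" width="600" height="400"></iframe>
<iframe src="http://mal-example.invalid/in.php" width="1" height="1" style="visibility:hidden"></iframe>
<iframe src="//partner.example" width="300" height="250"></iframe>
</body></html>
<iframe src="http://other-example.invalid/x" style="display:none"></iframe>
"""

if __name__ == "__main__":
    found, trailing = find_injected_iframes(SAMPLE_HTML, "gov-portal.example")
    for f in found:
        print(f)
    print("content after </html>:", trailing)
```

On the sample the legitimate map iframe is not reported, the 1x1 hidden frame and the frame appended after `</html>` are flagged on both cues, and the visible partner frame is reported only as off-site, which is the right place for an allow-list of known embeds. Running this over a site's own pages on a schedule (or over a web proxy's cached copies) gives a cheap early warning of the kind of mass injection described above, independent of whether the injection was done through the site's files or through a malicious server module.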