Posts Categorized: Threat Research


Cybercriminals sell access to tens of thousands of malware-infected Russian hosts

by

Today’s modern cybercrime ecosystem offers everything a novice cybercriminal would need to quickly catch up with fellow/sophisticated cybercriminals. Segmented and geolocated lists of harvested emails, managed services performing the actual spamming service, as well as DIY undetectable malware generating tools, all result in a steady influx of new (underground) market entrants, whose activities directly contribute to the overall growth of the cybercrime ecosystem. Among the most popular questions the general public often asks in terms of cybercrime, what else, besides money, acts as key driving force behind their malicious and fraudulent activities? That’s plain and simple greed, especially in those […]

Continue Reading »

Cybercriminals experiment with ‘Socks4/Socks5/HTTP’ malware-infected hosts based DIY DoS tool

by

Based on historical evidence gathered during some of the major ‘opt-in botnet’ type of crowdsourced DDoS (distributed denial of service) attack campaigns that took place over the last couple of years, the distribution of point’n’click DIY DoS (denial of service attack) tools continues representing a major driving force behind the success of these campaigns. A newly released DIY DoS tool aims to empower technically unsophisticated users with the necessary expertise to launch DDoS attacks by simultaneously utilizing an unlimited number of publicly/commercially obtainable Socks4/Socks5/HTTP-based malware-infected hosts, most commonly known as proxies.

Continue Reading »

Yet another ‘malware-infected hosts as anonymization stepping stones’ service offering access to hundreds of compromised hosts spotted in the wild

by

The general availability of DIY malware generating tools continues to contribute to the growth of the ‘malware-infected hosts as anonymization stepping stones‘ Socks4/Socks5/HTTP type of services, with new market entrants entering this largely commoditized market segment on a daily basis. Thanks to the virtually non-attributable campaigns that could be launched through the use of malware-infected hosts, the cybercrime underground continues to seek innovative and efficient ways to integrate the inventories of these services within the market leading fraudulent/malicious campaigns managing/launching tools and platforms. Let’s take a peek at one of the most recently launched services offering automatic access to hundreds of […]

Continue Reading »

Cybercriminals offer anonymous mobile numbers for ‘SMS activation’, video tape the destruction of the SIM card on request

by

For years, cybercriminals have been abusing a rather popular, personally identifiable practice, namely, the activation of an online account for a particular service through SMS. Relying on the basic logic that a potential service user would not abuse its ToS (Terms of Service) for fraudulent or malicious purposes. Now that it associates a mobile with the account, the service continues ignoring the fact the SIM cards can be obtained by providing fake IDs, resulting in the increased probability for direct abuse of the service in a fraudulent/malicious fashion. What are cybercriminals up to in terms of anonymous SIM cards these days? Differentiating […]

Continue Reading »

How to avoid unwanted software

by

We’ve all seen it; maybe it’s on your own computer, or that of a friend, your spouse, child, or parent. Your home page has been changed to some search engine you’ve never heard of, there’s a new, annoying toolbar in your browser. Maybe you’re getting popup ads or have a rogue security product claiming you’re infected and asking you to buy the program to remove the infection. Even worse, you don’t know how it got there! Welcome to the world of Potentially Unwanted Applications (PUAs.) Chances are that these programs were inadvertently installed while installing software from sites that use […]

Continue Reading »

Affiliate network for mobile malware impersonates Google Play, tricks users into installing premium-rate SMS sending rogue apps

by

Affiliate networks are an inseparable part of the cybercrime ecosystem. Largely based on their win-win revenue sharing model, throughout the years, they’ve successfully established themselves as a crucial part of the cybercrime growth model, further ensuring that a cybercriminal will indeed receive a financial incentive for his fraudulent/malicious activities online. From pharmaceutical affiliate networks, iPhone selling affiliate networks, to affiliate networks for pirated music and OEM (Original Equipment Manufacturer) software, cybercriminals continue to professionally monetize each and every aspect of the underground marketplace, on their way to harness the experience, know-how and traffic acquisitions capabilities of fellow cybercriminals. In this […]

Continue Reading »

Managed Malicious Java Applets Hosting Service Spotted in the Wild

by

In a series of blog posts, we’ve been profiling the tactics and DIY tools of novice cybercriminals, whose malicious campaigns tend to largely rely on social engineering techniques, on their way to trick users into thinking that they’ve been exposed to a legitimate Java applet window. These very same malicious Java applets, continue representing a popular infection vector among novice cybercriminals, who remain the primary customers of the DIY tools/attack platforms that we’ve been profiling. In this post, I’ll discuss a popular service, that’s exclusively offering hosting services for malicious Java applets.

Continue Reading »

Web-based DNS amplification DDoS attack mode supporting PHP script spotted in the wild

by

The idea of controlling multiple, high-bandwidth empowered servers for launching DDoS attacks, compared to, for instance, controlling hundreds of thousands of malware-infected hosts, has always tempted cybercriminals to ‘innovate’ and seek pragmatic ‘solutions’ in order to achieve this particular objective. Among the most recent high profile example utilizing this server-based DDoS attack tactic is Operation Ababil, or Izz ad-Din al-Qassam a.k.a Qassam Cyber Fighters attacks against major U.S financial institutions, where the use of high-bandwidth servers was utilized by the attackers. This indicates that wishful thinking often tends to materialize. In this post, we’ll take a peek inside what appears to […]

Continue Reading »

DIY malicious Android APK generating ‘sensitive information stealer’ spotted in the wild

by

Back in June, 2013, we offered a peek inside a DIY Android .apk decompiler/injector that was not only capable of ‘binding’ malicious Android malware to virtually any legitimate app, but also, was developed to work exclusively with a publicly obtainable Android-based trojan horse. In this post, I’ll profile a similar, recently released cybercrime-friendly Windows-based tool that’s capable of generating malicious ‘sensitive information stealing’ Android .apk apps, emphasize on its core features, and most importantly, discuss in depth the implications this type of tool could have on the overall state of the Android malware market. More details:

Continue Reading »

Cybercrime-friendly underground traffic exchanges help facilitate fraudulent and malicious activity – part two

by

The list of monetization tactics a cybercriminal can take advantage of, once they manage to hijack a huge portion of Web traffic, is virtually limitless and is entirely based on his experience within the cybercrime ecosystem. Through the utilization of blackhat SEO (search engine optimization), RFI (Remote File Inclusion), DNS cache poisoning, or direct impersonation of popular brands in spam/phishing campaigns tactics, on a daily basis, traffic is sold and resold for achieving a customer’s or a seller’s fraudulent/malicious objectives, and is then most commonly converted to malware-infected hosts. In this post, I’ll profile two cybercrime-friendly iFrame traffic exchanges, with the […]

Continue Reading »