Posts Categorized: Threat Research


Malicious multi-hop iframe campaign affects thousands of Web sites, leads to a cocktail of client-side exploits – part two

by

Ever since we exposed and profiled the evasive, multi-hop, mass iframe campaign that affected thousands of Web sites in November, we continued to monitor it, believing that the cybercriminal(s) behind it, would continue operating it, basically switching to new infrastructure once the one exposed in the post got logically blacklisted, thereby undermining the impact of the campaign internationally. Not surprisingly, we were right. The campaign is not only still proliferating, but the adversaries behind it have also (logically) switched the actual hosting infrastructure. Let’s dissect the currently active malicious iframe campaign that continues to serving a cocktail of (patched) client-side […]

Continue Reading »

ThreatVlog Episode 11: Staying safe while doing holiday shopping online

by

In this edition of the Webroot ThreatVlog, Grayson Milbourne talks about the threats that exist online in the holiday shopping craze. As more and more money is spent online, criminals are becoming more skilled at stealing all sorts of personal information, from credit card numbers to identifying credentials. As with all shopping, common sense is necessary, and with the tips and tricks provided, you will be even more protected while finding that perfect gift online.

Continue Reading »

Compromised legitimate Web sites expose users to malicious Java/Symbian/Android “Browser Updates”

by

We’ve just intercepted a currently active malicious campaign, relying on redirectors placed at compromised/hacked legitimate Web sites, for the purpose of hijacking the legitimate traffic and directly exposing it to multi mobile OS based malicious/fraudulent content. In this particular case, a bogus “Browser Update“, which in reality is a premium rate SMS malware.

Continue Reading »

Today’s “massive” password breach: a Webroot perspective

by

First, this is not a blog about a big corporate breach, or a massive new discovery.  Rather, the researchers at Trustwave gained access to a botnet controller interface (the C&C element of a botnet) known as Pony and revealed the data within. Not surprisingly, as the vast majority of botnets target user credentials, this controller had a good deal of data related to passwords. While 2 million passwords might seem like a lot, it is really a drop in the bucket compared to many recent breaches. Think about Adobe who lost a minimum of 28 million, but is rumored to […]

Continue Reading »

Commercial Windows-based compromised Web shells management application spotted in the wild

by

For years, whenever I needed a fresh sample of pharmaceutical scams, I always sampled the Web sites of major educational institutions, where a thriving ecosystem relying on compromised Web shells, continues to enjoy the high page ranks of the affected Web sites for blackhat SEO (search engine optimization) purposes. How are cybercriminals managing these campaigns? What type of tools and tactics do they use? In a cybercrime ecosystem that has logically migrated to Web-based platforms for a variety of reasons over the last couple of years, there are still those who’re keeping it old school, by releasing host-based DIY cybercrime-friendly […]

Continue Reading »

Cybercrime-friendly VPN service provider pitches itself as being ‘recommended by Edward Snowden’

by

We’ve recently spotted a multi-hop Russian cybercrime-friendly VPN service provider — ad featured not syndicated at a well known cybercrime-friendly community – that is relying on fake celebrity endorsement on its way to attract new customers, in this particular case, it’s pitching itself as being recommended by ex-NSA contractor Edward Snowden. How have anonymization tactics evolved over the last couple of years? Have the bad guys been ‘innovating’ on their way to cover the malicious/fraudulent online activity orchestrated by them? Let’d discuss some of the current trends in this ever-green market segment within the cybercrime ecosystem.

Continue Reading »

Fake ‘October’s Billing Address Code’ (BAC) form themed spam campaign leads to malware

by

Have you received a casual-sounding email enticing you into signing a Billing Address Code (BAC) form for October, in order for the Payroll Manager to proceed with the transaction? Based on our statistics, tens of thousands of users received these malicious spam emails over the last 24 hours, with the cybercriminal(s) behind them clearly interested in expanding the size of their botnet through good old fashioned ‘casual social engineering’ campaigns.

Continue Reading »

Rogue antivirus that takes webcam pictures of you

by

Recently we heard of a rogue fake antivirus that takes screenshots and webcam images in an attempt to further scare you into succumbing to it’s scam. We gathered a sample and sure enough, given some time it will indeed use the webcam and take a picture of what’s in front of the camera at that time. This variant is called “Antivirus Security Pro” and it’s as nasty as you can get. The rogue locks down any of the Advanced Boot Options: Safe Mode, Safe mode with Networking, Safe mode with Command prompt, directory services restore mode, ect. As soon as […]

Continue Reading »

Fake ‘MMS Gallery’ notifications impersonate T-Mobile U.K, expose users to malware

by

Over the last two months, we’ve been closely monitoring — and proactively protecting from — the malicious campaigns launched by cybercriminals who are no strangers to the concept of social engineering topic rotation. Their purpose is to extend a campaign’s life cycle, or to generally increase a botnet’s infected population by spamming out tens of thousands of fake emails, exposing users to malicious software. The most recent campaign launched by the same cybercriminal(s), is once again impersonating T-Mobile U.K in an attempt to trick mobile users into thinking that they’ve received a legitimate MMS Gallery notification. In reality though, once the […]

Continue Reading »

Cybercriminals impersonate HSBC through fake ‘payment e-Advice’ themed emails, expose users to malware

by

HSBC customers, watch what you execute on your PCs. A circulating malicious spam campaign attempts to socially engineer you into thinking that you’ve received a legitimate ‘payment e-Advice’. In reality, once you execute the attachment, your PC automatically joins the botnet operated by the cybercriminal(s) behind the campaign.

Continue Reading »