Girl Scouts and OpenText empower future leaders of tomorrow with cyber resilience

The transition to a digital-first world enables us to connect, work and live in a realm where information is available at our fingertips. The children of today will be working in an environment of tomorrow that is shaped by hyperconnectivity. Operating in this...

World Backup Day reminds us all just how precious our data is

Think of all the important files sitting on your computer right now. If your computer crashed tomorrow, would you be able to retrieve your important files? Would your business suffer as a result? As more and more of our daily activities incorporate digital and online...

3 Reasons We Forget Small & Midsized Businesses are Major Targets for Ransomware

The ransomware attacks that make headlines and steer conversations among cybersecurity professionals usually involve major ransoms, huge corporations and notorious hacking groups. Kia Motors, Accenture, Acer, JBS…these companies were some of the largest to be...

How Ransomware Sneaks In

Ransomware has officially made the mainstream. Dramatic headlines announce the latest attacks and news outlets highlight the staggeringly high ransoms businesses pay to retrieve their stolen data. And it’s no wonder why – ransomware attacks are on the rise and the...

An MSP and SMB guide to disaster preparation, recovery and remediation

Introduction It’s important for a business to be prepared with an exercised business continuity and disaster recovery (BC/DR) plan plan before its hit with ransomware so that it can resume operations as quickly as possible. Key steps and solutions should be followed...

Podcast: Cyber resilience in a remote work world

The global pandemic that began to send us packing from our offices in March of last year upended our established way of working overnight. We’re still feeling the effects. Many office workers have yet to return to the office in the volumes they worked in pre-pandemic....

5 Tips to get Better Efficacy out of Your IT Security Stack

If you’re an admin, service provider, security executive, or are otherwise affiliated with the world of IT solutions, then you know that one of the biggest challenges to overcome is efficacy. Especially in terms of cybersecurity, efficacy is something of an amorphous...

How Cryptocurrency and Cybercrime Trends Influence One Another

Typically, when cryptocurrency values change, one would expect to see changes in crypto-related cybercrime. In particular, trends in Bitcoin values tend to be the bellwether you can use to predict how other currencies’ values will shift, and there are usually...

Malicious multi-hop iframe campaign affects thousands of Web sites, leads to a cocktail of client-side exploits

Sharing is caring. In this post, I’ll put the spotlight on a currently circulating, massive — thousands of sites affected — malicious iframe campaign, that attempts to drop malicious software on the hosts of unaware Web site visitors through a cocktail of client-side exploits. The campaign, featuring a variety of evasive tactics making it harder to analyze, continues to efficiently pop up on thousands of legitimate Web sites. Ultimately hijacking the legitimate traffic hitting them and  successfully undermining the confidentiality and integrity of the affected users’ hosts.

read more…

Web site of Brazilian ‘Prefeitura Municipal de Jaqueira’ compromised, leads to fake Adobe Flash player

Our sensors just picked up an interesting Web site infection that’s primarily targeting Brazilian users. It appears that the Web site of the Brazilian Jaqueira prefecture has been compromised, and is exposing users to a localized (to Portuguese) Web page enticing them into installing a malicious version of Adobe’s Flash player. Not surprisingly, we’ve also managed to identify approximately 63 more Brazilian Web sites that are victims to the same infection.

read more…

Popular French torrent portal tricks users into installing the BubbleDock/Downware/DownloadWare PUA (Potentially Unwanted Application)

A typical campaign attempting to trick users into installing Potentially Unwanted Software (PUA), would usually consist of a single social engineering vector, which on the majority of cases would represent something in the lines of a catchy “Play Now/Missing Video Plugin” type of advertisement. Not the one we’ll discuss in this blog post. Relying on deceptive “visual social engineering” practices, a popular French torrent portal is knowingly — the actual directory structure explicitly says /fakeplayer — enticing users into installing the BubbleDock/Downware/DownloadWare PUA. What kind of social engineering tactics is the portal relying on? Let’s find out.

read more…

Low Quality Assurance (QA) iframe campaign linked to May’s Indian government Web site compromise spotted in the wild

We’ve intercepted a currently trending malicious iframe campaign, affecting hundreds of legitimate Web sites, that’s interestingly part of the very same infrastructure from May, 2013’s analysis of the compromise of an Indian government Web site. The good news? Not only have we got you proactively covered, but also, the iframe domain is currently redirecting to a client-side exploit serving URL that’s offline. Let’s provide some actionable intelligence on the malicious activity that is known to have originated from the same iframe campaign in the past month, indicating that the cybercriminal(s) behind it are actively multi-tasking on multiple fronts.

read more…

Source code for proprietary spam bot offered for sale, acts as force multiplier for cybercrime-friendly activity

In a professional cybercrime ecosystem, largely resembling that of a legitimate economy, market participants constantly strive to optimize their campaigns, achieve stolen assets liquidity, and most importantly, aim to reach a degree of efficiency that would help them gain market share. Thus, help them secure multiple revenue streams. Despite the increased transparency on the Russian/Easter European underground market — largely thanks to improved social networking courtesy of the reputation-aware cybercriminals wanting to establish themselves as serious vendors — certain newly joining vendors continue being a victim of their market-irrelevant ‘biased exclusiveness’ in terms of the unique value propositon (UVP) presented to the community members. Moreover, in combination with the over-supply of DIY malware/botnet generating tools, next to the release of leaked/cracked source code, positions them in a situation where they can no longer command the high prices for their products/service, like they once did. That’s mainly because the competition is so fierce, that it inevitably results in the commodinitization of these underground market items.

What happens when this commoditization takes place? What are cybercriminals doing with the leaked/cracked source code for sophisticated malware/botnet generating tools? Why would a cybercriminal purposely offer the source code of his malware ‘release’ for sale, especially given that he can continue enjoying its proprietary nature, meaning, a supposedly lower detection rate? Let’s discuss these scenarios through the prism of a recently offered source code of a proprietary spam bot written in Delphi. The bot relies primarily on compromised/automatically registered email accounts as the primary propagation vector for upcoming (malicious) spam campaigns.

read more…

New vendor of ‘professional DDoS for hire service’ spotted in the wild

In a series of blog posts, we’ve highlighted the emergence of easy to use, publicly obtainable, cracked or leaked, DIY (Do It Yourself) DDoS (Distributed Denial of Service) attack tools. These services empower novice cybercriminals with easy to use tools, enabling them to monetize in the form of ‘vendor’ type propositions for DDoS for hire services. Not surprisingly, we continue to observe the growth of this emerging (international) market segment, with its participants continuing to professionalize, while pitching their services to virtually anyone who’s willing to pay for them. However, among the most common differences between the international underground marketplace and, for instance, the Russian/Easter European one, remain the OPSEC (Operational Security) applied — if any — by the market participants knowingly or unknowingly realizing its potential as key differentiation factor for their own market propositions.

Case in point, yet another newly launched DDoS for hire service, that despite the fact that it’s pitching itself as anonymity and privacy aware, is failing to differentiate its unique value proposition (UVP) in terms of OPSEC.
read more…

Cybercriminals differentiate their ‘access to compromised PCs’ service proposition, emphasize on the prevalence of ‘female bot slaves’

From Bitcoin accepting services offering access to compromised malware infected hosts and vertical integration to occupy a larger market share, to services charging based on malware executions, we’ve seen multiple attempts by novice cybercriminals to introduce unique value propositions (UVP). These are centered on differentiating their offering in an over-supplied cybercrime-friendly market segment. And that’s just for starters. A newly launched service is offering access to malware infecting hosts, DDoS for hire/on demand, as well as crypting malware before the campaign is launched. All in an effort to differentiate its unique value proposition not only by vertically integrating, but also emphasizing on the prevalence of ‘female bot slaves’ with webcams.

read more…

Deceptive ads lead to the SpyAlertApp PUA (Potentially Unwanted Application)

Whenever a user gets socially engineered, they unknowingly undermine the confidentiality and integrity of their system, as well as any proactive protection they have in place, in exchange for quick gratification or whatever it is they are seeking. This is exactly how unethical companies entice unsuspecting victims to download their new “unheard of” applications. They promise users the moon, and only ask in return that users install a basic free application. Case in point, our sensors picked up yet another deceptive ad campaign that entices users into installing privacy violating applications, most commonly known as PUAs or Potentially Unwanted Applications.

read more…

Google-dorks based mass Web site hacking/SQL injecting tool helps facilitate malicious online activity

Among the most common misconceptions regarding the exploitation (hacking) of Web sites, is that no one would exclusively target *your* Web site, given that the there are so many high profile Web sites to hack into. In reality though, thanks to the public/commercial availability of tools relying on the exploitation of remote Web application vulnerabilities, the insecurely configured Web sites/forums/blogs, as well as the millions of malware-infected hosts internationally, virtually every Web site that’s online automatically becomes a potential target. They also act as a driving force the ongoing data mining to accounting data to be later on added to some of the market leading malicious iFrame embedding platforms.

Let’s take a look at a DIY (do it yourself) type of mass Web site hacking tool, to showcase just how easy it is to efficiently compromise tens of thousands of Web sites that have been indexed by the World’s most popular search engine.

read more…

Fake WhatsApp ‘Voice Message Notification/1 New Voicemail’ themed emails lead to malware

WhatsApp users, watch out! The cybercriminal(s) behind the most recently profiled campaigns impersonating T-Mobile, and Sky, have just launched yet another malicious spam campaign, this time targeting WhatsApp users with fake “Voice Message Notification/1 New Voicemail” themed emails. Once unsuspecting users execute the fake voice mail attachment, their PCs will attempt to drop additional malware on the hosts. The good news? We’ve got you (proactively) covered.

read more…

Cybercriminals release new commercially available Android/BlackBerry supporting mobile malware bot

Thanks to the growing adoption of mobile banking, in combination with the utilization of mobile devices to conduct financial transactions, opportunistic cybercriminals are quickly capitalizing on this emerging market segment.  Made evident by the release of Android/BlackBerry compatible mobile malware bots. This site is empowering potential cybercriminals with the necessary ‘know-how’ when it comes to ‘cashing out’ compromised accounts of E-banking victims who have opted-in to receive SMS notifications/phone verification, whenever a particular set of financial events take place on their bank accounts.

A new commercially available Android, BlackBerry (work in progress) — supporting mobile malware bot is being pitched by its vendor, with a specific emphasis on its potential to undermine modern E-banking security processes, like for instance, SMS alerts. Let’s discuss some of its core features and emphasize on an emerging trend within the cybercrime ecosystem, namely the ‘infiltration’ of Google Play as a service.

read more…

Fake ‘Important: Company Reports’ themed emails lead to malware

A currently ongoing malicious spam campaign is attempting to trick users into thinking that they’ve received a legitimate Excel ‘Company Reports’ themed file. In reality through, once socially engineered users execute the malicious attachment on their PCs, it automatically opens a backdoor allowing the cybercriminals behind the campaign to gain complete access to their host, potentially abusing it a variety of fraudulent ways.

read more…