Posts Tagged: security


Commercially available database of 52M+ ccTLD zone transfer domains spotted in the wild

by

For years, cybercriminals have been building ‘hit lists’of potential targets through automated and efficiency-oriented reconnaissance TTPs (tactics, techniques and procedures).  The aim is to fraudulently/maliciously capitalize on these databases consisting of both corporate and government users. Seeking a positive return on their fraudulent/malicious activities, cybercriminals also actively apply basic QA (Quality Assurance) processes, standardization, systematic releasing of DIY (do-it-yourself) cybercrime-friendly applications – all to further ensure a profitable outcome for their campaigns. Thanks to the active implementation of these TTPs, in 2014, the market segments for spam-ready managed services/blackhat SEO (search engine optimization) continue to flourish with experienced vendors starting to ‘vertically integrate’ within the cybercrime […]

Continue Reading »

Managed anti-forensics IMEI modification services fuel growth in the non-attributable TDoS market segment

by

Everyday cybercriminals actively take advantage of basic OPSEC (Operational Security) tactics, aiming to risk-forward their fraudulent/malicious online activity to a third-party, while continuously seeking to launching their malicious/fraudulent campaigns in an anonymous fashion. Having successfully matured from, what was once a largely immature market segment to today’s growing market segment, in terms of active implementation of OPSEC concepts, the blackhat market is prone to continue expanding, further providing malicious and fraudulent adversaries with the necessary capabilities to remain beneath the radar of law enforcement and the security industry. In a series of blog posts we’ve published throughout 2013, we proactively highlighted […]

Continue Reading »

A peek inside a modular, Tor C&C enabled, Bitcoin mining malware bot

by

Cybercriminals continue to maliciously ‘innovate’, further confirming the TTP (tactics, techniques and procedure) observations we made in our Cybercrime Trends – 2013 assessment back in December, 2013, namely, that the diverse cybercrime ecosystem is poised for exponential growth. Standardizing the very basics of fraudulent and malicious operations, throughout the years, cybercriminals have successfully achieved a state of ‘malicious economies of scale, type of economically efficient model, successfully contributing to international widespread financial and intellectual property theft. Thanks to basic cybercrime disruption concepts, such as modular DIY (do-it-yourself) commercial and publicly obtainable malware/botnet generating tools. In 2014, both sophisticated and novice cybercriminals have […]

Continue Reading »

Socks4/Socks5 enabled hosts as a service introduces affiliate network based revenue sharing scheme

by

Thanks to the commercial and public availability of DIY (do-it-yourself) modular malware/botnet generating tools, the diverse market segment for Web malware exploitating kits, as well as traffic acquiring/distributing cybercrime-friendly traffic exchanges, cybercriminals continue populating the cybercrime ecosystem with newly launched services offering API-enabled access to Socks4/Socks5 compromised/hacked hosts. Largely relying on the ubiquitous affiliate network revenue sharing/risk-forwarding scheme, vendors of these services, as well as products with built-in Socks4/Socks5 enabled features, continue acquiring new customers and gaining market share to further capitalize on their maliciously obtained assets. We’ve recently spotted a newly launched affiliate network for a long-run — since 2004 […]

Continue Reading »

5M+ harvested Russian mobile numbers service exposes fraudulent infrastructure

by

Cybercriminals continue adapting to the exponential penetration of mobile devices through the systematic release of DIY (do-it-yourself) mobile number harvesting tools, successfully setting up the foundations for commercial managed/on demand mobile phone number harvesting services, ultimately leading to an influx of mobile  malware/spam campaigns. In addition to boutique based DIY operations, sophisticated, ‘innovation’ and market development-oriented cybercriminals are actively working on the development of commercially available Android-based botnet generating tools, further fueling growth into the market segment. In a series of blog posts, we’ve been profiling multiple cybercrime-friendly services/malicious Android-based underground market releases, further highlighting the professionalization of the market […]

Continue Reading »

Multiple spamvertised bogus online casino themed campaigns intercepted in the wild

by

Regular readers of Webroot’s Threat Blog are familiar with our series of posts detailing the proliferation of social engineering driven, privacy-violating campaigns serving W32/Casino variants. Relying on affiliate based revenue sharing schemes and spamvertised campaigns as the primary distribution vectors, the rogue operators behind them continue tricking tens of thousands of gullible users into installing the malicious applications. We’ve recently intercepted a series of spamvertised campaigns distributing W32/Casino variants. Let’s profile the campaigns, provide actionable intelligence on the rogue domains involved in the campaigns, as well as related MD5s known to have interacted with the same rogue infrastructure. More details:

Continue Reading »

Commercial Windows-based compromised Web shells management application spotted in the wild – part two

by

Sticking to good old fashioned TTPs (tactics, techniques and procedures), cybercriminals continue mixing purely malicious infrastructures with legitimate ones, for the purpose of abusing the clean IP reputations of networks, on their way to achieving positive ROI (return on investment) for their fraudulent activities. For years, this mix of infrastructures has lead to the emergence of the ‘malicious economies of scale’ concept, in terms of efficient abuse of legitimate Web properties, next to the intersection of cybercriminal online activity, and cyber warfare. In a series of blog posts, we’ve been emphasizing on the level of automation and QA (Quality Assurance) applied by […]

Continue Reading »

Managed Web-based 300 GB/s capable DNS amplification enabled malware bot spotted in the wild

by

Opportunistic cybercriminals continue ‘innovating’ through the systematic release of DIY (do-it-yourself), Web-based, botnet/malware generating tools, seeking to monetize their coding ‘know-how’ and overall understanding of abusive/fraudulent/malicious TTPs (tactics, techniques and procedures) - all for the purpose of achieving a positive ROI with each new release. We’ve recently spotted a newly released, Web-based DNS amplification enabled DDoS bot, and not only managed to connect it to what was once an active DDoS attack, but also, to the abuse of a publicly accessible open DNS resolver which has been set up for research purposes. Let’s discuss some of its features and take a peek at the […]

Continue Reading »

Deceptive ads expose users to PUA.InstallBrain/PC Performer PUA (Potentially Unwanted Application)

by

Deceptive ads continue to represent the primary distribution vector for the vast majority of Potentially Unwanted Applications (PUAs) that we track. Primarily relying on ‘visual social engineering’ tactics, gullible end users fall victims to these privacy-violating applications, largely due to the fact that they instantaneously agree to the terms in the End User’s Agreement presented to them. We’ve recently spotted yet another variant of the InstallBrain family of Potentially Unwanted Applications (PUA’s), tricking users into installing a bogus PC performance boosting application. Let’s assess this campaign and provide actionable intelligence on the domains/IPs and related privacy-violating MD5s known to have shared the […]

Continue Reading »