Industry Intel

Deceptive vendors of PUAs (Potentially Unwanted Applications) continue relying on a multitude of traffic acquisition tactics, which in combination with the ubiquitous for the market segment ‘visual social engineering‘, continue tricking tens of thousands of users into installing the privacy-violating applications. With the majority of PUA campaigns, utilizing legitimately looking Web sites, as well as deceptive EULAs (End User License Agreements), in 2014, the risk-forwarding practice for the actual privacy-violation, continues getting forwarded to the socially engineered end user.

We’ve recently intercepted a rogue portfolio consisting of hundreds of thousands of blackhat SEO friendly, legitimate applications, successfully exposing users to the Sevas-S PUA, through a layered monetization relying on OpenCandy/Conduit affiliate based revenue sharing networks.

More details:

read more…

*Editors Notes:  The purpose of this research was to see exactly how this scam is carried out, and the extent to which it is done.  DO NOT TRY THIS AT HOME. We used a clean machine, off network, to monitor the activity of the scammer.

Have you ever received a phone call from a tech support person claiming to be from Microsoft, and that your Windows based machine has been found to have a virus on it?  These cold calls typically come from loud call centers, and are targeting the uninformed and naïve in hopes of gaining access to their individual machines, and ultimately the victim’s credit cards

While there are many variants of this kind of scam, we recently received one of these phone calls and we decided to see just what happened.  The company that called us, which we later found out to be called Arjun Inc, called claiming they have received notifications that there are errors on the PC and they are calling to help correct those errors.

After playing along, we followed the directions of the agent.  The agent asked us to open the Event Viewer (which typically shows errors) and claims that those errors could cause the computer to crash and they need to fix the issues.  These are not actually critical errors, and as this scam is aimed at less tech savvy users, it can be seen how this is believed.

From this point, our agent asks to Remote Control the PC and instructed us on how to set up the Remote session.  The agent then logged in, looked at a few things, and installs the programs CCCleaner and Advanced Windows Care by Iobit. After this, we were advised that the installed programs will always run and protect the computer.  However, this is not the case as the programs installed don’t have ‘shields’ and thus, no real-time protections. He also says they will protect me from porn sites and potentially dangerous websites, but of course they do not.

At this point, the agent turns into a sales person.  He tells us how much the estimated costs of repairs will be and then proceeds to try and process the transaction through their spicywebtech.com login.  He told me that he had corrected the issues with my PC already via the Advanced Windows Care program, however, it’s plain as day that he never actually clicked the ‘repair’ button and thus never performed the ‘repairs’.

During the call, the agent informs us that their company (Windows Help and Support) is “part of Microsoft”, and I’m also advised that I won’t need to purchase antivirus for my PC any longer.

While the software loaded onto the machine were not malicious, they would not work as advertised by our agent, and could be consider unwanted programming.  By letting a stranger into your machine without verifying beyond reasonable doubt to their identity, you put yourself, your data, and your network at risk.  Never trust cold calls from strangers, and remember, Microsoft will never call you.

We have a full recording of the conversation up and live. If you’re interested in all the steps and how these scammers sound, give it a listen.

Here at Webroot, we are constantly on the lookout for malevolent Android apps. In most cases, you do something malicious with your app and you get marked accordingly, but it’s not always that simple.

Two weeks ago an app called “Virus Shield” popped up on the Google Play store. Within days, Virus Shield became Google Play’s #1 paid app. With thousands of reviews and a 4.7 star rating, who would question it?  Well, a few people did, the code was looked at, and Google pulled it from the store.  They have even gone as far as to make amends with those scammed in the process.

Here’s the app description previously seen on Virus Shield’s Google Play page:

Virus Shield is an Antivirus that protects you and your personal information from harmful viruses, malware, and spyware.

Improve the speed of your phone with just one click. This app was designed so that anyone can use and protect their phone.

• Prevents harmful apps from being installed on your device.
• Scans apps, settings, files, and media in real time
• Protects your personal information
• Strong antivirus signature detection
• Very low impact on battery life
• Runs in the background
• No, ZERO pesky advertisements

Too bad it doesn’t actually do any of these things. So what about the malicious things it does instead? Well, it doesn’t do anything malicious either. In fact, it has hardly any code at all.

Let’s take a step back to those reviews. How did an app get such a huge amount of good reviews in such a short period? I think that’s where the real deception was happening.

Here are some stipulations for writing reviews on Google Play:

• You must install an app to be able to review it.
• Reviews are tied to your Google Account.
• You can only review any app once per account.

I’m not clear on the exact process, but it seems the author created automation to use fake accounts to install the app, write a review, and then repeat the process continually in order to bust review ratings and download counts.

Suddenly, a no-name app has become Google Play’s top paid app. Other users now see it at the top of the charts, install it for themselves for $3.99, and the author makes a profit.

Although the app itself didn’t have malicious code, there was definitely malicious intent. For this reason, we’ve marked this app as Android.FakeApp in case it ends up on any other Android marketplaces.

With WordPress continuing to lead the CMS market segment, with the biggest proportion of market share, cybercriminals are actively capitalizing on the monocultural insecurities posed by this trend, in an attempt to monetize the ubiquitous (for the cybercrime ecosystem) TTPs (tactics, techniques and procedures). Despite actively seeking new and ‘innovative’ ways to abuse this trend, cybercriminals are also relying on good old fashioned reconnaissance and ‘hitlist’ building tactics, in an attempt to achieve an efficiency-oriented ‘malicious economies of scale’ type of fraudulent/malicious process.

We’ve recently spotted a managed WordPress installations-targeting, XML-RPC API abusing type of DDos (Denial of Service) attack service, whose discovery intersects with a recently launched mass widespread WordPress platform targeting campaign.

read more…

Cybercriminals continue actively abusing/mixing legitimate and purely malicious infrastructure, on their way to take advantage of clean IP reputation, for the purpose of achieving a positive ROI (return on investment) out of their fraudulent/malicious activities, in terms of attribution and increasing the average lifetime for their campaigns. Acting as intermediaries within the exploitation/social engineering/malware-serving chain, the market segment for this type of cybercrime-friendly services continues flourishing, with more vendors joining it, aiming to differentiate their UVP (unique value proposition) through a variety of ‘value-added’ services.

We’ve recently spotted yet another managed/on demand redirector generating service, that’s empowering potential cybercriminals with the necessary infrastructure for the purpose of launching (layered) fraudulent/malicious (multiple) redirector enabled attacks, capable of bypassing popular Web filtering solutions. Let’s profile the service, discuss its relevance within the cybercrime ecosystem, and provide actionable intelligence on the static redirectors managed by it.

More details:

read more…

Rogue vendors of Potentially Unwanted Applications (PUAs) continue tricking tens of thousands of gullible users into installing deceptive and privacy violating applications. Largely relying on ‘visual social engineering’ tactics and basic branding concepts, the majority of campaigns convincingly present users with legitimately looking ToS (Terms of Service)/EULA (End User License Agreements) which socially engineered users accept, thereby assuming the responsibility for the potential privacy-violating activities taking place on their host.

We’ve recently spotted yet another PUA campaign, relying on deceptive “Download Now” types of ads, enticing users into downloading the bogus GetMyFiles (Adware.Linkular) application, as well as the rogue SpeedUpMyPC (Win32.SpeedUpMyPC.A) PUA. Let’s profile the campaign, and provide actionable intelligence on the infrastructure behind it.

More details:

read more…

For years, cybercriminals have been building ‘hit lists’of potential targets through automated and efficiency-oriented reconnaissance TTPs (tactics, techniques and procedures).  The aim is to fraudulently/maliciously capitalize on these databases consisting of both corporate and government users. Seeking a positive return on their fraudulent/malicious activities, cybercriminals also actively apply basic QA (Quality Assurance) processes, standardization, systematic releasing of DIY (do-it-yourself) cybercrime-friendly applications – all to further ensure a profitable outcome for their campaigns. Thanks to the active implementation of these TTPs, in 2014, the market segments for spam-ready managed services/blackhat SEO (search engine optimization) continue to flourish with experienced vendors starting to ‘vertically integrate’ within the cybercrime ecosystem which is an indication of an understanding of basic business/economic processes/theories.

We’ve recently spotted a cybercrime-friendly service that’s offering commercial access to 50M+ ccTLD zone transfer domains whose availability could lead to a widespread mass abuse. Let’s profile the service and discuss its relevance/potential for abuse in the overall threat landscape.

More details:

read more…

Everyday cybercriminals actively take advantage of basic OPSEC (Operational Security) tactics, aiming to risk-forward their fraudulent/malicious online activity to a third-party, while continuously seeking to launching their malicious/fraudulent campaigns in an anonymous fashion. Having successfully matured from, what was once a largely immature market segment to today’s growing market segment, in terms of active implementation of OPSEC concepts, the blackhat market is prone to continue expanding, further providing malicious and fraudulent adversaries with the necessary capabilities to remain beneath the radar of law enforcement and the security industry.

In a series of blog posts we’ve published throughout 2013, we proactively highlighted the emergence of the TDoS (Telephony Denial of Service) attacks in the context of cybercriminals’ growing non-attributable capabilities to target and exploit (basic) vulnerabilities in telephone/mobile systems internationally. Largely relying on fraudulently obtained SIM cards and compromised accounting data at legitimate VoIP providers, as well as active utilization of purely malicious infrastructure, TDoS vendors constantly seek new tactics to apply to their OPSEC procedures.

Having proactively profiled the TDoS market segment throughout 2013, we’re also keeping eye on value-added services/features, namely, the modification of a mobile device/USB dongle’s International Mobile Station Equipment Identity (IMEI), for the purpose of adding an additional layer of anonymity to the fraudulent/DoS process. Let’s profile several vendors offering IMEI modification services and discuss their relevance within the TDoS market segment.

More details:

read more…

Cybercriminals continue to maliciously ‘innovate’, further confirming the TTP (tactics, techniques and procedure) observations we made in our Cybercrime Trends – 2013 assessment back in December, 2013, namely, that the diverse cybercrime ecosystem is poised for exponential growth. Standardizing the very basics of fraudulent and malicious operations, throughout the years, cybercriminals have successfully achieved a state of ‘malicious economies of scale, type of economically efficient model, successfully contributing to international widespread financial and intellectual property theft. Thanks to basic cybercrime disruption concepts, such as modular DIY (do-it-yourself) commercial and publicly obtainable malware/botnet generating tools. In 2014, both sophisticated and novice cybercriminals have everything they need to reach an efficient state of fraudulent/malicious operation.

We’ve recently spotted a commercially obtainable modular, Tor C&C enabled, Bitcoin mining malware/botnet generating tool. Let’s discuss its features, key differentiation factors and take a peek inside it’s Web-based command and control interface.

More details:

read more…

Thanks to the commercial and public availability of DIY (do-it-yourself) modular malware/botnet generating tools, the diverse market segment for Web malware exploitating kits, as well as traffic acquiring/distributing cybercrime-friendly traffic exchanges, cybercriminals continue populating the cybercrime ecosystem with newly launched services offering API-enabled access to Socks4/Socks5 compromised/hacked hosts. Largely relying on the ubiquitous affiliate network revenue sharing/risk-forwarding scheme, vendors of these services, as well as products with built-in Socks4/Socks5 enabled features, continue acquiring new customers and gaining market share to further capitalize on their maliciously obtained assets.

We’ve recently spotted a newly launched affiliate network for a long-run — since 2004 — compromised/hacked hosts as a service. Let’s profile the service, discuss its key differentiation factors, and take a peek inside its Web based interface.

More details:

read more…

Cybercriminals continue adapting to the exponential penetration of mobile devices through the systematic release of DIY (do-it-yourself) mobile number harvesting tools, successfully setting up the foundations for commercial managed/on demand mobile phone number harvesting services, ultimately leading to an influx of mobile  malware/spam campaigns. In addition to boutique based DIY operations, sophisticated, ‘innovation’ and market development-oriented cybercriminals are actively working on the development of commercially available Android-based botnet generating tools, further fueling growth into the market segment.

In a series of blog posts, we’ve been profiling multiple cybercrime-friendly services/malicious Android-based underground market releases, further highlighting the professionalization of the market segment in terms of sophistication and QA (Quality Assurance).

We’ve recently spotted a service offering 5M+ harvested and segmented Russian mobile phone numbers on a per business status/gender/driving license basis. What’s particularly interesting about this service is the fact that it exposes a long-run fraudulent Win32:SMSSend serving infrastructure (SEVAHOST-AS Seva-Host Ltd (AS49313), segmented harvested mobile phone numbers of Sochi citizens, a fake (paid) medical leave/absence service targeting Sochi citizens, and a portfolio of rogue mobile apps leading to the exposure of a mobile botnet, surprisingly relying on an identical hardware/bot ID.

More details:

read more…