Threat Lab

Girl Scouts and OpenText empower future leaders of tomorrow with cyber resilience

The transition to a digital-first world enables us to connect, work and live in a realm where information is available at our fingertips. The children of today will be working in an environment of tomorrow that is shaped by hyperconnectivity. Operating in this...

World Backup Day reminds us all just how precious our data is

Think of all the important files sitting on your computer right now. If your computer crashed tomorrow, would you be able to retrieve your important files? Would your business suffer as a result? As more and more of our daily activities incorporate digital and online...

3 Reasons We Forget Small & Midsized Businesses are Major Targets for Ransomware

The ransomware attacks that make headlines and steer conversations among cybersecurity professionals usually involve major ransoms, huge corporations and notorious hacking groups. Kia Motors, Accenture, Acer, JBS…these companies were some of the largest to be...

How Ransomware Sneaks In

Ransomware has officially made the mainstream. Dramatic headlines announce the latest attacks and news outlets highlight the staggeringly high ransoms businesses pay to retrieve their stolen data. And it’s no wonder why – ransomware attacks are on the rise and the...

An MSP and SMB guide to disaster preparation, recovery and remediation

Introduction It’s important for a business to be prepared with an exercised business continuity and disaster recovery (BC/DR) plan plan before its hit with ransomware so that it can resume operations as quickly as possible. Key steps and solutions should be followed...

Podcast: Cyber resilience in a remote work world

The global pandemic that began to send us packing from our offices in March of last year upended our established way of working overnight. We’re still feeling the effects. Many office workers have yet to return to the office in the volumes they worked in pre-pandemic....

5 Tips to get Better Efficacy out of Your IT Security Stack

If you’re an admin, service provider, security executive, or are otherwise affiliated with the world of IT solutions, then you know that one of the biggest challenges to overcome is efficacy. Especially in terms of cybersecurity, efficacy is something of an amorphous...

How Cryptocurrency and Cybercrime Trends Influence One Another

Typically, when cryptocurrency values change, one would expect to see changes in crypto-related cybercrime. In particular, trends in Bitcoin values tend to be the bellwether you can use to predict how other currencies’ values will shift, and there are usually...

Cybercriminals release automatic CAPTCHA-solving bogus Youtube account generating tool

Jan 15, 2013 | Industry Intel, Threat Lab

For years, thanks to the currently mature human-driven ecosystem offering CAPTCHA-solving as a service, cybercriminals have been persistently and automatically abusing major Web properties by undermining the “chain of trust” that these properties rely on so extensively.

Still living in a world supposedly dominated by malware-infected bots, this myopia has resulted in the rise of these managed services, rendering any recent CAPTCHA “innovations” useless since they continue relying on humans – the very species that CAPTCHA is supposed to be recognizable by in the first place.

Just how easy is it to automatically register tens of thousands of bogus accounts at, let’s say, YouTube? In this post I’ll profile a recently released tool that’s relying on API keys offered by a CAPTCHA-solving services, automating the account registration process in combination with the use of malware-infected hosts as proxies.

More details:

Fake ‘ADP Speedy Notifications’ lead to client-side exploits and malware

Jan 14, 2013 | Industry Intel, Threat Lab

Over the past week, cybercriminals have resumed spamvertising fake “ADP Immediate Notifications” in an attempt to trick users into clicking on the malicious links found in the emails. The links point to the latest version of the Black Hole Exploit Kit, and consequently, exploit CVE-2013-0422, affecting the latest version of Java.

With no fix for this vulnerability currently available, users are advised to disable Java immediately.

More details:

Malicious DIY Java applet distribution platforms going mainstream

Jan 11, 2013 | Industry Intel, Threat Lab

Despite the fact that on the majority of occasions cybercriminals tend to rely on efficient and automated exploitation techniques like the ones utilized by the market leading Black Hole Exploit Kit, they are no strangers to good old fashioned ‘visual social engineering’ tricks. Throughout 2012, we emphasized on the emerging trend of using malicious DIY Java applet distribution tools for use in targeted attacks, or widespread campaigns.

Is this still an emerging trend? Let’s find out. In this post, I’ll profile one of the most recently released DIY Java applet distribution platforms, both version 1.0 and version 2.0.

More details:

‘Please confirm your U.S Airways online registration’ themed emails lead to Black Hole Exploit Kit

Jan 10, 2013 | Industry Intel, Threat Lab

In 2012, fake flight reservation confirmations and bogus E-ticket verifications were a popular social engineering theme for cybercriminals. On numerous occasions, we intercepted related campaigns attempting to trick customers into clicking on malicious links, which ultimately exposed them to the client-side exploits served by the latest version of the Black Hole Exploit Kit.

Apparently, the click-through rates for these campaigns were good enough for cybercriminals to resume spamvertising related campaigns. In this post, I’ll profile the most recently spamvertised campaign impersonating U.S Airways.

More details:

Spamvertised AICPA themed emails serve client-side exploits and malware

Jan 9, 2013 | Industry Intel, Threat Lab

Certified Public Accountants (CPAs) are a common target for cybercriminals. Throughout 2012, we intercepted several campaigns directly targeting CPAs in an attempt to trick them into clicking on the malicious links found in the emails. Once they click on any of the links, they’re automatically exposed to the client-side exploits served by the latest version of the Black Hole Exploit Kit.

In this post, I’ll analyze one of the most recently spamvertised campaigns impersonating the American Institute of Certified Public Accountants, also known as AICPA.

More details:

Black Hole Exploit Kit author’s ‘vertical market integration’ fuels growth in malicious Web activity

Jan 8, 2013 | Industry Intel, Threat Lab

Historical cybercrime performance activity of multiple gangs and individuals has shown us that, in order for them to secure multiple revenue streams, they have the tendency to multi-task on multiple fronts while operating and serving the needs of customers within different cybercrime-friendly market segments.

A logical question emerges in the context of the fact that 99% of all the spamvertised campaigns we’re currently intercepting rely on the latest version of the Black Hole Exploit Kit – is Paunch, the author of the kit, multi-tasking as well? What’s the overall impact of his ‘vertical market integration‘ practices across the Web beyond maintaining the largest market share of malicious activity in regard to Web malware exploitation kits?

Let’s find out by discussing two of his well known revenue sources and sample a campaign that’s relying on the managed iFrame/Javascript crypting/obfuscating service that he’s also operating.

More details:

Novel Approach to Malware Discovery in today’s Threat Landscape

Jan 7, 2013 | Industry Intel, Threat Lab

There are a number of similarities between biological viruses and those which infect our PC’s. For one, both types of infections rely on mutations to evade detection and survive. The faster the mutations, the more difficult an infection is to combat. This is because those who spend their time and effort fighting such infections are likely to miss a mutation and therefor lack the chance to create a cure. This point is especially true with traditional antivirus technology where discovery and detection techniques have not kept up with the rapid pace of mutations common in today’s threat landscape. The recent NY Times article ‘Outmaneuvered at Their Own Game, Antivirus Makers Struggle to Adapt’ reported that, “On average, it took almost a month for antivirus products to update their detection mechanisms and spot the new viruses.”

Meet the Webroot Intelligence Network (WIN), a novel new approach to malware intelligence, discovery, detection and protection which scales with the pace of the malware industry. How did we do it? By first creating the most powerful threat intelligence engine the world has ever seen. A cloud hosted engine which correlates live data from millions of user endpoints, honeypots, and sensor networks from around the globe, all in real-time. This engine has populated the Webroot Intelligence Network with detailed data on millions of malicious programs, is aware of over 8.7 billion URL’s, 550 million IP addresses and 2 million mobile applications. WIN provides the necessary visibility into a rapidly mutating and evolving threat landscape to provide Webroot products the intelligence needed to keep users secure.

One key element to the success of WIN has been leveraging the power of our users. By turning every customer endpoint into a malware discovery node capable of sending newly discovered file data to WIN, Webroot researchers around the world are able to analyze and classify incoming data in real time. When a new malicious program, URL or IP is discovered, the entire user-base is immediately protected; no definition updates required. There are a number of benefits to this approach; one of the biggest being that malware variants don’t slip through the cracks. If a Webroot user is the first to see a new infection, it is only a matter of minutes before a researcher discovers the infection and creates a rule to detect and protect the entire user-base. Compare this to traditional signature based AV’s which must first collect the sample (if they can find it – in many cases samples are missed due to the intentionally short lifespan of today’s malware variants), analyze it, and finally release a new detection signature which lastly has to be sent to the endpoint. As the NY Times article mentions, “Part of the problem is that antivirus products are inherently reactive. Just as medical researchers have to study a virus before they can create a vaccine, antivirus makers must capture a computer virus, take it apart and identify its “signature” — unique signs in its code — before they can write a program that removes it. That process can take as little as a few hours or as long as several years.” Most often, by the time a new signature is released, the malware variant it is designed to detect is no longer relevant.

The strength of a security solution is directly related to the quality of its intelligence. By enabling our products to participate in the discovery of new infections, WIN ensures our researchers have the visibility needed to keep up with a malware landscape which relies heavily upon flooding the market with newly compiled infections designed specifically to evade traditional AV methodologies. In many ways, the AV industry is responsible for the current day problem. The lack of innovation and adaptation to the problem created an easy out for malware authors. Webroot aims to change this paradigm by including the force of its entire user-base to combat the problem. It has long been said that the AV industry is at a disadvantage because for every security researcher fighting these infections, there were certainly 100 if not 1,000 hackers creating such infections. Webroot has upped the ante by recruiting its millions of users to help in the fight to keep our personal data and online activities secure. Malware has nowhere to hide when up against the Webroot Intelligence Network.

A peek inside a boutique cybercrime-friendly E-shop – part six

Jan 7, 2013 | Industry Intel, Threat Lab

In 2012, we started the “A Peek Inside a Boutique Cybercrime-Friendly E-shop” series, in response to the emerging market segment largely driven by novice cybercriminals relying on ubiquitous E-shop templates to sell their fraudulently obtained assets.

In this post, I’ll profile one of the most diversified (in terms of quantity and type of fraudulently obtained assets) boutique cybercrime-friendly E-shops I’ve come across since the launch of the series.

More details:

Fake ‘You have made an Ebay purchase’ themed emails lead to client-side exploits and malware

Jan 4, 2013 | Industry Intel, Threat Lab

Over the past 24 hours, cybercriminals have launched yet another massive spam campaign, this time impersonating both eBay and PayPal, in an attempt to trick their users into clicking on the client-side exploits and malware serving links found in the malicious emails.

More details:

‘Attention! Changes in the bank reports!’ themed emails lead to Black Hole Exploit Kit

Jan 3, 2013 | Industry Intel, Threat Lab

Cybercriminals are currently spamvertising tens of thousands of emails in an attempt to impersonate the recipients’ bank, tricking them into thinking that the Ministry of Finance in their country has introduced new rules for records keeping, and that they need to print and sign a non-existent document.

Once users click on the links found in the malicious emails, they’re automatically exposed to the client-side exploits served by the latest version of the Black Hole Exploit Kit.

More details:

Fake BBB (Better Business Bureau) Notifications lead to Black Hole Exploit Kit

Jan 2, 2013 | Industry Intel, Threat Lab

Cybercriminals have recently launched yet another massive spam campaign, impersonating a rather popular brand used in a decent percentage of social engineering driven email campaigns – the BBB (Better Business Bureau).

Once users click on any of the links in the malicious emails, they’re automatically exposed to the client-side exploits served by the Black Hole Exploit kit.

More details:

Spamvertised ‘Your Recent eBill from Verizon Wireless’ themed emails serve client-side exploits and malware

Jan 1, 2013 | Industry Intel, Threat Lab

Throughout 2012, we intercepted two malicious campaigns impersonating Verizon Wireless in an attempt to trick its customers into clicking on links pointing to fake eBills.

It appears that cybercriminals are back in the game, with yet another Verizon Wireless themed malicious campaign, enticing users to click on the malicious link found in the email. Once users click on the link, they’re automatically exposed to the client-side exploits served by the latest version of the Black Hole Exploit Kit.

More details: