Malicious ‘FW: File’ themed emails lead to malware
Think someone forwarded you an important attachment? Think twice. Cybercriminals are currently mass mailing tens of thousands of malicious emails attempting to trick the recipient into thinking that someone has forwarded a file to them. In reality, once socially engineered users execute the malicious attachments, their PCs automatically become part of the botnet operated by the cybercriminals behind the campaign, allowing them to gain complete control over the affected PCs, and consequently abuse the access for related fraudulent purposes.
Yet another Bitcoin accepting E-shop offering access to thousands of hacked PCs spotted in the wild
The never-ending supply of access to compromised/hacked PCs — the direct result of the general availability of DIY/cracked/leaked malware/botnet generating tools — continues to grow in terms of the number and variety of such type of underground market propositions. With more cybercriminals entering this lucrative market segment, on their way to apply well proven and efficient monetization schemes to these hacked PCs, cybercrime-friendly affiliate networks naturally capitalize on the momentum, ensuring a win-win business process for the participants and the actual owners of the network.
In this post, I’ll highlight yet another newly launched such E-shop, currently possessing access to over 30,000 malware-infected hosts.
Spamvertised T-Mobile ‘Picture ID Type:MMS” themed emails lead to malware
The cybercriminals behind last week’s profiled fake T-Mobile themed email campaign have resumed operations, and have just spamvertised another round of tens of thousands of malicious emails impersonating the company, in order to trick its customers into executing the malicious attachment, which in this case is once again supposedly a legitimate MMS notification message.
Novice cyberciminals offer commercial access to five mini botnets
With the increased public availability of leaked/cracked DIY malware/botnet generating tools, cybercriminals continue practically generating new botnets on the fly, in order to monetize the process by offering access to these very same botnets at a later stage in the botnet generation process. In addition to monetizing the actual process of setting up and hosting the botnet’s C&C (command and control) servers, novice cybercriminals continue selling direct access to their newly generated botnets, empowering other novice cybercriminals with the foundations for further disseminating and later on monetizing other pieces of malicious software, part of their own arsenal of fraudulent/malicious tools.
Let’s discuss one such sample service run by novice cybercriminals, once again targeting cybercriminals, that’s selling direct access to mini botnets generated using what appears to be a cracked version of a popular DIY malware/botnet generating kit, and emphasize on the service’s potential in the broader context of today’s highly professionalized cybercrime ecosystem.
ThreatVlog Episode 8: DNS hijack through phishing and the Adobe breach
In this episode of the ThreatVlog, Marcus talks about the DNS hijack that took down a slew of popular websites, including WhatsApp, AVG, and Avira. These accounts were all compromised through one simple phishing scheme going after the Network Solutions accounts. Marcus also discusses the basics of the Adobe hack.
http://youtu.be/QIPX4r3NygQ
Compromised Turkish Government Web site leads to malware
Our sensors just picked up an interesting Web site infection, this time affecting a Web server belonging to the Turkish government, where the cybercriminals behind the campaign have uploaded a malware-serving fake ‘DivX plug-in Required!” Facebook-themed Web page. Once socially engineered users execute the malware variant, their PCs automatically join the botnet operated by the cybercriminals behind the campaign.
Fake ‘You have missed emails’ GMail themed emails lead to pharmaceutical scams
Pharmaceutical scammers are currently mass mailing tens of thousands of fake emails, impersonating Google’s GMail in an attempt to trick its users into clicking on the links found in the spamvertised emails. Once users click on them, they’re automatically exposed to counterfeit pharmaceutical items, with the scammers behind the campaign attempting to capitalize on the ‘impulsive purchase’ type of social engineering tactic typical for this kind of campaign.
Sample screenshot of the spamvertised email:
Sample screenshot of the landing pharmacautical scams page:
Landing URL: shirazrx.com – 85.95.236.188 – Email: ganzhorn@shirazrx.com
The following pharmaceutical scam domains also respond to the same IP:
asqrtplc.com
pharmlevitrafitch.com
myprescriptionhealth.com
viagrasequester.com
rxjeanstra.at
medoverdose.at
rxtreatments.ru
The following pharmaceutical scam domains are also known to have responded to the same IP (85.95.236.188):
albertapharm.com
albertapharm.net
antacid.fatwelnessdiet.com
anticlockwise.medwelopioid.com
antiquarianism.medwelopioid.com
assignment.healthcareviagrabiotech.com
canadaprescriptioninc.at
carburettors.opioidsalemeds.com
debars.dentalcarepharmacy.com
deliquescent.homemedicalrx.com
dipoles.fatdietpharm.com
drughealthcareprescription.com
drugstoreabortion.com
drugstorepharmetro.com
heads.fatpillsdiet.com
hebalk.ru
herbalviagrasildenafil.com
inflammatory.patientsprescriptionmedical.com
levitrachrome.at
levitrapillkorsinsky.com
This isn’t the first, and definitely not the last time pharmaceutical scammers brand-jack reputable brands in order to trick users into clicking on the links found in the fake emails, as we’ve already seen them brand-jack Facebook’s Notification System, YouTube, as well as the non-existent Google Pharmacy. Thanks to the (natural) existence of affiliate networks for pharmaceutical items, we expect that users will continue falling victim to these pseudo-bargain deals, fueling the the growth of the cybercrime economy and the need for more cybersecurity awareness.
Our advice? Never bargain with your health, spot the scam and report it.
Newly launched VDS-based cybercrime-friendly hosting provider helps facilitate fraudulent/malicious online activity
Realizing the market segment potential of bulletproof hosting services in a post-Russian Business Network (RBN) world — although it can be easily argued that as long as its operators are at large they will remain in business — cybercriminals continue supplying the cybercrime ecosystem with market-relevant propositions. It empowers anyone with the ability to host fraudulent and malicious content online. A newly launched Virtual Dedicated Server (VDS) type of bulletproof hosting vendor is pitching itself to prospective cybercriminals, offering them hosting services for spam, malware, brute-forcing tools, blackhat SEO tools, C&C (command and control) servers, exploit kits and warez. In addition to offering the “standard cybercrime-friendly” bulletproof hosting package, the vendor is also excelling in terms of the hardware it relies on for providing the infrastructure to its customers.
Let’s take a peek inside the infrastructure ‘facility’, and discuss the vendor’s business model in the over-populated market segment for bulletproof hosting services, currently available to prospective cybercriminals.
Cybercriminals offer spam-friendly SMTP servers for rent – part two
We continue to spot new cybercrime ecosystem propositions for spam-ready, cybercrime-friendly SMTP (Simple Mail Transfer Protocol) targeting QA (Quality Assurance) aware cybercriminals looking to gain access to dedicated mail servers with clean IP reputation, ensuring that their campaigns will reach the recipient’s Inbox. Relying on ‘in-house’ built infrastructure or direct outsourcing to bulletproof hosting providers, these services continue empowering prospective customers with managed, popular spam software compatible services, potentially exposing millions of users to fraudulent or malicious email campaigns.
Let’s discuss yet another managed service offering spam-ready SMTP servers, and connect it to malicious campaigns that have directly interacted with the same infrastructure it’s currently hosted on, indicating that it’s already “in business”.
New cybercrime-friendly iFrames-based E-shop for traffic spotted in the wild
Thanks to the free, commercial availability of mass Web site hacking tools, in combination with hundreds of thousands of misconfigured and unpatched Web sites, blogs and forums currently susceptible to exploitation, cybercriminals are successfully monetizing the compromise process. They are setting up iFrame based traffic E-shops and offering access to hijacked legitimate traffic to be later on converted to malware-infected hosts.
Despite the fact that the iFrame traffic E-shop that I’ll discuss in this post is pitching itself as a “legitimate traffic service”, it’s also explicitly emphasizing on the fact that iFrame based traffic is perfectly suitable to be used for Web malware exploitation kits. Let’s take a closer look at the actual (international) underground market ad, and discuss the relevance of these E-shops in today’s modern cybercrime ecosystem.
Commercially available Blackhat SEO enabled multi-third-party product licenses empowered VPSs spotted in the wild
Standardization is the cybercrime ecosystem’s efficiency-oriented mentality to the general business ‘threat’ posed by inefficiencies and lack of near real-time capitalization on (fraudulent/malicious) business opportunities. Ever since the first (public) discovery of managed spam appliances back in 2007, it has become evident that cybercriminals are no strangers to basic market penetration/market growth/market development business concepts. Whether it’s the template-ization of malware-serving sites, money mule recruitment, spamming or blackhat SEO, this efficiency-oriented mentality can be observed in virtually each and every market segment of the ecosystem.
In this post, I’ll discuss a recent example of standardization, in particular, a blackhat SEO friendly VPS (Virtual Private Server) that comes with over a dozen multi-blackhat-seo-friendly product licenses from third-party products integrated. It empowers potential customers new to this unethical and potentially fraudulent/malicious practice with everything they need to hijack legitimate traffic from major search engines internationally.
DDoS for hire vendor ‘vertically integrates’ starts offering TDoS attack capabilities
DDoS for hire has always been an inseparable part of the portfolio of services offered by the cybercrime ecosystem. With DDoS extortion continuing to go largely under-reported, throughout the last couple of years — mainly due to the inefficiencies in the business model — the practice also matured into a ‘value-added’ service offered to cybercriminals who’d do their best to distract the attention of a financial institution they’re about to (virtually) rob.
Operating online — under both private and public form — since 2008, the DDoS for hire service that I’ll discuss in the this post is not just offering DDoS attack and Anti-DDoS protection capabilities to potential customers, but also, is ‘vertically integrating’ within the ecosystem by starting to offer TDoS (Telephony Denial of Service Attack) services to prospective customers.