Summarizing Webroot's Threat Blog Posts for April

The following is a brief summary of all of my posts at Webroot's Threat Blog for April, 2013. You can subscribe to Webroot's Threat Blog RSS Feed, or follow me on Twitter:

01. DIY Java-based RAT (Remote Access Tool) spotted in the wild
02. Spamvertised ‘Re: Changelog as promised’ themed emails lead to malware
03. Cybercrime-friendly service offers access to tens of thousands of compromised accounts
04. Madi/Mahdi/Flashback OS X connected malware spreading through Skype
05. Cybercriminals selling valid ‘business card’ data of company executives across multiple verticals
06. A peek inside the ‘Zerokit/0kit/ring0 bundle’ bootkit
07. DIY Skype ring flooder offered for sale
08. Spamvertised ‘Your order for helicopter for the weekend’ themed emails lead to malware
09. A peek inside a ‘life cycle aware’ underground market ad for a private keylogger
10. American Airlines ‘You can download your ticket’ themed emails lead to malware
11. Cybercriminals offer spam-friendly SMTP servers for rent
12. How mobile spammers verify the validity of harvested phone numbers – part two
13. A peek inside a (cracked) commercially available RAT (Remote Access Tool)
14. DIY Russian mobile number harvesting tool spotted in the wild
15. DIY SIP-based TDoS tool/number validity checker offered for sale
16. CAPTCHA-solving Russian email account registration tool helps facilitate cybercrime
17. Historical OSINT – The ‘Boston Marathon explosion’ and ‘Fertilizer plant explosion in Texas’ themed malware campaigns
18. Fake ‘DHL Delivery Report’ themed emails lead to malware
19. Cybercriminals impersonate Bank of America (BofA), serve malware
20. How fraudulent blackhat SEO monetizers apply Quality Assurance (QA) to their DIY doorway generators
21. Managed ‘Russian ransomware’ as a service spotted in the wild

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.

What's the ROI on Going to a Virtual Blackhat SEO School?

For years, fraudulent or purely malicious actors have been abusing the online advertising market, by directly hijacking and redirecting the revenue flow, or by successfully and efficiently hijacking as much percentage of legitimate search traffic as possible, and monetizing it through the use of blackhat SEO (search engine optimization) tactics/shady affiliate networks.

Monetizing the very monetization process? Standardizing the revenue generation, and knowledge spreading streams, achieving efficiencies in the process, and directly contributing to a new, this time better trained/educated generation of Blackhat SEO-ers? Someone he's knowingly or unknowingly on a mission. A mission with a brand.

In this post, I'll profile a highly successful blackhat SEO 'school" that promises the Moon, but asks for nothing except $1,000 for the training course, which will turn you into a sophisticated blackhat SEO expert, netting you huge amounts of money.

Operating in the open since 2010, the service is currently (2013) asking for $350, presumably to keep the new customers flow going. Since it's initial launch data, the business model has been relying on a loyal set of people who already "took" the course, and continue making money up to present day. A loyalty and happy customer "feedback" best demonstrated by featuring exclusive screenshots courtesy of the happy customers.

Initial forum advertisement:
Welcome to the forum millionaires! So, I decided, now I will welcome the new students.

And you know why?

My course, and our forum for more than two years, and during that time has accumulated a huge pile of reviews with the statistics. Wondered how many of my students have earned over 2 years on my course?

And it turned out that except cars, apartments, purely according to PP, pupils together earned 17 million rubles! And it is only those who have shown their statistics. And I think in 2 years they could make a few more millions. (Figure is slightly inaccurate to 9 lines in a notebook I got tired and started to round + decided not to take into account the 3,000,000 earnings per pupil)

In two years, we have made dozens of millionaires in Russia, Ukraine and Belarus Their lives changed immediately, as soon as they hit the family. People sitting in debt in a few months to buy a new car.

People are sitting at their desks yesterday brought home two monthly salaries parents, and explained that it is unashamedly from the Internet, it is their earnings!

People who are already my course have been very successful become even more successful. The forum is stable enough people who earn a day 50-60 thousand rubles. This is not theoretical, not uncle in suits, this is the same young guys like you or me.

Although I must admit, the forum is and uncle in suits for 30-40 years, primarily to get through doorways capital to support their business.

And all these people realize that they are family, friends, and they willingly associate, dividing their experiences, secrets! Access to the course - it is a unique opportunity to touch the thought of successful people, to breathe the same air with them, get their energy and join the ranks of millionaires.

As early as the year, the forum has two tech support, and username, people are few easy counseled hundreds of students and even if they did not do dory - would know what the perfect doorway.

BUT! They do work, make Dora always advise how to make your doorway even better answer the most stupid question, and will lead to the most stable earnings.

Now, if you are reading these lines and think that $ 1000 for access and the opportunity to become a millionaire in 24\7 support from a support, for the opportunity to be in the new family is expensive, I never selling you access.

We need people who value themselves, their money and time. If $ 1,000 seems to you a great price, then you will never become a millionaire from the internet and you simply do not want my family.

Imagine you paid $ 1,000 in the bank say, come back every day to ask questions and get a month - $ 100,000, it is tempting? Here's a bank - this is our forum. And 80 pages of reviews stands surety for this bank.

You may think, but what for me is all good topic no one will sell!

And I grieve you, it's not the topic, not the scheme, not the holy grail, it's work. Work by a support forum and make it so simple that you will forget the times when you have not worked with doorways.
A successful guys will charge you so much energy that the work will be for you the best thing in life. You're going to sleep at 4:00, waking up in the middle of the night with burning eyes, watch as your dorveychiki live there, and how many thousands have already dripped while you were sleeping.
Through it all the disciples, and I think they would give, and 10 and 100 thousand dollars to get through it again.

But there is a dump in a Public Forum, everything is - you say.

And I'll tell you the story of how one day I lost the backup of offline and restored the forum 15 minutes ago from what it was last time. And it was a huge mistake! Lost about 50 messages, 12 topics and 5-6 blog posts! The disciples were indignant. On our forum mad update rate, and dump the last year and the relevance of information out there already in negative degrees and I am afraid that only harms doorways.

But I can learn myself! Yes you can, spend a few years on independent learning.

And you can put a time out and spend $ 1000 on an active training week and immediately makes the doorways correctly. Once again, we are waiting for our club anonymous millionaires of people who know the value of money and his own time, who want to invest in yourself, earn, and not break your head against the wall, when there are people who will show how to get around.

Course can be purchased on the preliminary interview in ICQ price - $ 1000.

And remember, we are, we need special people, very few of them, they are people who are willing to invest in yourself and do not try to save yourself cheaply though. So I throw in ICQ to ignore anyone who asks me for a discount or credit. I understand that in spite of the 80-page review, you may be unsure if it will work with you. Therefore, we give a new guarantee manibeka. If two weeks you feel - that doorway - it's not yours, we will refund the money and pay the top 5 million rubles, for what you have spent your time!

Frequently Asked Questions (FAQ)
Good day, and now its time to answer all the questions a novice who wants to buy a course to dot the i, made to understand that he buys, he will get what may dobitsya.Nus's begin.

1.Chem we do?

Black seo.Dorvei.Dory are very flexible and tenacious tool for earnings, its flexibility due to the variety of topics and types of monetization, and vitality - the existence of PS, and how long will exist as long as the search engines will be using dory. We produce traffic, ie the users, ie the people, the traffic is the blood in the veins of the internet, and this is the main advantage that dorveyschik unlike white SEOs can in a short time to break a lot more traffa a completely different subjects and to merge it back where it needs . in a simple version of all is:
1.Registriruemsya an affiliate program, it gives you the choice of partner sites of some topics (topics vary from porn and finishing all kinds of divination), statistics (to track kollvo coming to your site, paid for kollvo, Colva who have come again).
2.Delaem doorway, we find:
- Thematic traffistye quality keys (which are appropriate to the site subject we took from PP)
- Template
- Text
All this is described in detail in the course and on the forum.
3.Zalivaem doorway to shell
4.Zhdem 4.3 apa (an - update Yandex search results, also known as SERP, quite by chance, usually up to one week, sometimes more)
5.Poluchaem traff and accordingly money.
Well this is just a simple and obvious option, work with SMS affiliate, to start - the fact that many small minded people to talk about the thousandth time of death doorways as income, just because of the changes in the SMS payment, it's wrong, it's stupid, it's self-deception to deceive drugih.I as, say, we have learned to produce traffic, our traffic started to give Dora and now we have to redirect it somewhere ie merge and convert / convert into money, a lot of options:
1.Partnerki with sms payment, the most obvious and as I wrote the best option to start.
2.Partnerki pay-per-download and install the file, such PP a lot, and they are all different, from the fact that you are paying for the jump and the malicious Trojan or whether something like that, to quite formal type of games WORLD of-tanks, Yandex bars etc. and tp.Imeya large amounts of traffic (which is the second task dorveyschika, increase the volume of traffic) in the first and in the second option holders PP will take you with open arms and make bonuses.
3.Svoi online shopping and platniki.V this topic a little feedback from these guys, as many prefer to work with SMS and other PP, but byvali.Odin met some of the students at comrade serche, he did an Internet jewelry store and the problem was my student in the production of traffic, he quickly picked up, done and grabbed a piece of the profit.
All that I wrote just for you to understand, I teach mine traffic, targeted traffic from search engines, I would suggest the best methods of monetization, by which usually fight off the course, but never forget that you have a great opportunity to go and grab a piece of the traffa on desired topics with Yandex and merge where necessary.

2.Navernoe topic died, bought her so much, so long existed, much is competition?

I am for all the time of sale of the course has experienced the death of a thousand and one as the reward scheme, but that's amazing, for some reason all those who want to - successfully earn dorah.Chto for competition - in dorah very high turnover, namely Dora always fly into the index ( Yandex search) and flew over, it's all backed by the characteristic features of the behavior dorveyschika and dorveyschik often tasting dough, he realized how easily make dory, does pack and walk yourself getting denyuzhki, leaving room for other results.

3.Zachem you sell?

That's what I do - called infobiznesom admit, when all this started, I such a word and znal.Est two concepts, with which you can ever accurately explain the infobiznesa, information and insider information autsayder.Kogda-long ago, when I was dramas and gathering information about them bit by bit on various forums - I was an outsider, I was not available methods that can quickly lead to success, and everything had to be found by experiment, my first income from went after 3 months and a naked enthusiasm nadezhdy.Pokupaya course you get insider information, which is called the bat, straight to the kitchen where everything is cooked, I do not sell super flow sheet, I only give an opportunity and take it for a fee, sell their time and, in recent years, more and more nerves, which is why, in order to maintain this non-renewable resource, and I wrote it, do not be lazy, read.

4.Kak guarantee that I Otobaya course?

No! Absolutely! Absolutely no, When we first started selling rate - while I was still able to provide guarantees to score reviews, to prove to everyone that the theme works, but now - no, no way! Your warranty - you, your desire, hard work , commitment - that guarantee it, I can not guarantee anything I can not and will not, often when a person writes me word guarantee, he wants me to take responsibility for his lazy ass over - No, I'm sorry.

5.Malenky advice, how to effectively master the course and see if it fits you at all.

My experience learning heaps different people, still divided them into two types, this is a huge difference, the gap between the two approaches to learning, results in a huge gap in the success of these students.
The first type: people with pure slave mentality, they need to stick, do not explain, do not need to seek understanding, just poke, push there, click here.
How he thinks: Suppose we make a template for Dora, and we need to write deksripshen, deskripshen - description of the site which comes out at the bottom under the link, his task - to give information about the page and encourage people to move to tyknut ie sayt.On asks me what write here, I explain what it is and I say write something that would please you, and you would make pereyti.On in a stupor, he can not think and can not even offer the option, he just wants me to tell him that there napisat.Eto not right!
The second type: The second type is often trying to organize all the information in the first place to understand how things work, and there are already having a solid foundation and framework - to batter me with questions and to increase their knowledge, for example of the first type, the second type, after hearing deskripshen what and why it is, would compare with my examples and offered his variant.Vot so you have to be, if you're so - I'll be glad to have you in the ranks of students.

6.Tsena huge! Tc asshole, the course did not buy, but it's an asshole! Reviews delete it!

Do not like the price - do not buy it, no one vparivaet, there is no hint of the imposition of the course, under the gun more so no one makes pokupat.Golye hit and conclusions about the course of those who did not buy it - please do not post, I immediately call the moderators, all is removed, how can you talk about the course, not having been on FSU How we can talk about what you do not know, if you were not in the motivation section on the forum where dozens of success stories of students? I bought the course, learned, wrote otzyv.Ya a moderator section only CEO and section on "Work" where this topic - I can not moderate.

7.What I receive after payment?

Education - after payment receive video / txt + access to the forum, watch / read / do, have questions - ask, discuss - send to the forum, no - rasskazyvayu.Esli you read the topic that many people write that the chip in the forum, unnecessarily there is a lot of relevant info and all you happy pomoch.Ves free software data - paid counterparts shown in forume.Dostup forum and consultations Asik - unlimited.

8.Skolko need to successfully quick Start?

Then (in a week or another) will need $ 10-20 for vpn (both analog proxy / socks or Dedicated Server) and 200-300 rubles for glanders.

9.Kak Otobaya fast I / osvoyu course?

Everything is individual, calculate and even about to say (to you) this time period may depend both on the human factor (your knowledge, experience) and on Yandex, which is quite nepredskazuem.Osnovyvayas on the experience of previous students gives dor $ 200 4 up to 30 days after the publication of indeks.3-4 apa usually climbs Dor ups are completely random, look here http://seobudget.ru/updates labeled SERP.

10.Rynok forum.

In our forum, which you can access after purchase - there is a market, as in any other forum, it is an integral part of the forum who wants to live, and in the end we are all in this forum for one reason - we all want to make money someone else has earned, someone just nachinaet.V Unlike other forums - the market for FSU controlling me, he monopolizirovan. Kursy of its kind in the forum - I only sell and no other, their commercial activities in the forum - with me coordinate is not necessary, but if it is removed - so she does not belong here.

Screenshots provided by actual customers of the service, featuring its primary ICQ contact point:

Blackhat SEO - it doesn't just pay the bills.

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.

Historical OSINT - The "BadB International" Cybercrime Enterprise

BadB is the nickname of Vladislav Anatolievich Horohorin, a high profile carder, who eventually got busted in France in 2010. This month, he was sentenced to serve 88 months in prison, ordered to pay $125,739 in restitution, and sentenced to two years of supervised release.

In the wake of these events, I decided to release some raw OSINT data regarding BadB's official Web site, hxxp://badb.biz.

Related URLs: hxxp://badb.biz; hxxp://badb.org; hxxp://dumps.name
Emails: badb4cc@yahoo.com; metaksa_s@yahoo.com; support@agava.com; admin@agava.com; admin@carderplanet.biz
ICQ: 49162552
Phone number: +19522325532 (Working according to BadB in 2009)

IP hosting history for badb.biz from 2005 to 2010 in the format (initial hosting IP -> IP change detected to a new IP):
217.107.212.115 -> 64.202.167.129
64.202.167.129 -> 217.107.212.115
217.107.212.115 -> 217.107.212.9
217.107.212.9 -> 89.108.66.104
89.108.66.104 -> 68.178.232.99
68.178.232.99 -> 89.108.66.104
216.8.177.23 -> 78.109.18.150
78.109.18.150 -> 196.32.222.9
89.108.73.117 - >94.75.221.75
94.75.221.75 -> 92.241.164.92

Sample Abous Us section description from badb.biz:
We are independent e-commerce security investigation group. We are help e-commerce organisations such as Visa, Mastercard, regional processings and other e-commerce structures to understand how vulnerable they are. We are not connected to any crimminal structures, not performing any outlaw actions by ourselves, not selling drugs, not sendinding any spam, not connected to any child porno, not supporting terrorists itselves nor terrorist organisations. If you received any spam from us - this is a fake of our enemies we are never use spam to promote our site. All information you can read here provided "As Is" and only for educational purposes. All articles are copyrighted. If you wish to take any part of information from here - please reffer to origination site. All we do - is we have for sale some dumps, cvvs and cobs - just for experemental purposes of our custommers ;-) We listen and effectively respond to your needs and those of your clients. We are experts at translating those needs into marketing solutions that work, look great and communicate well. Each day brings increased opportunity to increase business in current as well as new. 

This case is a great example of a simple fact - with or without BadB, the market for stolen credit cards data, continued growing throughout the entire 2011. Then in 2012, we witnessed two law enforcement operations, courtesy of SOCA, and the FBI. However, despite these efforts, the market for stolen credit cards data remains as vibrant as always.

Thanks to the standardization taking place in respect to the money mule recruitment process, as well as the nearly identical online shops for stolen credit cards data, those who cannot "cash out" the balances of the credit cards, will choose to risk-forward the selling process to the buyers of the stolen data. The rest, will basically continue looking for more efficient, automatic, and anonymous ways to get access to the stolen money, continuing to rely on money mules of virtual currencies.

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.

Summarizing Webroot's Threat Blog Posts for March

The following is a brief summary of all of my posts at Webroot's Threat Blog for March, 2013. You can subscribe to Webroot's Threat Blog RSS Feed, or follow me on Twitter:

01. New DIY IRC-based DDoS bot spotted in the wild
02. Cybercriminals release new Java exploits centered exploit kit
03. Segmented Russian “spam leads” offered for sale
04. New DIY hacked email account content grabbing tool facilitates cyber espionage on a mass scale
05. New DIY unsigned malicious Java applet generating tool spotted in the wild
06. Commercial Steam ‘information harvester/mass group inviter’ could lead to targeted fraudulent campaigns
07. Fake BofA CashPro ‘Online Digital Certificate” themed emails lead to malware
08. Spamvertised BBB ‘Your Accreditation Terminated” themed emails lead to Black Hole Exploit Kit
09. New ZeuS source code based rootkit available for purchase on the underground market
10. Cybercriminals resume spamvertising ‘Re: Fwd: Wire Transfer’ themed emails, serve client-side exploits and malware
11. Cybercrime-friendly community branded HTTP/SMTP based keylogger spotted in the wild
12. Hacked PCs as ‘anonymization stepping-stones’ service operates in the open since 2004
13. Fake ‘CNN Breaking News Alerts’ themed emails lead to Black Hole Exploit Kit
14. Spotted: cybercriminals working on new Western Union based ‘money mule management’ script
15. Malicious ‘BBC Daily Email’ Cyprus bailout themed emails lead to Black Hole Exploit Kit
16. ‘ADP Payroll Invoice’ themed emails lead to malware
17. ‘Terminated Wire Transfer Notification/ACH File ID” themed malicious campaigns lead to Black Hole Exploit Kit
18. New DIY RDP-based botnet generating tool leaks in the wild
19. A peek inside the EgyPack Web malware exploitation kit

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.

Dissecting NBC's Late Night with Jimmy Fallon Web Site Compromise

Oops, they did it again!

The official Web site (hxxp://www.latenightwithjimmyfallon.com) of NBC's Late Night With Jimmy Fallon is currently compromised/hacked and is automatically serving multiple Java exploits to its visitors through a tiny iFrame element embedded on the front page. According to Google's Safe Browsing Diagnostic page, the same malicious iFrame domain that affected the Web site, is also known to have affected 15 more domains.

Let's dissect the campaign, expose the complete domains domains portfolio used in the campaign, reproduce the malicious payload, and establish a direct connection between this campaign, and a series of phishing campaigns that appear to have been launched by the same cybercriminal/gang of cybercriminals.

Sample client-side exploitation chain: hxxp://20-monkeys-b.com/exp/agencept.php?vialjack=339214 - 144.135.8.182; 192.154.103.66 -> hxxp://20-monkeys-b.com/exp/tionjett.php

Although the currently embedded iFrame domain is offline, we know that on 2013-03-06 17:02:35 it used to respond to 192.154.103.66. We've got several malicious domains currently parked at the same IP and responing, allowing us to obtain the malicious payload used in the campaign affecting NBC's Web site. Upon further examination, the obtained malicious PDF used in the campaign, also attempts to connect to the initial iFrame domain (20-monkeys-b.com), proving that the domains are operated by the same cybercriminal/gang of cybercriminals.

Sample exploitation chain for a currently active malicious domain responding to 192.154.103.66: hxxp://poople-huelytics.com/exp/agencept.php?vialjack=694842 -> hxxp://poople-huelytics.com/exp/addajapa/jurylamp.jar -> hxxp://poople-huelytics.com/exp/addajapa/ptlyable.jar -> hxxp://poople-huelytics.com/exp/jectrger.php

Sample client-side exploits served: CVE-2013-0431; CVE-2012-1723; CVE-2010-0188

Sample detection rates for the reproduced malicious payload:
test.pdf - MD5: 013ed8ef6d92cfe337d9d82767f778da - detected by 10 out of 46 antivirus scanners as PDF:Exploit.PDF-JS.VU
jurylamp.jar - MD5: dcba86395938737b058299b8e22b6d65 - detected by 7 out of 46 antivirus scanners as Exploit:Java/CVE-2013-0431
ptlyable.jar - MD5: 2446aa6594fc7935ca13b130d4f67442 - detected by 6 out of 46 antivirus scanners as HEUR:Exploit.Java.CVE-2012-1723.gen

test.pdf drops MD5: 51311FDECCD8B6BC5059BE33E0046A27 and MD5: 72B670F4582BC73C0D05FF506B51B8EB it then attempts to obtain the malicious payload from 20-monkeys-b.com/exp/senccute.php? (144.135.8.182)

Responding to 192.154.103.66 are also the following malicious domains:
snova-vdel-e.com
mimemimikat.info

Malicious domain names reconnaissance:
20-monkeys-b.com - Email: haneslyndsey@yahoo.com
poople-huelytics.com - Email: brianmyhalyk@yahoo.com
snova-vdel-e.com - Email: guerin_k@yahoo.com
mimemimikat.info - Email: xbroshost@live.com

More domains share the same exploitation directory structure (agencept.php?vialjack=) such as for instance:
hxxp://upd.pes2020.com.ar/up/agencept.php?vialjack%3D219215
hxxp://upd.typescript.com.ar/up/agencept.php?vialjack=219215
hxxp://4ad32203.dyndns.info/agencept.php?vialjack=428181
hxxp://4ad34364.dyndns.info/agencept.php?vialjack=428181
hxxp://4ad28306.dyndns.info/agencept.php?vialjack=428181
hxxp://4ad23745.dyndns.info/agencept.php?vialjack=428181
hxxp://4ad96968.dyndns.info/agencept.php?vialjack%3D428181
hxxp://4ad21321.dyndns.info/agencept.php?vialjack=428181

The same email (xbroshost@live.com) is also known to have registered the following phishing domains in the past:
hxxp://www.realtorviewproperties.info/realtorjj/index.htm
hxxp://www.usaindependentmerchids.com
hxxp://www.usamerchandiseinc.com/
hxxp://www.blogconsciente.com/~secadmin/eLogin.php

Although the cybercriminal/gang of cybercriminals behind this campaign applied basic OPSEC practices to it, the fact that the C&C/malicious payload acquisition strategy is largely centralized, (thankfully) indicates a critical flaw in their mode of thinking.

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.

Summarizing Webroot's Threat Blog Posts for February

The following is a brief summary of all of my posts at Webroot's Threat Blog for February, 2013. You can subscribe to Webroot's Threat Blog RSS Feed, or follow me on Twitter:

 
01. Fake Booking.com ‘Credit Card was not Accepted’ themed emails lead to malware
02. Fake FedEx ‘Tracking ID/Tracking Number/Tracking Detail’ themed emails lead to malware
03. ‘Your Kindle e-book Amazon receipt’ themed emails lead to Black Hole Exploit Kit
04. New DIY HTTP-based botnet tool spotted in the wild
05. Mobile spammers release DIY phone number harvesting tool
06. New underground service offers access to thousands of malware-infected hosts
07. Targeted ‘phone ring flooding’ attacks as a service going mainstream
08. Fake ‘You’ve blocked/disabled your Facebook account’ themed emails serve client-side exploits and malware
09. Spamvertised IRS ‘Income Tax Refund Turned Down’ themed emails lead to Black Hole Exploit Kit
10. Malware propagates through localized Facebook Wall posts
11. Malicious ‘RE: Your Wire Transfer’ themed emails serve client-side exploits and malware
12. New underground E-shop offers access to hundreds of hacked PayPal accounts
13. Fake ‘Verizon Wireless Statement” themed emails lead to Black Hole Exploit Kit
14. DIY malware cryptor as a Web service spotted in the wild
15. Malicious ‘Data Processing Service’ ACH File ID themed emails serve client-side exploits and malware
16. How mobile spammers verify the validity of harvested phone numbers
17. How much does it cost to buy 10,000 U.S.-based malware-infected hosts?

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.

Dissecting NBC's Exploits and Malware Serving Web Site Compromise

The web site of the National Broadcasting Company (NBC), NBC.com, is currently compromised, and is redirecting tens of thousands of legitimate users to multiple exploits serving and malware dropping malicious URLs. The campaign appears to have been launched by the same gang of cybercriminals that's also been recently involved in impersonating Facebook Inc. and Verizon Wireless, in an attempt to trick their users/customers into clicking on links found in hundreds of thousands of spamvertised emails pretending to come from the companies.

Let's dissect the campaign, expose its structure, the dropped malware, and connect the dots on who's behind it.

Observed iFrames in rotation:
hxxp://umaiskhan.com/znzd.html
hxxp://umaiskhan.com/ztuj.html
hxxp://priceworldpublishing.com/aynk.html
hxxp://toplineops.com/mtnk.html
hxxp://moi-npovye-sploett.com/qqqq/1.php
hxxp://www.jaylenosgarage.com/trucks/PHP/google.php
hxxp://nikweinstein.com/cl/google.php

Observed redirections leading to:
hxxp://gonullersultani.net/znzd.htm
hxxp://erabisnis.net/znzd.htm
hxxp://electricianfortwayne.info/62.html
hxxp://moi-npovye-sploett.com/cGeQc0wz1KPI/larktion.php

Sample client-side exploitation chain for the first campaign: hxxp://toplineops.com/mtnk.html -> hxxp://electricianfortwayne.info/62.html -> hxxp://electricianfortwayne.info/987.pdf

Upon successful client-side exploitation, the campaign drops MD5: 4e48ddc2a2481f9ff27113e6395160e1 - detected by 7 out of 46 antivirus scanners as Trojan-Spy.Win32.Zbot.jfgj.

Once executed the sample creates the "Xi3FVneIx" Mutex and phones back to:
hxxp://eastsidetennisassociation.com/i.htm?jzd63F1JyFUfMyyf1Q8U9 - 74.220.215.229
hxxp://envirsoft.com/n.htm?xWasESNrgozQ13QNR1PNCGTGhPAW16QJ67Bnj - 174.120.29.2 - Email: louis.bouchard@envirsoft.com
hxxp://beautiesofcanada.com/s.htm?2dlYtfCwTLfFBzTL8TrY7btwJDVszO - 66.96.145.104 - Email: eddom@yahoo.com
hxxp://magasin-shop.com/v.htm?ZPlkcqLyyHFRxHmhVxQN8HdfszymBrXxuy - 66.96.160.143
hxxp://couche-transport.comlu.com/r.htm?Mb6kKF3mq5H8YxeVXYM9yOwK - 31.170.161.96

Second redirection redirection chain for a sampled iFrame: hxxp://moi-npovye-sploett.com/qqqq/1.php -> hxxp://moi-npovye-sploett.com/cGeQc0wz1KPI/larktion.php -> hxxp://moi-npovye-sploett.com/cGeQc0wz1KPI/aflybing.php?esusvity=785280 where it attempts to exploit CVE-2010-0188.

Malicious domains reconnaissance:
umaiskhan.com - 173.254.28.49 - Email: chfaisal009@gmail.com - appears to be a compromised site belonging to someone named "Azhar Mahmood", unless of course you want to believe that Pakistan's cyber warfare unit is behind the campaign, since this is the second time that I come across to this IP. Keep reading!
priceworldpublishing.com - 174.122.45.74 - Email: info@sportsworkout.com
electricianfortwayne.info - 173.201.92.1 - Email: mdkline65@yahoo.com
gonullersultani.net - 72.167.2.128 - Email: gonullersultani@gmail.com
erabisnis.net - 74.220.207.161
moi-npovye-sploett.com - 130.185.157.102 - Email: josephhaddad829@yahoo.com
jaylenosgarage.com - 80.239.148.217
nikweinstein.com - 205.178.145.95 - Email: nikweinstein@hotmail.com

mdkline65@yahoo.com is also known to have registered the following domains:
dedirt.com
dogsrit.com
spiritualspice.us
madamerufus.com
herbalstatelegal.com
myauditionsite.com
injurylawyercleveland.info
injurylawyerspringfieldmo.info
injurylawyercolumbus.info
injurylawyerindianapolis.info

Who's behind this campaign and can we connect this malicious activities to previously analyzed malicious campaigns? But, of course.

umaiskhan.com responds to 173.254.28.49, and on 2013-01-28 18:56:19 we know that another domain used in a Facebook Inc. themed campaign was also responding to the same IP, namely hxxp://shutterstars.com/wp-content/plugins/akismet/resume_facebook.html. The compromised legitimate host back then used to serve client-side exploits through hxxp://gotina.net/detects/sign_on_to_resume.php – 222.238.109.66 – Email: lockwr@rocketmail.com.

Deja vu! We've already seen and profiled this malicious domain in the following assessment "Fake ‘You’ve blocked/disabled your Facebook account’ themed emails serve client-side exploits and malware", indicating that both of these campaigns have been launched by the same cybercriminal/gang of cybercriminals. What's also worth emphasizing on is that the same email (lockwr@rocketmail.com) used to register gonita.net was also profiled in the following assessment "Fake ‘Verizon Wireless Statement” themed emails lead to Black Hole Exploit Kit", where it was used to register the Name Servers used in the campaign.

Someone's multi-tasking. That's for sure.

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.

Historical OSINT - Hacked Databases Offered for Sale

In the wake of the recently announced security breaches at the NYTimes, WSJ, and the Washington Post, I decided to shed more light on what happens once a database gets compromised by Russian cybercriminals, compared to (supposedly) Chinese spies, with the idea to provide factual evidence that these breaches are just the tip of the iceberg.

In this intelligence brief, I'll profile a service that was originally operating throughout the entire 2009, selling access to compromised databases of multiple high-trafficked Web sites, through the direct compromise of their databases, hence, the name of the service - GiveMeDB.

Primary URL: hxxp://givemedb.com - Email: giverems@mail.ru
Secondary URL: hxxp://shopdb.blogspot.com
ICQ: 9348793; 5190451

During 2009, the domain used to respond to 83.133.123.228 (LAMBDANET-AS European Backbone of LambdaNet), it then changed IPs to 74.54.82.209 (THEPLANET-AS - ThePlanet.com Internet Services, Inc.). The following domains used to respond to the same IP (83.133.123.228), pornofotki.com.ua, mail.vipnkvd.ru. What are the chances that these IPs are known to have been involved in related malicious/cybercrime-friendly activities? Appreciate my rhetoric.

We've got the following MD5: 6a9b128545bd095dbbb697756f5586a9 spamming links to the same (hxxp://83.133.123.228/uksus/?t=3) in particular. Cross-checking the second IP (74.54.82.209) across multiple proprietary and public databases, reveals a diversified criminal enterprise that's been using it for years.

The following MD5s are known to have phoned back to the same IP (74.54.82.209):
MD5: d48a7ae9934745964951a704bcc70fe9
MD5: 4626de911152ae7618c9936d8d258577
MD5: ca4b79a33ea6e311eafa59a6c3fffee2
MD5: eb3b44cee34ec09ec6c5917c5bd7cfb4

As well as a recent (2011) Palevo C&C activity. Clearly, they've been multi-tasking on multiple fronts.

The structure of propositions is the following: partial URL of the hacked Web site, country of the Web site, Quantity of records per database, First-time price, Exclusive price. The list of affected Web sites is as follows: 

 
Job/CV Databases:
jobsbazaar.*
availablejobs.*
ecarers.*
fecareers.*
healthmeet.*
youths.*
jobpilot.*
thecareerengineer.*
iauk.*
jobboerse.*
creativepool.*
jobsinkent.*
jobsinthemoney.*
jobup.*
rxcareercenter.* 

 
Dating Databases:
freedating.*
singles-bar.*
muenchner-singles.*
dateclub.*
websingles.*
find-you.*
fitness-singles.*
houstonconnect.*
datingz.*
loveandfriends.*
lovebyrd.*
mydatingplacephx.*
cozydating.*
singletreffen.*
datearea.*
endless-fantasy.* 

 
Financial Databases:
importers.*
money.*
pcquote.*
investorvillage.*
gurufocus.*
individual.*
arabianbusiness.*
ecademy.* 

 
Other Databases:
pokersourceonline.*
wickedcolors.*
salespider.*
busytrade.*
funky.*

Purchasing these hacked databases, immediately improves the competitiveness of a potential cybercriminal, who now has everything he/she needs to launch spam, spear phishing, and money mule recruitment campaigns, at their disposal.

For years, novice cybercriminals or unethical competitors have been on purposely joining closed cybercrime-friendly communities, seeking help in exchange for a financial incentive, in obtaining access to a particular database, or for the "defacement" of a specific Web site. What this service proves is that, the model can actually scale to disturbing proportions, offering access to millions of compromised database records to virtually anyone who pays for them.

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.

Summarizing Webroot's Threat Blog Posts for January

The following is a brief summary of all of my posts at Webroot's Threat Blog for January, 2013. You can subscribe to Webroot's Threat Blog RSS Feed, or follow me on Twitter:

01. Spamvertised ‘Your Recent eBill from Verizon Wireless’ themed emails serve client-side exploits and malware
02. Fake BBB (Better Business Bureau) Notifications lead to Black Hole Exploit Kit
03. ‘Attention! Changes in the bank reports!’ themed emails lead to Black Hole Exploit Kit
04. Fake ‘You have made an Ebay purchase’ themed emails lead to client-side exploits and malware
05. A peek inside a boutique cybercrime-friendly E-shop – part six
06. Black Hole Exploit Kit author’s ‘vertical market integration’ fuels growth in malicious Web activity
07. Spamvertised AICPA themed emails serve client-side exploits and malware
08. ‘Please confirm your U.S Airways online registration’ themed emails lead to Black Hole Exploit Kit
09. Malicious DIY Java applet distribution platforms going mainstream
10. Fake ‘ADP Speedy Notifications’ lead to client-side exploits and malware
11. Cybercriminals release automatic CAPTCHA-solving bogus Youtube account generating tool
12. ‘Batch Payment File Declined’ EFTPS themed emails lead to Black Hole Exploit Kit
13. Cybercriminals resume spamvertising fake Vodafone ‘A new picture or video message’ themed emails, serve malware
14. Leaked DIY malware generating tool spotted in the wild
15. Email hacking for hire going mainstream – part three
16. Android malware spreads through compromised legitimate Web sites
17. Fake Intuit ‘Direct Deposit Service Informer’ themed emails lead to Black Hole Exploit Kit
18. Fake LinkedIn ‘Invitation Notifications’ themed emails lead to client-side exploits and malware
19. Novice cybercriminals experiment with DIY ransomware tools
20. Bogus ‘Your Paypal Transaction Confirmation’ themed emails lead to Black Hole Exploit Kit
21. Fake ‘FedEx Online Billing – Invoice Prepared to be Paid’ themed emails lead to Black Hole Exploit Kit
22. A peek inside a DIY password stealing malware
23. Malicious ‘Facebook Account Cancellation Request” themed emails serve client-side exploits and malware

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.

Summarizing ZDNet's Zero Day Posts for January

The following is a brief summary of all of my posts at ZDNet's Zero Day for January, 2013. You can subscribe to Zero Day's main feed, or follow me on Twitter:

01. Dutch security researchers dissect the Pobelka botnet
02. ESPN's ScoreCenter for iOS sends passwords in clear-text, susceptible to XSS flaw
03. Report: AutoRun malware infections continue topping the charts
04. Comparative review: Opera leads in browser anti-phishing protection
05. Italian-language page at MSN redirects to Cool Exploit Kit, serves ransomware
06. WordPress releases version 3.5.1, fixes 3 security issues
07. Targeted attack against UAE activist utilizes CVE-2013-0422, drops malware
 
This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.

Summarizing Webroot's Threat Blog Posts for December

The following is a brief summary of all of my posts at Webroot's Threat Blog for December, 2012. You can subscribe to Webroot's Threat Blog RSS Feed, or follow me on Twitter:

01. DIY malicious domain name registering service spotted in the wild
02. Fake ‘FedEx Tracking Number’ themed emails lead to malware
03. Bogus ‘Facebook Account Cancellation Request’ themed emails serve client-side exploits and malware
04. Malicious ‘Security Update for Banking Accounts’ emails lead to Black Hole Exploit Kit
05. A peek inside a boutique cybercrime-friendly E-shop – part five
06. Fake ‘Flight Reservation Confirmations’ themed emails lead to Black Hole Exploit Kit
07. Malicious ‘Sendspace File Delivery Notifications’ lead to Black Hole Exploit Kit
08. Fake Chase ‘Merchant Billing Statement’ themed emails lead to malware
09. Cybercriminals entice potential cybercriminals into purchasing bogus credit cards data
10. Fake ‘Change Facebook Color Theme’ events lead to rogue Chrome extensions
11. Fake ‘Citi Account Alert’ themed emails lead to Black Hole Exploit Kit
12. Spamvertised ‘Work at Home” scams impersonating CNBC spotted in the wild
13. Pharmaceutical scammers spamvertise YouTube themed emails, entice users into purchasing counterfeit drugs
14. Cybercriminals resume spamvertising British Airways themed E-ticket receipts, serve malware
15. Fake ‘UPS Delivery Confirmation Failed’ themed emails lead to Black Hole Exploit Kit
16. Webroot’s Threat Blog Most Popular Posts for 2012

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.