Historical OSINT: OPSEC-Aware Money Mule Recruiters Hire, Host Crimeware and Malvertisements

January 05, 2013
In the following intelligence brief, I will perform an analysis of the cybercriminal operations involving a group of individuals that operated successfully through 2009/2010, recruiting money mules, hosting ZeuS crimeware, and participating in a malvertising campaign.

Compared to a previous analysis where I profiled the offensive client-side exploitation campaigns launched by money mule recruiters, in this analysis I'll focus on yet another OPSEC-aware (Operational Security) gang of cybercriminals, this time blocking access to Google and anti-money laundering Web sites/research, in an attempt to trick the newly recruited mules into thinking that they're working for a legitimate company, and to prevent them from obtaining info on their new "employer".

Key summary points:
  • The group originally launched its operations in 2009, primarily focusing on highly targeted money mule recruitment campaigns
  • Only two of the malicious domains involved in the 2009/2010 campaigns are still active, with the first serving adult content, and the second offering name server services to pharmaceutical scams, indicating they haven't quite left the cybercrime ecosystem just yet
  • The cybercriminals behind the campaign impersonated the legitimate Sprott Asset Management company, and blocked access to its official site on the PCs of mules that executed the malicious SSL Certificate supplied to them as a requirement for joining the fake company
  • Upon execution, the bogus SSL Certificate executable modified the HOSTS file on the affected hosts, blocking access to ddanchev.blogspot.com and to bobbear.co.uk to prevent potential money mules from reaching my "Keeping Money Mule Recruiters on a Short Leash" series, and bobbear's vast archive of collected intelligence on money mule recruitment campaigns
  • The group hosted multiple ZeuS crimeware variants using the same infrastructure as the money mule recruitment campaigns, and also participated in a malvertising campaign
  • Although their initial 2009 operations were launched from (AS39134), they later on migrated to a Kazakhstan-based bulletproof hosting provider (AS50793) that's no longer in operation, although there's a high probability that the Kazakhstan hosting service was part of a franchise, and is currently operating in another part of the world. The Web site of the bulletproof hosting provider was hosted in Ukraine (AS6714), an AS also known to have participated in numerous crimeware campaigns
  • The malicious activity (besides their operation) was found for (AS39134) indicating that they probably got kicked out of the hosting provider for their attempts to recruit money mules
  • The domain name of the Kazakhstan-based bulletproof hosting provider (AS50793) was registered using a GMail account in 2010
  • The Kazakhstan-based bulletproof ISP's domain name is currently registered to an Iranian citizen, two years after the malicious activities took place, with no signs of malicious activity currently taking place there
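A defender-side check for the HOSTS-file tampering described in the summary above, as an added example that is not part of the original post: it parses HOSTS-format text and flags every non-local hostname that is pinned to a loopback or unspecified address (blocked) or to any other address (redirected). The watchlist holds the two sites the post names; the sample file contents and all function names are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Names a stock HOSTS file legitimately maps to loopback.
LOCAL_NAMES = {"localhost", "localhost.localdomain",
               "ip6-localhost", "ip6-loopback", "broadcasthost"}

# The two research sites the post says were blocked on mule PCs.
WATCHLIST = ("ddanchev.blogspot.com", "bobbear.co.uk")

# Constructed sample: a default-looking HOSTS file with appended entries.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1\tddanchev.blogspot.com
127.0.0.1 bobbear.co.uk www.bobbear.co.uk   # appended entry
10.0.0.5 intranet.example.test
0.0.0.0 # address with no hostname
not-an-ip something
"""


@dataclass(frozen=True)
class Finding:
    lineno: int
    hostname: str
    address: str
    action: str    # "blocked" (loopback/unspecified) or "redirected"
    severity: str  # "high" if the name is on the watchlist, else "review"


def parse_hosts(text):
    """Yield (lineno, ip, hostname) for each mapping in HOSTS-format text."""
    text = text.lstrip("\ufeff")  # tolerate a UTF-8 BOM written by an editor
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # drop comments, split on blanks
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0].split("%")[0])  # drop zone id
        except ValueError:
            continue  # not a valid address, the resolver ignores the line too
        for name in fields[1:]:  # one line may carry several aliases
            yield lineno, ip, name.lower().rstrip(".")


def audit_hosts(text, watchlist=WATCHLIST):
    """Return a Finding for every non-local hostname overridden in the file."""
    watch = {w.lower() for w in watchlist}
    findings = []
    for lineno, ip, name in parse_hosts(text):
        if name in LOCAL_NAMES:
            continue
        # Match the watched domain itself and any of its subdomains.
        watched = any(name == w or name.endswith("." + w) for w in watch)
        action = "blocked" if (ip.is_loopback or ip.is_unspecified) else "redirected"
        findings.append(Finding(lineno, name, str(ip), action,
                                "high" if watched else "review"))
    return findings


if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        print(f"line {f.lineno}: {f.hostname} -> {f.address} "
              f"[{f.action}, {f.severity}]")
```

On a Windows host the text to audit comes from `%SystemRoot%\System32\drivers\etc\hosts`; a "review" finding is often a legitimate intranet override and needs a human decision.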

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.

Dancho Danchev's Blog Most Popular Posts for 2012

December 27, 2012
The time has come to reflect on this year's most popular posts, and emphasize the key points about what made them special.
  1. Who's Behind the Koobface Botnet? - An OSINT Analysis - Indisputably, the exposing of Koobface botnet master KrotReal is this year's most popular blog post. The release of the post, and the New York Times article discussing the case, immediately resulted in the shut down of the Koobface botnet.
  2. Exposing the Market for Stolen Credit Cards Data - Although the post was originally published in 2011, it's the second most popular for 2012, proving that factually presenting the existence of a growing trend, inevitably reaches a wider audience.
  3. Dissecting 'Operation Ababil' - an OSINT Analysis - The OSINT analysis of 'Operation Ababil' is this year's third most popular post. The analysis correctly identified a key participant in certain parts of the campaign, although it explicitly emphasized just how easy it is to launch a cyber false flag operation online.
  4. Profiling a Vendor of Visa/Mastercard Plastics and Holograms - The main purpose of this post was to shed more light on the increasing availability of "blank plastic" services, whose QA (Quality Assurance) processes sometimes outpace the OPSEC (Operational Security) efforts put in place by the targeted companies.
  5. Pricing Scheme for a DDoS Extortion Attack - This post highlighted a bold DDoS extortion letter obtained "in the wild", indicating the degree of flexibility and professionalism applied by the cybercriminals behind it.
  6. A Peek Inside the Vertex Net Loader - This post summarized the key features of the Vertex Net Loader, and emphasized the systematic release of related DIY malware loaders/bots within the cybercrime ecosystem.
  7. Dissecting the Ongoing Mass SQL Injection Attack - Regular readers of my personal blog are used to getting the latest threat intelligence regarding a particular widespread campaign, virtually in real-time. That was the main objective of this analysis, fortunately, successfully achieved.
  8. Dissecting the Massive SQL Injection Attack Serving Scareware - An ever-green analysis demonstrating monetization of hijacked Web traffic through a scareware affiliate program.
  9. Koobface Botnet Master KrotReal Back in Business, Distributes Ransomware And Promotes BHSEO Service/Product - The second post in the series profiling ex-Koobface botnet master KrotReal's cybercrime-friendly operations, also gained a lot of attention, and proved that the lack of prosecution in this case, can, and will, ultimately lead to more cybercrime-friendly activities.
  10. Dissecting 'Operation Ababil' - an OSINT Analysis - Part Two - With 'Operation Ababil' still an open question to many of the major media outlets, the second part of the analysis discussed another tool used in the campaign, with the idea to raise more awareness on the tools and techniques used by the attackers behind the campaign.
Thank you all for being regular blog readers! The best is yet to come! See you all in 2013!


Upcoming Portfolio of Commercially Available CYBERINT Reports

December 13, 2012
Valued blog readers,

Over the years, you've been exposed to insightful, in-depth, "God Eye's View" of some of the most prolific, targeted, and trending cyber attacks/cybercriminal schemes, that shaped the way we fight and anticipate cybercrime campaigns throughout the years.

Although the production of such publicly available and socially oriented content at this blog will continue, it's time to raise the stakes even higher - in 2013, I'll be systematically releasing commercially available CYBERINT assessments on multiple aspects of the cybercrime ecosystem. It's the stuff that will help your decision-making process, it's the data to help you prosecute those behind these fraudulent operations, it's the tactics and trends you don't get to read about anywhere online.

Please, take 1 second of your precious time, and participate in the voting poll on the right side of the blog.

Enjoy the holidays, and see you all in 2013!


Summarizing Webroot's Threat Blog Posts for November

November 30, 2012

The following is a brief summary of all of my posts at Webroot's Threat Blog for November, 2012. You can subscribe to my Webroot's Threat Blog RSS Feed or follow me on Twitter:


01. BofA ‘Online Banking Passcode Reset’ themed emails serve client-side exploits and malware
02. ‘ADP Immediate Notification’ themed emails lead to Black Hole Exploit Kit
03. USPS ‘Postal Notification’ themed emails lead to malware
04. ‘Fwd: Scan from a Xerox W. Pro’ themed emails lead to Black Hole Exploit Kit
05. ‘Your Discover Card Services Blockaded’ themed emails serve client-side exploits and malware
06. ‘Payroll Account Holded by Intuit’ themed emails lead to Black Hole Exploit Kit
07. ‘American Express Alert: Your Transaction is Aborted’ themed emails serve client-side exploits and malware
08. Cybercriminals abuse major U.S SMS gateways, release DIY Mail-to-SMS flooders
09. ‘PayPal Account Modified’ themed emails lead to Black Hole Exploit Kit
10. Bogus Better Business Bureau themed notifications serve client-side exploits and malware
11. Cybercriminals spamvertise bogus eFax Corporate delivery messages, serve multiple malware variants
12. Bogus IRS ‘Your tax return appeal is declined’ themed emails lead to malware
13. ‘Copies of Missing EPLI Policies’ themed emails lead to Black Hole Exploit Kit
14. Cybercriminals spamvertise bogus ‘Microsoft License Orders’ serve client-side exploits and malware
15. Cybercriminals resume spamvertising ‘Payroll Account Cancelled by Intuit’ themed emails, serve client-side exploits and malware
16. Cybercriminals spamvertise millions of FDIC ‘Your activity is discontinued’ themed emails, serve client-side exploits and malware
17. Cybercriminals release stealthy DIY mass iFrame injecting Apache 2 modules
18. Multiple ‘Inter-company’ invoice themed campaigns serve malware and client-side exploits
19. Bogus Facebook ‘pending notifications’ themed emails serve client-side exploits and malware
20. Cybercriminals target U.K users with bogus ‘Pay by Phone Parking Receipts’ serve malware
21. Bogus DHL ‘Express Delivery Notifications’ serve malware
22. Cybercriminals impersonate Vodafone U.K, spread malicious MMS notifications
23. Cybercriminals impersonate T-Mobile U.K, serve malware
24. Bogus ‘Meeting Reminder’ themed emails serve malware
25. Bogus 'Intuit Software Order Confirmations' lead to Black Hole Exploit Kit
26. Bogus 'End of August Invoices' themed emails serve malware and client-side exploits


Koobface Botnet Master KrotReal Back in Business, Distributes Ransomware And Promotes BHSEO Service/Product

November 26, 2012
On January 09, 2012 I exposed Koobface botnet master KrotReal. On January 16, 2012, The New York Times went public with data from Facebook Inc. exposing the identities of the rest of the group. What happened? With the botnet masters still at large, and the Koobface botnet currently offline, a logical question emerges - what are these cybercriminals up to now that they're no longer involved in managing Koobface?

Cybercrime as usual!

Continuing to squeeze the cybercrime ecosystem, and keep known bad actors on a short leash, in this intelligence brief I'll expose Anton Nikolaevich Korotchenko a.k.a KrotReal's latest activities, indicating that he's currently busy experimenting with two projects:
  • A Black Hat (SEO) Search Engine Optimization related service/product
  • Underground traffic exchange/pay-per-install network currently distributing localized Ransomware
Just like the case when KrotReal's real life identity was revealed due to a single mistake he made over a period of several years, namely to register a Koobface command and control server using his personal GMail account, in this intelligence brief I'll once again expose his malicious and fraudulent activities by profiling two of the domains he most recently registered, once again with his personal GMail account.

Let's start by profiling his Black Hat SEO service/product, currently hosted on one of the domains he registered in 2011.

trafficconverter.in - 176.9.146.78 - Email: krotreal@gmail.com
Created On:28-Jul-2011 12:37:45 UTC
Last Updated On:28-Jun-2012 08:11:43 UTC
Expiration Date:28-Jul-2013 12:37:45 UTC

The service/product apparently allows the systematic abuse of legitimate blogging platforms such as Google's Blogger and WordPress, next to Yoom CMS. KrotReal himself might be using the tool, or sell/offer access to it as a managed service. Does this mean he's not using it by himself to monetize the hijacked legitimate traffic that he's able to obtain through his Black Hat SEO campaigns? Not at all.

More domains presumably to be used for Black Hat SEO purposes registered with KrotReal's personal email account (krotreal@gmail.com):


How is he actually monetizing the hijacked traffic? Keep reading. Now it's time to expose his malicious activities in the form of spreading localized Ransomware variants. For the record, the Koobface gang distributed primarily scareware -- there's evidence that the group was also involved in other malicious campaigns -- and even bragged about the fact that they're not damaging infected user PCs.

What's particularly interesting about profiling this campaign, is that it's a great example of double-layer monetization, as KrotReal is earning revenue through the Traffic Holder Adult Affiliate Program, in between serving client-side exploits and ultimately dropping Ransomware on the affected host using the same redirection chain.


Sample malicious domain name reconnaissance:
traffictracker.in - 176.9.146.78 (AS24940) - Email: krotreal@gmail.com
Created On:22-Nov-2011 13:42:53 UTC
Last Updated On:22-Nov-2012 22:33:25 UTC
Expiration Date:22-Nov-2013 13:42:53 UTC

Responding to the same IP 176.9.146.78 (AS24940):
allcelebrity.ru
easypereezd.ru


Sample malicious activity redirection chain: hxxp://traffictracker.in/in.cgi?11&parameter=nude+girls&CS=1 -> hxxp://celeb-search.com/in.php?source=th&q=nude+girls -> hxxp://celeb-search.com/in3.php?source=th&q=nude+girls -> hxxp://www.trafficholder.com/in/in2.php?ppillow-pics_erotic -> hxxp://hit.trafficholder.com/cgi-bin/traffic/process.fcgi?a=ppillow&c=1&n=pics_erotic&r= ->  hxxp://gravityexp.com/go.php?sid=12 -> hxxp://nosnowfevere.com/ZqRqk (exploiting CVE-2008-5353) -> hxxp://nosnowfevere.com/oxsXAE?KpDzQ=61 -> hxxp://nosnowfevere.com/ZqRqk -> hxxp://nosnowfevere.com/EHSvFc -> hxxp://nosnowfevere.com/XMDrkH

KrotReal's Traffic Holder Adult Affiliate Network ID is ppillow-pics_erotic.


Malicious domain names reconnaissance:
gravityexp.com - returns "Digital River GmbH" on its home page - 46.163.117.144 - Email: francesca.muglia.130@istruzione.it
Updated Date: 30-aug-2012
Creation Date: 30-aug-2012
Expiration Date: 30-aug-2013

nosnowfevere.com - 91.211.119.32 - Email: djbroning@definefm.com
Updated Date: 25-nov-2012
Creation Date: 25-nov-2012
Expiration Date: 25-nov-2013

Upon successful client-side exploitation, the campaign drops MD5: d234a238eb8686d08cd4e0b8b705da14 - detected by 10 out of 43 antivirus scanners as Trojan.Winlock.7431

Sample screenshot displayed to users from geolocated countries:
Second screenshot of a sample page displayed to affected U.K users:
Additional malicious payload obtained from the campaign:
MD5: fd47fe3659d7604d93c3ce0c0581fed7 - detected by 4 out of 44 antivirus scanners as Exploit:Java/CVE-2012-5076.BBW
MD5: e47991d7f172e893317f44ee8afe3811 - detected by 5 out of 44 antivirus scanners as JS:Pdfka-gen [Expl]
MD5: 7e58703026c7ffba05ac0d2ae4d3c62f - detected by 5 out of 44 antivirus scanners as Exploit:Java/CVE-2012-1723!generic

Ransomware C&C malicious domain name reconnaissance:
sarscowoy.com - currently responds to 176.28.22.32 (AS20773); 176.28.14.42 (AS20773) - Email: rmasela@ymail.com

On 2012-06-21 the domain responded to 204.13.160.28 (AS33626), then on 2012-07-01 it changed IPs to 46.163.113.79 (AS20773), then again on 2012-11-14 it changed IP to 176.28.14.42 (AS20773), followed by one last change on 2012-11-24 to 176.28.22.32 (AS20773)

One more MD5 is known to have phoned back to the same Ransomware C&C URL - MD5: 1600577edece1efe11c75158f9dd24db - detected by 28 out of 38 antivirus scanners as Trojan:Win32/Tobfy.H

Interestingly, the cybercriminals behind the Ransomware left the administration panel open to anyone who wants to take a look at the way the whole process works. 

Sample screenshot of the administration panel:
Second screenshot of the administration panel, showing a directory listing, including unique and localized files for potential victims from multiple countries:

More domains are currently responding to the same IPs (176.28.22.32; 176.28.14.42):

What we've got here is a great example of the following - when you don't fear legal prosecution for your fraudulent activities over a period of several years, earning you potentially hundreds of thousands of dollars, you just launch new projects, continuing to cause more harm and fraudulently obtain funds from infected victims.
 
For those who are interested in more details on the technical side of this Ransomware, you should consider going through this research.

Hat tip to Steven Adair from Shadowserver for the additional input.


Summarizing Webroot's Threat Blog Posts for October

November 02, 2012

The following is a brief summary of all of my posts at Webroot's Threat Blog for October, 2012. You can subscribe to my Webroot's Threat Blog RSS Feed or follow me on Twitter:

 
01. Russian cybercriminals release new DIY SMS flooder
02. Upcoming Webroot presentation on Cyber Jihad and Cyberterrorism at RSA Europe 2012
03. Recently launched E-shop sells access to hundreds of hacked PayPal accounts
04. New Russian service sells access to compromised Steam accounts
05. ‘Vodafone Europe: Your Account Balance’ themed emails serve malware
06. Cybercriminals impersonate UPS, serve client-side exploits and malware
07. ‘Your video may have illegal content’ themed emails serve malware
08. Cybercriminals spamvertise ‘Amazon Shipping Confirmation’ themed emails, serve client-side exploits and malware
09. American Airlines themed emails lead to the Black Hole Exploit Kit
10. Bogus Facebook notifications lead to malware
11. Spamvertised ‘KLM E-ticket’ themed emails serve malware
12. ‘Intuit Payroll Confirmation inquiry’ themed emails lead to the Black Hole exploit kit
13. Malware campaign spreading via Facebook direct messages spotted in the wild
14. ‘Regarding your Friendster password’ themed emails lead to Black Hole exploit kit
15. Russian cybercriminals release new DIY DDoS malware loader
16. PayPal ‘Notification of payment received’ themed emails serve malware
17. Cybercriminals impersonate Delta Airlines, serve malware
18. ‘Your UPS Invoice is Ready’ themed emails serve malware
19. Bogus Skype ‘Password successfully changed’ notifications lead to malware
20. RSA Conference Europe 2012 – recap
21. Cybercriminals impersonate Verizon Wireless, serve client-side exploits and malware
22. Spamvertised ‘BT Business Direct Order’ themed emails lead to malware
23. Cybercriminals spamvertise millions of British Airways themed e-ticket receipts, serve malware
24. Cybercriminals spamvertise millions of bogus Facebook notifications, serve malware
25. Nuclear Exploit Pack goes 2.0


Dissecting 'Operation Ababil' - an OSINT Analysis - Part Two

October 26, 2012
With more crowdsourced intelligence on "Operation Ababil" published in recent weeks, it's time to revisit the campaign's core strategy for harnessing enough bandwidth to successfully take down major U.S financial institutions.

As you may remember, in Part One of the OSINT analysis for "Operation Ababil" I emphasized the crowdsourcing campaign launched by Izz ad-Din al-Qassam a.k.a Qassam Cyber Fighters, which led to the successful DDoS attack against these institutions. It appears that this is just one of the many stages of the campaign.

According to security researchers from Prolexic, the attackers also relied on a PHP based DDoS attack script known as "itsoknoproblembro" that was installed on servers susceptible to exploitation through the Bluestork Joomla template. By combining crowdsourced bandwidth and bandwidth from the compromised servers, the attackers managed to successfully achieve their objectives.

The DDoS script in question, "itsoknoproblembro", has been publicly available as a download for months before the attacks started, indicating that it was not purposely coded to be used in the campaign against major U.S financial institutions.


Detection rate: PHP_DDoS.html - MD5: 9ebab9f37f2b17529ccbcdf9209891be - detected by 9 out of 44 antivirus scanners as PHP/Obfuscated.F; Heuristic.BehavesLike.JS.Suspicious.A

Next to Prolexic's claims, th3j35t3r also published an analysis of the situation that's primarily relying on wishful thinking and social engineering, claiming that Anonymous supplied the operators of "Operation Ababil" with DDoS bandwidth by using a service called Multiboot.me - 108.162.193.85; 108.162.193.185, AS13335.

Sample screenshots of the Multiboom.me's GUI:





With "Operation Ababil" continuing to fuel political tensions between the U.S and Iran, which is blamed for organizing the launch of these attacks, it's worth emphasizing the basics of 'false-flag' cyber operations, and "aggregate-and-forget" type of botnets.

When was the first time you heard of Izz ad-Din al-Qassam a.k.a Qassam Cyber Fighters? Appreciate my rhetoric - right after they started their crowdsourcing campaign. With the group lacking any significant digital fingerprint prior to these attacks, virtually anyone can localize their objectives with a little twist of politics and propaganda, and easily set the foundations for what is now perceived as an Iranian cyber operation.

Moreover, their bandwidth acquisition techniques clearly indicate that the attackers are aware of the dynamics of modern cyber operations in general, and by doing so, chose to acquire bandwidth without outsourcing their needs to ubiquitous and sophisticated Russian DDoS on demand services, which could have led to the easy identification of the service in question, next to the cybercriminals behind it.

Updates will be posted as soon as new intel becomes available.
