Historical OSINT - Summarizing 2 Years of Webroot's Threat Blog Posts Research

It's been several years since I last posted a quality update at the industry's leading threat-intelligence gathering Webroot's Threat Blog following a successful career as lead security blogger and threat-intelligence analyst throughout 2012-2014.

In this post I'll summarize two years worth of Webroot's Threat Blog research with the idea to provide readers with the necessary data information and knowledge to stay ahead of current and emerging threats.

01. January - 2012

• Cybercriminals generate malicious Java applets using DIY tools
• A peek inside the uBot malware bot
• Researchers intercept a client-side exploits serving malware campaign
• How phishers launch phishing attacks
• A peek inside the Umbra malware loader
• How malware authors evade antivirus detection
• Inside AnonJDB – a Java based malware distribution platforms for drive-by downloads
• Zappos.com hacked, 24 million users affected
• Inside a clickjacking/likejacking scam distribution platform for Facebook
• A peek inside the Cythosia v2 DDoS Bot
• A peek inside the PickPocket Botnet
• Mass SQL injection attack affects over 200,000 URLs
• Email hacking for hire going mainstream
• Millions of harvested emails offered for sale

02. February - 2012

• Research: Google’s reCAPTCHA under fire
• Spamvertised ‘You have 1 lost message on Facebook’ campaign leads to pharmaceutical scams
• A peek inside the Smoke Malware Loader
• Researchers spot Citadel, a ZeuS crimeware variant
• Researchers intercept two client-side exploits serving malware campaigns
• Pharmaceutical scammers launch their own Web contest
• The United Nations hacked, Team Poison claims responsibility
• Report: Internet Explorer 9 leads in socially-engineered malware protection
• Twitter adds HTTPS support by default
• Spamvertised “Hallmark ecard” campaign leads to malware
• Report: 3,325% increase in malware targeting the Android OS
• Why relying on antivirus signatures is simply not enough anymore
• Researchers intercept malvertising campaign using Yahoo’s ad network
• A peek inside the Ann Malware Loader
• Spamvertised ‘Termination of your CPA license’ campaign serving client-side exploits
• How cybercriminals monetize malware-infected hosts
• A peek inside the Elite Malware Loader
• BlackHole exploit kits gets updated with new features

03. March - 2012

• New service converts malware-infected hosts into anonymization proxies
• Spamvertised ‘Temporary Limit Access To Your Account’ emails lead to Citi phishing emails
• A peek inside the Darkness (Optima) DDoS Bot
• Research: proper screening could have prevented 67% of abusive domain registrations
• Spamvertised ‘Your accountant license can be revoked’ emails lead to client-side exploits and malware
• Spamvertised ‘Google Pharmacy’ themed emails lead to pharmaceutical scams
• Research: U.S accounts for 72% of fraudulent pharmaceutical orders
• Millions of harvested U.S government and U.S military email addresses offered for sale
• Trojan Downloaders actively utilizing Dropbox for malware distribution
• Spamvertised ‘Your tax return appeal is declined’ emails serving client-side exploits and malware
• Malicious USPS-themed emails circulating in the wild
• Spamvertised LinkedIn notifications serving client-side exploits and malware
• Tens of thousands of web sites affected in ongoing mass SQL injection attack
• Spamvertised Verizon-themed ‘Your Bill Is Now Available’ emails lead to ZeuS crimeware
• Spamvertised ‘Scan from a Hewlett-Packard ScanJet’ emails lead to client-side exploits and malware

04. April - 2012

• Email hacking for hire going mainstream – part two
• Spamvertised ‘US Airways’ themed emails serving client-side exploits and malware
• New underground service offers access to hundreds of hacked PCs
• New DIY email harvester released in the wild

05. May - 2012

• Managed SMS spamming services going mainstream
• A peek inside a boutique cybercrime-friendly E-shop
• Cybercriminals release ‘Sweet Orange’ – new web malware exploitation kit
• Spamvertised ‘Pizzeria Order Details’ themed campaign serving client-side exploits and malware
• Poison Ivy trojan spreading across Skype
• A peek inside a managed spam service
• Ongoing ‘LinkedIn Invitation’ themed campaign serving client-side exploits and malware
• Spamvertised bogus online casino themed emails serving adware
• Spamvertised ‘YouTube Video Approved’ and ‘Twitter Support” themed emails lead to pharmaceutical scams
• A peek inside a boutique cybercrime-friendly E-shop – part two
• Spamvertised CareerBuilder themed emails serving client-side exploits and malware
• Pop-ups at popular torrent trackers serving W32/Casonline adware
• ‘Windstream bill’ themed emails serving client-side exploits and malware

06. June - 2012

• Cybercriminals infiltrate the music industry by offering full newly released albums for just $1
• A peek inside a boutique cybercrime-friendly E-shop – part three
• DDoS for hire services offering to ‘take down your competitor’s web sites’ going mainstream
• Skype propagating Trojan targets Syrian activists
• Spamvertised ‘UPS Delivery Notification’ emails serving client-side exploits and malware
• Spamvertised ‘DHL Package delivery report’ emails serving malware
• Spamvertised ‘Your Amazon.com order confirmation’ emails serving client-side exploits and malware
• Cybercriminals populate Scribd with bogus adult content, spread malware using Comodo Backup
• Spamvertised ‘Your Paypal Ebay.com payment’ emails serving client-side exploits and malware
• ‘Create a Cartoon of You” ads serving MyWebSearch toolbar
• Spamvertised ‘Your UPS delivery tracking’ emails serving client-side exploits and malware
• Spamvertised ‘Confirm PayPal account” notifications lead to phishing sites
• Spamvertised ‘DHL Express Parcel Tracking Notification’ emails serving malware
• Spamvertised bogus online casino themed emails serving W32/Casonline

07. July - 2012

• Cybercriminals launch managed SMS flooding services
• 117,000 unique U.S visitors offered for malware conversion
• Phishing campaign targeting Gmail, Yahoo, AOL and Hotmail spotted in the wild
• What’s the underground market’s going rate for a thousand U.S based malware infected hosts?
• Spamvertised American Airlines themed emails lead to Black Hole exploit kit
• Online dating scam campaign currently circulating in the wild
• New Russian service sells access to compromised social networking accounts
• Cybercriminals impersonate UPS in client-side exploits and malware serving spam campaign
• Russian Ask.fm spamming tool spotted in the wild
• Spamvertised Intuit themed emails lead to Black Hole exploit kit
• Cybercriminals impersonate Booking.com, serve malware using bogus ‘Hotel Reservation Confirmation’ themed emails
• Spamvertised Craigslist themed emails lead to Black Hole exploit kit
• Cybercriminals impersonate law enforcement, spamvertise malware-serving ‘Speeding Ticket’ themed emails
• Spamvertised ‘Download your USPS Label’ themed emails serve malware
• Cybercriminals target Twitter, spread thousands of exploits and malware serving tweets
• Russian spammers release Skype spamming tool
• Spamvertised ‘Your Ebay funds are cleared’ themed emails lead to Black Hole exploit kit

08. August - 2012

• Spamvertised AICPA themed emails lead to Black Hole exploit kit
• Spamvertised ‘PayPal has sent you a bank transfer’ themed emails lead to Black Hole exploit kit
• Ongoing spam campaign impersonates LinkedIn, serves exploits and malware
• Millions of spamvertised emails lead to W32/Casonline
• Cybercriminals impersonate AT&T’s Billing Service, serve exploits and malware
• IRS themed spam campaign leads to Black Hole exploit kit
• Cybercriminals spamvertise bogus greeting cards, serve exploits and malware
• Spamvertised ‘Federal Tax Payment Rejected’ themed emails lead to Black Hole exploit kit
• Spamvertised ‘Fwd: Scan from a Hewlett-Packard ScanJet’ emails lead to Black Hole exploit kit
• Spamvertised ‘Royal Mail Shipping Advisory’ themed emails serve malware
• Cybercriminals impersonate Intuit Market, mass mail millions of exploits and malware serving emails
• Cybercriminals spamvertise PayPay themed ‘Notification of payment received’ emails, serve malware
• Cybercriminals impersonate UPS, serve malware

09. September - 2012

• Spamvertised ‘Wire Transfer Confirmation’ themed emails lead to Black Hole exploit kit
• Intuit themed ‘QuickBooks Update: Urgent’ emails lead to Black Hole exploit kit
• Cybercriminals resume spamvertising bogus greeeting cards, serve exploits and malware
• Cybercriminals abuse Skype’s SMS sending feature, release DIY SMS flooders
• New Russian service sells access to thousands of automatically registered accounts
• Spamvertised ‘Your Fedex invoice is ready to be paid now’ themed emails lead to Black Hole Exploit kit
• New Russian DIY SMS flooder using ICQ’s SMS sending feature spotted in the wild
• Spamvertised ‘US Airways reservation confirmation’ themed emails serve exploits and malware
• Cybercriminals impersonate FDIC, serve client-side exploits and malware
• Managed Ransomware-as-a-Service spotted in the wild
• A peek inside a boutique cybercrime-friendly E-shop – part four
• New E-shop selling stolen credit cards data spotted in the wild
• From Russia with iPhone selling affiliate networks
• New Russian DIY DDoS bot spotted in the wild

10. October - 2012

• New Russian DIY DDoS bot spotted in the wild
• Recently launched E-shop sells access to hundreds of hacked PayPal accounts
• New Russian service sells access to compromised Steam accounts
• ‘Vodafone Europe: Your Account Balance’ themed emails serve malware
• Cybercriminals impersonate UPS, serve client-side exploits and malware
• ‘Your video may have illegal content’ themed emails serve malware
• Cybercriminals spamvertise ‘Amazon Shipping Confirmation’ themed emails, serve client-side exploits and malware
• American Airlines themed emails lead to the Black Hole Exploit Kit
• Bogus Facebook notifications lead to malware
• Spamvertised ‘KLM E-ticket’ themed emails serve malware
• ‘Intuit Payroll Confirmation inquiry’ themed emails lead to the Black Hole exploit kit
• Malware campaign spreading via Facebook direct messages spotted in the wild
• ‘Regarding your Friendster password’ themed emails lead to Black Hole exploit kit
• Russian cybercriminals release new DIY DDoS malware loader
• PayPal ‘Notification of payment received’ themed emails serve malware
• Cybercriminals impersonate Delta Airlines, serve malware
• ‘Your UPS Invoice is Ready’ themed emails serve malware
• Bogus Skype ‘Password successfully changed’ notifications lead to malware
• Cybercriminals impersonate Verizon Wireless, serve client-side exploits and malware
• Spamvertised ‘BT Business Direct Order’ themed emails lead to malware
• Cybercriminals spamvertise millions of British Airways themed e-ticket receipts, serve malware
• Cybercriminals spamvertise millions of bogus Facebook notifications, serve malware
• Nuclear Exploit Pack goes 2.0

11. November - 2012

• BofA ‘Online Banking Passcode Reset’ themed emails serve client-side exploits and malware
• ‘ADP Immediate Notification’ themed emails lead to Black Hole Exploit Kit
• USPS ‘Postal Notification’ themed emails lead to malware
• ‘Fwd: Scan from a Xerox W. Pro’ themed emails lead to Black Hole Exploit Kit
• ‘Your Discover Card Services Blockaded’ themed emails serve client-side exploits and malware
• ‘Payroll Account Holded by Intuit’ themed emails lead to Black Hole Exploit Kit
• ‘American Express Alert: Your Transaction is Aborted’ themed emails serve client-side exploits and malware
• Cybercriminals abuse major U.S SMS gateways, release DIY Mail-to-SMS flooders
• ‘PayPal Account Modified’ themed emails lead to Black Hole Exploit Kit
• Bogus Better Business Bureau themed notifications serve client-side exploits and malware
• Cybercriminals spamvertise bogus eFax Corporate delivery messages, serve multiple malware variants
• Bogus IRS ‘Your tax return appeal is declined’ themed emails lead to malware
• ‘Copies of Missing EPLI Policies’ themed emails lead to Black Hole Exploit Kit
• Cybercriminals spamvertise bogus ‘Microsoft License Orders’ serve client-side exploits and malware
• Cybercriminals resume spamvertising ‘Payroll Account Cancelled by Intuit’ themed emails, serve client-side exploits and malware
• Cybercriminals spamvertise millions of FDIC ‘Your activity is discontinued’ themed emails, serve client-side exploits and malware
• Cybercriminals release stealthy DIY mass iFrame injecting Apache 2 modules
• Multiple ‘Inter-company’ invoice themed campaigns serve malware and client-side exploits
• Bogus Facebook ‘pending notifications’ themed emails serve client-side exploits and malware
• Cybercriminals target U.K users with bogus ‘Pay by Phone Parking Receipts’ serve malware
• Bogus DHL ‘Express Delivery Notifications’ serve malware
• Cybercriminals impersonate Vodafone U.K, spread malicious MMS notifications
• Cybercriminals impersonate T-Mobile U.K, serve malware
• Bogus ‘Meeting Reminder” themed emails serve malware
• Bogus ‘Intuit Software Order Confirmations’ lead to Black Hole Exploit Kit
• Bogus ‘End of August Invoices’ themed emails serve malware and client-side exploits

12. December - 2012

• DIY malicious domain name registering service spotted in the wild
• Fake ‘FedEx Tracking Number’ themed emails lead to malware
• Bogus ‘Facebook Account Cancellation Request’ themed emails serve client-side exploits and malware
• Malicious ‘Security Update for Banking Accounts’ emails lead to Black Hole Exploit Kit
• A peek inside a boutique cybercrime-friendly E-shop – part five
• Fake ‘Flight Reservation Confirmations’ themed emails lead to Black Hole Exploit Kit
• Malicious ‘Sendspace File Delivery Notifications’ lead to Black Hole Exploit Kit
• Fake Chase ‘Merchant Billing Statement’ themed emails lead to malware
• Cybercriminals entice potential cybercriminals into purchasing bogus credit cards data
• Fake ‘Change Facebook Color Theme’ events lead to rogue Chrome extensions
• Fake ‘Citi Account Alert’ themed emails lead to Black Hole Exploit Kit
• Spamvertised ‘Work at Home” scams impersonating CNBC spotted in the wild
• Pharmaceutical scammers spamvertise YouTube themed emails, entice users into purchasing counterfeit drugs
• Cybercriminals resume spamvertising British Airways themed E-ticket receipts, serve malware
• Fake ‘UPS Delivery Confirmation Failed’ themed emails lead to Black Hole Exploit Kit

12. January - 2013

• Spamvertised ‘Your Recent eBill from Verizon Wireless’ themed emails serve client-side exploits and malware
• Fake BBB (Better Business Bureau) Notifications lead to Black Hole Exploit Kit
• ‘Attention! Changes in the bank reports!’ themed emails lead to Black Hole Exploit Kit
• Fake ‘You have made an Ebay purchase’ themed emails lead to client-side exploits and malware
• A peek inside a boutique cybercrime-friendly E-shop – part six
• Black Hole Exploit Kit author’s ‘vertical market integration’ fuels growth in malicious Web activity
• Spamvertised AICPA themed emails serve client-side exploits and malware
• ‘Please confirm your U.S Airways online registration’ themed emails lead to Black Hole Exploit Kit
• Malicious DIY Java applet distribution platforms going mainstream
• Fake ‘ADP Speedy Notifications’ lead to client-side exploits and malware
• Cybercriminals release automatic CAPTCHA-solving bogus Youtube account generating tool
• ‘Batch Payment File Declined’ EFTPS themed emails lead to Black Hole Exploit Kit
• Cybercriminals resume spamvertising fake Vodafone ‘A new picture or video message’ themed emails, serve malware
• Leaked DIY malware generating tool spotted in the wild
• Email hacking for hire going mainstream – part three
• Android malware spreads through compromised legitimate Web sites
• Fake Intuit ‘Direct Deposit Service Informer’ themed emails lead to Black Hole Exploit Kit
• Fake LinkedIn ‘Invitation Notifications’ themed emails lead to client-side exploits and malware
• Novice cybercriminals experiment with DIY ransomware tools
• Bogus ‘Your Paypal Transaction Confirmation’ themed emails lead to Black Hole Exploit Kit
• Fake ‘FedEx Online Billing – Invoice Prepared to be Paid’ themed emails lead to Black Hole Exploit Kit
• A peek inside a DIY password stealing malware
• Malicious ‘Facebook Account Cancellation Request” themed emails serve client-side exploits and malware

12. February - 2013

• Fake Booking.com ‘Credit Card was not Accepted’ themed emails lead to malware
• Fake FedEx ‘Tracking ID/Tracking Number/Tracking Detail’ themed emails lead to malware
• ‘Your Kindle e-book Amazon receipt’ themed emails lead to Black Hole Exploit Kit
• New DIY HTTP-based botnet tool spotted in the wild
• Mobile spammers release DIY phone number harvesting tool
• New underground service offers access to thousands of malware-infected hosts
• Targeted ‘phone ring flooding’ attacks as a service going mainstream
• Fake ‘You’ve blocked/disabled your Facebook account’ themed emails serve client-side exploits and malware
• Spamvertised IRS ‘Income Tax Refund Turned Down’ themed emails lead to Black Hole Exploit Kit
• Malware propagates through localized Facebook Wall posts
• Malicious ‘RE: Your Wire Transfer’ themed emails serve client-side exploits and malware
• New underground E-shop offers access to hundreds of hacked PayPal accounts
• Fake ‘Verizon Wireless Statement” themed emails lead to Black Hole Exploit Kit
• DIY malware cryptor as a Web service spotted in the wild
• Malicious ‘Data Processing Service’ ACH File ID themed emails serve client-side exploits and malware
• How mobile spammers verify the validity of harvested phone numbers
• How much does it cost to buy 10,000 U.S.-based malware-infected hosts?

13. March - 2013

• New DIY IRC-based DDoS bot spotted in the wild
• Cybercriminals release new Java exploits centered exploit kit
• Segmented Russian “spam leads” offered for sale
• New DIY hacked email account content grabbing tool facilitates cyber espionage on a mass scale
• New DIY unsigned malicious Java applet generating tool spotted in the wild
• Commercial Steam ‘information harvester/mass group inviter’ could lead to targeted fraudulent campaigns
• Fake BofA CashPro ‘Online Digital Certificate” themed emails lead to malware
• Spamvertised BBB ‘Your Accreditation Terminated” themed emails lead to Black Hole Exploit Kit
• New ZeuS source code based rootkit available for purchase on the underground market
• Cybercriminals resume spamvertising ‘Re: Fwd: Wire Transfer’ themed emails, serve client-side exploits and malware
• ‘ADP Package Delivery Notification’ themed emails lead to Black Hole Exploit Kit
• Cybercrime-friendly community branded HTTP/SMTP based keylogger spotted in the wild
• Hacked PCs as ‘anonymization stepping-stones’ service operates in the open since 2004
• Fake ‘CNN Breaking News Alerts’ themed emails lead to Black Hole Exploit Kit
• Spotted: cybercriminals working on new Western Union based ‘money mule management’ script
• Malicious ‘BBC Daily Email’ Cyprus bailout themed emails lead to Black Hole Exploit Kit
• ‘ADP Payroll Invoice’ themed emails lead to malware
• ‘Terminated Wire Transfer Notification/ACH File ID” themed malicious campaigns lead to Black Hole Exploit Kit
• New DIY RDP-based botnet generating tool leaks in the wild
• A peek inside the EgyPack Web malware exploitation kit

14. April - 2013

• DIY Java-based RAT (Remote Access Tool) spotted in the wild
• Spamvertised ‘Re: Changelog as promised’ themed emails lead to malware
• Cybercrime-friendly service offers access to tens of thousands of compromised accounts
• Madi/Mahdi/Flashback OS X connected malware spreading through Skype
• Cybercriminals selling valid ‘business card’ data of company executives across multiple verticals
• A peek inside the ‘Zerokit/0kit/ring0 bundle’ bootkit
• DIY Skype ring flooder offered for sale
• Spamvertised ‘Your order for helicopter for the weekend’ themed emails lead to malware
• A peek inside a ‘life cycle aware’ underground market ad for a private keylogger
• American Airlines ‘You can download your ticket’ themed emails lead to malware
• Cybercriminals offer spam-friendly SMTP servers for rent
• How mobile spammers verify the validity of harvested phone numbers – part two
• A peek inside a (cracked) commercially available RAT (Remote Access Tool)
• DIY Russian mobile number harvesting tool spotted in the wild
• DIY SIP-based TDoS tool/number validity checker offered for sale
• CAPTCHA-solving Russian email account registration tool helps facilitate cybercrime
• Historical OSINT – The ‘Boston Marathon explosion’ and ‘Fertilizer plant explosion in Texas’ themed malware campaigns
• Fake ‘DHL Delivery Report’ themed emails lead to malware
• Cybercriminals impersonate Bank of America (BofA), serve malware
• How fraudulent blackhat SEO monetizers apply Quality Assurance (QA) to their DIY doorway generators
• Managed ‘Russian ransomware’ as a service spotted in the wild

15. May - 2013

• FedWire ‘Your Wire Transfer’ themed emails lead to malware
• A peek inside a CVE-2013-0422 exploiting DIY malicious Java applet generating tool
• New IRC/HTTP based DDoS bot wipes out competing malware
• New version of DIY Google Dorks based mass website hacking tool spotted in the wild
• Citibank ‘Merchant Billing Statement’ themed emails lead to malware
• Fake Amazon ‘Your Kindle E-Book Order’ themed emails circulating in the wild, lead to client-side exploits and malware
• Cybercriminals impersonate New York State’s Department of Motor Vehicles (DMV), serve malware
• Cybercriminals offer HTTP-based keylogger for sale, accept Bitcoin
• Newly launched E-shop for hacked PCs charges based on malware ‘executions’
• New subscription-based ‘stealth Bitcoin miner’ spotted in the wild
• Fake ‘Free Media Player’ distributed via rogue ‘Adobe Flash Player HD’ advertisement
• New versatile and remote-controlled “Android.MouaBot” malware found in the wild
• Newly launched ‘Magic Malware’ spam campaign relies on bogus ‘New MMS’ messages
• Commercial ‘form grabbing’ rootkit spotted in the wild
• DIY malware cryptor as a Web service spotted in the wild – part two
• CVs and sensitive info soliciting email campaign impersonates NATO
• New commercially available DIY invisible Bitcoin miner spotted in the wild
• Fake ‘Export License/Payment Invoice’ themed emails lead to malware
• Compromised Indian government Web site leads to Black Hole Exploit Kit
• Cybercriminals resume spamvertising Citibank ‘Merchant Billing Statement’ themed emails, serve malware
• Marijuana-themed DDoS for hire service spotted in the wild
• Fake ‘Vodafone U.K Images’ themed malware serving spam campaign circulating in the wild

16. June - 2013

• Compromised FTP/SSH account privilege-escalating mass iFrame embedding platform released on the underground marketplace
• New E-shop sells access to thousands of hacked PCs, accepts Bitcoin
• Pharmaceutical scammers impersonate Facebook’s Notification System, entice users into purchasing counterfeit drugs
• iLivid ads lead to ‘Searchqu Toolbar/Search Suite’ PUA (Potentially Unwanted Application)
• Hacked Origin, Uplay, Hulu Plus, Netflix, Spotify, Skype, Twitter, Instagram, Tumblr, Freelancer accounts offered for sale
• Scammers impersonate the UN Refugee Agency (UNHCR), seek your credit card details
• Fake ‘Unsuccessful Fax Transmission’ themed emails lead to malware
• Tens of thousands of spamvertised emails lead to W32/Casonline
• Rogue ads lead to SafeMonitorApp Potentially Unwanted Application (PUA)
• How cybercriminals apply Quality Assurance (QA) to their malware campaigns before launching them
• Rogue ads target EU users, expose them to Win32/Toolbar.SearchSuite through the KingTranslate PUA
• New boutique iFrame crypting service spotted in the wild
• Rogue ‘Oops Video Player’ attempts to visually social engineer users, mimicks Adobe Flash Player’s installation process
• New E-Shop sells access to thousands of malware-infected hosts, accepts Bitcoin
• New subscription-based SHA256/Scrypt supporting stealth DIY Bitcoin mining tool spotted in the wild
• Rogue ‘Free Mozilla Firefox Download’ ads lead to ‘InstallCore’ Potentially Unwanted Application (PUA)
• SIP-based API-supporting fake caller ID/SMS number supporting DIY Russian service spotted in the wild
• Rogue ‘Free Codec Pack’ ads lead to Win32/InstallCore Potentially Unwanted Application (PUA)
• Self-propagating ZeuS-based source code/binaries offered for sale
• How cybercriminals create and operate Android-based botnets

17. July - 2013

• Cybercriminals experiment with Tor-based C&C, ring-3-rootkit empowered, SPDY form grabbing malware bot
• Deceptive ads targeting German users lead to the ‘W32/SomotoBetterInstaller’ Potentially Unwanted Application (PUA)
• Newly launched underground market service harvests mobile phone numbers on demand
• Novel ransomware tactic locks users’ PCs, demands that they participate in a survey to get the unlock code
• Spamvertised ‘Export License/Invoice Copy’ themed emails lead to malware
• Cybercriminals spamvertise tens of thousands of fake ‘Your Booking Reservation at Westminster Hotel’ themed emails, serve malware
• New commercially available mass FTP-based proxy-supporting doorway/malicious script uploading application spotted in the wild
• Fake ‘iGO4 Private Car Insurance Policy Amendment Certificate’ themed emails lead to malware
• Tens of thousands of spamvertised emails lead to the Win32/PrimeCasino PUA (Potentially Unwanted Application)
• Spamvertised ‘Vodafone U.K MMS ID/Fake Sage 50 Payroll’ themed emails lead to (identical) malware
• New commercially available Web-based WordPress/Joomla brute-forcing tool spotted in the wild
• Rogue ads targeting German users lead to Win32/InstallBrain PUA (Potentially Unwanted Application)
• Yet another commercially available stealth Bitcoin/Litecoin mining tool spotted in the wild
• Protected: Deceptive ‘Media Player Update’ ads expose users to the rogue ‘Video Downloader/Bundlore’ Potentially Unwanted Application (PUA)
• Newly launched ‘HTTP-based botnet setup as a service’ empowers novice cybercriminals with bulletproof hosting capabilities
• Fake ‘Copy of Vodafone U.K Contract/Your Monthly Vodafone Bill is Ready/New MMS Received’ themed emails lead to malware
• Rogue ads lead to the ‘Free Player’ Win32/Somoto Potentially Unwanted Application (PUA)
• How much does it cost to buy one thousand Russian/Eastern European based malware-infected hosts?
• Custom USB sticks bypassing Windows 7/8’s AutoRun protection measure going mainstream
• DIY commercially-available ‘automatic Web site hacking as a service’ spotted in the wild

18. August - 2013

• ‘Malware-infected hosts as stepping stones’ service offers access to hundreds of compromised U.S based hosts
• New ‘Hacked shells as a service’ empowers cybercriminals with access to high page rank-ed Web sites
• Fake ‘iPhone Picture Snapshot Message’ themed emails lead to malware
• Malicious Bank of America (BofA) ‘Statement of Expenses’ themed emails lead to client-side exploits and malware
• Cybercriminals spamvertise fake ‘O2 U.K MMS’ themed emails, serve malware
• One-stop-shop for spammers offers DKIM-verified SMTP servers, harvested email databases and training to potential customers
• Fake ‘Apple Store Gift Card’ themed emails serve client-side exploits and malware
• Newly launched managed ‘malware dropping’ service spotted in the wild
• Cybercrime-friendly underground traffic exchange helps facilitate fraudulent and malicious activity
• From Vietnam with tens of millions of harvested emails, spam-ready SMTP servers and DIY spamming tools
• DIY Craigslist email collecting tools empower spammers with access to fresh/valid email addresses
• Bulletproof TDS/Doorways/Pharma/Spam/Warez hosting service operates in the open since 2009
• DIY automatic cybercrime-friendly ‘redirectors generating’ service spotted in the wild
• Cybercriminals offer spam-ready SMTP servers for rent/direct managed purchase
• Cybercrime-friendly underground traffic exchanges help facilitate fraudulent and malicious activity – part two

19. September - 2013

• DIY malicious Android APK generating ‘sensitive information stealer’ spotted in the wild
• Web-based DNS amplification DDoS attack mode supporting PHP script spotted in the wild
• Managed Malicious Java Applets Hosting Service Spotted in the Wild
• Affiliate network for mobile malware impersonates Google Play, tricks users into installing premium-rate SMS sending rogue apps
• 419 advance fee fraudsters abuse CNN’s ‘Email This’ Feature, spread Syrian Crisis themed scams
• Cybercriminals offer anonymous mobile numbers for ‘SMS activation’, video tape the destruction of the SIM card on request
• Yet another ‘malware-infected hosts as anonymization stepping stones’ service offering access to hundreds of compromised hosts spotted in the wild
• Cybercriminals experiment with ‘Socks4/Socks5/HTTP’ malware-infected hosts based DIY DoS tool
• Cybercriminals sell access to tens of thousands of malware-infected Russian hosts
• Spamvertised “FDIC: Your business account” themed emails serve client-side exploits and malware
• Cybercriminals experiment with Android compatible, Python-based SQL injecting releases
• Newly launched E-shop offers access to hundreds of thousands of compromised accounts
• DIY commercial CAPTCHA-solving automatic email account registration tool available on the underground market since 2008
• Yet another subscription-based stealth Bitcoin mining tool spotted in the wild

20. October - 2013

• A peek inside a Blackhat SEO/cybercrime-friendly doorways management platform
• Newly launched ‘HTTP-based botnet setup as a service’ empowers novice cybercriminals with bulletproof hosting capabilities – part two
• ‘T-Mobile MMS message has arrived’ themed emails lead to malware
• DDoS for hire vendor ‘vertically integrates’ starts offering TDoS attack capabilities
• Commercially available Blackhat SEO enabled multi-third-party product licenses empowered VPSs spotted in the wild
• New cybercrime-friendly iFrames-based E-shop for traffic spotted in the wild
• Cybercriminals offer spam-friendly SMTP servers for rent – part two
• Newly launched VDS-based cybercrime-friendly hosting provider helps facilitate fraudulent/malicious online activity
• Fake ‘You have missed emails’ GMail themed emails lead to pharmaceutical scams
• Compromised Turkish Government Web site leads to malware
• Novice cyberciminals offer commercial access to five mini botnets
• Spamvertised T-Mobile ‘Picture ID Type:MMS” themed emails lead to malware
• Yet another Bitcoin accepting E-shop offering access to thousands of hacked PCs spotted in the wild
• Malicious ‘FW: File’ themed emails lead to malware
• Mass iframe injection campaign leads to Adobe Flash exploits
• Rogue ads lead to the ‘Mipony Download Accelerator/FunMoods Toolbar’ PUA (Potentially Unwanted Application)
• A peek inside the administration panel of a standardized E-shop for compromised accounts
• U.K users targeted with fake ‘Confirming your Sky offer’ malware serving emails
• New DIY compromised hosts/proxies syndicating tool spotted in the wild
• Rogue ads lead to the ‘EzDownloaderpro’ PUA (Potentially Unwanted Application)
• Fake ‘Scanned Image from a Xerox WorkCentre’ themed emails lead to malware
• Fake ‘Important: Company Reports’ themed emails lead to malware
• Cybercriminals release new commercially available Android/BlackBerry supporting mobile malware bot
• Fake WhatsApp ‘Voice Message Notification/1 New Voicemail’ themed emails lead to malware

21. November - 2013

• Google-dorks based mass Web site hacking/SQL injecting tool helps facilitate malicious online activity
• Deceptive ads lead to the SpyAlertApp PUA (Potentially Unwanted Application)
• Cybercriminals differentiate their ‘access to compromised PCs’ service proposition, emphasize on the prevalence of ‘female bot slaves’
• New vendor of ‘professional DDoS for hire service’ spotted in the wild
• Source code for proprietary spam bot offered for sale, acts as force multiplier for cybercrime-friendly activity
• Low Quality Assurance (QA) iframe campaign linked to May’s Indian government Web site compromise spotted in the wild
• Popular French torrent portal tricks users into installing the BubbleDock/Downware/DownloadWare PUA (Potentially Unwanted Application)
• Web site of Brazilian ‘Prefeitura Municipal de Jaqueira’ compromised, leads to fake Adobe Flash player
• Malicious multi-hop iframe campaign affects thousands of Web sites, leads to a cocktail of client-side exploits
• Vendor of TDoS products/services releases new multi-threaded SIP-based TDoS tool
• Cybercriminals spamvertise tens of thousands of fake ‘Sent from my iPhone’ themed emails, expose users to malware
• Fake ‘Annual Form (STD-261) – Authorization to Use Privately Owned Vehicle on State Business’ themed emails lead to malware
• ‘Newly released proxy-supporting Origin brute-forcing tools targets users with weak passwords’
• Fake WhatsApp ‘Voice Message Notification’ themed emails expose users to malware
• Cybercriminals impersonate HSBC through fake ‘payment e-Advice’ themed emails, expose users to malware
• Fake ‘MMS Gallery’ notifications impersonate T-Mobile U.K, expose users to malware
• Fake ‘October’s Billing Address Code’ (BAC) form themed spam campaign leads to malware

21. December - 2013

• Cybercrime-friendly VPN service provider pitches itself as being ‘recommended by Edward Snowden’
• Commercial Windows-based compromised Web shells management application spotted in the wild
• Compromised legitimate Web sites expose users to malicious Java/Symbian/Android “Browser Updates”
• Malicious multi-hop iframe campaign affects thousands of Web sites, leads to a cocktail of client-side exploits – part two
• How cybercriminals efficiently violate YouTube, Facebook, Twitter, Instagram, SoundCloud and Google+’s ToS
• Tumblr under fire from DIY CAPTCHA-solving, proxies-supporting automatic account registration tools
• Newly launched ‘HTTP-based botnet setup as a service’ empowers novice cybercriminals with bulletproof hosting capabilities – part three
• Cybercriminals offer fellow cybercriminals training in Operational Security (OPSEC)
• Fake ‘WhatsApp Missed Voicemail’ themed emails lead to pharmaceutical scams
• A peek inside the booming underground market for stealth Bitcoin/Litecoin mining tools
• Cybercrime Trends 2013 – Year in Review

22. January - 2014

• ‘Adobe License Service Center Order NR’ and ‘Notice to appear in court’ themed malicious spam campaigns intercepted in the wild
• Vendor of TDoS products resets market life cycle of well known 3G USB modem/GSM/SIM card-based TDoS tool
• New TDoS market segment entrant introduces 96 SIM cards compatible custom GSM module, positions itself as market disruptor
• DIY Python-based mass insecure WordPress scanning/exploting tool with hundreds of pre-defined exploits spotted in the wild
• Google’s reCAPTCHA under automatic fire from a newly launched reCAPTCHA-solving/breaking service
• Fully automated, API-supporting service, undermines Facebook and Google’s ‘SMS/Mobile number activation’ account registration process
• Newly launched managed ‘compromised/hacked accounts E-shop hosting as service’ standardizes the monetization process
• Newly released Web based DDoS/Passwords stealing-capable DIY botnet generating tool spotted in the wild
• Cybercriminals release new Web based keylogging system, rely on penetration pricing to gain market share

23. February - 2014

• Cybercriminals release Socks4/Socks5 based Alexa PageRank boosting application
• Market leading ‘standardized cybercrime-friendly E-shop’ service brings 2500+ boutique E-shops online
• Managed TeamViewer based anti-forensics capable virtual machines offered as a service
• Malicious campaign relies on rogue WordPress sites, leads to client-side exploits through the Magnitude exploit kit
• ‘Hacking for hire’ teams occupy multiple underground market segments, monetize their malicious ‘know how’
• DoubleClick malvertising campaign exposes long-run beneath the radar malvertising infrastructure
• Spamvertised ‘Image has been sent’ Evernote themed campaign serves client-side exploits
• Spamvertised ‘You received a new message from Skype voicemail service’ themed emails lead to Angler exploit kit

24. March - 2014

• Deceptive ads expose users to PUA.InstallBrain/PC Performer PUA (Potentially Unwanted Application)
• Managed Web-based 300 GB/s capable DNS amplification enabled malware bot spotted in the wild
• Commercial Windows-based compromised Web shells management application spotted in the wild – part two
• Multiple spamvertised bogus online casino themed campaigns intercepted in the wild
• 5M+ harvested Russian mobile numbers service exposes fraudulent infrastructure
• Socks4/Socks5 enabled hosts as a service introduces affiliate network based revenue sharing scheme
• A peek inside a modular, Tor C&C enabled, Bitcoin mining malware bot
• Managed anti-forensics IMEI modification services fuel growth in the non-attributable TDoS market segment
• Commercially available database of 52M+ ccTLD zone transfer domains spotted in the wild
• Deceptive ads expose users to the Adware.Linkular/Win32.SpeedUpMyPC.A PUAs (Potentially Unwanted Applications)
• DIY automatic cybercrime-friendly ‘redirector generating’ service spotted in the wild – part two
• Managed DDoS WordPress-targeting, XML-RPC API abusing service, spotted in the wild

24. May - 2014

• Legitimate software apps impersonated in a blackhat SEO-friendly PUA (Potentially Unwanted Application) serving campaign
• DIY cybercrime-friendly (legitimate) APK injecting/decompiling app spotted in the wild
• Malicious DIY Java applet distribution platforms going mainstream – part two
• Spamvertised ‘Error in calculation of your tax’ themed emails lead to malware
• A peek inside a subscription-based DIY keylogging based type of botnet/malware generating tool
• Spamvertised ‘Notification of payment received’ themed emails lead to malware
• Malicious JJ Black Consultancy ‘Computer Support Services’ themed emails lead to malware
• A peek inside a newly launched all-in-one E-shop for cybercrime-friendly services
• Long run compromised accounting data based type of managed iframe-ing service spotted in the wild

Enjoy!

Continue reading →

Seeking Investor Contact!

Dear blog readers, I'm currently seeking a investor contact regarding an upcoming security project and wanted to find out whether you might be aware of an investor that would be willing to invest in my upcoming security project?

I can be reached at dancho.danchev@hush.com Continue reading →

Dancho Danchev's Blog Going Private - Request Access

Dear blog readers, it's been several years since I last posted a quality update following my disappearance in 2010. I wanted to take the time and thank everyone including researchers and colleagues who participated in the search including colleagues and vendors who offered expertise and advice including possible career opportunity.

As I've recently launched InfoWar Monitor 2.0 I decided that the time has come for me to take my blog to a new level by offering proprietary invite-only commercial access to selected readers who request access. The access guarantees unlimited access to daily cybercrime research information security topics coverage including an unlimited supply of actionable threat intelligence research on a daily basis including access to InfoWar Monitor 2.0 security podcast subscription security mailing list security newsletter a closed security community and a hacker E-zine released by the community including unlimited access to proprietary research reports and articles.

How to request access?
Users interested in requesting access can approach me with the following details:

Name:
Position:
How long have you been reading my blog?
How much would you be willing to invest to obtain access on a monthly basis?

I can be reached at dancho.danchev@hush.com

Enjoy! Continue reading →

Summarizing Webroot's Threat Blog Posts for January - 2012

In this post I'll summarize Webroot Threat Blog Posts for January, 2012. Feel free to check out some of the latest research published at the blog here and consider subscribing to its RSS feed.

01. Cybercriminals generate malicious Java applets using DIY tools
02. A peek inside the uBot malware bot
03. Researchers intercept a client-side exploits serving malware campaign
04. How phishers launch phishing attacks
05. A peek inside the Umbra malware loader
06. How malware authors evade antivirus detection
07. Inside AnonJDB – a Java based malware distribution platforms for drive-by downloads
08. Zappos.com hacked, 24 million users affected
09. Inside a clickjacking/likejacking scam distribution platform for Facebook
10. A peek inside the Cythosia v2 DDoS Bot
11. A peek inside the PickPocket Botnet
12. Mass SQL injection attack affects over 200,000 URLs
13. Email hacking for hire going mainstream
14. Millions of harvested emails offered for sale Continue reading →

Security News - Safe Browsing protection from even more deceptive attacks - Commentary

Google's security initiatives, continue, indicating, the search engine market's leader, ambitions, towards, building, a vibrant, ecosystem, for, protecting, end users, from malicious attacks, and, further, position, the company, as, an emerging, leader, whose, activities, contribute, to the, overall security level, of the entire ecosystem.

External Link:

"Safe Browsing has been protecting over one billion people from traditional phishing attacks on the web for more than eight years. The threat landscape is constantly changing—bad actors on the web are using more and different types of deceptive behavior to trick you into performing actions that you didn’t intend or want, so we’ve expanded protection to include social engineering."

The latest, indication, of this, trend, is the company's, introduction, of, social engineering attack, warnings, fully capable, of preventing, widespread damage, and to prevent, a malicious attack, from taking, place, in the early stages, of the campaign. With malicious actors, continuing, to utilize, visual social engineering campaigns, to serve, malicious software, and potentially unwanted applications, compromising, the confidentiality, integrity, and, availability, of information, visual social engineering, will, continue, to represent, a growing attack vector, to be utilized, by malicious actors, that, needs, better, protective, mechanisms, on behalf, of ecosystem participants.

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.

Continue reading →