Dancho Danchev's Blog - Mind Streams of Information Security Knowledge

Summarizing Webroot's Threat Blog Posts for July

August 23, 2012

The following is a brief summary of all of my posts at Webroot's Threat Blog for July, 2012. You can subscribe to my Webroot's Threat Blog RSS Feed or follow me on Twitter:

01. Cybercriminals launch managed SMS flooding services
02. 117,000 unique U.S visitors offered for malware conversion
03. Phishing campaign targeting Gmail, Yahoo, AOL and Hotmail spotted in the wild
04. What’s the underground market’s going rate for a thousand U.S based malware infected hosts?
05. Spamvertised American Airlines themed emails lead to Black Hole exploit kit
06. Online dating scam campaign currently circulating in the wild
07. New Russian service sells access to compromised social networking accounts
08. Cybercriminals impersonate UPS in client-side exploits and malware serving spam campaign
09. Russian Ask.fm spamming tool spotted in the wild
10. Spamvertised Intuit themed emails lead to Black Hole exploit kit
11. Cybercriminals impersonate Booking.com, serve malware using bogus ‘Hotel Reservation Confirmation’ themed emails
12. Spamvertised Craigslist themed emails lead to Black Hole exploit kit
13. Cybercriminals impersonate law enforcement, spamvertise malware-serving ‘Speeding Ticket’ themed emails
14. Spamvertised ‘Download your USPS Label’ themed emails serve malware
15. Cybercriminals target Twitter, spread thousands of exploits and malware serving tweets
16. Russian spammers release Skype spamming tool
17. Spamvertised ‘Your Ebay funds are cleared’ themed emails lead to Black Hole exploit kit

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter. Continue reading →

Summarizing ZDNet's Zero Day Blog Posts for July

August 23, 2012

The following is a brief summary of all of my posts at ZDNet's Zero Day for July, 2012. You can subscribe to Zero Day's main feed, or follow me on Twitter:

01. Security flaw found in Amazon's Kindle Touch
02. New contacts stealing Android malware spotted in the wild
03. Firefox 14 fixes 5 critical security vulnerabilities
04. Bogus Google Files site earns revenue through premium rate SMS micro payments
05. Research: 80% of Carberp infected computers had antivirus software installed

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter. Continue reading →

Summarizing Webroot's Threat Blog Posts for June

July 10, 2012

The following is a brief summary of all of my posts at Webroot's Threat Blog for June, 2012. You can subscribe to my Webroot's Threat Blog RSS Feed or follow me on Twitter:

01. Cybercriminals infiltrate the music industry by offering full newly released albums for just $1
02. A peek inside a boutique cybercrime-friendly E-shop – part three
03. DDoS for hire services offering to ‘take down your competitor’s web sites’ going mainstream
04. Skype propagating Trojan targets Syrian activists
05. Spamvertised ‘UPS Delivery Notification’ emails serving client-side exploits and malware
06. Mozilla patches critical security vulnerabilities in Firefox and Thunderbird
07. Spamvertised ‘DHL Package delivery report’ emails serving malware
08. Spamvertised ‘Your Amazon.com order confirmation’ emails serving client-side exploits and malware
09. Cybercriminals populate Scribd with bogus adult content, spread malware using Comodo Backup
10. Oracle and Apple patch critical Java security vulnerabilities
11. Spamvertised ‘Your Paypal Ebay.com payment’ emails serving client-side exploits and malware
12. ‘Create a Cartoon of You” ads serving MyWebSearch toolbar
13. Spamvertised ‘Your UPS delivery tracking’ emails serving client-side exploits and malware
14. Spamvertised ‘Confirm PayPal account” notifications lead to phishing sites
15. Spamvertised ‘DHL Express Parcel Tracking Notification’ emails serving malware
16. Spamvertised bogus online casino themed emails serving W32/Casonline

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.
Continue reading →

Summarizing ZDNet's Zero Day Blog Posts for June

July 10, 2012

The following is a brief summary of all of my posts at ZDNet's Zero Day for June, 2012. You can subscribe to Zero Day's main feed, or follow me on Twitter:

01. Fake Gmail Android application steals personal data
02. Facebook begins notifying DNSChanger victims
03. French E-voting portal requires insecure Java plugin
04. Credit card fraudsters sentenced in the U.K
05. North Korea ships malware-infected games to South Korean users, uses them to launch DDoS attacks
06. Q&A of the Week - 'Tales from the Underground' featuring Brian Krebs
07. 24 cybercriminals arrested in 'Operation Card Shop'
08. Silent security updates coming to Apple's OS X Mountain Lion
09. BlackHole exploit kit experimenting with 'pseudo-random domains' feature
10. Which is the most popular antivirus software?
11. Winamp 5.63 fixes four critical security vulnerabilities
12. Chrome 20 fixes 20 security vulnerabilities

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter. Continue reading →

Summarizing Webroot's Threat Blog Posts for May

June 06, 2012

The following is a brief summary of all of my posts at Webroot's Threat Blog for May, 2012. You can subscribe to my Webroot's Threat Blog RSS Feed or follow me on Twitter:

01. London’s InfoSec 2012 Event – recap
02. Managed SMS spamming services going mainstream
03. A peek inside a boutique cybercrime-friendly E-shop
04. Cybercriminals release ‘Sweet Orange’ – new web malware exploitation kit
05. Spamvertised ‘Pizzeria Order Details’ themed campaign serving client-side exploits and malware
06. Poison Ivy trojan spreading across Skype
07. A peek inside a managed spam service
08. Ongoing ‘LinkedIn Invitation’ themed campaign serving client-side exploits and malware
09. Spamvertised bogus online casino themed emails serving adware
10. Spamvertised ‘YouTube Video Approved’ and ‘Twitter Support” themed emails lead to pharmaceutical scams
11. A peek inside a boutique cybercrime-friendly E-shop – part two
12. Spamvertised CareerBuilder themed emails serving client-side exploits and malware
13. Pop-ups at popular torrent trackers serving W32/Casonline adware
14.‘Windstream bill’ themed emails serving client-side exploits and malware

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.
Continue reading →

Summarizing ZDNet's Zero Day Posts for May

June 06, 2012

The following is a brief summary of all of my posts at ZDNet's Zero Day for May, 2012. You can subscribe to my personal RSS feed, Zero Day's main feed, or follow me on Twitter:

01. Is Mozilla's Firefox 'click-to-play' feature a sound response to drive-by malware attacks?
02. Rogue Firefox extension hijacks browser sessions
03. Spamvertised 'PayPal payment notifications' lead to client-side exploits and malware
04. Israeli Institute for National Security Studies compromised, serving Poison Ivy DIY malware
05. Researchers spot new Web malware exploitation kit
06. 2012 Olympics themed malware circulating in the wild
07. New ransomware impersonates the U.S Department of Justice
08. Localized ransomware variants circulating in the wild
09. Cybercriminals offer bogus fraud insurance services
10. Researchers spot fake mobile antivirus scanners on Google Play
11. The cyber security implications of Iran's government-backed antivirus software
12. Q&A of the week: 'The current state of the cyber warfare threat' featuring Jeffrey Carr
13. Researchers intercept Tatanga malware bypassing SMS based transaction authorization
14. New SpyEye plugin takes control of crimeware victims' webcam and microphone
15. Comcast phishing site contains valid TRUSTe seal
16. Q&A of the Week: 'The current state of the cybercrime ecosystem' featuring Mikko Hypponen

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter. Continue reading →

Dissecting the Ongoing Client-Side Exploits Serving Lizamoon Mass SQL Injection Attacks

May 08, 2012

The Lizamoon mass SQL injection attacks gang is continuing to efficiently inject malicious code on hundreds of thousands of legitimate sites, for the purpose of serving fake security software -- also known as scareware -- and client-side exploits.

The latest round of the campaign is serving client-side exploits through multiple redirections taking place once the end user loads the malicious script embedded on legitimate sites. In comparison, in the past the gang used to monetize the hijacked traffic by serving scareware and bogus Adobe Flash Players.

What are some of the currently SQL injected malicious domains? How does the redirection take place? Did they take into consideration basic QA (quality assurance) tactics into place? Let's find out.

Currrently injected malicious domains are parked at 31.210.100.242 (AS42926, RADORE Hosting), with the following domains currently responding to that IP:
skdjui.com/r.php - Email: jamesnorthone@hotmailbox.com
njukol.com/r.php - Email: jamesnorthone@hotmailbox.com
hnjhkm.com/r.php - Email: jamesnorthone@hotmailbox.com
nikjju.com/r.php - Email: jamesnorthone@hotmailbox.com
hgbyju.com/r.php - Email: jamesnorthone@hotmailbox.com
uhjiku.com/r.php - Email: jamesnorthone@hotmailbox.com
uhijku.com/r.php - Email: jamesnorthone@hotmailbox.com
werlontally.net/r.php - Email: jamesnorthone@hotmailbox.com

March's round of malicious domains was hosted at 91.226.78.148 (AS56697, LISIK-AS OOO “Byuro Remontov “FAST”).

The redirection takes us to these two domains: www3.topcumaster.com - 75.102.21.120 (AS23352, SERVERCENTRAL)

Parked at 75.102.21.120 are also the following domains:
www3.personal-scanera.com - Email: benji.rubes@yahoo.com
www3.personalvoguard.com - Email: benji.rubes@yahoo.com
www3.hard-zdsentinel.com - Email: benji.rubes@yahoo.com
www3.bestbxcleaner.com - Email: benji.rubes@yahoo.com
www3.topcumaster.com - Email: benji.rubes@yahoo.com
www3.safe-defensefu.com - Email: benji.rubes@yahoo.com

and www1.safe-wnmaster.it.cx - 217.23.8.123 (AS49981, WorldStream)

Parked on 217.23.8.123 are also the following client-side exploits serving domains part of the Lizamoon mass SQL injection attacks:
www1.thebestscannerdc.it.cx/i.html
www1.safebh-defense.it.cx/i.html
www1.strongdkdefense.it.cx/i.html
www2.best-czsuite.it.cx/i.html
www1.smartmasterf.it.cx/i.html
www1.simplescanerei.it.cx/i.html
www1.bestic-network.it.cx/i.html
www1.topqonetwork.it.cx/i.html
www2.topasnetwork.it.cx/i.html
www1.powerynetwork.it.cx/i.html
www1.simplemasterzk.it.cx/i.html
www1.powerneholder.it.cx/i.html
www1.personalkochecker.it.cx/i.html
www1.smarthdschecker.it.cx/i.html
www1.safebacleaner.it.cx/i.html
www1.strongzkcleaner.it.cx/i.html
www1.topumcleaner.it.cx/i.html
www1.topgdscanner.it.cx/i.html
www1.smartwoscanner.it.cx/i.html
www1.safe-wnmaster.it.cx/i.html
www1.powervmaster.it.cx/i.html
www1.top-armyvs.it.cx/i.html
www2.saveocsoft.it.cx/i.html
www1.top-zjsoft.it.cx/i.html
www1.powerdefensekt.it.cx/i.html
www1.best-scanersw.it.cx/i.html
www1.powermb-security.it.cx/i.html
www1.strongxd-security.it.cx/i.html
www1.strongbtsecurity.it.cx/i.html

Client side exploits, CVE-2010-0188 and CVE-2012-0507 in particular are served through the i.html file located on these hosts. In order for the client-side exploitation process to take place, the redirection chain must be correct, if not the server will return a "404 Error Message" when requesting a specific file part of the campaign. There are no HTTP referrer checks in place, at least for the time being. What's particularly interesting about the current campaign, is that during a period of time, it will on purposely serve a "404 Error Message" no matter what happens.

Updates will be posted, as soon as new developments emerge.

Related posts:

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.
Continue reading →

Dissecting the Ongoing Client-Side Exploits Serving Lizamoon Mass SQL Injection Attacks

May 08, 2012

Summarizing Webroot's Threat Blog Posts for April

May 08, 2012

The following is a brief summary of all of my posts at Webroot's Threat Blog for April, 2012. You can subscribe to my Webroot's Threat Blog RSS Feed or follow me on Twitter:

01. Adobe patches critical security flaws, introduces auto-updating mechanism
02. Email hacking for hire going mainstream – part two
03. Spamvertised ‘US Airways’ themed emails serving client-side exploits and malware
04. New underground service offers access to hundreds of hacked PCs
05. Google’s Chrome patches 12 ‘high risk’ security vulnerabilities
06. Adobe plans to issue Acrobat Reader ‘security update’ next week
07. Microsoft issues 6 security bulletins on ‘Patch Tuesday’
08. Adobe patches critical Reader and Acrobat security vulnerabilities
09. Hewlett-Packard shipping malware-infected compact flash cards
10. New DIY email harvester released in the wild
11. Upcoming Webroot briefing at InfoSec, 2012, London – “Current and Emerging Trends Within the Cybercrime Ecosystem”

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.
Continue reading →

Summarizing ZDNet's Zero Day Posts for April

May 08, 2012

The following is a brief summary of all of my posts at ZDNet's Zero Day for April, 2012. You can subscribe to my personal RSS feed, Zero Day's main feed, or follow me on Twitter:

01. Researcher: 50 percent of Mac OS X users still running outdated Java versions
02. Malicious version of Angry Birds Space spotted in the wild
03. French gaming site serving ZeuS crimeware for over 8 weeks
04. New ransomware variants spotted in the wild
05. Nuclear Pack exploit kit introduces anti-honeyclient crawling feature

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter. Continue reading →

Summarizing Webroot's Threat Blog Posts for March

April 09, 2012

The following is a brief summary of all of my posts at Webroot's Threat Blog for March, 2012. You can subscribe to my Webroot's Threat Blog RSS Feed or follow me on Twitter:

01. New service converts malware-infected hosts into anonymization proxies
02. Spamvertised ‘Temporary Limit Access To Your Account’ emails lead to Citi phishing emails
03. A peek inside the Darkness (Optima) DDoS Bot
04. Research: proper screening could have prevented 67% of abusive domain registrations
05. Spamvertised ‘Your accountant license can be revoked’ emails lead to client-side exploits and malware
06. Spamvertised ‘Google Pharmacy’ themed emails lead to pharmaceutical scams
07. Research: U.S accounts for 72% of fraudulent pharmaceutical orders
08. Millions of harvested U.S government and U.S military email addresses offered for sale
09. Spamvertised ‘Your tax return appeal is declined’ emails serving client-side exploits and malware
10. Malicious USPS-themed emails circulating in the wild
11. Spamvertised LinkedIn notifications serving client-side exploits and malware
12. Tens of thousands of web sites affected in ongoing mass SQL injection attack
13. Spamvertised Verizon-themed ‘Your Bill Is Now Available’ emails lead to ZeuS crimeware
14. Spamvertised ‘Scan from a Hewlett-Packard ScanJet’ emails lead to client-side exploits and malware

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter. Continue reading →

Summarizing ZDNet's Zero Day Posts for March

April 09, 2012

The following is a brief summary of all of my posts at ZDNet's Zero Day for March, 2012. You can subscribe to my personal RSS feed, Zero Day's main feed, or follow me on Twitter:

01. New Mac OS X malware variant spotted in the wild
02. Researchers intercept targeted malware attack against Tibetan organizations
03. Skype vouchers themed site serving client-side exploits and malware
04. Stratfor subscribers targeted by passwords-stealing malicious emails
05. Spoofed LinkedIn emails serving client-side exploits
06. Fake YouTube sites target Syrian activists with malware
07. New Mac OS X malware variant spotted in the wild
08. Spamvertised 'DHL Tracking Notification' emails serve malware
09. Compromised WordPress sites serving client-side exploits and malware
10. 'Pixmania.com payment order detail' themed emails serving SpyEye crimeware
11. Fake 'Roar of the Pharaoh' Android game spreads premium-rate SMS trojan
12. Research: Many mobile password managers offer false feeling of security
13. Targeted Pro-Tibetan malware attacks hit Mac OS X users
14. Opera for Mac OS X patches 6 security holes
15. Cybercriminals use Twitter, LinkedIn, Baidu, MSDN as command and control infrastructure
16. Facebook phishing attack targets Syrian activists

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter. Continue reading →

Summarizing Webroot's Threat Blog Posts for February

March 07, 2012

The following is a brief summary of all of my posts at Webroot's Threat Blog for February, 2012. You can subscribe to my Webroot's Threat Blog RSS Feed or follow me on Twitter:

01. Research: Google’s reCAPTCHA under fire
02. Spamvertised ‘You have 1 lost message on Facebook’ campaign leads to pharmaceutical scams
03. A peek inside the Smoke Malware Loader
04. Researchers spot Citadel, a ZeuS crimeware variant
05. Researchers intercept two client-side exploits serving malware campaigns
06. Pharmaceutical scammers launch their own Web contest
07. The United Nations hacked, Team Poison claims responsibility
08. Report: Internet Explorer 9 leads in socially-engineered malware protection
09. Twitter adds HTTPS support by default
10. Spamvertised “Hallmark ecard” campaign leads to malware
11. Report: 3,325% increase in malware targeting the Android OS
12. Why relying on antivirus signatures is simply not enough anymore
13. Researchers intercept malvertising campaign using Yahoo’s ad network
14. A peek inside the Ann Malware Loader
15. Spamvertised ‘Termination of your CPA license’ campaign serving client-side exploits
16. How cybercriminals monetize malware-infected hosts
17. A peek inside the Elite Malware Loader
18. BlackHole exploit kits gets updated with new features

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter. Continue reading →

Summarizing ZDNet's Zero Day Posts for February

March 07, 2012

The following is a brief summary of all of my posts at ZDNet's Zero Day for February, 2012. You can subscribe to my personal RSS feed, Zero Day's main feed, or follow me on Twitter:

01. Spamvertised 'Tax information needed urgently' emails lead to malware
02. Researchers spot a fake version of Temple Run on Android's Market
03. Which are the most commonly observed Web exploits in the wild?
04. Cryptome.org hacked, serving client-side exploits
05. Report: third party programs rather than Microsoft programs responsible for most vulnerabilities
06. Anonymous launches 'Operation Global Blackout', aims to DDoS the Root Internet servers
07. Report: malware pushed by affiliate networks remains the primary growth factor of the cybercrime ecosystem
08.Cutwail botnet resurrects, launches massive malware campaigns using HTML attachments
09. New Mac OS X trojan spotted in the wild
10. Spamvertised 'Scan from a HP OfficeJet' emails lead to exploits and malware
11. XSS Flaw discovered in Skype's Shop, user accounts targeted

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter. Continue reading →

Summarizing Webroot's Threat Blog Posts for January

February 02, 2012

The following is a brief summary of all of my posts at Webroot's Threat Blog for January, 2012. You can subscribe to my Webroot's Threat Blog RSS Feed or follow me on Twitter:

01. Millions of harvested emails offered for sale
02. Email hacking for hire going mainstream
03. Mass SQL injection attack affects over 200,000 URLs
04. A peek inside the PickPocket Botnet
05. A peek inside the Cythosia v2 DDoS Bot
06. Google announces new anti-malware features in Chrome
07. Adobe issues a patch for critical security holes in Reader and Acrobat
08. Inside a clickjacking/likejacking scam distribution platform for Facebook
09. Zappos.com hacked, 24 million users affected
10. Inside AnonJDB – a Java based malware distribution platforms for drive-by downloads
11. How malware authors evade antivirus detection
12. A peek inside the Umbra malware loader
13. How phishers launch phishing attacks
14. Researchers intercept a client-side exploits serving malware campaign
15. A peek inside the uBot malware bot
16. Cisco releases ‘Cisco Global Threat Report’ for 4Q11
17. Cybercriminals generate malicious Java applets using DIY tools

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter. Continue reading →

Dancho Danchev's Blog - Mind Streams of Information Security Knowledge

Summarizing Webroot's Threat Blog Posts for July

Summarizing ZDNet's Zero Day Blog Posts for July

Summarizing Webroot's Threat Blog Posts for June

Summarizing ZDNet's Zero Day Blog Posts for June

Summarizing Webroot's Threat Blog Posts for May

Summarizing ZDNet's Zero Day Posts for May

Dissecting the Ongoing Client-Side Exploits Serving Lizamoon Mass SQL Injection Attacks

Dissecting the Ongoing Client-Side Exploits Serving Lizamoon Mass SQL Injection Attacks

Summarizing Webroot's Threat Blog Posts for April

Summarizing ZDNet's Zero Day Posts for April

Summarizing Webroot's Threat Blog Posts for March

Summarizing ZDNet's Zero Day Posts for March

Summarizing Webroot's Threat Blog Posts for February

Summarizing ZDNet's Zero Day Posts for February

Summarizing Webroot's Threat Blog Posts for January

RSS Feed

About Me

Blog Archive

Tags

Popular Posts