Crimeware-as-a-Service, CryptoLocker, ICANN Spear Phishing, and more | TWIC - December 20, 2014

Posted by Lindsey Havens

Dec 20, '14

Each week, the PhishLabs team posts The Week in Cybercrime (TWIC) to recap noteworthy cybercrime articles and reports (open source).

Read More

Topics: Phishing, The Week in Cybercrime, Crimeware, Vawtrak, Banking Trojan, CryptoLocker

The unrelenting evolution of Vawtrak

Posted by Don Jackson, Director of Threat Intelligence

Dec 19, '14

In a recent blog post, we wrote about Vawtrak expanding targets and gaining momentum. Fast forward a few months and the threat is anything but diminishing. Sophos just released a technical report on Vawtrak which discusses the significance of the threat and its Crimeware-as-a-Service model. In December 2014, Vawtrak version 0x38 was released including significant code and configuration changes that indicate momentum and an intense focus on development of the crimeware kit. To better understand the complexity of the threat, this post is a historical review bringing you all the way up to the most recent enhancements observed in December.

Read More

Topics: Malware, Vawtrak, Banking Trojan

Fraudsters take advance-fee scams to the next level

Posted by Threat Analysts Paul Burbage and James Bettke

Dec 16, '14

We've all seen them before. The late prince Abdul has left us millions in inheritance, and we need only pay a minor convenience fee to receive the funds. Advance-fee scams are nothing new and have circulated on the Internet almost since its inception. Until now, scammers have relied on email correspondence and convincing legal jargon to con victims out of their hard-earned dollars.

Read More

New Zeus Variant, Alibaba Marketplace Vulnerability, Poodle Bug Returns, and more | TWIC - December 14, 2014

Posted by Lindsey Havens

Dec 14, '14

Each week, the PhishLabs team posts The Week in Cybercrime (TWIC) to recap noteworthy cybercrime articles and reports (open source).

Read More

Topics: Phishing, Malware, ZeuS, The Week in Cybercrime, POS Attacks

One-man operation leverages phishing and browser alerts to distribute new variant of Zeus banking Trojan

Posted by R.A.I.D.

Dec 11, '14

In a blog post last week, we shared the discovery of a relatively convincing browser warning whose "Download & Install" button leads to an infection by the infamous Zeus Trojan. After further research, it appears that the threat actor has been carrying out various phishing and malware campaigns using the same playbook and virtual base of operations for nearly a year, maybe longer. The cybercriminal has devised a unique variant of Zeus based on the source code of version 2.0.8.9.

Read More

Topics: Phishing, ZeuS, Banking Trojan

Sony Hack, Zeus Malware, FIN4 Phishing Attacks and more | TWIC - December 6, 2014

Posted by Lindsey Havens

Dec 6, '14

Each week, the PhishLabs team posts The Week in Cybercrime (TWIC) to recap noteworthy cybercrime articles and reports (open source).

Read More

Topics: Phishing, Malware, ZeuS, The Week in Cybercrime, Data Breach, Retail Breach

Zeus malware distributed through browser warning: social engineering at its finest

Posted by Paul Burbage, Threat Analyst

Dec 5, '14

Zeus malware continues to plague the Internet, distributed through spam emails and embedded in compromised corners of the web, all designed to exploit unsuspecting consumers. PhishLabs' R.A.I.D. (Research, Analysis and Intelligence Division) recently observed the Zeus malware being distributed through an alarmingly convincing browser warning that prompts viewers to download and "restore settings."

Figure 1 shows the browser warning, which is designed to make viewers believe the alert is triggered by security preferences they previously set up themselves. The message creates a sense of urgency and fear, warning of "unusual activity." The path by which victims encounter this browser message is still under investigation by the PhishLabs R.A.I.D.

Read More

Topics: ZeuS, Banking Trojan

PoS Malware, Adobe Emergency Update, ATM 'Wiretapping' and more | TWIC - November 28, 2014

Posted by Lindsey Havens

Nov 28, '14

Each week, the PhishLabs team posts The Week in Cybercrime (TWIC) to recap noteworthy cybercrime articles and reports (open source).

Read More

Topics: Malware, Vulnerability, Adobe, The Week in Cybercrime, Data Breach

Citadel Trojan Targets Password Managers, Microsoft Emergency Patch, Charities Targeted and more | TWIC - November 22, 2014

Posted by Lindsey Havens

Nov 22, '14

Each week, the PhishLabs team posts The Week in Cybercrime (TWIC) to recap noteworthy cybercrime articles and reports (open source).

Read More

Topics: Phishing, Vulnerability, The Week in Cybercrime, Banking Trojan

Cybercriminals abuse charities to verify stolen credit card data

Posted by Don Jackson, Director of Threat Intelligence

Nov 21, '14

It should come as no surprise that cybercriminals have yet again displayed superior moral character with a scheme that exploits the websites of non-profit organizations to verify stolen card data. PhishLabs' R.A.I.D. (Research, Analysis, and Intelligence Division) has uncovered an underground service that lets cybercriminals use an interactive chat bot to automate the verification of stolen payment card data. The bot is a script programmed to log in to an online chat channel and monitor it for messages containing data such as credit card numbers, cardholder names, and expiration dates, entered using a special input syntax. Miscreants are deliberately targeting the websites of non-profits with this service because small donations are an easy way to test whether a stolen card still works.

Bot design and implementation

When cybercriminals join the online channel and "chat," the bot uses the data provided (cardholder name and card information) to run transactions against the websites of charities and other non-profits in order to verify that the card data is correct and the account is active. The bot then reports the results and any transaction details back to the crook.

The bot interacts as a user on an IRC (Internet Relay Chat) channel. Functions like card verification are handled through private messages between a moderator, the criminal service's customer, and the bot's own "user" ID on the same chat channel. These messages contain bot commands formatted using a specific syntax recognized by the bot. Using the private message feature allows the service's users to chat openly with each other but keep messages that contain things like valuable card data out of the hands of the other criminals on the channel.

The bot itself is a program written in Perl. Although based on a design for IRC interactions that dates back many years, this bot uses specific modules and code customized for cybercrime purposes that were first seen in 2011. This particular strain of criminal-tailored code is known for its use of Portuguese in comments and variable names.

The source code to those bots is available, but compared to those older bots that were coded for a single main purpose, the bot used in this case is larger and more complex, handling many different functions that cybercriminals may find useful. Indeed, in addition to automated card verification, this bot also includes modules for tasks such as:

  • Checking tracking numbers on packages, for example, used by the channel members to track items purchased using stolen cards through a "reshipper" network
  • Address and ZIP code verification for cardholder identity data

However, card verification seems to be the primary use, and that's the main draw for the service's customers. See Figure 1 for a snippet of code showing the card verification data.

Figure 1 - Bot source code snippet showing card data approval messages
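The defensive counterpart to the bot described above is spotting the card-testing traffic it generates on a non-profit's donation page: a burst of small transactions from one source, each with a different card number, with a mix of approvals and declines. The following is an added example written for this page; it is not PhishLabs code and not the bot's code. The log format and the sample log lines are constructed assumptions (a gateway that records timestamp, client IP, masked PAN, amount and result), and the thresholds are starting points a practitioner would tune to their own donation volume.

```python
"""Card-testing detection over donation-gateway logs (added example).

Assumed log format (one transaction per line, constructed for this example):
  <ISO timestamp> ip=<addr> card=<bin6>******<last4> amount=<usd> result=<approved|declined>
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) card=(?P<bin>\d{6})\*+(?P<last4>\d{4}) "
    r"amount=(?P<amount>[\d.]+) result=(?P<result>approved|declined)$"
)

# Constructed sample: one card-testing burst from 203.0.113.7, two normal donations,
# and one malformed line to show that the parser skips garbage instead of crashing.
SAMPLE_LOG = """\
2014-11-20T14:01:05 ip=198.51.100.22 card=411111******1111 amount=50.00 result=approved
2014-11-20T14:02:11 ip=203.0.113.7 card=411111******4242 amount=1.00 result=declined
2014-11-20T14:02:19 ip=203.0.113.7 card=542418******0077 amount=1.00 result=approved
2014-11-20T14:02:31 ip=203.0.113.7 card=601100******9424 amount=2.00 result=declined
2014-11-20T14:02:44 ip=203.0.113.7 card=411111******8193 amount=1.00 result=approved
2014-11-20T14:03:02 ip=203.0.113.7 card=371449******8431 amount=1.00 result=declined
2014-11-20T14:03:15 ip=203.0.113.7 card=542418******1355 amount=2.00 result=approved
2014-11-20T14:30:40 ip=198.51.100.30 card=542418******3111 amount=25.00 result=approved
garbage line that does not match
"""


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": datetime.fromisoformat(d["ts"]),
        "ip": d["ip"],
        "card": d["bin"] + d["last4"],  # BIN + last4 is enough to count distinct cards
        "amount": float(d["amount"]),
        "approved": d["result"] == "approved",
    }


def detect_card_testing(lines, window=timedelta(minutes=10), min_cards=5, max_avg_amount=5.0):
    """Flag source IPs that try many distinct cards for small amounts inside one time window.

    For each IP, slide a window over its transactions (sorted by time) and keep the
    window with the most distinct cards that also has a low average amount. Returns
    {ip: summary} for IPs that cross the thresholds.
    """
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            by_ip[rec["ip"]].append(rec)

    findings = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        best = None
        start = 0
        for end in range(len(recs)):
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            burst = recs[start:end + 1]
            cards = {r["card"] for r in burst}
            avg_amount = sum(r["amount"] for r in burst) / len(burst)
            if len(cards) >= min_cards and avg_amount <= max_avg_amount:
                if best is None or len(cards) > best["distinct_cards"]:
                    best = {
                        "distinct_cards": len(cards),
                        "attempts": len(burst),
                        "declines": sum(1 for r in burst if not r["approved"]),
                        "avg_amount": round(avg_amount, 2),
                        "first_seen": burst[0]["ts"].isoformat(),
                        "last_seen": burst[-1]["ts"].isoformat(),
                    }
        if best is not None:
            findings[ip] = best
    return findings


if __name__ == "__main__":
    for ip, summary in detect_card_testing(SAMPLE_LOG.splitlines()).items():
        print(ip, summary)
```

Keying on the client IP alone is the weak point: a bot run through a proxy pool or a reshipper's residential connections spreads the burst across many addresses, while a corporate NAT can make legitimate donors look like one source. In practice the same sliding-window check is worth running per session cookie and per device fingerprint as well, and a site-wide rise in sub-$5 first-time donations is itself a signal that the donation form has been picked up by a checker service.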

Read More

Topics: Fraud
