Tag Archive | "cybercrime"


Anonymous Hacker Group Vows to Wipe ISIS off of the Internet

Posted on 18 November 2015 by GranTorinoGuy

The recent terrorist attacks in Paris, France, have been very unfortunate and sad, accounting for the deaths of over 100 people. Just after the perpetrators were identified as the well-known ISIS terrorist group, hackers from the infamous Anonymous group set out to attack ISIS on the internet front and have now vowed to wipe ISIS off of the internet.

The Anonymous hacker group has long been known for its efforts to attack companies or organizations that do something against its members' personal morals or beliefs. As it turns out, the aggressive terrorism carried out by ISIS in the recent Paris, France killings has angered Anonymous and pushed them to take action: taking well over 5,500 ISIS-owned Twitter accounts down, releasing a “How to Hack ISIS” guide, and performing other actions to essentially attack and dismantle ISIS over the Internet.

In a YouTube video posted recently (below), Anonymous makes a threat directly at ISIS, saying “Expect massive cyber-attacks. War is declared, Get prepared.”

In the normal fashion of Anonymous, the video makes their threat known to the public using their customary signatures.

Through the #OpParis effort and website, Anonymous is targeting ISIS with everything they have all over the Internet. Through these efforts, Anonymous may somehow become an ally of law enforcement agencies around the world who also look to take ISIS down and put an end to their terror.

Do you think Anonymous will have any luck in helping with the take-down of ISIS or disrupt them in any way other than what has already been done with ISIS-member Twitter accounts?


Cybercrooks Using Malicious Video Advertisements to Plant Malware

Posted on 13 November 2015 by GranTorinoGuy

Hackers and cybercrooks are busier than ever, and they won't let anything stand in the way of spreading their malicious creations. In an effort to spread malware more effectively, cybercrooks are taking their distribution methods to video advertisements.

The technique, known as malvertising, is the spreading of malware through advertisements and has been around for many years. Cybercrooks are able to inject malicious ads into various ad networks; these ads redirect visitors to malicious sites that offer or initiate the download of malware.

In the latest schemes of spreading malware through malvertising, cybercrooks are aggressively using video ads as a means of spreading malware. The video ads that hackers target are ones distributed through ads served on high-traffic sites.

What is happening in these cases is that cybercrooks obtain access to various ad networks, where they must purchase ad space to run the more expensive video ads. Once access is granted, they serve up ads that should not be approved, but they are sneaky in their approach so as not to alert the ad network serving the ads.

Currently, it is very difficult to estimate how many malicious video ads are running on any given website, even if it is a high-traffic site well known to internet surfers.

Companies are serving more and more video ads, and publishers that monetize those video ads should pay close attention to each network channel that serves up third-party code for those ads. Wherever third-party ad code is involved, there is a likelihood of cybercrooks taking advantage of the ad serving and delivering malicious ads.

As far as avoiding malicious video ads, there is no sure way. The only thing end users can do is to take proactive steps in running antivirus and/or antimalware software to detect and eliminate malicious threats when they occur. Other things computer users can do are to avoid visiting questionable sites or ones that display advertisements that seem out of the ordinary or offer something that is just too good to be true.


Ramnit Botnet Extends Infection Reach To Over 28 Countries and 500,000 Computers

Posted on 11 March 2015 by GranTorinoGuy

The Ramnit malware threat, which has recently evolved into a dangerous botnet, is extending its presence across the world infecting hundreds of thousands of computers. The systems infected with Ramnit may be used to exploit online banking accounts, much like how other well-known botnets have done in the past.

Among the many banking theft botnets, Ramnit is a bit late to the game, getting its start in 2010, when it was recognized as a computer worm threat. Now, after an update delivered through as many as two command and control servers, Ramnit has the ability to shut down security applications, including all security components of Windows.

The expansion of Ramnit leads experts to expect that the infection may reach over a million computers before it is stopped in its tracks. Because of the unsurpassed sophistication of Ramnit, it has the upper hand in evading tracking and detection.

The dynamic IPs used by Ramnit on infected systems make it difficult to track them down. Additionally, in the past six months Microsoft researchers have seen more than 500,000 systems become infected, making the growth rate of Ramnit rather alarming.

The vast spread of Ramnit has reached more than 28 countries, and that number is bound to go up. Among those 28 countries, the most compromised systems reside in Indonesia, with about 90,925 in total, accounting for 26.27% according to Symantec's data recorded thus far. India is second in line with 80,144 infections at a 23.16% rate, followed by Vietnam at 37,708 and a 10.03% rate, with Algeria at 5.73% and Thailand at 4.84% completing the top 5 locations.

Other regions of the world account for the 23 remaining countries Ramnit has reached, including the UK, Egypt, Philippines, Saudi Arabia, Pakistan, Iran, Azerbaijan, Morocco, Nepal, Nigeria, Malaysia, Romania, Yemen, Russian Federation, Turkey, Mexico, China, Brazil, Myanmar, Palestinian Territory, and Mongolia.

The extensive list of countries shows no rhyme or reason to the locations, suggesting that Ramnit's operators have no desire to focus on a specific target location. However, it may be prudent to mention that attackers behind sophisticated botnets like Ramnit may exploit systems that prove to be more vulnerable than others, which could lead them down a path to virtually any location in the world.


DDoS Attacks – Short-Lived, but More Powerful

Posted on 25 September 2014 by SlimboCA

DDoS (Distributed Denial-of-Service) attacks still present major problems to big companies.

According to a report released recently by NSfocus' research team, DDoS attacks have become shorter than before, but far more powerful.

The results of the remediation company’s research are based on information from real cases of DDoS attacks throughout the first half of 2014.

The short duration of the attacks allows them to occur repeatedly in a short period. The volumes, on the other hand, are much higher. The research team concluded that a large part of the attacks lasted less than 30 minutes.

According to the report, the most targeted websites are latency-sensitive, such as e-commerce and hosting services, online gaming, etc.

In the meantime, the DDoS traffic volume went up to 4 GBPS. More than half of the attacks were above 0.2 Mpps in the first six months of 2014, which indicates a 16% increase year over year.

Here are a few more numbers you may be interested in:

  • Over 2% of the attacks were started at a rate above 3.2 Mpps
  • Attacks against ISPs have jumped by 87.2%
  • Attacks against enterprises increased by 100.5%
  • Attacks targeting online gaming sites are up by 60%
  • The highest frequency of DDoS attacks endured by a single victim is sixty-eight.

All of these changes can be attributed to various factors: the evolution of the network environment, which brings the DDoS battlefield to a brand new level; technological developments, which allow hackers to exploit new tools constantly; and changes in DDoS patterns in pursuit of higher profit.

The firm has been keeping track of the DDoS attacks in the past years and has observed numerous changes in the behavior of the hackers. Since the trends cannot be predicted, security experts advise the companies in the targeted sectors to take a defensive approach.

Hacker’s Favorites – Fourth Place for DDoS Attacks

According to the 2014 security report by another big security company, Check Point, DDoS takes fourth place among all the creative ways hackers can attack an organization. 23% of all the attacks last year were DDoS.

This statement agrees with the report that DDoS remains high volume. Keith Bird, Managing Director at Check Point, suggests that it would be only logical to assume that the IT security sector is dealing with DDoS attacks more effectively than before, since their lifespan is getting shorter. Although this might be quite encouraging, companies should keep on applying strong defenses to make sure that the ongoing trend is not reversed.

Another security firm that follows the DDoS trends closely is Arbor Networks. According to their research, 90.6% of the DDoS attacks last less than an hour. Additionally, the firm concluded that an average attack over 10GB lasts approximately 1 hour 38 minutes.


Black Energy’s New Targets – Ukraine, Poland, Brussels

Posted on 24 September 2014 by SlimboCA

Current malware campaigns in Ukraine, Brussels and Poland are most likely to target information, not cash.

BlackEnergy Strikes Again in a New Manner

The security firm ESET discovered a newer version of the BlackEnergy malware that is currently targeting over a hundred industrial and security organizations in Ukraine and Poland. BlackEnergy has been known to the public since the cyber-attack on Georgia in 2008. So far, BlackEnergy has been used for DDoS attacks, distribution of spam messages and bank fraud.

According to a report of the ESET research team, the botnet-based malware has a new strategy, targeting private companies and state organizations in various industries. There have been numerous attacks throughout 2014, and they are still active this month.

Reportedly, the “lite” BlackEnergy version has over a hundred victims so far. These are mainly companies and organizations in Ukraine and Poland.

In the meantime, another security company, F-Secure, discovered a recent BlackEnergy campaign active in Brussels. The security specialists believe this may be a sign of a breach in the European Commission or the European Parliament.

F-Secure also revealed another Russian malware campaign, CosmicDuke, which uses a fake document concerning the news about the current Scottish independence vote in order to lure the victim into opening it and thus introduce the threat into the system. The attack targets companies in the oil sector, mainly situated in the UK.

BlackEnergy Lite – What’s Different?

The security experts at ESET call the newer version of BlackEnergy “lite” for a few reasons:

  • The latest BlackEnergy is cheaper.
  • The malware does not use a kernel mode driver anymore.
  • BlackEnergy no longer has the rootkit functionality that was used as a cover for the malware in the previous versions.

Although the newer version might appear a bit stripped-down, it is still able to damage the systems of numerous organizations, taking advantage of various software vulnerabilities, or by using phishing emails and fake documents to attack the victims.

Dropping the kernel mode driver is a quite common tendency among malware creators lately. It may be because of the technical difficulties developers face, or simply because creating malware like this is a big investment.

The cyber crooks behind BlackEnergy Lite use it for:

  • Remote code execution.
  • Collecting data.
  • Network discovery.

The distribution mechanism of the attacks is quite interesting as well. A document named “Russian ambassadors to conquer the world” was used in one of the attacks in April. The decoy file exploited a vulnerability in Microsoft Word (CVE-2014-1761). In other cases, the dropper is an EXE file hiding behind the Word icon.

Reportedly, in the attacks from the last two months the crooks used PowerPoint documents and unspecified Java vulnerabilities.

The Experts’ Opinion

Security experts observe a growth in Russian malware campaigns. They believe that hackers, who were previously interested in credit card theft, are now targeting trade secrets.

Compared to CosmicDuke, the attacks of BlackEnergy may appear a bit more patriotically driven than cash oriented. Some specialists believe that the campaigns may not even have been started by Russian nation-state cyber criminals.

BlackEnergy Lite's lack of concealment features is not something that holds it back, the experts say. Apparently, Lite has been reduced to the functionality that is needed.

Compared to its previous version, the malware is now easier to detect, but mainly in the lab environment. The technology used by most organizations is quite static, as they still rely on maintaining a firewall. This makes their battle against BlackEnergy even harder.

More information concerning the newer version of BlackEnergy is expected to be released by the experts of both security companies.


BlackEnergy – Simple to Control and Hard to Detect

Posted on 16 July 2014 by SlimboCA

BlackEnergy is a web-based DDoS (distributed denial of service) bot, which was created in the mid-90′s by Russian hackers. BlackEnergy provides the attackers with an easily controlled web-based bot that can target more than one IP address per hostname and, due to the runtime encrypter its author used, the BlackEnergy botnet can evade antivirus detection.

BlackEnergy provides a tool for hackers to create floods against different systems and servers, causing them to overload and deny service. BlackEnergy can carry out those attacks from multiple systems at a time, attacking various IP addresses, which makes the attacks quite severe.

From the time BlackEnergy was initially launched until 2008, no significant changes in the way it works were detected. In 2008 a major new update, known as BlackEnergy 2, emerged. BlackEnergy is also known as Backdoor.Win32.Blakken. Until then, the modifications mostly included different rootkits, so that various weak points in the operating systems could be exploited. Diverse droppers and Trojans were used to disperse BlackEnergy.

The most recent version of BlackEnergy has been distributed in a zip file claiming to contain a list of unsafe passwords. The zip file itself opens normally, and the user can find an actual list within. Once the list is opened, BlackEnergy starts to spread in the system as a background process, while the actual document with passwords acts as a decoy for the unsuspecting user.

BlackEnergy 2 – Step-by-step to Hostile Overtaking

The bot has a few main functions. Each of them is performed by a separate component of the program:

  • to hide the virus from the antimalware program
  • to infect the system processes
  • to provide flexible ways of executing the malicious activities that the C&C (Command and Control) center sends

Similar to other threats, BlackEnergy 2 has a protective layer that does not allow antivirus products to detect it. As soon as the executable file is activated on the computer, the malicious application allocates virtual memory, copies the decryptor code into it and transfers control to the decryptor.

Once the decryptor code has been executed, the payload is placed in memory. After its execution, a decryptor driver is created in the C:\Windows\System32\Drivers folder and the corresponding service is activated. The driver itself works as a cover for most of the interesting processes that follow.

Inside the decryptor driver is a block of encrypted data. That data is an infector which inserts a DLL into svchost.exe.

The DLL inside svchost.exe is the most important part for launching a DDoS attack from the infected computer. The DLL holds a data string that creates an XML file defining the bot's original configuration. Among the data is the address of the botnet's C&C. Sometimes more than one address is added, so there is a backup if the initial one cannot be contacted.

The bot then sends a pre-formed HTTP request to the C&C containing details about the infected computer. That includes an identifier of the computer, the serial number of the hard drive on which Windows is installed, country, language strings, etc. If the C&C authorizes the request, it replies with a bot configuration file, which is an RC4-encrypted XML document. The encryption key is derived from the computer identifier previously sent by the bot, so that only that specific computer can use the configuration.
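As an added example that is not part of the original post or of any BlackEnergy code, the following Python helper shows the analyst-side view of the configuration exchange described above: given the bot identifier captured from the request and the RC4-encrypted reply, it recovers the XML and lists the C&C addresses, and flags a reply that does not decrypt under that identifier. Using the raw identifier bytes directly as the RC4 key, the element names, and the sample values are all assumptions made for illustration.

```python
# Analyst helper (added example, not from the post or any malware sample): decrypt a
# captured RC4-encrypted XML bot configuration with the bot's own identifier as the key
# and pull out the C&C addresses. Key derivation and XML layout are assumptions.
import xml.etree.ElementTree as ET


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Symmetric: the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):  # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:  # pseudo-random generation, XORed onto the data
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decrypt_config(bot_id: str, blob: bytes) -> dict:
    """Recover the bot configuration from a captured C&C reply.

    Returns the list of C&C servers plus the remaining settings. Raises ValueError
    when the identifier does not fit: a wrong key yields bytes that are not XML.
    """
    plain = rc4(bot_id.encode(), blob)  # assumption: identifier bytes are the key
    try:
        root = ET.fromstring(plain.decode("utf-8"))
    except (UnicodeDecodeError, ET.ParseError, ValueError) as exc:
        raise ValueError("decryption did not yield XML; wrong bot identifier?") from exc
    servers = [el.text.strip() for el in root.iter("server") if el.text]
    settings = {el.tag: (el.text or "").strip() for el in root if el.tag != "servers"}
    return {"servers": servers, "settings": settings}


# Constructed sample: a hypothetical identifier and configuration, encrypted here so
# the example runs offline. Real captured traffic would supply these two values.
SAMPLE_BOT_ID = "BOT-EXAMPLE-0001"
SAMPLE_CONFIG_XML = (
    "<config>"
    "<servers><server>cnc-primary.example</server>"
    "<server>cnc-backup.example</server></servers>"
    "<interval>600</interval>"
    "</config>"
)
SAMPLE_BLOB = rc4(SAMPLE_BOT_ID.encode(), SAMPLE_CONFIG_XML.encode())


if __name__ == "__main__":
    cfg = decrypt_config(SAMPLE_BOT_ID, SAMPLE_BLOB)
    print("C&C servers:", cfg["servers"])
    print("other settings:", cfg["settings"])
```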


Beware of Netflix Phishing Scam Tricking Customers with Fake Member Services

Posted on 05 March 2014 by GranTorinoGuy

Netflix is a giant in the business of streaming movies and renting movies through the mail. They reportedly have over 40 million subscribers around the world. As it turns out, hackers and cybercrooks are attempting to scam users with a new phishing technique preying on users' blind trust in customer service representatives.

In what appears to be a phishing campaign built around a fake Netflix customer service number, users are presented with an “Important Notice” claiming that unusual activity was detected on their Netflix account. The user is given a 1-800 number on the screen with an error code to reference. When users call the number, the rogue representative instructs them to go through a process in which the so-called service rep connects to the user's computer through the remote control software TeamViewer. From there, the fake agent searches the system for banking information or other personal data they can use for potential identity theft or theft of money from an online banking account.

This new phishing technique is rather clever but it is not the first of its kind. Scammers have long been known to use fake customer service setups to exploit gullible computer users. In the case of the Netflix phishing scam, users are easily victimized because of how clever the “Important Notice” error message is.

There are a lot of issues and red flags to point out about the whole scam, starting with the message itself: Netflix would never warn you of unusual activity on your Netflix account through an alert message on your computer. Additionally, a service agent at Netflix would never connect to your computer to resolve a supposed issue causing such an error message.

The video below shows the complete phishing scam in action, from a computer being redirected to a malicious site that then initiates the scam. The video also goes through the full conversation with the so-called member services, which is a complete scam, even claiming that there is a hacker on the computer causing the issue.

We highly advise computer users to use caution with messages such as the fake Netflix “Important Notice”. These scammers are sneaky and they don't want to help you; they want to hurt you badly by stealing from you through any means within their power.


Average Time It Takes Cybercriminals to Start Exploiting Breaking News Decreases to 22 Hours

Posted on 28 September 2013 by GranTorinoGuy

It is almost a daily occurrence that cybercrooks find the most popular news stories or breaking news events to exploit. Researchers from Commtouch Security have now concluded that the time it takes cybercriminals to start exploiting breaking news is around 22 hours, the lowest ever seen.

Cybercrooks waste no time in ramping up efforts to exploit a popular news story. It is almost as expected as your next breath of air. In their malware distribution campaigns, cybercriminals commonly use a popular news subject or breaking news to get traction on search engines. Naturally, popular search engines like Google, Bing and Yahoo will quickly pick up a breaking news story. Hackers thrive on this and waste virtually no time in rehashing a version of the story on either a hacked website or one specifically designed to exploit computer users through news stories, eventually spreading malware.

Over the past few months, experts have been tracking the start time of breaking news events and how long it takes cybercrooks to react to the news by posting their malware-laced stories related to it. It was found that, in April of this year, the average time was 27 hours when examining the Boston Marathon bombings. In recent events, such as the Royal Baby, the Syrian conflict, the NSA leaks and even the U.S. government shutdown, the start time has shrunk to just 22 hours.

In retrospect, 22 hours is a short amount of time for getting breaking news stories out where the posts or pages have malware linked in one way or another. Just think: a breaking news story floods the media at 9am this morning, and the hackers have their own version of the story, only laced with malware, by 7am the next morning. In some instances, this is faster than some reputable news outlets are able to confirm and relay a breaking news story on their website.

Do you think cybercrooks will eventually break popular news stories to us laced with malware faster than the top news websites in the near future? After-all, what is stopping them from doing that?


Spam and Cybercrime Attacks on Twitter and Facebook Have Tripled in 2009

Posted on 02 February 2010 by SlimboCA

Malware, spam and spyware attacks are on the rise on social networks such as Twitter, MySpace, Facebook and LinkedIn.

In the last year, 57 percent of users report they have been spammed via social networking sites, an increase of 70.6 percent compared to last year. Furthermore, 36 percent of users claim they’ve been sent spyware via social networking sites, which is a rise of 69.8 percent from last year.

On the other hand, CEOs of companies are concerned that their employees’ usage of social networks is posing a security risk for their company. Sophos has surveyed more than 500 organizations, discovering that 72 percent of them think social networks are a danger for their companies, with 60 percent of them tagging Facebook as the biggest security risk, followed by MySpace, Twitter and LinkedIn.

Facebook is the biggest threat because it is the biggest social network out there, but some of the blame can be placed on Facebook's own privacy rules. When Facebook rolled out its new recommended privacy settings late last year, it was seen largely as a backwards step, encouraging many users to share their information with everybody on the Internet.

Cyber-criminals are now also selling hacked usernames and passwords online to make hundreds of dollars. One Twitter account was offered at $1,000 in an underground hacker forum.

Hackers have maliciously been creating Internet data-stealing spyware since 2005. Now it’s becoming a growing problem on the Internet as these programs become more sophisticated. Some corrupt programs seek banking passwords, others hunt for online gaming credentials. But according to online security experts, the fastest-growing data stealers are generic spying programs which steal as much information as possible from their victims.

Cybercrooks are starting to realize that they can do more than simply swipe credit card numbers. In 2009 about 70,000 of these programs were identified, twice as many as the year before, and almost three times the number of banking password stealing programs.

Gmail accounts have been compromised and put up for sale on Russian hacker forums, with an asking price of 2500 rubles, or $82. RapidShare accounts go for $5 per month, and Skype, instant messaging and Facebook credentials are also being offered. The prices vary depending on who owns the account and the number of followers the person has. Attackers usually look for a trusted stepping stone from which to send malicious Twitter messages and infect more machines. A Twitter account with just over 320 followers has been offered at $1,000 in an underground hacker forum. Compared to MSN accounts, which have been seen priced at €1 (USD$1.40), the price for Twitter accounts is really high.

When the value of stolen credit cards and other types of credentials are added up, hackers can easily take in $1,000 worth of data after hacking just one computer.
