Cybercrime-friendly underground traffic exchanges help facilitate fraudulent and malicious activity – part two


By Dancho Danchev

The list of monetization tactics a cybercriminal can take advantage of, once they manage to hijack a huge portion of Web traffic, is virtually limitless and is entirely based on his experience within the cybercrime ecosystem.

Through the utilization of blackhat SEO (search engine optimization), RFI (Remote File Inclusion), DNS cache poisoning, or direct impersonation of popular brands in spam/phishing campaigns tactics, on a daily basis, traffic is sold and resold for achieving a customer’s or a seller’s fraudulent/malicious objectives, and is then most commonly converted to malware-infected hosts.

In this post, I’ll profile two cybercrime-friendly iFrame traffic exchanges, with the second ‘vertically integrating’ by also offering spamming services, as well as services violating YouTube’s ToS (Terms of Service) such as likes, comments, views, favorites and subscribers on demand, with an emphasis on the most common ways through which a potential cybercriminal can abuse any such traffic exchange network.

More details:

Continue reading

Cybercrime-friendly underground traffic exchange helps facilitate fraudulent and malicious activity


By Dancho Danchev

Throughout the last couple of years, the persistent demand for geolocated traffic coming from both legitimate traffic exchanges or purely malicious ones — think traffic acquisition through illegally embedded iFrames — has been contributing to the growing market segment where traffic is bought, sold and re-sold, for the sole purpose of monetizing it through illegal means.

The ultimately objective? Expose users visiting compromised, or blackhat SEO-friendly automatically generated sites with bogus content, to fraudulent or malicious content in the form of impersonations of legitimate Web sites seeking accounting data, or client-side exploits silently served in an attempt to have an undetected piece of malware dropped on their hosts.

A recently spotted cybercrime-friendly underground traffic exchange service empowers cybercriminals with advanced targeting capabilities on per browser version basis, applies QA (Quality Assurance) to check their fraudulent/malicious domains against the most popular community/commercial based URL black lists, and ‘naturally’ we found evidence that it’s already been used to serve client-side exploits to unsuspecting users.

More details:

Continue reading

Malicious Bank of America (BofA) ‘Statement of Expenses’ themed emails lead to client-side exploits and malware


By Dancho Danchev

Bank of America (BofA) customers, watch what you click on!

A currently ongoing malicious spam campaigns is attempting to entice BofA customers into clicking on the client-side exploit serving URLs found in legitimate looking ‘Statement of Expenses’ themed emails. Once users with outdated third-party applications and browser plugins click on the link, an infection is installed that automatically converts their PC’s into zombies under the control of the botnet operated by the cybercriminal/gang of cybercriminals behind the campaign.

More details:

Continue reading

New Mac Malware Uses Right-to-Left Override To Trick Users


By Michael Sweeting

After a relatively long lag period without seeing any particular new and exciting Mac malware, last week we saw the surfacing of a new and interesting method of compromising the OSX system. Malware authors have taken a new approach by altering file extensions of malicious .app packages in order to trick users into thinking they are opening relatively harmless .pdf or .doc files. Changing file extensions in Mac OSX can be tricky due to a built in security feature of the OS that detects attempts to change the extension and automatically annexes the extension of its correct file or package type. So what’s the trick you may ask? Well, in order for malware authors to get around this built in OSX security feature, they are implementing what is called “right-to-left encoding” using the built in Mac OSX Character Viewer. OSX Character Viewer allows the user to very easily insert a vast array of characters and text input methods, which in this case, gives the malware author the ability to insert a fake file extension using the “right-to-left” encoding character. Continue reading

Master Key Bug Patch – Webroot SecureAnywhere Mobile Update on Google Play Now


By Nathan Collier

7-16-2013 8-32-56 AMLast Friday we blogged about the radical Android OS bug 8219321, better known as the “Master Key” bug, which was reported by Bluebox Security. Check out last weeks blog if you haven’t already: “The implications are huge!” – The Master Key Bug. We mentioned how we have been diligently working on protecting those not yet covered by patches or updates, and finding a solution for older devices as well. We are happy to report we have the solution! The newest version of Webroot SecureAnywhere Mobile with a patch for the “Master Key” bug can be found on the Google Play store now: Webroot SecureAnywhere Mobile.

Malware is always evolving, and so are we. No matter what new exploits are thrown our way, we have you covered. From all of us at the Webroot Mobile Team, stay safe.

“The implications are huge!” – The Master Key Bug *UPDATED*


By Nathan Collier and Cameron Palan

Android Master KeyLast week, Bluebox Security reported they’d found a new flaw with the Android OS, saying “The implications are huge!”. The bug, also known as the “Master Key” bug or “bug 8219321”, can be exploited as a way to modify Android application files, specifically the code within them, without breaking the cryptographic signature. We call these signatures the “digital certificate”, and they are used to verify the app’s integrity. Since the bug is able to modify an application and still have the certificate appear valid, it is a big deal. Continue reading

Android.Bankun: Bank Information Stealing Application On Your Android Device


By Nathan Collier

There’s one variant of Android.Bankun that is particularly interesting to me.  When you look at the manifest it doesn’t have even one permission.  Even wallpaper apps have internet permissions.  Having no permissions isn’t a red flag for being malicious though.  In fact, it may even make you lean towards it being legitimate.

There is one thing that thing that gives Android.Bankun a red flag though.  The package name of com.google.bankun instantly makes me think something is fishy.  To the average user the word ‘Google’ is seen as a word to be trusted.  This is especially true when it comes to the Android operating system which is of course created by the search engine giant. Continue reading