Cybercrime-friendly underground traffic exchanges help facilitate fraudulent and malicious activity – part two

By Dancho Danchev

The list of monetization tactics a cybercriminal can take advantage of, once they manage to hijack a huge portion of Web traffic, is virtually limitless and is entirely based on his experience within the cybercrime ecosystem.

Through the utilization of blackhat SEO (search engine optimization), RFI (Remote File Inclusion), DNS cache poisoning, or direct impersonation of popular brands in spam/phishing campaigns tactics, on a daily basis, traffic is sold and resold for achieving a customer’s or a seller’s fraudulent/malicious objectives, and is then most commonly converted to malware-infected hosts.

In this post, I’ll profile two cybercrime-friendly iFrame traffic exchanges, with the second ‘vertically integrating’ by also offering spamming services, as well as services violating YouTube’s ToS (Terms of Service) such as likes, comments, views, favorites and subscribers on demand, with an emphasis on the most common ways through which a potential cybercriminal can abuse any such traffic exchange network.

More details:

Continue reading

Cybercrime-friendly underground traffic exchange helps facilitate fraudulent and malicious activity

By Dancho Danchev

Throughout the last couple of years, the persistent demand for geolocated traffic coming from both legitimate traffic exchanges or purely malicious ones — think traffic acquisition through illegally embedded iFrames — has been contributing to the growing market segment where traffic is bought, sold and re-sold, for the sole purpose of monetizing it through illegal means.

The ultimately objective? Expose users visiting compromised, or blackhat SEO-friendly automatically generated sites with bogus content, to fraudulent or malicious content in the form of impersonations of legitimate Web sites seeking accounting data, or client-side exploits silently served in an attempt to have an undetected piece of malware dropped on their hosts.

A recently spotted cybercrime-friendly underground traffic exchange service empowers cybercriminals with advanced targeting capabilities on per browser version basis, applies QA (Quality Assurance) to check their fraudulent/malicious domains against the most popular community/commercial based URL black lists, and ‘naturally’ we found evidence that it’s already been used to serve client-side exploits to unsuspecting users.

More details:

Continue reading

New boutique iFrame crypting service spotted in the wild

By Dancho Danchev

In a series of blog posts shedding more light into the emergence of the boutique cybercrime ‘enterprise’, we’ve been profiling underground market propositions that continue populating the cybercrime ecosystem on a daily basis, but fail to result in any widespread damage or introduce potential ecosystem disrupting features. Despite these observations, the novice cybercriminals behind them continue earning revenue from fellow cybercriminals, continue generating and maintaining their botnets, and, just like small businesses in a legitimate economy model, continue to collectively occupy a significant market share within the cybercrime ecosystem.

In this post, I’ll profile a self-service type of boutique iFrame crypting cybercrime-friendly operation and discuss why its perceived short product/service life cycle is still a profitable cybercrime ecosystem monetization tactic, despite these services’/products’ inability to differentiate their proposition from the market leading competitors whose ‘releases’ remain a major driving force behind the mature state of the underground market in 2013.

More details:

Continue reading

Compromised FTP/SSH account privilege-escalating mass iFrame embedding platform released on the underground marketplace

By Dancho Danchev

Utilizing the very best in ‘malicious economies of scale’ concepts, cybercriminals have recently released a privilege-escalating Web-controlled mass iFrame embedding platform that’s not just relying on compromised FTP/SSH accounts, but also automatically gains root access on the affected servers in an attempt to target each and every site hosted there. Similar to the stealth Apache 2 module that we profiled back in November, 2012, this platform raises the stakes even higher, thanks to the automation, intuitive and easy to use interface, and virtually limitless possibilities for monetization of the hijacked traffic.

Let’s take an exclusive look inside the new platform, offer screenshots of the platform in action, discuss its key features, the pricing scheme, and discuss why its release is prone to cause widespread damage internationally, given the obvious adoption that’s beginning to take place.

More details:

Continue reading

Cybercriminals release stealthy DIY mass iFrame injecting Apache 2 modules

By Dancho Danchev

What would an attacker do if they were attempting to inject malicious iFrames on as many Web sites as possible?

Would they rely on search engines’ reconnaissance as a foundation fo their efficient exploitation process, data mine a botnet’s infected population for accounting data related to CPanel, FTP and SSH accounts, purchase access to botnet logs, unethically pen-test a Web property’s infrastructure, or hit the jackpot with an ingenious idea that’s been trending as of recently within the cybercrime ecosystem?

No, they wouldn’t rely on any of these. They would just seek access to servers hosting as many domains as possible and efficiently embed malicious iFrames on each and every .php/.html/.js found within these domains. At least that’s what the cybercriminal operations that I’ll elaborate on in this post are all about.

Let’s take a peek at a recently advertised DIY mass iFrame injecting Apache 2.x module that appears to have already been responsible for a variety of security incidents across the globe. This module makes it virtually impossible for a webmaster to remove the infection from their Web site, affects millions of users in the process, and earns thousands of dollars for the cybercriminals operating it.

More details:

Continue reading

Everyone has a role in protecting a corporate infrastructure (Part 1)

By Jacques Erasmus

This time of year, those of us in information security become wary of crafty criminals leveraging the winter holidays to prey on our employees’ lack of awareness online in a number of ways. All it takes is for one Trojan to infect a single PC in a company to put an entire infrastructure at risk.

Everyone plays a role in protecting the assets and information of their organization. To help explain what this means for you as an IT manager, an employee or even a home user, we have developed a two-part primer on common threats you may encounter on a daily basis that might pose a risk to you or your company’s infrastructure.

We begin today with part one: Web-based attacks.

From a security awareness point of view, these threats are much harder to spot due to the manner in which they operate. However, this discussion will help you better understand how they work and to know when these attacks take place.

Below is a picture of what the common workflow is for a web-based threat. In the last few years, exploit frameworks have exploded onto the scene as the de-facto way to accumulate many users in a short period of time. The diagram below tries to detail the basic workflow of these to improve your understanding of how you might get infected.

In this example, a user might be using Search to find information on a hot topic such as the iPhone 4S and browse to a website that is totally legitimate. The website, however, might be compromised by a hacker exploiting an outdated or vulnerable version of some package the site is leveraging — let’s use WordPress as an example. A botnet may be used to crawl Search data and popular terms to find websites running vulnerable versions of WordPress. If a blog or website is found that meets this criteria, an IFrame will be injected into the site pointing to the hacker’s exploit server. When you browse to this website, your browser loads the content of the IFrame which, in the background, creates a session to the exploit framework that will in turn try to infect you while you are on a website you assume is safe.

Then, the exploit server, or ‘framework’ in this case, looks for out-of-date versions of popular third party applications such as Adobe Acrobat, Adobe Flash, Quicktime, Media Player, Java (JRE), Webex and a myriad of other applications that may be running on your machine. Third party applications are now a massive vector for attack — in my opinion, bigger than Windows operating system exploits.

How do companies protect against this?

The first step is ensuring that all systems are patched — not just Windows and Office applications updates, but also the auxiliary apps that run on your desktops and laptops. IT departments need to perform regular and rigorous patching.

But that’s not all. Cases exist where a patch does not exist for a particular vulnerability. To circumvent this, IT admins should implement a layered defense system where protection is running on the desktop and layered defenses on the gateway to filter these attacks. Additional monitoring to correlate network forensics into our array of tools to detect these exploits and attacks is also a good idea.

As an employee, the important thing to remember is to be vigilant and report anything suspicious to your IT department. The more disciplined you are on what to look for in a scam, the less potential there is for a company-wide breach of security.

Please stay tuned for part two of this awareness series: email-borne threats.

Modified Websites Pushing Trojans On the Rise

By Andrew Brandt

Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to FurlAdd to Newsvine

For the past couple of weeks, owners of Web sites have been hit with a wave of attacks that surreptitiously infect unsuspecting visitors with a wide variety of malware types. The first wave inflicted rogue antivirus on unlucky victims, but late last week victims who visited infectious sites were redirected into a drive-by download site that pushes clickers onto a vulnerable visitor’s computer.

The affected web sites have been modified to add malicious, obfuscated Javascript code to the footer of each page. Some Web hosts are trying to notify customers or fix the problems. At first, the problem affected sites that run the open-source WordPress publishing system, but the attack has broadened into non-Wordpress (and non-blog) Web sites. The gobbledygook Javascript opens an iframe hosted from a different Web site, and the code that loads inside that iframe redirects the victim’s browser to yet another site, which loads the infection and executes it.

I’m going to name (domain) names in this post, so please, for your own sake, use this information only to block the domains at your gateway or in your Hosts file — don’t go visiting them just to see what happens. I guarantee you won’t like what happens.

In the earlier attacks that began the week of April 5th, the malicious script directed victims to a page hosting the Eleonor exploit kit; The kit uses several well-worn methods to try to push executable malware (typically the Tacticlol downloader, which malware distributors have been using of late to push down rogue antivirus programs) at susceptible browsers, or computers running vulnerable versions of Adobe Acrobat or the Java Runtime Engine.

Those attacks originated from several domains, including,, and — all of which are hosted on the same IP address in Turkey, and are still live and hosting the exploit page.

But last week the script began directing users into a page on the domain name, a site which, despite its name, has nothing at all to do with the giant portal. That page, which loads in an iframe, opens other malicious sites which push the infection.

The list of affected sites is global, including a newspaper in Florida; the English-language page of a government’s Ministry of Women’s Affairs Web site; the Web site of a Spanish lawyer’s association; and a car dealership Web site in Indonesia. And as of today, visitors to this growing list of Web sites are still getting hit with Trojans.

Continue reading