17 May Malicious PACs and Bitcoins Fabio Assolini
22 Dec Lab Matters - Brazil Banks in the Malware Glare Ryan Naraine
28 Jun Gold rush Aleks
27 Oct Lab Matters: An inside look at mobile malware threats Ryan Naraine
07 Sep Are you $9.95 out of pocket? Roel
Join our blog
You can contribute to our blog if you have +100 points. Comment on articles and blogposts, and other users will rate your comments. You receive points for positive ratings.
Now cybercriminals from Brazil are also interested in Bitcoin currency. In order to join the horde of phishers on the lookout for the virtual currency they have applied their best malicious technique: malicious PAC on web attacks, and phishing domains.
The malicious usage of PAC (Proxy Auto-Config) among Brazilian black hats is not something new – we’ve known about it since 2007. Generally, these kind of malicious scripts are used to redirect the victim’s connection to a phishing page of banks, credit cards and so on. We described these attacks in detail here. In 2012 a Russian Trojan banker called Capper also started using the same technique. When it’s used in drive-by-download attacks, it becomes very effective.
After registering the domain java7update.com, Brazilian criminals started attacking several websites, inserting a malicious iframe in some compromised pages:
Fabio Assolini talks about the explosion of banker Trojans in Brazil and explains why it is so difficult to fight back against cyber-crime in the Latin American region.
We decided to see how successful our nameless ‘miner’ was, and ended up getting a bit of a surprise.
In this latest installment of the Lab Matters webcast, senior malware analyst Denis Maslennikov provides an inside look at the mobile threat landscape.
Maslennikov discusses the recent surge in SMS trojans targeting the Android platform, the use of search engine optimization techniques to spread mobile malware and the financial incentives involved.
He also talks about how attacks differ between mobile platforms and offer some startling predictions about what we'll see in the coming years.
Last Friday, we came across an interesting site: a message board where stolen credit card numbers have been published since August 2005. The site included over 300 credit card numbers and additional information. On Friday more than 60 numbers were posted, showing that the site is definitely active.
It was clear that the information came from a variety of sources - the entries varied from basic (card number, three digit pin code, validity, name and address of the owner) to comprehensive (all the data above, plus phone number, email address, ATM pin code and account details).
Having looked at the site, we decided to call one of the victims to check that the information was authentic. Once he got over his surprise, he confirmed that the details we'd found were his. And that was the start of our telephonic odyssey.
15.30 - Telephoned the Bundeskriminalamt (German Federal Office of Criminal Investigation)
We were given the names of three people to talk to. After a few unsuccessful attempts to get through, it turned out that these three people were either on holiday, or had already gone home. We were finally told to send an email to firstname.lastname@example.org.
16.00 - Telephoned the Landeskriminalamt (German State Office of Criminal Investigation)
Our last phone call made it seem pretty likely that no-one would read our email (let alone do anything with it) before Monday. So we decided to call the local branch of the criminal investigation office - unfortunately, with the same lack of success. The result: we sent another email.
16.15 Telephoned the credit card companies
The situation wasn’t any better when we called Visa and Mastercard - we couldn’t get through to anybody. As a last resort, we called the customer emergency number:
"We’re calling from Kaspersky Lab, an IT security company; we've found a website which has hundreds of your customers' credit card numbers on. Could you please tell us who in your company we should contact?"
“Er - could you please give me your credit card number, Sir?”
In order not to waste any more time, we got our US local office involved. They contacted the credit card companies and the FBI. Meanwhile, our Russian office started the process of getting the website taken down.
So everything’s been set in motion, but the whole thing still makes me a bit uneasy. If you lose your credit card, you’re obliged to inform the card issuer asap. And credit card companies do provide emergency numbers to make this easier. But the story above shows that if, like us, you come across more than 300 stolen numbers, it's going to be a bit more difficult. Yes, all of this happened on Friday afternoon, but criminals don’t take weekends off!
We’ll see how everything develops over the next couple of days and keep you posted. We'll also be publishing a short article about this case, with further details, in the very near future.
Next to the more or less daily scams mentioned in the previous post, we're seeing a resurgence in another scamming tactic.
Over the last couple of weeks more people are reporting charges of $9.95 to their credit cards - for no reason whatsoever.
About a year ago we saw a similar trend and now it has been picked up again.
The scammers hope that because the amount of money is so small, the charge will go unnoticed. They're also using names which closely resemble real company names to make the charges look (at first glance) more legitimate.
So be sure to check your accounts for odd charges on a regular basis.