The Internet threat alert status is currently normal. At present, no major epidemics or other serious incidents have been recorded by Kaspersky Lab’s monitoring service. Internet threat level: 1
Latest posting
By rating
By popularity

Join our blog

You can contribute to our blog if you have +100 points. Comment on articles and blogposts, and other users will rate your comments. You receive points for positive ratings.

Events|CeCOS VIII - Hong Kong

Kaspersky Lab Expert
Posted April 24, 08:59  GMT
Tags: Conferences, Website Hacks, Content Filtering, Malvertizing

The eighth annual Counter-eCrime Operations Summit (CeCOS VIII) was held in Hong Kong on April 8th , 9th and 10th, 2014.
The event brings together global leaders from financial services, technology, government, law enforcement, communications sectors and research centers.

Cybercrime fighters from the field examined:

- Public-source criminal tracking techniques
- Cloud and mobile malware forensics
- The latest crimeware and web-based attack schemes
- Bitcoin as a cybercrime tool
- Globalized industrial cybercrime event data sharing
- Ransomware scams menacing businesses
- Global approaches to securing the Domain Name System

CeCOS VIII was an open conference for members of the electronic-crime fighting community. The agenda is located at http://apwg.org/apwg-events/cecos2014/agenda and I had the opportunity to share recent research results on the second day of the event.


    Cyber-criminals in Brazil and the wider Latin America region almost always use social engineering tricks to launch attacks.  Sometimes, they send fake bank e-mails or e-mails from popular Internet services. The e-mail databases of the potential victims are being compiled based on the stolen e-mail addresses from the infected machines and particularly from the addresses stored in e-mail clients.

Once the e-mail addresses are compiled, the fraudsters use several external tools like PHP shells on hacked Web servers.

During my daily analysis, I found an interesting shell for mass mailing. The code shows it was developed locally in Brazil:

By editing the original PHP code, the criminal can fake the “original headers” of the messages they send.  Very interesting.

Now let’s check the original IP address of the mentioned domain:

As you see in this case, the criminals are sending fake e-mails using the identity of IG (www.ig.com.br) a very popular Internet resource in Brazil. They fake the mailer, the original IP address and even the Spam scoring. So, there is a big probability this e-mail will be delivered usefully to the victim, bypassing anti-spam filters.  Even the most experienced IT people can be tricked into believing that the message came from IG.

During analysis of the code, I discovered another interesting bit of information related to the shell. The server was hacked by a famous defacer from Brazil (name withheld during this investigation) who is quiet active and notorious around the world.   On September 7th alone,  he/she defaced 42 different domains.

In the past, we’ve seen Web defacers act with only with political motivation. That has now changed. The Web defacers are being used by the online money gangs as a part of outsourced services.
comments      Link

Research|Gumblagra and a piano

Kaspersky Lab Expert
Posted August 31, 04:01  GMT
Tags: Spam Letters, Website Hacks, Spammer techniques, Gumblar

Since the beginning of August, our Japan office has seen 900+ mails of a certain kind in their spam traps.

We noticed two common patterns in all of the mail. First, the links in these spammed messages all point to compromised servers. Also, the file names of the redirectors are all dictionary words followed by two digits. The files redirect the users to online pharmacy sites and fake watch stores. Here is a screen capture of a directory hosted on one of these online sites:

You might wonder why this caught our attention. The answer is simple: about half of these files contained links to 'gumblar.x' servers.

The upper red link points to a pharmacy site, the lower one is a gumblar.x URL.

So basically an unsuspecting (and unprotected) user who will click these links in their mail will experience a typical 'gumblar-attack' while browsing a pill catalog. The recent peak of such hybrid attacks may be a sign that the cybercriminal(s) who’ve been slowly but surely growing the Gumblar botnet worldwide, and who up until now have been keen to fly under the radar, are now starting to monetize it. The first test runs of mixed pharmacy/gumblar pages were actually identified by our experts as early as April 2010, when we noticed a few mails of this kind, with subjects like "Twitter 61-213".

On further investigation of the involved servers, it turned out that plenty of them have additional malicious code injected directly into their www root. We counted mostly gumblar.x but also some 'pegel.*' and other obfuscated code containing iframers or other redirectors.

Additionally, almost ALL of these domains contained a link to 'hxxp://nuttypiano.com/*.js' at the end of the file.

There are more than 300 different .js files in circulation on such servers, the content of these is obfuscated and similar to known 'pegel' threats. To make our researchers' task more difficult, the malicious code will only be sent once to the same IP address. However, we have managed to download several samples from the same locations and identified polymorphic-like structures.

These are redirecting to other :8080 locations, which in turn try to push more malware onto the victim's machine.

Here is a quick summary of such injected sites, sorted by country: #1 is the US, followed by FR, DE, TR and JP. Affected webmasters should consider changing their compromised ftp credentials, clean the machines which led to the leak, and investigate their server logs for more details.

Comment      Link

Incidents|Hot Fail On SexBoosters

Kaspersky Lab Expert
Posted July 08, 14:27  GMT
Tags: Website Hacks, Content Filtering, Spammer techniques

Over the last couple of days we've been noticing a few pharmacy spam mails which are a bit different. Somebody seems to have replaced the original graphical content with an alert highlighting that such messages are malicious.

So far we have counted three (ab)used image hosting services for this spam:

  1. imageshack.us
  2. imgur.com
  3. myimg.de

A quick analysis of these showed that #1 currently serves all the replaced images, #2 serves all original spammers images and #3 seems to have removed the offensive content immediately, good work!

At the moment, we don't have any further information about the source/background of the warning replacements - this gives us plenty of opportunity to use our imaginations when thinking about what's actually going on. A few of the key words and concepts we're considering are: white hats, rival spammers, compromised hosting service(s). Not an exhaustive list, but more of a launch pad for further theories and research!

comments      Link

Incidents|Spammers hacked pool

Kaspersky Lab Expert
Posted July 05, 07:12  GMT
Tags: Spam Letters, Website Hacks, Spammer techniques

In recent spam mails we have often noticed links to *.html files with random names. Another trend is that the cybercriminals do not even bother to register domains for their dirty deeds, but simply plant their malicious code on compromised hosts. "Simply?" one may ask, and sadly the answer seems to be "yes" based on our observations.

For example, we have collected some hundred mails of a certain type promoting online software shops - a small portion is shown in the animated gif image below.

All of the samples stick out by virtue of the fact that they contain colored text/links which point to compromised legitimate websites. The links also show that the locations of the files are directly on the root URLs and not in a subfolder of some vulnerable application as we usually see.

We can assume that the intruders have ‘write’ access, at least to the www root of the involved sites - a very worrying fact. We have also confirmed that in many cases not only were the abovementioned spam links stored on the victim’s servers, but additionally, malicious iframes or javascript snippets were injected into the main content of the sites.

Another sample reaching us today just confirms that the cybercriminals are not sparing with the domains they abuse, and indeed seem to have a pool of unknown quantity at their disposal. The capture below shows a spam mail where each of the 12 links in the mail body points to a unique site. All of these sites also contain malicious code in their root which we detect as 'Trojan-Clicker.JS.Agent.*'

Please do not attempt to visit these links shown if you are not sure of what you are doing.

comments      Link

Incidents|Net-integrations.net spamming Trojans

Kaspersky Lab Expert
Posted August 16, 20:58  GMT
Tags: Website Hacks

Net-integrations, a site dedicated to malware removal and especially known for its forum has fallen victim to malicious hackers.
Attackers seem to have made use of a vulnerability in the forum software used by Net-integrations to gain access to the server, although this has not yet been confirmed.
The most notable effect so far has been that the server has sent out many emails containing a link to a trojan.

It's is not the first time an anti-malware site gets compromised via the accompanied forum.
Although phpBB is often the target, this time Invision Power Board fell victim.

A spammed mail looks like this:
(Email adress slightly altered)

From: "Net-Integration Forums"
To: webmaster@net-]integration[.net
Subject: Protect Your PC !!! ( From Net-Integration Forums )

Protect Your PC !!!

Please download antivirus protection

The file, which next to a Kaspersky related filename also has a Kaspersky AV-like icon, is detected by Kaspersky Anti-Virus as Trojan-Spy.Win32.LdPinch.gen.
LdPinch is a very popular password stealing Trojan family, a generic description of it can be found here.

Several copies of this email have been sent out by the hacker to the members of the forum.

This incident once again shows that your operating system as well as all software needs to be kept uptodate and patched.
I do wonder if the attacker fellt s/he would have much success spamming a security conscious crowd.

Comment      Link