Incidents |New threat: Trojan-SMS.AndroidOS.Stealer.a

Victor Chebyshev
Kaspersky Lab Expert
Posted April 17, 09:00  GMT
Tags: Mobile Malware, Malware Descriptions

The situation surrounding attempted mobile malware infections is constantly changing, and I’d like to write about one recent trend. Over the last year, Trojan-SMS.AndroidOS.Stealer.a, a mobile Trojan, has become a leader in terms of the number of attempted infections on KL user devices, and now continually occupies the leading positions among active threats. For example, in Q1 2014 it accounted for almost a quarter of all detected attacks.

Geographic distribution

This SMS Trojan has actively been pushed by cybercriminals in Russia, and there have also been continual attempts to attack users in Europe and Asia. Infections with this Trojan have occurred virtually everywhere across the globe:

Incidents |Mystery shopper: Beware of Frauds

Tatiana Kulikova
Kaspersky Lab Expert
Posted March 05, 13:57  GMT
Tags: Spam Letters, Fraud

Offers to work as a mystery shopper are a common trick used by fraudsters. They give you a chance to work in your free time, and if you agree, they send you a fake check with a huge sum of money, which is supposed to compensate for the costs of goods and research. Any remaining money left over after the work is returned to the fraudsters. When the bank annuls the check as a fake, the secret shopper is left out of pocket.

But as users become more aware of online dangers, scammers have had to resort to various types of tricks to achieve their goals, such as disguising scammer mailings as a mailing from a large company specializing in working with secret shoppers. The message, sent on behalf of Mystery Shopper Inc., prompted the user to look at a description of the vacancy, but the attached link led to another resource that also specializes in this type of market research.

The real address of the scammer’s page was revealed after clicking the attached link. Obviously, it had nothing to do with Mystery Shopper Inc. official resources.


Incidents |Tor hidden services – a safe haven for cybercriminals

Sergey Lozhkin
Kaspersky Lab Expert
Posted March 05, 11:00  GMT
Tags: TOR, Darknet, Malware, Bitcoin

Over the last few months I have been closely monitoring so-called Darknet resources, mostly the Tor network. And one thing that is immediately obvious is that the cybercriminal element is growing. Although the Tor infrastructure and cybercriminal resources are not on the same scale as the conventional Internet, we managed to find approximately 900 hidden services online at the current time. There are also approximately 5,500 nodes in total and 1,000 exit nodes, but the possibility of creating an anonymous and abuse-free underground forum, market or malware C&C server is attracting more and more criminals to the Tor network.


Cybercriminals have started actively using Tor to host malicious infrastructure. We found Zeus with Tor capabilities, then we detected ChewBacca and finally we analyzed the first Tor Trojan for Android. A quick look at Tor network resources reveals lots of resources dedicated to malware – C&C servers, admin panels, etc.

Hosting C&C servers in Tor makes them harder to identify, blacklist or eliminate.

Cythosia botnet webpanel

Incidents |A ‘gift’ for Apple’s valued customers

Tatyana Shcherbakova
Posted March 05, 09:14  GMT
Tags: Spam Letters, Apple, Phishing

In January we detected a phishing mailing that was sent on behalf of Apple. The messages contained an offer to purchase a card giving a discount of 150 euros in any European AppStore for only 9 euros. The senders also underlined that only valued customers were eligible to receive the card.

To place an order for the card, Apple fans had to open an attached HTML page and fill in all the fields, such as information about the user’s bank card, including the three-digit security code stated on the reverse of the card.

In exchange, the scammers promised to send a discount card via email within 24 hours. But evidently it was just another scam to trick users. The fraudsters also used the Apple logo and automated subscriptions at the end of the message to confuse victims.


The scammers didn’t just target logins and passwords for personal accounts but also users’ banking information, and in order to achieve their goal they are willing to promise anything. Inexperienced users may find it difficult to see through the fraud, but requests for confidential bank information or data that gives access to personal accounts are a clear sign of a phishing scam.   

No doubt it's been a crazy week for anyone even remotely interested in Bitcoin. Mt. Gox, once the largest Bitcoin marketplace out there, has shut down, putting a bitter end to an almost month-long situation in which all withdrawals were halted because of technical issues.

Mt. Gox BTC price evolution in February 2014, source: Clark Moody

As customers were unable to move their funds out from Mt. Gox, the world's most famous exchange essentially became isolated from the rest of the Bitcoin ecosystem, making the Bitcoin price traded on Mt. Gox plummet to as low as $100 for 1 BTC before the exchange went completely offline.

In our forecast for 2014, we've stated that attacks on Bitcoin, specifically attacks on Bitcoin pools, exchanges and Bitcoin users will become one of the most high-profile topics of the year. These attacks will be especially popular with the fraudsters as their cost-to-income ratio is very favorable.

While the Mt. Gox incident might be the most significant in Bitcoin history to-date, as it is rumored to be worth 744,408 Bitcoins, or more than $300 million at current BTC prices, the only question that remains unanswered is what actually caused it.

Incidents |The ‘Nigerian’ vow: our promises – your money

Tatiana Kulikova
Kaspersky Lab Expert
Posted February 26, 10:18  GMT
Tags: Spam Letters, Nigerian Spam

The tales spun by Nigerian scammers often amaze with their ability to exploit and adapt the same type of scam to a whole variety of situations. Most of these situations are tragic, either related to someone’s death or political turmoil. That’s why an attempt to give away one’s money (or a huge part of it) as a vow to God may well come as a complete surprise.

The vow was given by an engineer who had decided to give away tens of thousands of dollars to a randomly chosen user from the Internet. According to his story, he signed a very lucrative contract in Australia, but after finishing his part of the contract, his work wasn’t paid. The desperate engineer swore to God to give away $250,000 to some random person if he received his money. Of course, the story had a happy ending and recently, the Australian government agreed to pay up. And now the happy engineer has to fulfill his vow and is ready to give $250,000 to the lucky recipient.


Although Google confirms the existence of Mr. Brady’s company, the promise of a large sum of money shouldn’t be taken too seriously. Suspicions should immediately be raised by the fact that a private businessman is writing from an address with the domain fbi.gov.

We hope that nobody ends up responding and paying for Mr. Brady’s holy vow. After all, a happy end for the scammers often spells tragedy for the victims.

Incidents |Are you sure you want to unsubscribe from our mailings?

Maria Vergelis
Kaspersky Lab Expert
Posted February 26, 10:15  GMT
Tags: Social Engineering, Spammer techniques

Spammers are relentless in their attempts to bypass anti-spam filters and confuse recipients of spam. Recently we detected a mass mailing disguised as an automated reply to a request to unsubscribe from a news blog. The authors noted their regret at losing one of their subscribers and asked if the user really wanted to unsubscribe.


Phrases like “We regret your decision to unsubscribe” do indeed appear in responses sent following requests to unsubscribe. However, there followed some unusual text in which the senders also regretfully informed the recipient that they had also unsubscribed him from other information mailings on subjects such as:

  • Driving licenses without medical certificates
  • Bankruptcy procedures for legal entities
  • Bank licenses
  • Setting up businesses abroad
  • Real estate with a 50% discount

These are typical spam topics which, in this case, were disguised as information blocks. Why were the messages so suspicious? Because the senders didn’t even mention the name of the blog, site or journal from which the user was supposed to have unsubscribed.

The name of the unsubscribed service wasn’t in the sender’s domain name either – the address contained only one phrase that translates as “driving license right now” (spammers frequently use words related to the topic of the message in new domains), and the messages were sent in the month the domain was created. There were no links to prolong the subscription. It looks like the spammers thought that any interested users would reply to the message and receive a whole variety of spam mailings related to the chosen topic.

An even more insolent mailing stated that for a certain amount of money the spammers would tell the recipient how they found out his/her email address and why the mail box was full of spam messages. The information cost just $3.50. In order to pay for the information, the user had to click a link at the end of the message.


The link led to the site called End of Spam where the user could view a full pricelist. For instance, the user could remove his/her email address from spam mailing lists for a $1.50 payment via PayPal. Information on how the spammers found out about the user’s email address cost $3.50. The fraudsters reminded the user to state their email address so that they “know which email address to unsubscribe”.


All of the links led to a PayPal page with a set payment document. If the user was already authorized in the PayPal system, he/she simply had to press the button “Buy Now” and transfer his/her money to goodness knows where.

Of course, this is unlikely to halt the spam mailings – it’s hard to believe that the senders know all the spammers in the world and can stop their mailings at the request of a user. Besides, after the money transfer, the stream of unsolicited correspondence may even increase after the address is confirmed as being valid and the user’s naivety is noted. In the worst case scenario, the user’s personal data from the money transfer payment could be used.

Incidents |The first Tor Trojan for Android

Roman Unuchek
Kaspersky Lab Expert
Posted February 25, 10:00  GMT
Tags: Mobile Malware, Google Android

Virus writers of Android Trojans have traditionally used Windows malware functionality as a template. Now, yet another technique from Windows Trojans has been implemented in malware for Android: for the first time we have detected an Android Trojan that uses a domain in the .onion pseudo zone as a C&C. The Trojan uses the anonymous Tor network built on a network of proxy servers. As well as providing users with anonymity, Tor makes it possible to display ‘anonymous’ sites in the .onion domain zone that can only be accessed in Tor.


Incidents |Virtual bitcoins vs hard cash

Tatiana Kulikova
Kaspersky Lab Expert
Posted February 20, 12:45  GMT
Tags: Spam Letters, Thematic Spam, Bitcoin

The festive season with its gifts, decorations and costumes can easily put a dent in your finances. No wonder then that after the holidays spam started appearing with suggestions on how to make some money. And increasingly spammers are using bitcoins – a cryptocurrency – as the bait. For instance, bitcoins can be earned in return for access to the computing power of a device. There are plenty of stories about millionaires who have made a fortune with the help of this currency, and spammers have been quick to exploit its current popularity.

Recently, bitcoin’s exchange rate has been steadily increasing (at the time of writing 1 bitcoin is worth $623), making it a rather attractive proposition.

Spammers are exploiting the popularity of the currency in different ways. One of the mailings offered to share the secret of a millionaire who made his fortune with bitcoins. The message stated that with the help of this secret, the recipient could make $1500 per day without even buying any bitcoins.


The link in the message led to a web page that contained promises of great wealth. In order to receive the software required for this type of income, the user had to enter his/her e-mail address.


2014 sees two huge sporting events taking place: the football World Cup in Brazil and the Winter Olympic Games in Sochi. In November we mentioned a mailing exploiting the World Cup – the fraudsters disguising their scam as a lottery. In January the number of these kinds of mailings increased. The stories used in the messages were identical: the user was informed that he/she had been chosen from among millions of other users as the winner of a lottery with a huge prize. In order to claim the money, the user had to contact the organizers using the addresses and phone numbers provided.

The body of the message was either empty or contained just one phrase: “See the attachment for information” or “Open the attachment”. The content of the attached file changed from message to message, as did the file format – JPEG, PDF or DOC. The file contained information about the alleged prize and also had references to FIFA and the World Cup. The scammers even went to the trouble of including official logos and pictures from the ceremony when Brazil was awarded the World Cup.