[SecurityRatty] tag: paypal

Copycat Web Malware Exploitation Kits are Faddish

Wed, 03 Sep 2008 03:18:08 +0000

For the cheap cybercriminals not wanting to invest a couple of thousand dollars into purchasing a cutting edge web malware exploitation kit -- a pirated copy of which they would ironically obtained several moths later -- with all the related and royalty free updates coming with it, there are always the copycat malware kits like this one offered for $100.

Taking into consideration the proprietary nature of some of the kits, the business model of malware kits was mostly relying on their exclusive nature next to the number, and diversity of the exploits included in order to improve the infection rate. This simplistic assumption on behalf of the coders totally ignored the possibility of their kits leaking to the general public, or copies of the kits ending up as a bargain in particular underground deal where the once highly exclusive kit was offered as a bonus.

"Me too" web malware kits were a faddish way to enjoy the popularity of web malware kits like MPack and Icepack and try to cash in on that popularity by coming up average kits lacking any significant differentiation factors in the process. But just like the original and proprietary kits, whose authors didn't envision the long term growth strategy of integrating different services into their propositions or the kits themselves, the authors of copycat malware kits didn't bother considering the lack of long-term growth strategy for their releases. Branding in respect to releasing a Firepack malware kit to compete with Icepack which was originally released to compete with Mpack, has failed to achieve the desired results as well.

And with malware kits now a commodity, and underground vendors excelling in a particular practice with the long term objective to vertically integrate in their area of expertise -- think spammers offering localization of messages into different languages and segmented email databases from a specific country -- would we witness the emergence of managed cybercrime services charging a premium for providing fresh dumps of credit card numbers, PayPal, Ebay accounts or whatever the buyer is requesting?

That may well be the case in the long term.

Related posts:
Web Based Botnet Command and Control Kit 2.0
DIY Botnet Kit Promising Eternal Updates
Pinch Vulnerable to Remotely Exploitable Flaw
The Zeus Crimeware Kit Vulnerable to Remotely Exploitable Flaw
The Small Pack Web Malware Exploitation Kit
Crimeware in the Middle - Zeus
The Nuclear Grabber Kit
The Apophis Kit
The FirePack Exploitation Kit Localized to Chinese
MPack and IcePack Localized to Chinese
The Icepack Exploitation Kit Localized to French
The FirePack Exploitation Kit - Part Two
The FirePack Web Malware Exploitation Kit
The WebAttacker in Action
Nuclear Malware Kit
The Random JS Malware Exploitation Kit
Metaphisher Malware Kit Spotted in the Wild
The Black Sun Bot
The Cyber Bot
Google Hacking for MPacks, Zunkers and WebAttackers
The IcePack Malware Kit in Action

Banker Malware Targeting Brazilian Banks in the Wild

Mon, 18 Aug 2008 03:01:03 +0000

Despite the ongoing customerization of malware, and the malware coding for hire customer tailored services, certain malware authors still believe in the product concept, namely, they build it and wait for someone to come. In this underground proposition for a proprietary banker malware targeting primarily Brazillian bank, the author is relying on the localized value added to his malware forgetting a simply fact - that the most popular banker malware is generalizing E-banking transactions in such a way that it's successfully able to hijack the sessions of banks it hasn't originally be coded to target in general.

Banks targetted in this banker malware :
Bank Equifax
Bank Itau
Bank Check
Bank Vivo
Bank Banrisul
Tim Bank Brazil
Bank Nossa Caixa
Bank Santander Banespa
Bank Infoseg
Bank Paypal
Bank Caixa Economica Federal
Bank Bradesco
Bank Northeast
Royal Bank
Bank Itau Personnalite
Bank PagSeguro
Australia Bank
Credicard Citi Bank
Credicard Bank Itau
Rural Bank

Taking into consideration the fact that not everyone would be willing to pay a couple of thousand dollars for a banker malware kit targeting banks the customer isn't interested in at the first place, malware authors have long been tailoring their propositions on the basis of modules. Adding an additional module for stealtness increases the prices, as well as an additional module forwarding the process of updating the malware binary to the "customer support desk". Moreover, stripping the banker kit from modules in which the customer doesn't have interest, like for instance exclude all Asian banks the kit has already built-in capabilities to hijack and log transactions from, decreases its price.

In a truly globalized IT underground, Brazillian cybercriminals tend to prefer using the market leading tools courtesy of Russian malware authors, so this localized banker malware with its basic session screenshot taking capabilities and accounting data logging has a very long way to go before it starts getting embraced by the local underground.

Related posts:
The Twitter Malware Campaign Wants to Bank With You
Targeted Spamming of Bankers Malware
A Localized Bankers Malware Campaign
76Service - Cybercrime as a Service Going Mainstream
The Underground Economy's Supply of Goods and Services
The Dynamics of the Malware Industry - Proprietary Malware Tools
Using Market Forces to Disrupt Botnets
Multiple Firewalls Bypassing Verification on Demand
Managed Spamming Appliances - The Future of Spam
Localizing Cybercrime - Cultural Diversity on Demand
E-crime and Socioeconomic Factors
Malware as a Web Service
Coding Spyware and Malware for Hire
Are Stolen Credit Card Details Getting Cheaper?
Neosploit Team Leaving the IT Underground
The Zeus Crimeware Kit Vulnerable to Remotely Exploitable Flaw
Pinch Vulnerable to Remotely Exploitable Flaw
Dissecting a Managed Spamming Service
Managed "Spamming Appliances" - The Future of Spam

Trust No One?

Wed, 13 Aug 2008 10:46:48 +0000

Sorry to go all X-Files on you, but I received an EMail earlier today that really drives home how paranoid we probably all are about Phishing nowadays.

Entitled "Chris Boyd, would you be able to spot a fake email?", it was apparently from Paypal:

"Protect yourself from phishing: Paypal is working with Gmail and Yahoo! to block fake Paypal emails from your inbox. Learn how".

As it turns out, the email was legitimate - but as soon as I hear someone asking me "Can you spot a fake Email", my brain is sadly conditioned to assume the mail asking me that question is fake too.

Kind of depressing, isn't it? At any rate, it's interesting how certain words / phrases in mails will automatically set alarm bells ringing. If I'd received this email, I'd have deleted it as soon as I saw the phrase "Your download to win contest has arrived".

Download to Win Contest?? That sounds so very, very wrong, doesn't it?

Summarizing Zero Day's Posts for July

Fri, 08 Aug 2008 10:35:52 +0000

Different audience provokes different approach for communicating a particular event. In case you aren't reading ZDNet's Zero Day, where I blog next to Ryan Naraine and Nathan McFeters - join us.

Also, consider subscribing yourself to my personal RSS feed, or Zero Day's main feed in order to read all the posts. Here's a quick summary of my posts for last month :

01. Blizzard introducing two-factor authentication for WoW gamers
02. Sony PlayStation's site SQL injected, redirecting to rogue security software
03. 300 Lithuanian sites hacked by Russian hackers
04. Antivirus vendor introducing virtual keyboard for secure Ebanking
05. Gmail, Yahoo and Hotmail's CAPTCHA broken by spammers
06. Storm Worm's Independence Day campaign
07. Approximately 800 vulnerabilities discovered in antivirus products
08. $1 Million prize offered for cracking an encryption algorithm
09. U.K's most spammed person receives 44,000 spam emails daily
10. Storm Worm says the U.S have invaded Iran
11. Gmail, PayPal and Ebay embrace DomainKeys to fight phishing emails
12. Verizon, Telecom Italia, and Brasil Telecom top the botnet charts in Q2 of 2008
13. XSS worm at Justin.tv infects 2,525 profiles
14. Remote code execution through Intel CPU bugs
15. Ringleader of cybercrime group to be offered a job as cybercrime fighter
16. Spam coming from free email providers increasing
17. Kaspersky's Malaysian site hacked by Turkish hacker
18. Georgia President's web site under DDoS attack from Russian hackers
19. 75% of online banking sites found vulnerable to security design flaws
20. McAfee debunks recent vulnerabilities in AV software research, n.runs restates its position
21. Click fraud in 2nd quarter of 2008 more sophisticated, botnets to blame
22. How OpenDNS, PowerDNS and MaraDNS remained unaffected by the DNS cache poisoning vulnerability
23. DNS cache poisoning attacks exploited in the wild
24. The Neosploit cybercrime group abandons its web malware exploitation kit
25. OS fingerprinting Apple's iPhone 2.0 software - a "trivial joke"
26. HD Moore pwned with his own DNS exploit, vulnerable AT&T DNS servers to blame

Phishers Backdooring Phishing Pages to Scam One Another

Thu, 07 Aug 2008 11:01:50 +0000

There seems to be no such thing as a free phishing page these days, with phishers scamming one another at an alarming rate according to a recently published research entitled "There is No Free Phish:An Analysis of “Free” and Live Phishing Kits".

Cybercriminals attempting to scam other cybercriminals has been happening for years, with old school cases where backdoored malware tools such as crypters and binders are offered for free, or a newly released RAT whose client is in fact infected with a third-party malware. Realizing and definitely not enjoying the fact that the lowered entry barriers into cybercrime are empowering yesterday's script kiddies will malware kits that used to be utilized by a set of people who invested time and money into the process several years ago, this unethical competitive practice is only going to get more common. Backdooring phishing pages is one thing, backdooring entire web malware exploitation kits, next to the possibility to remotely exploit a competitor's command and control server is entirely another :

"Taking a more strategic approach, a cybercriminal wanting to scam another cybercriminal would backdoor a highly expensive web malware exploitation kit, then start distributing it for free, and in fact, there have been numerous cases when such kits have been distributed in such a fraudulent manner. The result is a total outsourcing of the process of coming up with ways to infect hundreds of thousands of users though client side exploits embedded or SQL injected at legitimate sites, and basically collecting the final output - the stolen E-banking data and the botnet itself."

What's to come in the long term? Why just backdoor the phishing page, when you can embedd it with a live exploit URL in an attempt to both, infect the cybercriminal about to use and obtain all of the already stolen virtual assets has has already stolen, and also, have a third-party maintain a blended attack campaign without even knowing it.

Related posts:
Phishing Campaign Spreading Across Facebook
Phishing Pages for Every Bank are a Commodity
RBN's Phishing Activities
Inside a Botnet's Phishing Activities
Large Scale MySpace Phishing Attack
Update on the MySpace Phishing Campaign
MySpace Phishers Now Targeting Facebook
MySpace Hosting MySpace Phishing Profiles
DIY Phishing Kits
DIY Phishing Kit Goes 2.0
PayPal and Ebay Phishing Domains
Average Online Time for Phishing Sites
The Phishing Ecosystem
Assessing a Rock Phish Campaign
Taking Down Phishing Sites - A Business Model?
Take this Malicious Site Down - Processing Order..
209 Host Locked
209.1 Host Locked
66.1 Host Locked
Confirm Your Gullibility
Phishers, Spammers and Malware Authors Clearly Consolidating
The Economics of Phishing

The one-time credit card that isn't

Thu, 24 Jul 2008 04:11:48 +0000

Not too long ago, I wrote about a great service provided by PayPal--the one-time credit card, Secure Card. I still use the service, and I think its a great addition to my online shopping habit. However, I found out recently that the credit card isn't exactly restricted to a single use.

The one-time credit card that isn't

Thu, 24 Jul 2008 04:11:48 +0000

Smash and Grab

Tue, 22 Jul 2008 09:27:42 +0000

Ever wondered how much damage can be caused with what is likely a few handily placed keyloggers and trojans?

Well, this is probably a good (bad?) place to start.

"Also while that was happening the person who stole my GoDaddy account also stole our paypal accounts and charged several thousand dollars to us. PayPal is working to get that money back, so far about 600.00 was retrieved but we are still waiting for news on the other funds."

Ouch....

EBay officially kills controversial PayPal-only plan in Australia

Thu, 10 Jul 2008 09:00:00 +0000

Although eBay has withdrawn its controversial PayPal-only plan in Australia, it still will require sellers to offer the payment service as an option for buyers.

Information Card Foundation

Wed, 09 Jul 2008 08:15:00 +0000

Finally there's a home on the Internet for information cards. I've been waiting for this for a long time - a place to point consumers, executives, and developers to learn more about information cards. And it's not just a Microsoft thing. Founding members include Google, PayPal, Novell, and the Liberty Alliance. While the adoption of information cards has been happening at a snail's pace, this collaboration might just change that.

And that would be very good for consumers.