Dancho Danchev's Blog - Mind Streams of Information Security Knowledge

Summarizing Webroot's Threat Blog Posts for April

noreply@blogger.com (Dancho Danchev) — Wed, 01 May 2013 05:32:59 PDT

The following is a brief summary of all of my posts at Webroot's Threat Blog for April, 2013. You can subscribe to Webroot's Threat Blog RSS Feed, or follow me on Twitter: 01. DIY Java-based RAT (Remote Access Tool) spotted in the wild02. Spamvertised ‘Re: Changelog as promised’ themed emails lead to malware03. Cybercrime-friendly service offers access to tens of thousands of compromised

What's the ROI on Going to a Virtual Blackhat SEO School?

noreply@blogger.com (Dancho Danchev) — Wed, 17 Apr 2013 14:46:36 PDT

For years, fraudulent or purely malicious actors have been abusing the online advertising market, by directly hijacking and redirecting the revenue flow, or by successfully and efficiently hijacking as much percentage of legitimate search traffic as possible, and monetizing it through the use of blackhat SEO (search engine optimization) tactics/shady affiliate networks. Monetizing the very

Historical OSINT - The "BadB International" Cybercrime Enterprise

noreply@blogger.com (Dancho Danchev) — Wed, 10 Apr 2013 12:53:30 PDT

BadB is the nickname of Vladislav Anatolievich Horohorin, a high profile carder, who eventually got busted in France in 2010. This month, he was sentenced to serve 88 months in prison, ordered to pay $125,739 in restitution, and sentenced to two years of supervised release. In the wake of these events, I decided to release some raw OSINT data regarding BadB's official Web site, hxxp://

Summarizing Webroot's Threat Blog Posts for March

noreply@blogger.com (Dancho Danchev) — Mon, 01 Apr 2013 12:37:21 PDT

The following is a brief summary of all of my posts at Webroot's Threat Blog for March, 2013. You can subscribe to Webroot's Threat Blog RSS Feed, or follow me on Twitter: 01. New DIY IRC-based DDoS bot spotted in the wild 02. Cybercriminals release new Java exploits centered exploit kit 03. Segmented Russian “spam leads” offered for sale 04. New DIY hacked email account content grabbing

Dissecting NBC's Late Night with Jimmy Fallon Web Site Compromise

noreply@blogger.com (Dancho Danchev) — Wed, 06 Mar 2013 14:52:11 PST

Oops, they did it again! The official Web site (hxxp://www.latenightwithjimmyfallon.com) of NBC's Late Night With Jimmy Fallon is currently compromised/hacked and is automatically serving multiple Java exploits to its visitors through a tiny iFrame element embedded on the front page. According to Google's Safe Browsing Diagnostic page, the same malicious iFrame domain that affected the Web

Summarizing Webroot's Threat Blog Posts for February

noreply@blogger.com (Dancho Danchev) — Mon, 04 Mar 2013 05:31:56 PST

The following is a brief summary of all of my posts at Webroot's Threat Blog for February, 2013. You can subscribe to Webroot's Threat Blog RSS Feed, or follow me on Twitter: 01. Fake Booking.com ‘Credit Card was not Accepted’ themed emails lead to malware 02. Fake FedEx ‘Tracking ID/Tracking Number/Tracking Detail’ themed emails lead to malware 03. ‘Your Kindle e-book Amazon receipt’

Dissecting NBC's Exploits and Malware Serving Web Site Compromise

noreply@blogger.com (Dancho Danchev) — Thu, 21 Feb 2013 12:03:44 PST

The web site of the National Broadcasting Company (NBC), NBC.com, is currently compromised, and is redirecting tens of thousands of legitimate users to multiple exploits serving and malware dropping malicious URLs. The campaign appears to have been launched by the same gang of cybercriminals that's also been recently involved in impersonating Facebook Inc. and Verizon Wireless, in an attempt to

Historical OSINT - Hacked Databases Offered for Sale

noreply@blogger.com (Dancho Danchev) — Tue, 05 Feb 2013 16:03:26 PST

In the wake of the recently announced security breaches at the NYTimes, WSJ, and the Washington Post, I decided to shed more light on what happens once a database gets compromised by Russian cybercriminals, compared to (supposedly) Chinese spies, with the idea to provide factual evidence that these breaches are just the tip of the iceberg. In this intelligence brief, I'll profile a service that

Summarizing Webroot's Threat Blog Posts for January

noreply@blogger.com (Dancho Danchev) — Mon, 04 Feb 2013 13:14:30 PST

The following is a brief summary of all of my posts at Webroot's Threat Blog for January, 2013. You can subscribe to Webroot's Threat Blog RSS Feed, or follow me on Twitter: 01. Spamvertised ‘Your Recent eBill from Verizon Wireless’ themed emails serve client-side exploits and malware02. Fake BBB (Better Business Bureau) Notifications lead to Black Hole Exploit Kit03. ‘Attention! Changes

Summarizing ZDNet's Zero Day Posts for January

noreply@blogger.com (Dancho Danchev) — Mon, 04 Feb 2013 12:45:01 PST

The following is a brief summary of all of my posts at ZDNet's Zero Day for January, 2013. You can subscribe to Zero Day's main feed, or follow me on Twitter: 01. Dutch security researchers dissect the Pobelka botnet02. ESPN's ScoreCenter for iOS sends passwords in clear-text, susceptible to XSS flaw03. Report: AutoRun malware infections continue topping the charts04. Comparative review:

Summarizing Webroot's Threat Blog Posts for December

noreply@blogger.com (Dancho Danchev) — Wed, 09 Jan 2013 09:34:53 PST

The following is a brief summary of all of my posts at Webroot's Threat Blog for December, 2012. You can subscribe to Webroot's Threat Blog RSS Feed, or follow me on Twitter: 01. DIY malicious domain name registering service spotted in the wild 02. Fake ‘FedEx Tracking Number’ themed emails lead to malware 03. Bogus ‘Facebook Account Cancellation Request’ themed emails serve client-side

Raw Historical OSINT - Keeping Money Mule Recruiters on a Short Leash - Part Twelve

noreply@blogger.com (Dancho Danchev) — Mon, 07 Jan 2013 12:56:40 PST

In the following (historical) intelligence brief, I'll provide you with some raw domain data of fake companies that are known to have attempted to recruit money mules over the past 2 years. The domains listed here were registered by the same gang of cybercriminals that I've been extensively profiling in previous "Keeping Money Mule Recruiters on a Short Leash" posts. Money mule recruitment

Historical OSINT - Profiling an OPSEC-Unaware Vendor of GSM/USB ATM Skimmers and Pinpads

noreply@blogger.com (Dancho Danchev) — Sat, 05 Jan 2013 11:25:48 PST

On daily basis, I profile over a dozen of newly advertised (verified) vendors of ATM skimmers, indicating that this market segment is still quite successful, thanks to the overall demand for these 'tools-of-the-trade', allowing potential cybercriminals to enter the world of ATM skimming. In this post part of the "Historical OSINT" series, I'll profile the underground market proposition of a

Dancho Danchev's Blog Most Popular Posts for 2012

noreply@blogger.com (Dancho Danchev) — Thu, 27 Dec 2012 14:26:11 PST

The time has come to reflect on this year's most popular posts, and emphasize on the key points about what made them special. Who's Behind the Koobface Botnet? - An OSINT Analysis - Indisputably, the exposing of Koobface botnet master KrotReal is this year's most popular blog post. The release of the post, and the New York Times article discussing the case, immediately resulted in the shut down

Upcoming Portfolio of Commercially Available CYBERINT Reports

noreply@blogger.com (Dancho Danchev) — Thu, 13 Dec 2012 03:41:09 PST

Valued blog readers, Over the years, you've been exposed to insightful, in-depth, "God Eye's View" of some of the most prolific, targeted, and trending cyber attacks/cybercriminal schemes, that shaped the way we fight and anticipate cybercrime campaigns throughout the years. Although the production of such publicly available and socially oriented content at this blog will continue, it's time

Summarizing Webroot's Threat Blog Posts for November

noreply@blogger.com (Dancho Danchev) — Fri, 30 Nov 2012 14:31:19 PST

The following is a brief summary of all of my posts at Webroot's Threat Blog for November, 2012. You can subscribe to my Webroot's Threat Blog RSS Feed or follow me on Twitter: 01. BofA ‘Online Banking Passcode Reset’ themed emails serve client-side exploits and malware 02. ‘ADP Immediate Notification’ themed emails lead to Black Hole Exploit Kit 03. USPS ‘Postal Notification’ themed

Summarizing ZDNet's Zero Day Posts for November

noreply@blogger.com (Dancho Danchev) — Fri, 30 Nov 2012 05:55:18 PST

The following is a brief summary of all of my posts at ZDNet's Zero Day for November, 2012. You can subscribe to Zero Day's main feed, or follow me on Twitter: 01. Opera for Mac OS X patches six security vulnerabilities 02. Cybercriminals start spamvertising Xmas themed scams and malware campaigns 03. Apple releases QuickTime 7.7.3 for Windows, patches critical security vulnerabilities 04.

Koobface Botnet Master KrotReal Back in Business, Distributes Ransomware And Promotes BHSEO Service/Product

noreply@blogger.com (Dancho Danchev) — Sun, 25 Nov 2012 18:16:59 PST

On January 09, 2012 I exposed Koobface botnet master KrotReal. On January 16, 2012, The New York Times went public with data from Facebook Inc. exposing the identities of the rest of the group. What happened? With the botnet masters still at large, and the Koobface botnet currently offline, a logical question emerges - what are these cybercriminals up to now that they're no longer involved in

Summarizing Webroot's Threat Blog Posts for October

noreply@blogger.com (Dancho Danchev) — Thu, 01 Nov 2012 17:34:36 PDT

The following is a brief summary of all of my posts at Webroot's Threat Blog for October, 2012. You can subscribe to my Webroot's Threat Blog RSS Feed or follow me on Twitter: 01. Russian cybercriminals release new DIY SMS flooder 02. Upcoming Webroot presentation on Cyber Jihad and Cyberterrorism at RSA Europe 2012 03. Recently launched E-shop sells access to hundreds of hacked PayPal

Summarizing ZDNet's Zero Day Posts for October

noreply@blogger.com (Dancho Danchev) — Thu, 01 Nov 2012 16:47:05 PDT

The following is a brief summary of all of my posts at ZDNet's Zero Day for October, 2012. You can subscribe to Zero Day's main feed, or follow me on Twitter: 01. Report: Large US bank hit by 20 different crimeware families 02. Localized Dorkbot malware variant spreading across Skype 03. Sopelka botnet drops Citadel, Feodo, and Tatanga crimeware variants 04. Adobe patches 6 critical

Dissecting 'Operation Ababil' - an OSINT Analysis - Part Two

noreply@blogger.com (Dancho Danchev) — Fri, 26 Oct 2012 06:36:47 PDT

With more crowdsourced intelligence on "Operation Ababil" published in the recent weeks, it's time to revisit the campaign's core strategy for harnessing enough bandwidth to successfully take down major U.S financial institutions. As you can remember, in Part One of the OSINT analysis for "Operation Ababil" I emphasized on the crowdsourcing campaign launched by Izz ad-Din al-Qassam a.k.a Qassam

Summarizing Webroot's Threat Blog Posts for September

noreply@blogger.com (Dancho Danchev) — Mon, 01 Oct 2012 05:18:15 PDT

The following is a brief summary of all of my posts at Webroot's Threat Blog for September, 2012. You can subscribe to my Webroot's Threat Blog RSS Feed or follow me on Twitter: 01. Spamvertised ‘Wire Transfer Confirmation’ themed emails lead to Black Hole exploit kit 02. Intuit themed ‘QuickBooks Update: Urgent’ emails lead to Black Hole exploit kit 03. Cybercriminals resume spamvertising

Summarizing Webroot's Threat Blog Posts for August

noreply@blogger.com (Dancho Danchev) — Thu, 27 Sep 2012 16:54:38 PDT

The following is a brief summary of all of my posts at Webroot's Threat Blog for August, 2012. You can subscribe to my Webroot's Threat Blog RSS Feed or follow me on Twitter: 01. Spamvertised AICPA themed emails lead to Black Hole exploit kit 02. Spamvertised ‘PayPal has sent you a bank transfer’ themed emails lead to Black Hole exploit kit 03. Ongoing spam campaign impersonates LinkedIn,

Summarizing ZDNet's Zero Day Posts for August

noreply@blogger.com (Dancho Danchev) — Thu, 27 Sep 2012 16:43:28 PDT

The following is a brief summary of all of my posts at ZDNet's Zero Day for August, 2012. You can subscribe to Zero Day's main feed, or follow me on Twitter: 01. BlackBerry users targeted with malware-serving email campaign 02. Java zero day vulnerability actively used in targeted attacks 03. Loozfon Android malware targets Japanese female users 04. Researcher reports a CSRF

Dissecting 'Operation Ababil' - an OSINT Analysis

noreply@blogger.com (Dancho Danchev) — Fri, 28 Sep 2012 06:35:09 PDT

Provoked by a questionable online video posted on YouTube, Muslims from the around the world united in an apparent opt-in botnet crowdsourcing campaign aiming to launch a DDoS (denial of service attack) against YouTube for keeping the video online, and against several major U.S banks and financial institutions. Dubbed "Operation Ababil", and operated by the Izz ad-Din al-Qassam a.k.a Qassam