Dancho Danchev's Blog - Mind Streams of Information Security Knowledge

Summarizing Webroot's Threat Blog Posts for January

noreply@blogger.com (Dancho Danchev) — Wed, 01 Feb 2012 15:07:39 PST

The following is a brief summary of all of my posts at Webroot's Threat Blog for January, 2012. You can subscribe to my Webroot's Threat Blog RSS Feed or follow me on Twitter: 01. Millions of harvested emails offered for sale 02. Email hacking for hire going mainstream 03. Mass SQL injection attack affects over 200,000 URLs 04. A peek inside the PickPocket Botnet 05. A peek inside the

Summarizing ZDNet's Zero Day Posts for January

noreply@blogger.com (Dancho Danchev) — Wed, 01 Feb 2012 14:59:36 PST

The following is a brief summary of all of my posts at ZDNet's Zero Day for January, 2012. You can subscribe to my personal RSS feed, Zero Day's main feed, or follow me on Twitter: 01. 'Most beautiful' scams proliferate on Facebook 02. Android users hit by scareware scam 03. 'Remove Facebook Timeline' themed scam circulating on Facebook 04. Fake Kim Jong-il video distributing malware 05.

Who's Behind the Koobface Botnet? - An OSINT Analysis

noreply@blogger.com (Dancho Danchev) — Tue, 17 Jan 2012 10:58:07 PST

It's full disclosure time. In this post, I will perform an OSINT analysis, exposing one of the key botnet masters behind the infamous Koobface botnet, that I have been extensively profiling and infiltrating since day one. I will include photos of the botnet master, his telephone numbers, multiple email addresses, license plate for a BMW, and directly connect him with the infrastructure -- now

Profiling a Vendor of Visa/Mastercard Plastics and Holograms

noreply@blogger.com (Dancho Danchev) — Tue, 03 Jan 2012 18:15:29 PST

What is it that cybercriminals needs once they have obtained access to stolen financial data? Next to money mules, that's empty plastic cards in which they will later on embed the stolen financial data. Let's profile a vendor of empty Visa/Mastercard plastic cards and holograms in order to gain a better picture at just how easy it is to obtain such plastic cards. Associated nickname: pizzA

Summarizing ZDNet's Zero Day Posts for December

noreply@blogger.com (Dancho Danchev) — Sun, 01 Jan 2012 11:31:22 PST

The following is a brief summary of all of my posts at ZDNet's Zero Day for December. You can subscribe to my personal RSS feed, Zero Day's main feed, or follow me on Twitter: 01. New study claims that Chrome is the most secure browser 02. FTC issues refunds to scareware victims 03. Yahoo! Mail introduces two factor authentication 04. Web malware exploitation kits updated with new Java

Summarizing ZDNet's Zero Day Posts for November

noreply@blogger.com (Dancho Danchev) — Sun, 01 Jan 2012 11:27:54 PST

The following is a brief summary of all of my posts at ZDNet's Zero Day for November. You can subscribe to my personal RSS feed, Zero Day's main feed, or follow me on Twitter: 01. Massive DNS poisoning attack in Brazil serving exploits and malware 02. South Korea to block port 25 as anti-spam countermeasure 03. Researchers spot malware using a stolen government certificate 04. SCADA

Summarizing ZDNet's Zero Day Posts for October

noreply@blogger.com (Dancho Danchev) — Sun, 04 Dec 2011 11:15:03 PST

The following is a brief summary of all of my posts at ZDNet's Zero Day for October. You can subscribe to my personal RSS feed, Zero Day's main feed, or follow me on Twitter: 01. iPhone 5 themed emails serve Windows malware 02. 27 of 100 tested Chrome extensions contain 51 vulnerabilities 03. 37 percent of users browsing the Web with insecure Java versions 04. Google introduces

Exposing the Market for Stolen Credit Cards Data

noreply@blogger.com (Dancho Danchev) — Mon, 31 Oct 2011 06:59:03 PDT

What's the average price for a stolen credit card? How are prices shaped within the cybercrime ecosystem? Can we talk about price discrimination within the underground marketplace? Just how easy is to purchase stolen credit cards known as dumps or full dumps, nowadays? In this intelligence brief, I will expose the market for stolen credit cards data, by profiling 20 currently active and

Dissecting the Ongoing Mass SQL Injection Attack

noreply@blogger.com (Dancho Danchev) — Fri, 21 Oct 2011 14:51:33 PDT

The ongoing mass SQL injection attack, has already affected over a million web sites. Cybercriminals performing active search engines reconnaissance have managed to inject a malicious script into ASP ASP.NET websites. From client-side exploits to bogus Adobe Flash players, the campaign is active and ongoing. In this intelligence brief, we'll dissect the campaign and establish a direct

Spamvertised IRS-themed "Last Notice" Emails Serving Malware

noreply@blogger.com (Dancho Danchev) — Tue, 18 Oct 2011 12:45:13 PDT

Cybercriminals are once again impersonating the Internal Revenue Service (IRS) for malware-serving purposes. In this intelligence brief, we'll dissect the malware campaign. Spamvertised attachment: IRS_Calculations_#ID6749.zipSpamvertised message: Notice, There are arrears reckoned on your account over a period of 2010-2011 year. You will find all calculations according to your financial debt

Spamvertised "IRS notice" Serving Malware

noreply@blogger.com (Dancho Danchev) — Sun, 09 Oct 2011 10:55:40 PDT

Cybercriminals are spamvertising yet another malware-serving campaign. Impersonating the IRS, malicious attackers are attempting to entice end users into downloading and executing a malicious file attachment. Spamvertised message: Tax notice, There are arrears reckoned on your account over a period of 2010-2011 year. You will find all calculations according to your financial debt, enclosed.

Spamvertised "NACHA security nitification" Serving Malware - Historical OSINT

noreply@blogger.com (Dancho Danchev) — Tue, 04 Oct 2011 07:55:33 PDT

The following intelligence brief will offer historical OSINT on the "NACHA security nitification" -- the typo is intentionally left as this is how the original campaign was spamvertised -- malware campaign. Spamvertised body: Dear Valued Client,We strongly believe that your account may have been compromised. Due to this, we cancelled the last ACH transactions:-(ID: 13104924)-(ID: 04804768)-(

Summarizing ZDNet's Zero Day Posts for September

noreply@blogger.com (Dancho Danchev) — Tue, 04 Oct 2011 05:37:07 PDT

The following is a brief summary of all of my posts at ZDNet's Zero Day for September. You can subscribe to my personal RSS feed, Zero Day's main feed, or follow me on Twitter: 01. Spamvertised 'Facebook notification' leads to exploits and malware 02. Google, Mozilla and Microsoft ban the DigiNotar Certificate Authority in their browsers 03. Microsoft themed ransomware variant

Spamvertised 'Uniform Traffic Ticket' and 'FDIC Notifications' Serving Malware - Historical OSINT

noreply@blogger.com (Dancho Danchev) — Wed, 28 Sep 2011 05:43:48 PDT

The following intelligence brief will summarize the findings from a brief analysis performed on two malware campaigns from August, namely, the spamvertised Uniform Traffic Tickets and the FDIC Notification. _Uniform Traffic Tickets Spamvertised attachments - Ticket-728-2011.zip; Ticket-064-211.zip; Ticket-728-2011.zip Detection rates: Ticket.exe - Gen:Trojan.Heur.FU.bqW@aK9ebrii - Detection

Summarizing ZDNet's Zero Day Posts for August

noreply@blogger.com (Dancho Danchev) — Tue, 27 Sep 2011 10:13:08 PDT

The following is a brief summary of all of my posts at ZDNet's Zero Day for August. You can subscribe to my personal RSS feed, Zero Day's main feed, or follow me on Twitter: 01. Study: Rootkits target pirated copies of Windows XP 02. 56 percent of enterprise users using vulnerable Adobe Reader plugins 03. New malware attack circulating on Facebook 04. Kaspersky: 12 different

Summarizing 3 Years of Research Into Cyber Jihad

noreply@blogger.com (Dancho Danchev) — Sun, 11 Sep 2011 04:34:34 PDT

On this very special day, I'd like to honor the fallen by summarizing my research into cyber jihad, a topic I'm still highly passionate about. Enjoy and share it with your social circle! Tracking Down Internet Terrorist Propaganda Arabic Extremist Group Forum Messages' Characteristics Cyber Terrorism Communications and Propaganda A Cost-Benefit Analysis of Cyber Terrorism Current State of

Keeping Money Mule Recruiters on a Short Leash - Part Eleven

noreply@blogger.com (Dancho Danchev) — Mon, 29 Aug 2011 06:51:42 PDT

The following intelligence brief is part of the Keeping Money Mule Recruiters on a Short Leash series. In it, I'll expose currently active money mule recruitment domains, their domain registration details, currently responding IPs, and related ASs. Money mule recruitment domains: ACWOODE-GROUP.COM - 78.46.105.205 - Email: admin@acwoode-group.com ACWOODE-GROUP.NET - 78.46.105.205 -

A Peek Inside Web Malware Exploitation Kits

noreply@blogger.com (Dancho Danchev) — Mon, 29 Aug 2011 04:30:53 PDT

With web malware exploitation kits, continuing to represent the attack method of choice for the majority of cybercriminals thanks to the overall susceptibility of end and enterprise users to client-side exploitation attacks, it's always worth taking a peek inside them from the perspective of the malicious attacker. In this post, we'll take a peek inside three web malware exploitation kits, and

Summarizing ZDNet's Zero Day Posts for July

noreply@blogger.com (Dancho Danchev) — Mon, 22 Aug 2011 09:06:22 PDT

The following is a brief summary of all of my posts at ZDNet's Zero Day for July. You can subscribe to my personal RSS feed, Zero Day's main feed, or follow me on Twitter: 01.'Leaked Video of Casey Anthony CONFESSING to Lawyer!' scam spreading on Facebook 02. Anonymous leaks 90,000+ emails from compromised military contractor Booz Allen Hamilton 03. 'This girl must be Out of

Keeping Money Mule Recruiters on a Short Leash - Part Ten

noreply@blogger.com (Dancho Danchev) — Thu, 07 Jul 2011 04:25:57 PDT

The following intelligence brief is part of the Keeping Money Mule Recruiters on a Short Leash series. In it, I'll expose currently active money mule recruitment domains, their domain registration details, currently responding IPs, and related ASs. Currently active money mule recruitment domains: ACWOODE-GROUP.COM - 184.168.64.173 - Email: admin@acwoode-group.com ACWOODE-GROUP.NET -

Summarizing ZDNet's Zero Day Posts for June

noreply@blogger.com (Dancho Danchev) — Thu, 07 Jul 2011 03:29:13 PDT

The following is a brief summary of all of my posts at ZDNet's Zero Day for June. You can subscribe to my personal RSS feed, Zero Day's main feed, or follow me on Twitter: 01. 'Hot Lesbian Video - Rihanna and Hayden Panettiere' scam on Facebook leads to Mac malware 02. Sony Europe hacked by Lebanese grey hat hacker 03. Spamvertised United Parcel Service emails lead to scareware 04

Summarizing ZDNet's Zero Day Posts for May

noreply@blogger.com (Dancho Danchev) — Wed, 08 Jun 2011 07:29:47 PDT

The following is a brief summary of all of my posts at ZDNet's Zero Day for May. You can subscribe to my personal RSS feed, Zero Day's main feed, or follow me on Twitter: Recommended reading: China's Blue Army: When nations harness hacktivists for information warfare 01. Vishing attack on Skype pushing scareware 02. Commtouch: 71 percent increase in new zombies 03. Osama execution

Keeping Money Mule Recruiters on a Short Leash - Part Nine

noreply@blogger.com (Dancho Danchev) — Mon, 30 May 2011 03:09:24 PDT

The following brief summarizes currently active money mule recruitment web sites, actively recruiting money mules for the processing of fraudulently obtained funds. Currently active sites residing within AS42708, PORTLANE Network www.portlane.com; AS29713, INTERPLEXINC Interplex LLC; AS38913, Enter-Net-Team-AS; AS24940, HETZNER-AS Hetzner Online: ATLANTALTD-UK.CC - 193.105.134.233

A Peek Inside the Vertex Net Loader

noreply@blogger.com (Dancho Danchev) — Thu, 26 May 2011 07:35:32 PDT

It appears that the author of the of the DarkComet RAT has been keeping himself rather busy. In early-stage development (currently in BETA), the Vertex Net Loader is your typical web-based command and control malware loader, worth keeping an eye on. More details: Info on the loader: This is the small program that will send/retrieve info from/to the web panel , it is like the server part of a

Keeping Money Mule Recruiters on a Short Leash - Part Eight - Historical OSINT

noreply@blogger.com (Dancho Danchev) — Wed, 25 May 2011 04:18:16 PDT

With money mule recruitment scams continuing to represent an inseparable part of the cybercrime ecosystem, in this post I'll summarize the findings from an assessment I conducted on currently active mule recruitment scams over a month ago. As always, the historical OSINT offered is invaluable in case-building practices in particular a very well segmented group of mule recruiters using identical