M86 Security Labs

Cybercrime Intelligence

Cybercrime Intelligence Report - (Issue 3, 2009)
In the third issue of its Cybercrime Intelligence Report for 2009, Finjan shows how cybercrooks used a combination of Trojans and money mules to rake in hundreds of thousands of Euros and to minimize detection by the anti-fraud systems used by banks. After infection, a bank Trojan was installed on the victims' machines and started communicating with its Command & Control (C&C) server for instructions. These instructions included the amount to be stolen from specific bank accounts and the money-mule accounts to which the stolen money should be transferred. The use of this anti-anti-fraud method signals a new trend in cybercrime.


Cybercrime Intelligence Report - (Issue 2, 2009)
In the second issue of its Cybercrime Intelligence Report for 2009, Finjan shows the operations of an advanced trading network and botnet where compromised PCs are bought and sold for profit. The trading platform utilizes all necessary components (buyer side, seller side, attack toolkit, and distribution via “partners”). This advanced trading platform marks a new milestone in the cybercrime evolution. Looking at the list of compromised PCs that Finjan's MCRC found, it is clear that no individual, corporate or governmental PC is safe.


Cybercrime Intelligence Report - (Issue 1, 2009)
In the first issue of its Cybercrime Intelligence Report for 2009, Finjan shows how rogueware affiliate networks use SEO techniques to distribute their rogue Anti-Virus software for profit. Typos and misspelled keywords (such as “obbama” and “liscense”) as well as trendy keywords taken from the Google Trends system were abused to show compromised websites as top search results. Subsequently, the traffic volume to the compromised websites increased significantly, luring masses of potential buyers to the rogueware offering. Members of one of the researched rogue affiliate networks were rewarded for each successful redirection, which accumulated to (illegal) earnings of $10,800 a day.


Malicious Page of the Month

Malicious Page of the Month - (October 2008)
This report provides a step-by-step example of corporate data theft by a Trojan that successfully avoided traditional passive web security solutions. It describes how a corporate user, while browsing the web for his regular business needs, got infected with a Trojan. The report outlines how the corporate PC got infected by the Trojan; what happened just after the malware was installed on that corporate PC; what the Trojan looked for on that infected PC; where the stolen corporate data was stored; and what type of stolen data was found on a remote server owned by the cybercriminal.


Malicious Page of the Month - (September 2008)
This report describes the evolution of malicious obfuscated code, including its latest phase: embedding malicious code in rich-content files such as PDF and Flash. Examples of the latter were found by Finjan's Malicious Code Research Center (MCRC) and are explained in the report. With JavaScript being the most-used scripting language for communication with web browsers, third-party applications such as Flash Player, PDF readers and other multimedia applications have added support for JavaScript as part of their application. This offers crimeware authors the opportunity to inject malicious code into rich-content files used by ads and user-generated content on Web 2.0 websites.


Malicious Page of the Month - (May 2008)
This research covers the discovery by Finjan's Malicious Code Research Center (MCRC) of 500 Mb of stolen medical, business and airline data on two hacker-controlled Crimeware servers located in Argentina and Malaysia. The data included healthcare and business related data, as well as personally identifiable information (stolen Social Security Numbers), and is part of the “premium” offering that the cybercriminals operating the Crimeservers were selling to the highest bidder online.

Finjan's Malicious Code Research Center (MCRC) analysis showed that the data detected was part of the premium offering that the cybercriminals operating the Crimeservers were selling to the highest bidder online. As in the legitimate business world, they are using price strategies for different customer groups.

Since stolen credit cards and bank accounts are being commoditized today, they are offered for low prices. In contrast, healthcare related information, single sign-on login credentials for organizations, email exchanges, Outlook accounts and FTP accounts are premium goods in the criminal economy, and can be traded for high prices.

Some of the implications of stolen medical and patient data include: illegal and/or bogus treatments; obtaining prescription drugs for the purpose of selling them; loss of health coverage for the victimized patient; inaccurate records of victimized patients, which could result in incorrect and potentially harmful treatments. Healthcare providers could also face potential HIPAA violations or breach of general data protection legislation.


Malicious Page of the Month - (April 2008)
This research covers the discovery of a server controlled by hackers (Crimeserver) containing more than 1.4 Gigabytes of business and personal data stolen from infected PCs. The data consisted of 5,388 unique log files. Both email communications and web-related data were among them. This analysis contains findings indicating that Crimeware has reached a new level of sophistication. We detected a Crimeserver which was used as a command and control for the Crimeware that was executed on infected PCs. This Crimeserver was also used as the "drop site" for private information being harvested by that Crimeware. The Command & Control applications on this Crimeserver enabled the hacker to manage the actions and performance of his Crimeware, giving him control over the uses of the Crimeware as well as its victims. Since the stolen data was left unprotected on the Crimeserver, without any access restrictions or encryption, the data was freely available to anyone on the web, including criminal elements.


Malicious Page of the Month - (February 2008)
This analysis shows the commercialization of stolen FTP server credentials of legitimate companies as well as how the deployment of ready-made Crimeware toolkits has gained momentum. It takes a close look at the latest version of one of those Crimeware toolkits - NeoSploit version 2. When examining a server hosting the latest version of this Crimeware toolkit, we also found an almost unnoticeable standalone application, especially designed to abuse and trade stolen FTP account credentials of legitimate companies around the world. More than 8,700 FTP servers' credentials of highly respected organizations and enterprises were thus stolen, including valid user names and passwords.


Malicious Page of the Month - (January 2008)
This analysis is geared towards helping our customers understand how current threats are created. It also examines the methodologies used by Crimeware authors to increase the infection rate and to evade conventional security measures. More than 10,000 websites in the US were infected in December by a new variant of a crimeware toolkit. The attack, which Finjan has designated the “random js toolkit”, is an extremely elusive crimeware Trojan that infects an end user's machine and sends data from the machine via the Internet to the Trojan's "master", a cybercriminal.


Malicious Page of the Month - (November 2007)
This analysis highlights the increased malicious activity coming out of China in recent months. While examining these types of attacks and the mechanisms involved in executing them, we will show the intricate network of connections between Chinese-based servers whose main purpose is to conduct criminal activity, and how attackers are utilizing this network as a “clearing house” for the attacks themselves.


Malicious Page of the Month - (October 2007)
This report presents examples of web attacks which can be executed very easily and stay active for a long time. This attack vector was spotted during October by Finjan's Malicious Code Research Center (MCRC) when searching for popular services under domain names with a slight change to the top-level domain. Attacks using this method typically involve a domain name that is strikingly similar in spelling to the domains of legitimate sites. Leveraging the similarity to legitimate and frequently used domain names enables these attacks to go unnoticed by webmasters and security solution providers.


Malicious Page of the Month - (September 2007)
This month we have chosen to look at another aspect of web security – domain names. Taking a note from similar malicious activities done on the internet, web attackers are employing techniques that not only exploit software bugs, but also human trust and instinct. Hosting malicious code on domains registered to look like legitimate ones (misspelled service domains) gets the malicious code more time in the wild before it gets reported and removed. This publication shows a few examples of such attacks, and the trust boundaries being exploited in order to maximize the effects of the malicious code. Once again we also show that by truly scrutinizing the actual code in real-time with complete disregard of its origin (demonstrated with the SecureBrowsing plugin), one can assess the true security of a site.


Malicious Page of the Month - (August 2007)
Code obfuscation wasn't originally developed for spreading malicious content on the web, and can be easily generated by automated utilities. This edition focuses on a successful exploitation discovered in the wild that used a legitimate code obfuscation utility. This is a frightening proof-of-concept, since crimeware authors can use free obfuscation utilities to mask their malicious code, and then test the code against a variety of online security products before releasing it, in order to verify its ability to avoid detection.


Malicious Page of the Month - When Trojans Go Phishing - (July 2007)
Finjan has identified 58 criminals using the MPack toolkit who have successfully infected over 500,000 unique users. The infection ratio stands at 16% from 3.1 million attempts – indicated by the web traffic volumes of the infecting sites. Finjan's analysis indicates that the crimeware being used within MPack steals bank account information, such as user name, password, credit card number, social security number etc., in a creative way. The crimeware is capable of stealing account information from several banks around the world without leaving any traces behind. Stolen data is being sent to the criminals over a secure communication channel (SSL) to avoid detection.


Malicious Page of the Month - (May 2007)
This installment focuses on “do-it-yourself toolkit – exploit for sale” techniques used to exploit current vulnerabilities on web-based applications. The Multi Exploit Pack v3.1 supports eight exploits, as well as using evasive technologies to minimize the malicious code's visibility. The page analyzed in this report was one of thousands discovered by the Finjan SecureBrowsing™ security browser extension, all pointing to the same source of malicious code.


Malicious Page Under Benchmark - (April 2007)
In this installment of the Malicious Page Under Benchmark, we run a known art catalogue website containing obfuscated malicious code (as detected by Finjan) through a variety of security solutions, ranging from Anti-Virus, Anti-Malware and URL Filtering solutions, to see how they cope with recent attack vectors as seen in the wild.


Malicious Page of the Month - (April 2007)
Finjan has detected malicious behavior on a major news website that was the result of a probable hacking attempt. This release of the Malicious Page of the Month inspects the attack vector, analyzes the code involved in the infection of the website's visitors, and tries to understand how URL Filtering solutions would cope with such changes on highly reputable sites that become malicious overnight.


Malicious Page Under Benchmark - (March 2007)
Finjan benchmarked a page from a long-known source of malicious code against 32 web security products, using an independent online security benchmark website. Finjan's Vital Security™ Web Appliance was the only product that managed to proactively detect and block the code without any product update or signature, illustrating the difference between real-time code inspection and other security products and technologies.


Malicious Page of the Month - (March 2007)
Malicious Page of the Month covers new techniques used to exploit the proliferation of AJAX-based web applications (a.k.a. Web 2.0).