This new year, expect crimeware like toolkits and exploit kits to be improved and continue their money-making streak.

As profit remains the main driver of these threats, cybercriminals will continue to implement new features to increase profit and new countermeasures to protect their investment by keeping security researchers in the dark. So far, the following notorious crimeware underwent some noteworthy changes.

ZeuS. Though last updated around more than 2 years ago, ZeuS remains popular among cybecriminals due to its reliability. Because it was coded well, cybercriminals continue to earn money from this toolkit and evade law enforcement.

Spyeye. Initially deemed as ZeuS’ rival, SpyEye’s creator Gribodemon offered the toolkit as an alternative while providing support to existing ZeuS customers. Since its debut in 2009, it underwent several improvements until its creator disappeared sometime in 2010.

Citadel and Ice IX. Both are considered by-products of ZeuS, however each of these toolkits present certain improvements. Citadel contains more user-friendly control panel, while Ice IX is supposedly protected against trackers.

Blackhole exploit kits. Known to distribute malware by exploiting known software vulnerabilities, the stealthier version of Blackhole Exploit Kit was recently released. To avoid detection, its creator Paunch does not directly provide the kit, but instead installed in a web server somewhere that is connected to a database for logging and reporting.

Read the rest of this entry »

We’ve been hearing much about how Africa is rapidly catching up with the rest of the world in terms of the Internet. More and more Africa-based users are now connecting to the Internet, giving them a great resource for information and an easier means for communication. Unfortunately, as more users in Africa become connected to the Internet, they become just as susceptible as the rest of the world to online threats.

In our recently released forecasts for 2013, Raimund mentioned how Africa will become the new haven for cybercriminals. I have done some research on Africa (which I will release soon), and I very much agree with that forecast. Here are three reasons why:

1. Great Internet availability and fast connections
   The Internet infrastructure in Africa, supported by undersea cables, is very well developed. As of now, the different ISPs in Africa are able to offer a variety of connection to their customers such as 3G, 4G LTE, dial-up, DSL, fiber and even satellite connection. The availability of such a resource as stable and fast Internet connectivity will surely be considered valuable by cybercriminals.

Read the rest of this entry »

These days, cybercriminals and other bad guys on the Internet may no longer have to use infostealing Trojans to gather data from users. Users intentionally posting pictures of their IDs, credit cards on Twitter and Instagram are already doing the job for them.

I’ve been noticing several young people (and even adults) who post pictures of their credit and debit cards on Twitter. But lately, I’ve also seen tons of these images on the photo sharing site Instagram. Some users even post their driver’s license in full view and unknowingly exposing sensitive information like their complete name, home address etc.

Just doing a simple search on Instagram or Twitter, one can easily find several of these documents. There’s even a particular Twitter account and list (called NeedADebitCard) specific to users who post their cards on the said platform.

Read the rest of this entry »

In the past year, we’ve noticed many changes in how toolkits and exploit kits are being used.  For starters, the bad guys are spending more time securing their creations , as well as the servers where their malware will be installed. They do this to prevent leaks, as well as to make things harder for security researchers.

Here are some of the more well-known names, and what’s happened to them recently.

ZeuS

ZeuS has technically always been purchased and installed in a relatively secure way. Many of its users tended to be more technically capable; its author (Monstr/Slavik) was also selective about to whom he sold ZeuS to. ZeuS is secure, stable and able to manage thousands of bots. This is why it became famous in the underground, and why its use remains frequent to this day.

Citadel, IceIX

Citadel and IceIX are both malware toolkits that were created using the leaked ZeuS source code as a starting point. They took advantage of ZeuS’s popularity and leaked source code to create their own versions. Aquabox, the author and seller of Citadel, has made improvements to the original ZeuS source code and admin panel, making it attractive to other cybercriminals.

Read the rest of this entry »

Banks and other financial institutions have put in stricter controls in an attempt to minimize losses that phishing attacks cause. Cybercriminals have not taken this sitting down by producing a new tool to automate online banking fraud — automatic transfer systems (ATSs).

In the past, malware families like ZeuS and SpyEye used Webinject files to modify the websites of targeted organizations such as banks. A Webinject file is basically a text file with JavaScript and HTML code that contains the code the attacker wants to insert into the targeted websites.

With ATS, however, attackers have taken things to the next level. Instead of merely passively stealing information, ATSs allow cybercriminals to instantly carry out financial transactions that could deplete users’ bank accounts without their knowledge. No longer needing user intervention to key in user names and passwords, ATSs allow cybercriminals to automatically transfer funds from victims’ accounts to their own ones without leaving traces of their presence.

This research paper contains our preliminary research on ATSs. In the process of conducting research, we were able to find key aspects of ATS attacks, determine some known targets, and dig into the murky underground engaged in producing and selling ATSs.

Our full findings can be seen in the research paper, “Automating Online Banking Fraud,” which you may download by clicking the image below:

An infographic illustrating the ins and outs of this attack can be seen below: