Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Recent Posts

  • Calendar

    March 2015
    S M T W T F S
    « Feb    
  • Email Subscription

  • About Us
    TrendLabs Security Intelligence Blog(breadcrumbs are unavailable)

    Author Archive - Loucif Kharouni (Senior Threat Researcher)

    These days, cybercriminals and other bad guys on the Internet may no longer have to use infostealing Trojans to gather data from users. Users intentionally posting pictures of their IDs, credit cards on Twitter and Instagram are already doing the job for them.

    I’ve been noticing several young people (and even adults) who post pictures of their credit and debit cards on Twitter. But lately, I’ve also seen tons of these images on the photo sharing site Instagram. Some users even post their driver’s license in full view and unknowingly exposing sensitive information like their complete name, home address etc.

    Just doing a simple search on Instagram or Twitter, one can easily find several of these documents. There’s even a particular Twitter account and list (called NeedADebitCard) specific to users who post their cards on the said platform.

    Read the rest of this entry »


    In the past year, we’ve noticed many changes in how toolkits and exploit kits are being used.  For starters, the bad guys are spending more time securing their creations , as well as the servers where their malware will be installed. They do this to prevent leaks, as well as to make things harder for security researchers.

    Here are some of the more well-known names, and what’s happened to them recently.


    ZeuS has technically always been purchased and installed in a relatively secure way. Many of its users tended to be more technically capable; its author (Monstr/Slavik) was also selective about to whom he sold ZeuS to. ZeuS is secure, stable and able to manage thousands of bots. This is why it became famous in the underground, and why its use remains frequent to this day.

    Citadel, IceIX

    Citadel and IceIX are both malware toolkits that were created using the leaked ZeuS source code as a starting point. They took advantage of ZeuS’s popularity and leaked source code to create their own versions. Aquabox, the author and seller of Citadel, has made improvements to the original ZeuS source code and admin panel, making it attractive to other cybercriminals.

    Read the rest of this entry »

    Posted in Bad Sites | Comments Off

    Banks and other financial institutions have put in stricter controls in an attempt to minimize losses that phishing attacks cause. Cybercriminals have not taken this sitting down by producing a new tool to automate online banking fraud — automatic transfer systems (ATSs).

    In the past, malware families like ZeuS and SpyEye used Webinject files to modify the websites of targeted organizations such as banks. A Webinject file is basically a text file with JavaScript and HTML code that contains the code the attacker wants to insert into the targeted websites.

    With ATS, however, attackers have taken things to the next level. Instead of merely passively stealing information, ATSs allow cybercriminals to instantly carry out financial transactions that could deplete users’ bank accounts without their knowledge. No longer needing user intervention to key in user names and passwords, ATSs allow cybercriminals to automatically transfer funds from victims’ accounts to their own ones without leaving traces of their presence.

    This research paper contains our preliminary research on ATSs. In the process of conducting research, we were able to find key aspects of ATS attacks, determine some known targets, and dig into the murky underground engaged in producing and selling ATSs.

    Our full findings can be seen in the research paper, “Automating Online Banking Fraud,” which you may download by clicking the image below:

    An infographic illustrating the ins and outs of this attack can be seen below:

    Posted in Malware | Comments Off

    Mass attack by “Soldier” ensnares major U.S. corporations in its net, steals US$3.2 million in six months, causes organizations and individuals to be vulnerable to future attacks; 90+ other countries hit by shrapnel.

    For some time now, we’ve been investigating the operation of a certain cybercriminal—a young man in his early 20s who resides in Russia. During our investigation, we discovered that the attacker uses various criminal toolkits, including SpyEye and ZeuS for crimeware, as well as exploit kits such as those for driving blackhat SEO to propagate his SpyEye/ZeuS binaries.

    Using the SpyEye criminal toolkit, money mules, and an accomplice believed to reside in Hollywood, U.S.A., “Soldier,” as he’s known in the criminal underground, stole over US$3.2 million in six months starting January 2011, which equates to approximately US$533,000 per month, or US$17,000 dollars a day!

    “Soldier” mainly targeted U.S. users and to increase the number of successful infections achieved in the country, he even bought U.S. traffic from other cybercriminals. Besides using malware to steal money from compromised accounts, he also steals users’ security credentials.

    Noteworthy Compromises

    Using the IP addresses of the victims that were recorded by the SpyEye command-and-control server, we were able to determine the network to which the IP address was assigned. We found that a wide variety of large organizations and U.S. multinational corporations in a variety of sectors were represented in the victim population.

    We do not believe these large organizations and U.S. multinational corporations were originally the intended target, we instead believe that they were impacted following end-user compromise. Bots (infected victims’ systems) are routinely sold to other criminals who perform other data-stealing activities, thereby making these networks vulnerable to further compromise and possible fraud.

    The victims’ IP addresses that were identified in the compromise included those belonging to the following types of organizations:

    • U.S. government (local, state federal)
    • U.S. military
    • Educational and research institutions
    • Banks
    • Airports
    • Other companies (automobile, media, technology)

    Read the rest of this entry »


    This entry is a follow-up to my blog post last week in which I noted some significant changes that have been made to SpyEye 1.3.4.x. Further observation revealed other modifications that made me think we are getting closer to the merger of the SpyEye and ZeuS botnets.

    This SpyEye version comes with a Gate, a CN1 and a SYN1 installer.

    Read the rest of this entry »



    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice