TrendLabs Security Intelligence Blog

Author Archive - Trend Micro

    Apr 28, 5:54 am (UTC-7)

    The Russian Underground has existed in an organized form since 2004, and has been used both as a marketplace and as an information exchange platform. Some well-known centers of the Russian underground include zloy.org, DaMaGeLab, and XaKePoK.NeT. Initially, these forums were used primarily to exchange information, but their role as marketplaces has become more prominent.

    Many parts of the Russian underground today are highly specialized. A cybercriminal with ties to the right people no longer needs to create all of his attack tools himself; instead, he can buy them from sellers that specialize in specific products and services. For example, there are groups that do only file encryption, or DDoS attacks, or traffic redirection, or traffic monetization. Groups that specialize in one of these areas do what they do best and produce better, more sophisticated products.

    Perhaps the most popular product in the Russian underground economy today is traffic and various traffic-related products. Examples include traffic detection systems (TDSs), traffic direction, and pay-per-install (PPI) services. This purchased Web traffic not only increases the number of cybercrime victims; it may also be used to gather information about potential targeted attack victims.

    Like any other economy, the Russian underground follows the laws of supply and demand. As we mentioned last week, the prices of underground goods have dropped across the board. This is generally because of the increased supply of these goods: for example, stolen American credit cards are widely available, and as a result their price has fallen. This is evident in the following chart of stolen credit card prices:

    Figure 1. Prices for stolen credit cards

    The same is true for stolen accounts:

    Figure 2. Prices for hacked accounts

    With falling prices, however, comes a loss in reliability: goods or services are not always as high-quality as advertised. Sometimes, escrow providers (known as garants) are used to try and give both parties (buyer and seller) reassurances that neither party is scamming the other.

    Today, we released our updated look at the Russian Underground, titled Russian Underground Revisited. This is an update to our earlier paper discussing the items that are bought and sold in various parts of the Russian underground. For this edition, we have clearly outlined the products and services being sold and what their prices are. In addition, we discuss the changes since the original paper to highlight the continued evolution of the cybercrime threat landscape.

    This is part of the Cybercrime Underground Economy Series of papers, which take a comprehensive view of various cybercrime markets from around the world.

    Before the end of the month, we will release a new paper in our Cybercriminal Underground Economy Series titled Russian Underground Revisited. This is a followup to our earlier paper Russian Underground 101; both papers examine the Russian Underground and look at the goods and services being sold inside these underground communities.

    While the full details will not be published until next week, the overall finding of the report is clear: cybercrime has never been more affordable and accessible, even for lesser-skilled cybercriminals.

    The lower ranks of the underground communities are often derisively referred to as “script kiddies”, but this does not mean that the damage they cause is any less consequential. Technical understanding of security flaws is not a prerequisite to exploiting them at all; they are just like the “users” of any other organization: they just want their code “to work”; the only difference here is that their code is carrying out malicious behavior.

    What does this mean? For starters, it means that the volume of threats will keep on increasing for the foreseeable future. We may also see more variety in threats, if only because the attackers are more numerous than before. (One shouldn’t interpret falling prices as a sign of a failing business.) In addition, the scope and variety of the products for sale are also improving, making the resources available for “script kiddies” more powerful.

    Cybercrime is a business, and the prices we’ve seen validate what we already know: that times are good, victims are plentiful, and the risk is relatively low. This is all in spite of technical solutions that have increased the security of computing devices overall. It highlights the need for cybercrime solutions that focus not just on technical issues, but on economic and legal ones as well.

    Posted in Malware


    Apr 17, 4:59 am (UTC-7)

    How the Heartbleed bug works

    In previous blog entries, we’ve discussed various aspects of the Heartbleed vulnerability in OpenSSL. Last Tuesday, our first blog post covered an analysis of the vulnerability itself, as well as some steps that IT administrators of affected systems could take in order to protect themselves. Later entries looked at how popular websites and mobile apps were, in their own ways, vulnerable to the threat.

    To help deal with the Heartbleed vulnerability, we’ve released several tools that can be used to detect possible exposure to the risks:

    We have released into the Google Play app store the Trend Micro Heartbleed Detector. This tool is designed to help users tell if they are vulnerable to any aspect of this threat. In particular, it checks for three things:

    • It checks whether the version of OpenSSL used in the device’s version of Android may be vulnerable.
    • It checks whether any OpenSSL libraries embedded in the user’s installed apps may be vulnerable.
    • It checks whether the user’s installed apps communicate with any unpatched (and therefore vulnerable) servers.
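    The first two checks above both come down to deciding whether a given OpenSSL build falls in the Heartbleed range. The following Python is an added illustration of that version logic, written for this page; it is not the Trend Micro Heartbleed Detector’s code. It relies only on the public Heartbleed facts (OpenSSL 1.0.1 through 1.0.1f and 1.0.2-beta1 are affected, 1.0.1g and 1.0.2-beta2 carry the fix, and the 0.9.8 and 1.0.0 lines never had the heartbeat code); the app names and version banners in the sample inventory are constructed. The result is deliberately “possibly vulnerable” rather than “vulnerable”, because Linux distributions backported the fix without changing the banner, so a patched build can still report 1.0.1e; the banner check narrows the list, and the vendor’s patch status or a live test settles it.

```python
import re

# Heartbleed: the TLS heartbeat read overrun shipped in OpenSSL 1.0.1 and was fixed in
# 1.0.1g, so 1.0.1 through 1.0.1f are affected, as is the 1.0.2-beta1 pre-release.
# The 0.9.8 and 1.0.0 lines never contained the heartbeat code and are unaffected.
_LAST_VULNERABLE_101_LETTER = "f"
_LAST_VULNERABLE_102_BETA = 1

# Matches the version inside banners such as "OpenSSL 1.0.1e 11 Feb 2013", "1.0.1g",
# "1.0.2-beta1" or "1.0.1e-fips"; OpenSSL patch letters are lowercase.
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)([a-z]?)(?:-beta(\d+))?")


def parse_openssl_version(text):
    """Return (major, minor, fix, letter, beta) parsed from an OpenSSL banner,
    or None when the text carries no recognizable version."""
    m = _VERSION_RE.search(text)
    if m is None:
        return None
    major, minor, fix = (int(g) for g in m.group(1, 2, 3))
    letter = m.group(4)          # "" for the .0 release, "a".."z" for patch releases
    beta = int(m.group(5)) if m.group(5) else None
    return major, minor, fix, letter, beta


def heartbleed_exposure(version_text):
    """Classify a banner as 'possibly vulnerable', 'fixed', 'unaffected' or 'unknown'.

    'possibly' because distributions backported the fix without bumping the banner:
    a patched build can still report 1.0.1e, so a match here is a lead, not proof."""
    parsed = parse_openssl_version(version_text)
    if parsed is None:
        return "unknown"
    major, minor, fix, letter, beta = parsed
    if (major, minor, fix) == (1, 0, 1):
        # "" (1.0.1 itself) sorts before "a"; "f" is the last affected patch letter.
        return "possibly vulnerable" if letter <= _LAST_VULNERABLE_101_LETTER else "fixed"
    if (major, minor, fix) == (1, 0, 2):
        if beta is not None and beta <= _LAST_VULNERABLE_102_BETA:
            return "possibly vulnerable"
        return "fixed"
    return "unaffected"


def flag_vulnerable_apps(inventory):
    """Given {app_name: openssl_banner_or_None}, return the sorted names whose bundled
    OpenSSL is possibly vulnerable. None means the app ships no OpenSSL of its own
    (it relies on the platform library, which is the separate first check above)."""
    return sorted(app for app, banner in inventory.items()
                  if banner is not None
                  and heartbleed_exposure(banner) == "possibly vulnerable")


# Constructed sample inventory: app names and banners are made up for this example.
SAMPLE_INVENTORY = {
    "example.bank.mobile": "OpenSSL 1.0.1e 11 Feb 2013",
    "example.chat": "OpenSSL 1.0.1g 7 Apr 2014",
    "example.game": "OpenSSL 1.0.0k 5 Feb 2013",
    "example.vpn": "OpenSSL 1.0.2-beta1 24 Feb 2014",
    "example.notes": None,
}

if __name__ == "__main__":
    for app, banner in SAMPLE_INVENTORY.items():
        status = heartbleed_exposure(banner) if banner else "uses platform OpenSSL"
        print(f"{app:22s} {(banner or '-'):30s} {status}")
    print("flagged for follow-up:", flag_vulnerable_apps(SAMPLE_INVENTORY))
```

    Running the block lists each sample app with its status and flags example.bank.mobile and example.vpn for follow-up; an app whose banner is patched or belongs to an unaffected line is left alone, and an app with no bundled OpenSSL is deferred to the platform check.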


    Figure 1. Detector application

    If any vulnerable apps are detected, the detector offers to uninstall the app for the user:


    Figure 2. Vulnerable app detected

    We don’t recommend that users immediately uninstall all vulnerable apps, but this is something everyone should consider for applications that handle critical information, such as mobile banking applications. In addition, it’s a good idea for users to ask the companies that maintain these vulnerable apps to update their apps or websites as soon as possible.

    For Chrome users, we’ve also released the Trend Micro OpenSSL Heartbleed Scanner app. The scanner allows users to check if specific sites are vulnerable to Heartbleed. The tool can be downloaded from the Chrome Web Store.

    For other users who want to check if a site is vulnerable or not, you may also do so through our Trend Micro Heartbleed Detector website.

    We will continue to monitor this issue and release more information as needed. For other posts discussing the Heartbleed bug, check our entries from the past week:

    Posted in Bad Sites


    Apr 1, 6:09 am (UTC-7)

    A key part of our cybercrime research focuses on the communities that cybercriminals form. These are used in much the same way that communities of other shared “interests” are – to socialize, to get together, and to buy and sell various items of interest.

    For security researchers, the activities of these underground communities – and the corresponding economies that they form – are a valuable source of threat intelligence. This allows us to examine current trends in the threat landscape, as well as to look into and prepare for future threats.

    Our research in the past has highlighted the wide variety of goods and services available in the cybercrime underground. These range from crypters, exploit kits, and Trojans to denial of service (DoS) attacks, proxy servers, and web traffic, and everything in between. Our research into the underground has included findings related to malicious traffic management, the reaction to the fall of the BlackHole Exploit Kit, as well as overviews of the Chinese and Russian undergrounds.

    One consistent trend has been the continuing fall in prices of most goods and services. The average price of items has been dropping across the board, making these items accessible to more would-be cybercriminals. Pricier, more effective versions of these goods are available, of course – but the “average” versions of these tools are more than adequate for their purposes.

    There is no shortage of targets either, with much of the world today now online. The following chart shows the countries with the most Internet users and thus, potential victims:

    Figure 1. Countries with largest online population

    There are multiple cybercrime communities around the world with various ties to each other, but they also have unique characteristics that differentiate them. Throughout the year, we will be publishing papers that describe these communities, as well as the economies that they create. These papers are all part of our Cybercriminal Underground Economy Series, or CUES. They will highlight the unique characteristics of each market, provide a summary of the goods and services available, and list the prices for these items.

    The first paper of CUES, covering the mobile cybercrime underground in China, was released earlier this month. The CUES portal will be updated as more papers covering other economies such as those in Russia and Brazil are released.

    Posted in Malware



    On several underground forums, a cybercriminal named gripper is selling ATM skimmers and fake POS terminals, and is making some very bold claims doing so:

    Figure 1. Underground advertisement.

    The cybercriminal claims that he can mass-produce VeriFone VerixV point-of-sale (PoS) devices. (VeriFone is a US-based provider of PoS terminals.) Specific VeriFone products such as the Vx510, the Vx670, and the Vx810 Duet are mentioned by name. These rogue terminals can be used in a store to steal the credit card information of customers; the stolen information is then used or sold on the black market.

    In addition, the seller wants to prove that he is a reputable seller and said he is willing to ship his product anywhere in the world, as well as provide 24/7 support. He went on to say:

    BARE IN MIND WE HAVE THE POWER TO MASS PRODUCE THESE ATM SKIMMERS WITH THE LATEST TECHNOLOGY WE ARE NOT BUYERS AND BUILDERS WE HAVE ALL FILES NEEDED AND PRINTING FACILITIES IN CHINA ALSO WE HAVE FILES TO MASS PRODUCE MSRV ELECTRONICS

    These criminals claim they are able to mass produce almost anything related to ATM and PoS devices. One such ad listed the parts and devices they can produce and ship, with some prices in parentheses:

    • Fake VeriFone VerixV terminals (VX510, 670 and 810 Duet)
    • Gerber file for producing the PCBs for MSRV009 credit card readers
    • ATM panel, camera panel, and keypads for Wincor ProCash2050xe ATMs
    • green cover panel and camera panel for NCR 5886 ATMs ($1850)
    • apple ring and camera panels for NCR Self Serve ATMs ($2000)
    • keypad for Wincor ATMs ($1000)

    Producing parts for ATM skimmers and fake PoS terminals is not new; it has been reported by other researchers since 2011. What is very worrying is that the sellers claim they can mass-produce these items from locations in China, because mass production of these devices or parts could result in more bank fraud against end users. The sellers appear to be quite knowledgeable about developments in ATM skimmers and PoS terminals; they are also very open in what they offer to would-be buyers. In fact, several customers have already vouched for gripper, sharing their good customer experience with this seller.

    A gallery of pictures supplied by the cybercriminals in order to promote their wares follows.

    Figures 2-5. ATM skimmer and PoS terminal images

    Posted in Bad Sites


    © Copyright 2013 Trend Micro Inc. All rights reserved.