    Author Archive - Loucif Kharouni (Senior Threat Researcher)

    We’ve been hearing much about how Africa is rapidly catching up with the rest of the world in terms of the Internet. More and more Africa-based users are now connecting to the Internet, giving them a great resource for information and an easier means for communication. Unfortunately, as more users in Africa become connected to the Internet, they become just as susceptible as the rest of the world to online threats.

    In our recently released forecasts for 2013, Raimund mentioned how Africa will become the new haven for cybercriminals. I have done some research on Africa (which I will release soon), and I very much agree with that forecast. Here are three reasons why:

    1. Great Internet availability and fast connections
      The Internet infrastructure in Africa, supported by undersea cables, is very well developed. As of now, the different ISPs in Africa are able to offer their customers a variety of connection types, such as 3G, 4G LTE, dial-up, DSL, fiber, and even satellite connections. The availability of such a resource as stable and fast Internet connectivity will surely be considered valuable by cybercriminals.


    These days, cybercriminals and other bad guys on the Internet may no longer have to use infostealing Trojans to gather data from users. Users intentionally posting pictures of their IDs and credit cards on Twitter and Instagram are already doing the job for them.

    I’ve been noticing several young people (and even adults) who post pictures of their credit and debit cards on Twitter. But lately, I’ve also seen tons of these images on the photo sharing site Instagram. Some users even post their driver’s license in full view, unknowingly exposing sensitive information like their complete name, home address, etc.

    With just a simple search on Instagram or Twitter, one can easily find several of these documents. There’s even a particular Twitter account and list (called NeedADebitCard) dedicated to users who post their cards on the said platform.


    In the past year, we’ve noticed many changes in how toolkits and exploit kits are being used. For starters, the bad guys are spending more time securing their creations, as well as the servers where their malware will be installed. They do this to prevent leaks, as well as to make things harder for security researchers.

    Here are some of the more well-known names, and what’s happened to them recently.

    ZeuS

    ZeuS has technically always been purchased and installed in a relatively secure way. Many of its users tended to be more technically capable; its author (Monstr/Slavik) was also selective about whom he sold ZeuS to. ZeuS is secure, stable, and able to manage thousands of bots. This is why it became famous in the underground, and why its use remains frequent to this day.

    Citadel, IceIX

    Citadel and IceIX are both malware toolkits that were created using the leaked ZeuS source code as a starting point. They took advantage of ZeuS’s popularity and leaked source code to create their own versions. Aquabox, the author and seller of Citadel, has made improvements to the original ZeuS source code and admin panel, making it attractive to other cybercriminals.

    (Posted in Bad Sites: News from the Underground: Toolkit/Exploit Kit Developments)

    Banks and other financial institutions have put in stricter controls in an attempt to minimize the losses that phishing attacks cause. Cybercriminals have not taken this sitting down: they have produced a new tool to automate online banking fraud, the automatic transfer system (ATS).

    In the past, malware families like ZeuS and SpyEye used Webinject files to modify the websites of targeted organizations such as banks. A Webinject file is basically a text file holding the JavaScript and HTML code that the attacker wants to insert into the targeted websites.

    With ATS, however, attackers have taken things to the next level. Instead of merely passively stealing information, ATSs allow cybercriminals to instantly carry out financial transactions that could deplete users’ bank accounts without their knowledge. No longer needing user intervention to key in user names and passwords, ATSs allow cybercriminals to automatically transfer funds from victims’ accounts to their own without leaving traces of their presence.

    This research paper presents our preliminary research on ATSs. In the course of that research, we were able to identify key aspects of ATS attacks, determine some known targets, and dig into the murky underground engaged in producing and selling ATSs.

    Our full findings can be seen in the research paper, “Automating Online Banking Fraud,” which you may download by clicking the image below:

    An infographic illustrating the ins and outs of this attack can be seen below:

    (Posted in Malware: Evolved Banking Fraud Malware: Automatic Transfer Systems)

    Mass attack by “Soldier” ensnares major U.S. corporations in its net, steals US$3.2 million in six months, causes organizations and individuals to be vulnerable to future attacks; 90+ other countries hit by shrapnel.

    For some time now, we’ve been investigating the operation of a certain cybercriminal—a young man in his early 20s who resides in Russia. During our investigation, we discovered that the attacker uses various criminal toolkits, including SpyEye and ZeuS for crimeware, as well as exploit kits such as those for driving blackhat SEO to propagate his SpyEye/ZeuS binaries.

    Using the SpyEye criminal toolkit, money mules, and an accomplice believed to reside in Hollywood, U.S.A., “Soldier,” as he’s known in the criminal underground, stole over US$3.2 million in six months starting January 2011, which equates to approximately US$533,000 per month, or US$17,000 a day!

    “Soldier” mainly targeted U.S. users, and to increase the number of successful infections achieved in the country, he even bought U.S. traffic from other cybercriminals. Besides using malware to steal money from compromised accounts, he also stole users’ security credentials.

    Noteworthy Compromises

    Using the IP addresses of the victims that were recorded by the SpyEye command-and-control server, we were able to determine the network to which each IP address was assigned. We found that a wide variety of large organizations and U.S. multinational corporations across many sectors were represented in the victim population.

    We do not believe these large organizations and U.S. multinational corporations were originally the intended targets; we instead believe that they were impacted following end-user compromise. Bots (infected victims’ systems) are routinely sold to other criminals who perform other data-stealing activities, thereby making these networks vulnerable to further compromise and possible fraud.

    The victims’ IP addresses that were identified in the compromise included those belonging to the following types of organizations:

    • U.S. government (local, state, federal)
    • U.S. military
    • Educational and research institutions
    • Banks
    • Airports
    • Other companies (automobile, media, technology)
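As an added illustration (not code from the original post), here is how the victimology step described above, mapping the victim IP addresses logged by a command-and-control server to the owning network and its sector, can be scripted. The log lines and the network table are constructed for the example, with RFC 5737 documentation prefixes standing in for the whois/ASN data an analyst would actually look up.

```python
import ipaddress
from collections import Counter

# Constructed sample in the shape of a C&C victim log: one "<ip> <bot id>" per line.
SAMPLE_LOG = """\
203.0.113.17 bot-0001
198.51.100.9 bot-0002
203.0.113.200 bot-0003
192.0.2.44 bot-0004
198.51.100.77 bot-0005
"""

# Constructed allocation table (prefix, organization, sector). In practice this
# comes from whois/ASN lookups; these are RFC 5737 documentation ranges.
NETWORK_TABLE = [
    ("203.0.113.0/24", "Example Bank", "Banks"),
    ("198.51.100.0/24", "Example University", "Educational and research institutions"),
    ("192.0.2.0/25", "Example Airport Authority", "Airports"),
]


def load_networks(table):
    """Parse the CIDR strings once so each lookup is a cheap containment test."""
    return [(ipaddress.ip_network(cidr), org, sector) for cidr, org, sector in table]


def classify_ip(ip, networks):
    """Return (org, sector) for the most specific prefix containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, org, sector in networks:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, org, sector)
    return (best[1], best[2]) if best else None


def victims_by_sector(log_text, table=NETWORK_TABLE):
    """Count logged victim IPs per sector; IPs outside the table are 'Unattributed'."""
    networks = load_networks(table)
    counts = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ip = line.split()[0]
        hit = classify_ip(ip, networks)
        counts[hit[1] if hit else "Unattributed"] += 1
    return dict(counts)
```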




    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice