
    Author Archive - Maxim Goncharov (Senior Threat Researcher)

    When big breaches happen and hundreds of millions of credit card numbers and SSNs get stolen, they resurface in other places. The underground now offers a vast landscape of shops, where criminals can buy credit cards and other things at irresistible prices.

    Million dollar breaches

    News and media coverage of significant breaches is becoming an everyday occurrence. 2014 became the “year of the POS breach” for retailers like Neiman Marcus, Staples, Kmart, and Home Depot. The first half of 2015 has also seen major breaches in the consumer industry (Chick-fil-A, Ryanair) as well as at health insurers (Anthem, Premera). A simple shopping trip to the grocery store (Albertsons or Supervalu) or to Home Depot can prove costly, because paying with a debit or credit card has inherent risks. But what happens to the compromised card data and personal information?

    Buying a stolen credit card

    One interesting thing I observed is that right after a significant data breach, the underground experiences an influx of new cards. These stolen credentials surface in places where they are categorized in databases and sold in an orderly fashion in underground “marketplaces.” Marketplaces are in many ways what forums used to be, a place of trade, but they allow standardized sales of products and services at a set price that can be bought with a few clicks, much like online shopping. These places often have a professional-looking, user-friendly graphical interface where the buyer can filter the available cards by very specific criteria such as ZIP code, city, address of the card owner, type of card, and so on.

    Figure 1. The marketplace GoCVV offers a global map index to show the availability of credit cards in different locations for a better underground shopping experience

    During my research excursions through various underground forums, I stumbled across several credit cards that can be linked to big, well-known corporations by looking at the (valid) information offered about the card owner: his (corporate) address, ZIP code, card number, and expiry date. What this tells us is that a cybercriminal who wants to operate efficiently and maximize his earnings will make the best use of the search and filter options these marketplaces offer. He will narrow his search to the big corporations, keep a database of their addresses and locations, and regularly filter the best marketplaces for the most recent outpour of fresh card leaks.

    Corporate Credit Cards = $$$

    How often do you use your corporate credit card to pay for an overnight stay, a flight, or a business lunch? Many corporations let their employees use credit cards for business travel, but when a card is stolen, the corporation is affected directly. The benefit these cards offer for criminal purposes is obvious: a corporate card with a transaction limit of, say, US$2,000 can be a gold mine for cybercriminals. Because hundreds of transactions are processed on such cards, it is difficult for the cardholder to detect and trace back any suspicious movement.

    Shopping in the Russian Underground

    Today we are releasing the third in a series of papers on the Russian underground, titled Russian Underground 2.0. It discusses the current set-up of the Russian cyber underground scene, a mature ecosystem that covers all aspects of cybercriminal business activity. The Russian underground not only provides products and services for cybercriminals but creates new niches for “employment” in the underground, such as translation or spam-proofing services for criminals. The paper looks into new services becoming available to criminal minds, automated and optimized processes for quick and easy deals, and looming attack avenues we expect to see in the near future.

    This is part of the Cybercrime Underground Economy Series, which takes a comprehensive view of various cybercrime markets from around the world.

    Posted in Malware

    One of the challenges in fighting cybercrime is that it is borderless; cybercriminals can conduct their malicious activities from countries that do not strictly enforce cybercrime laws. However, no matter how difficult and perilous the task of arresting attackers and taking down cybercriminal operations is, it can be achieved through collaboration between security researchers and law enforcement (LE) agencies across the globe.

    Darkode, an underground forum where stolen data and malicious tools of the trade, among other things, were bought and sold, was taken down on July 15, 2015, following the indictment of 12 people, including the forum’s administrator. Dubbed Operation Shrouded Horizon, the investigation and arrests were led by the Federal Bureau of Investigation (FBI) and the Department of Justice in collaboration with law enforcement agencies in 20 countries.

    Ties to bulletproof hosting service providers

    Our researchers have been monitoring bulletproof hosting service providers (BPHS), which play a crucial role in the proliferation of cybercriminal activity. BPHS serve as “hideouts” to store tools, stolen goods, and malicious content such as pornography, phishing pages, and command-and-control (C&C) infrastructure. In essence, BPHS function as hosting facilities for hardware, software, and applications.

    Figure 1. Business models for BPHS (click the image to enlarge)

    Darkode reportedly used bulletproof hosting services to stay under the radar and avoid detection by security researchers. Based on our investigation, the site darkode[.]com, which was online as early as 2004, was hosted by several providers over the years. Note that some of these may simply have been legitimate providers whose services were abused.

    Figure 2. IPs used to host darkode[.]com

    However, the following IP addresses belong to hosting providers confirmed to be BPHS employed by Darkode:

    • 94[.]102[.]48[.]107
    • 93[.]174[.]93[.]246

    The importance of collaboration

    In our research paper, “Criminal Hideouts for Lease: Bulletproof Hosting Services,” we highlighted the various challenges that prevent security vendors and LE from carrying out takedowns and arrests. One of these is how BPHS leverage countries with minimal cybercrime laws to continue or relocate their operations. Because of the complex nature of BPHS and their attempts to legitimize some of their activities, particularly those following the third business model (abusing cloud hosting services), they may be arduous to shut down.

    Figure 3. Role that law enforcement agencies and security vendors play in BPHS takedowns (click the image to enlarge)

    However, as the Darkode takedown shows, such a task is possible, especially when law enforcement agencies in different countries work together with the security researchers who provide intelligence and findings.

    Posted in Bad Sites

    What do LeaseWeb, Galkahost, and Spamz have in common? All of them, at one point or another, have functioned as cybercriminal hideouts in the form of bulletproof hosting services (BPHS).

    Simply put, a BPHS is any “hosting facility that can store any type of malicious content like phishing sites, pornography, and command-and-control (C&C) infrastructure.” If I were to compare them with real-life crime rings, BPHSs would be the hideouts criminals use to carry out their illegal activities in private. In the context of cybercrime, it is very common to downplay the role of BPHSs in cybercriminal operations and instead focus on revealing the bad guys’ identities or discussing their modus operandi. But the truth is: BPHSs are crucial. They are so crucial, in fact, that many major cybercriminal groups would not be able to operate without them.

    So why not just shut them down? Well, the thing with BPHS takedowns is that they are easier said than done.

    In my paper, “Criminal Hideouts for Lease: Bulletproof Hosting Services,” I cite several factors that make BPHSs an imposing challenge for security and law enforcement organizations. For one, many BPHS providers operate under the guise of legitimate hosting providers, which makes tracking them a lot trickier.

    Running BPHS as a Business

    BPHS providers usually choose one of three business models when building their services, as follows:

    • Model 1: Dedicated bulletproof servers
      BPHS providers create a convincing business front to avoid suspicion from law enforcement. They usually cater to customers who need to host content that may be considered illegal in certain countries.
    • Model 2: Compromised dedicated servers
      BPHS providers choose to compromise dedicated servers and rent these out to parties who wish to host malicious content.
    • Model 3: Abused cloud-hosting services
      Cybercriminals abuse cloud-hosting services like Amazon Web Services (AWS), Hetzner, OVH, and LeaseWeb to host C&C servers or drop stolen data, among other malicious purposes.

    It is important for BPHS providers to retain their name or domain for a long time, as this shows how adept they are at keeping customers’ activities confidential, particularly from security researchers and law enforcers. Longtime providers usually stay afloat through their ability to provide immediate technical support, migrate quickly when they are blacklisted, protect customers against DDoS attacks, and advertise cleverly to reach their specific clientele.

    Figure 1. Sample of a BPHS provider with expensive offerings

    Pricing for BPHSs depends on the risk involved in hosting certain content. Providers in several countries offer servers for as little as US$2 per month for low-risk content, while servers based in China, Bolivia, Iran, and Ukraine can cost as much as US$300 per month for critical infrastructure projects or high-risk content. (A more detailed description of the risk ratings, or the toxicity of BPHS servers, can be found in the paper.)

    Takedown Impossible

    Another challenge for security and law enforcement organizations is that these services operate in locations that do not heavily police cybercrime. BPHSs are often based in countries with lax regulation, where laws that penalize cybercriminal activity are weak or poorly enforced.

    We looked at several BPHS providers in different countries and noted the types of malicious content they frequently host. Note that this list is not exhaustive; many more bulletproof hosts operate in countries not cited here.

    Figure 2. Malicious content found in BPHS servers in certain countries

    My FTR colleague, Bob McArdle, sums up the challenges BPHSs pose pretty well: “The very nature of BPHSs is that they protect malicious activity against law enforcement, giving cybercriminals the much-needed loophole to wriggle out of and escape from the clutches of both law enforcement and the security industry. That loophole unfortunately largely remains open today.”

    The paper contains more insights on BPHSs as well as a system for classifying them, to help my fellow security researchers and law enforcement agencies in their own investigations.

    The full paper, “Criminal Hideouts for Lease: Bulletproof Hosting Services,” is available for download.

    Posted in Bad Sites

    In an interesting turn of events, a C&C domain used in the Carbanak targeted attack campaign now resolves to an IP address linked to the Russian Federal Security Service (FSB).

    Yesterday, while checking the indicator of compromise (IOC) data from the Carbanak report, I noticed that one of the domain names (identified as a C&C server in the report) now resolves to a different IP address. When I checked for related information, I found that this IP is under ASN AS8342 RTCOMM-AS OJSC RTComm.RU and that its identified location is Moscow City – Moscow – Federal Security Service Of Russian Federation.

    Figure 1. Information on

    For those who are not familiar, Carbanak is a targeted attack campaign that hit banks and financial organizations earlier this year. Based on reports, it employed methods and techniques commonly seen in targeted attacks, such as spear-phishing emails and exploits. The attackers also gathered intelligence about their target networks in order to infiltrate them.

    I checked the other IOCs for other interesting details but didn’t find anything related to this particular anomaly. I still do not know why it happened; I do not really think that FSB Russia would point the Carbanak-related domain name to an IP address affiliated with the Russian Federal Security Service. It is also possible that the owner of the domain did this as a prank.

    A reverse lookup on the IP address (DomainTools Reverse IP Lookup) revealed that several other domains resolve to it apart from the Carbanak-related one.

    Figure 2. Other domains resolving to the FSB Russia IP address

    We will monitor this further and post updates when they’re available.
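The re-check described above, as an added example that is not code from the original post or from Trend Micro's tooling: each IOC's current resolution is compared against the resolution recorded in the report, and a changed IP is attributed to an ASN so the analyst can see whether the domain merely moved within a hoster or landed somewhere unexpected. The domains, IPs and ASN table are constructed placeholders drawn from documentation ranges (RFC 5737, RFC 2606), not the Carbanak indicators, which this post does not reproduce; `stub_resolve`, `live_resolve`, `asn_for` and `recheck_iocs` are my own names.

```python
import ipaddress
import socket

# Constructed sample data (documentation ranges, NOT the real Carbanak IOCs):
# the C&C domains a hypothetical report listed and the IPs they resolved to
# when the report was written.
REPORTED_IOCS = {
    "c2-one.example":   "198.51.100.10",
    "c2-two.example":   "203.0.113.25",
    "c2-three.example": "192.0.2.77",
}

# Constructed stand-in for a WHOIS/BGP lookup: which prefixes belong to which ASN.
ASN_PREFIXES = {
    "AS64500 EXAMPLE-HOSTER": ["198.51.100.0/24", "203.0.113.0/24"],
    "AS64501 EXAMPLE-AGENCY": ["192.0.2.0/24"],
}

# Constructed "current" DNS answers so the demo runs offline.
CURRENT_DNS = {
    "c2-one.example":   "198.51.100.10",   # unchanged
    "c2-two.example":   "192.0.2.200",     # moved to another ASN
    "c2-three.example": None,              # no longer resolves
}


def stub_resolve(domain):
    """Offline resolver backed by the constructed table above."""
    return CURRENT_DNS.get(domain)


def live_resolve(domain):
    """Real resolver for use outside the offline demo (network required)."""
    try:
        return socket.gethostbyname(domain)
    except socket.gaierror:
        return None


def asn_for(ip):
    """Map an IP to the ASN whose prefix contains it, or None if unknown."""
    addr = ipaddress.ip_address(ip)
    for asn, prefixes in ASN_PREFIXES.items():
        if any(addr in ipaddress.ip_network(p) for p in prefixes):
            return asn
    return None


def recheck_iocs(reported, resolve=stub_resolve):
    """Compare each IOC's current resolution with the reported one.

    Returns one finding per domain whose status changed; unchanged domains are
    omitted. A change is a lead to verify, not a verdict: sinkholes, expired
    registrations and deliberate pranks all look identical at this layer.
    """
    findings = []
    for domain, old_ip in reported.items():
        new_ip = resolve(domain)
        if new_ip == old_ip:
            continue
        old_asn = asn_for(old_ip)
        if new_ip is None:
            findings.append({"domain": domain, "old_ip": old_ip, "old_asn": old_asn,
                             "new_ip": None, "new_asn": None,
                             "note": "no longer resolves"})
            continue
        new_asn = asn_for(new_ip)
        note = "moved within ASN" if old_asn == new_asn else "moved to a different ASN"
        findings.append({"domain": domain, "old_ip": old_ip, "old_asn": old_asn,
                         "new_ip": new_ip, "new_asn": new_asn, "note": note})
    return findings


if __name__ == "__main__":
    for finding in recheck_iocs(REPORTED_IOCS):
        print(finding)
```

Swap `live_resolve` in for `stub_resolve` and replace `ASN_PREFIXES` with a real prefix-to-ASN feed to run this against current DNS; a domain that "moved to a different ASN" is exactly the kind of hit that deserves the reverse lookup described above before anyone draws conclusions.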


    Two weeks ago, we talked about how many sites in the top 1 million domains (as ranked by Alexa) were vulnerable to the Heartbleed vulnerability in OpenSSL. How do things stand today?


    Figure 1. Sites vulnerable to Heartbleed as of April 22

    Globally, the percentage of sites that are vulnerable to Heartbleed has fallen by two-thirds, to just under 10 percent. Only three of the TLDs we looked at have percentages above the global number: Brazil (.BR), China (.CN), and Russia (.RU).

    The only TLD with a 100% cleanup record was .gov, reserved for US government sites. The Australian (.AU), British (.UK), German (.DE), and Indian (.IN) TLDs also had rates significantly lower than the global average.

    Overall, the numbers leave room for optimism when it comes to addressing Heartbleed. Most system administrators have paid attention to the warnings and patched their servers accordingly. The question is now whether the remaining 10% of vulnerable domains will be patched sooner rather than later, or if we will be stuck with a non-trivial portion of the Internet that will be left at risk.

    Users who want to test whether the sites they use are at risk can find a Trend Micro heartbleed detector app in the Google Play store, the Google Chrome store, and on the web.
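As an added example that is neither the Trend Micro detector nor code from the original post, the part of a Heartbleed check that can be shown offline: building the malformed heartbeat request that scanners send once the TLS handshake is done, and classifying the bytes that come back. The handshake and socket code are deliberately left out, the `fake_*` responses are constructed rather than captured traffic, and the function names are my own.

```python
import struct

TLS_ALERT, TLS_HEARTBEAT = 0x15, 0x18      # TLS record content types
HB_REQUEST, HB_RESPONSE = 0x01, 0x02       # RFC 6520 heartbeat message types
HB_PADDING = 16                            # RFC 6520 minimum padding


def build_heartbeat_probe(claimed_len=0x4000, version=(3, 2)):
    """Heartbeat request that claims `claimed_len` payload bytes but carries none.

    Only the 3-byte heartbeat header goes on the wire, so the record length is 3:
    this is the classic 18 03 02 00 03 01 40 00 probe. A server that trusts the
    claimed length copies that many bytes from its own memory into the reply.
    """
    hb = struct.pack("!BH", HB_REQUEST, claimed_len)
    return struct.pack("!BBBH", TLS_HEARTBEAT, version[0], version[1], len(hb)) + hb


def parse_records(data):
    """Split raw bytes into complete (content_type, version, body) TLS records.

    A record whose body has not fully arrived is left unparsed; a live scanner
    would keep reading from the socket instead of giving up here.
    """
    records, off = [], 0
    while off + 5 <= len(data):
        ctype, major, minor, length = struct.unpack("!BBBH", data[off:off + 5])
        body = data[off + 5:off + 5 + length]
        if len(body) < length:
            break
        records.append((ctype, (major, minor), body))
        off += 5 + length
    return records


def assess_response(data, claimed_len=0x4000):
    """Classify the server's reply to the probe.

    vulnerable            - heartbeat response echoing the bogus length with that
                            many bytes attached: memory the server never received
    not_vulnerable_alert  - server rejected the malformed record with an alert
    heartbeat_bounded     - heartbeat response that does not exceed what was sent
    inconclusive          - nothing usable (heartbeat off, silently dropped, or
                            the record has not fully arrived yet)
    """
    for ctype, _version, body in parse_records(data):
        if ctype == TLS_ALERT:
            return "not_vulnerable_alert"
        if ctype == TLS_HEARTBEAT and len(body) >= 3:
            hb_type, hb_len = struct.unpack("!BH", body[:3])
            if (hb_type == HB_RESPONSE and hb_len == claimed_len
                    and len(body) >= 3 + claimed_len):
                return "vulnerable"
            return "heartbeat_bounded"
    return "inconclusive"


# Constructed responses (not captured traffic) to exercise the classifier.
def fake_vulnerable_response(claimed_len=0x4000):
    """What an unpatched server sends back: the claimed length plus that much memory."""
    leaked = bytes(range(256)) * (claimed_len // 256)
    hb = struct.pack("!BH", HB_RESPONSE, claimed_len) + leaked + b"\x00" * HB_PADDING
    return struct.pack("!BBBH", TLS_HEARTBEAT, 3, 2, len(hb)) + hb


def fake_patched_response():
    """A fatal decode_error alert (level 2, description 50)."""
    return struct.pack("!BBBH", TLS_ALERT, 3, 2, 2) + b"\x02\x32"


if __name__ == "__main__":
    print("probe:", build_heartbeat_probe().hex())
    print("unpatched server:", assess_response(fake_vulnerable_response()))
    print("patched server:", assess_response(fake_patched_response()))
```

Two caveats a practitioner needs: the probe is only meaningful after a completed ClientHello/ServerHello exchange, and an `inconclusive` result is not proof of safety, since the OpenSSL fix silently discards the malformed record rather than sending an alert, and a server with the heartbeat extension disabled behaves the same way. Only a reply that carries the over-long payload is positive evidence.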

     For other posts discussing the Heartbleed bug, check our previous entries:

    Posted in Vulnerabilities | Number of Sites Vulnerable to Heartbleed Plunges by Two-Thirds


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice