Q2-2009 - $34m in Rogueware per month...
FYI...
Q2-2009 - $34m in Rogueware per month...
- http://www.theregister.co.uk/2009/08...reware_market/
7 August 2009 - "Fraudsters are making approximately $34m per month through scareware attacks, designed to trick surfers into purchasing rogue security packages supposedly needed to deal with non-existent threats. A new study, The Business of Rogueware*, by Panda Security researchers Luis Corrons and Sean-Paul Correll, found that scareware distributors are successfully infecting 35 million machines a month. Social engineering attacks, often featuring social networking sites, that attempt to trick computer users into sites hosting scareware software have become a frequently used technique for distributing scareware. Tactics include manipulating the search engine rank of pages hosting scareware. Panda reckons that there are 200 different families of rogueware, with more new variants coming on stream all the time... Luis Corrons, PandaLabs' technical director: "By taking advantage of the fear in malware attacks, they prey upon willing buyers of their fake anti-virus software, and are finding more and more ways to get to their victims, especially as popular social networking sites and tools like Facebook and Twitter have become mainstream." In Q2 2009, four times more new strains were created than in the whole of 2008, primarily in a bid to avoid signature-based detection by genuine security packages..."
* http://www.pandasecurity.com/homeuse...rts#Monographs
"... results:
• We predict that we will record more than 637,000 new rogueware samples by the end of Q3 2009, a tenfold increase in less than a year.
• Approximately 35 million computers are newly infected with rogueware each month (approximately 3.50 percent of all computers).
• Cybercriminals are earning approximately $34 million per month through rogueware attacks..."
:fear::mad:
Cybercrime Hub in Estonia
FYI...
Cybercrime Hub in Estonia
- http://blog.trendmicro.com/investiga...ub-in-estonia/
Aug. 26, 2009 - "... this company has been serving as the operational headquarters of a large cybercrime network since 2005. From its office in Tartu (Estonia), employees administer sites that host codec Trojans and command and control (C&C) servers that steer armies of infected computers. The criminal outfit uses a lot of daughter companies that operate in Europe and in the United States. These daughter companies’ names quickly get the heat when they become involved in Internet abuse and other cybercrimes. They disappear after getting bad publicity or when upstream providers terminate their contracts. Some of the larger daughter companies survived up to 5 years, but got dismantled after they lost internet connectivity in a data center in San Francisco, when webhosting company Intercage went dark in September 2008, and when ICANN decided to revoke the company’s domain name registrar accreditation. This caused a major blow to the criminal operation. However, it quickly recovered and moreover immediately started to spread its assets over many different webhosting companies. Today we count about 20 different webhosting providers where the criminal Estonian outfit has its presence. Besides this, the company owns two networks in the United States. We gathered detailed data on the cyber crime ring from Tartu and found that they control every step between driving traffic to sites with Trojans and exploiting infected computers. Even the billing system for fake antivirus software that is being pushed by the company is controlled from Tartu. An astonishing number of 1,800,000 Internet users were exposed to a bogus “you are infected” messages in July 2009 when they tried to access high traffic pornography sites."
(Screenshots available at the URL above.)
:fear::mad::fear:
NY Times pushes Fake AV malvertisement
FYI...
NY Times pushes Fake AV malvertisement
- http://countermeasures.trendmicro.eu...alvertisement/
Sep. 14, 2009 - "...the New York Times issued a warning over Twitter and also on the front page of the web site. The newspaper advised visitors that they had had reports from “some NYTimes .com readers” relating to a malicious pop-up window while browsing the site... In the warning, the influential newspaper stated their belief that the pop-ups were the result of an “unauthorised advertisement”... it looks as though the problem may have been ongoing for upwards of 24 hours. The pop-up window itself... was the all-too-familiar sight of rogue antivirus software informing the NYTimes reader that their computer is infected with random, spurious, non-existent malware and promising “Full System Cleanup” for a fee of course... The malicious software being punted in this case, is the same as we were seeing in much of the black-hat SEO around the 9/11 attacks, as reported previously on the TrendLabs malware blog*. In this particular example, the malicious site and sofware is being hosted by a German provider, Hetzner AG, which has a colourful track record when it comes to spewing dodgy content, having hosted literally hundreds of malicious URLS. Here’s a really simple tip to remember. If you *ever* see a pop-up windows that arrives uninvited, telling you your PC is infected, ignore it, it is a scam. Close the window, empty your browser cache... UPDATE: Troy Davis was fortunate enough to be able to examine the attack in real-time and provides an excellent code level analysis here**".
* http://blog.trendmicro.com/fakeav-for-september-11/
** http://troy.yort.com/anatomy-of-a-ma...on-nytimes-com
:fear::mad:
Fake A/V hacks for another celebrity death...
FYI...
Fake A/V hacks for another celebrity death...
- http://www.sophos.com/blogs/gc/g/200...eware-hackers/
September 15, 2009 - "Patrick Swayze, the star of movies such as "Dirty Dancing" and "Ghost", has died after fighting cancer of the pancreas for two years. Although the entertainment world mourns his loss, heartless hackers are taking advantage of the hot news story by creating malicious webpages that lead to fake anti-virus (also known as scareware) alerts... This is the same tactic used by cybercriminals after the death of Natasha Richardson and when they exploited interest amongst the public in the anniversary of the 9/11 terrorist attack last week. Clearly the cybercriminals are no slackers when it comes to jumping on a trending internet topic, and are more professional than ever before in spreading their fake anti-virus scams..."
:fear::mad:
Rogue Anti-Virus SEO Poisoning
FYI...
Rogue Anti-Virus SEO Poisoning...
- http://securitylabs.websense.com/con...logs/3479.aspx
09.16.2008 - "SEO poisoning is fast becoming a trend in spreading rogue anti-virus software. This type of attack coupled with relevant news items that might be of interest to users from all walks of life is a lethal combination. Search terms related to the recent MTV Video Music Awards brouhaha and President Obama’s off-the-record comments about Kanye West, as well as updates on murdered Yale graduate student Annie Le, are the latest targets... Upon visiting these search results, visitors would be presented with the standard fake / rogue AV Web site. To make matters worse, (real) anti-virus have very poor detection rates..."
- http://www.virustotal.com/analisis/5...896-1253125434
File setup_build6_195.exe received on 2009.09.16 18:23:54 (UTC)
Result: 1/41 (2.44%)
- http://www.virustotal.com/analisis/5...10e-1253125440
File Soft_71.exe received on 2009.09.16 18:24:00 (UTC)
Result: 3/41 (7.32%)
(Screenshots of the fake AV Web site, as led to by the search engine, available at the Websense URL above.)
- http://isc.sans.org/diary.html?storyid=7144
Last Updated: 2009-09-17 07:36:18 UTC
:fear::mad::fear:
Fake Twitter accounts for Fake AV
FYI...
Fake Twitter accounts for Fake AV
- http://www.f-secure.com/weblog/archives/00001773.html
September 20, 2009 - "We're seeing more and more fake Twitter accounts being auto-generated by the bad boys. The profiles look real. They have variable account and user names (often German) and different locations (US cities). They even upload different Twitter wallpapers automatically... All the tweets sent by these accounts are auto-generated, either by picking up keywords from Twitter trends or by repeating real tweets sent by humans. And where do all the links eventually end up to? Of course, they lead to fake websites trying to scare you into purchasing a product you don't need..."
(Screenshots available at the URL above.)
- http://www.sophos.com/blogs/gc/g/200...ttack-twitter/
September 21, 2009
:fear::mad: