A Cybercrime Hub
Trend Micro Threat Research
Trend Micro, Incorporated
A Trend Micro White Paper | August 2009
TABLE OF CONTENTS

INTRODUCTION
THE CYBERCRIME COMPANY
ROGUE DNS SERVERS
INTRANET OF CYBERCRIME
NETWORK OF SOCKS4 PROXIES
REPLACING ADS
HIJACKING GOOGLE SEARCH QUERIES
PUSHING ROGUE ANTIVIRUS
CONCLUSION
INTRODUCTION

Tartu, Estonia is the hometown of an Internet company that, from the outside, looks just like any other legitimate Internet service provider (ISP). On its website (see Figure 1), the company lists services such as hosting and advertising. According to publicly available information, it posted more than US$5 million in revenue and had more than 50 employees in

Figure 1. The corporate website of the Estonian company

In reality, however, this company has been serving as the operational headquarters of a large cybercrime network since. Its employees administer sites that host codec Trojans and command-and-control (C&C) servers that steer armies of infected computers from its office in Tartu. The criminal outfit uses a lot of daughter companies that operate in Europe and in the United States. These daughter companies' names quickly draw heat when they become involved in Internet abuse and other cybercrimes. They disappear after getting bad publicity or when upstream providers terminate their contracts. This does not cause much harm to the operation as a whole, however, as the same cybercriminal outfit simply continues its business under a new name. In fact, constantly changing names is part of the company's business model, with a few constants, one of which is the mother company in Tartu. Although explicit evidence exists that the Estonian company is heavily involved in cybercrime, the company could also be just another façade of a bigger cybercriminal gang whose investors reside in another country such as Russia or the United States. In fact, it is not at all unlikely that foreign criminal investors put their money into the Estonian company so they do not have to do the dirty work themselves.

This paper provides detailed data on some of the cybercrimes that this Estonian company has been involved with. It also provides statistics on advertising fraud committed on legitimate websites. Furthermore, it explains the backend structure of fraud with Google search queries and shows that around 100,000 unique Internet users per day get a bogus message saying, "You are infected with a virus, please download this piece of free antivirus software," whenever they attempt to access high-traffic pornography websites. Finally, it also briefly discusses the internal network of the Estonian company, which shows how all of its activities relate to one another.

Figure 2. The corporate website of one of the Estonian company's many daughter companies
THE CYBERCRIME COMPANY

The director of the Estonian company has been convicted for credit card fraud, but he was still able to build a network of companies in Europe and in the United States. His companies continue to offer the following services:
- Web hosting
- Advertising
- Internet traffic distribution
- Pay-per-click (PPC) advertising
- Parking domain site hosting

All of the above-mentioned activities are part of the same criminal operation. At present, the company owns a few networks in the United States and leases or owns servers in numerous datacenters around the world. Spreading its activities over several datacenters lowers the risk that it will suddenly go out of business when upstream providers terminate their services. This is exactly what happened in Fall 2008, when the Internet connectivity in its datacenter in San Francisco was terminated. This caused serious problems for the business, but they were quickly averted by moving to other datacenters.

A lot of the company's employees seem to be young students, somewhere in their 20s, who live in the Tartu area in Estonia. A few of them have acted as spokesmen for the company, flatly denying serious allegations made against it, such as those on the site of Washington Post blogger Brian Krebs. These spokesmen must be fully aware of what the company is doing, while some of the other employees may not completely realize the implications of the work they do. Some of them do not hesitate to make their identities and their activities known. For instance, a Web developer who joined the company in 2008 proudly published a portfolio containing sites that he developed during his employment. This is a natural thing to do for a Web developer. In this case, however, his portfolio consisted not only of corporate websites but also of websites that have been used to lure Internet users into installing Trojans that posed as helpful software such as video codecs and file compression software.
ROGUE DNS SERVERS

One of the Estonian company's biggest assets is a set of hundreds of rogue Domain Name System (DNS) servers that have been active since 2005. These DNS servers look like ordinary recursive DNS servers; the only difference is that they resolve thousands of domain names to foreign malicious IP addresses instead of the actual legitimate IP addresses. DNS changer Trojans silently change the settings of victims' computers to point to a foreign, rogue DNS server. Their victims are therefore put at great risk, as they can be redirected to any site every time they browse the Internet. They thus become vulnerable to malicious and spoofed websites and may become unwitting participants in a large-scale click fraud scheme.

It appears that the Estonian company controls every step, from driving traffic to sites with DNS changer Trojans to maintaining rogue DNS servers. It also appears to maintain the foreign malicious IP addresses to which its victims are redirected when they attempt to access a legitimate site such as Google. The rogue DNS servers have been active since 2005, with high-quality Internet connectivity in datacenters on the East and West coasts of the United States. Its pool of victims is still aggressively expanding today with the aid of advanced social engineering tactics.
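The two observable symptoms of a DNS changer infection described above, a resolver that points outside the networks a host should use and answers for high-value names that differ from a trusted resolver, can be checked from the defender's side. The following is an added example written for this page, not Trend Micro's tooling; the allowed networks, the resolv.conf fragment and all addresses (documentation ranges) are constructed, and the watched names follow the sites the paper says were targeted.

```python
"""Detect DNS-changer style tampering on a host.

Two checks, both offline over constructed data:
  1. Is the configured resolver outside the networks we expect?
  2. Do answers from the configured resolver for high-value names
     (search engines, ad networks, high-traffic sites) disagree with
     a trusted reference resolver?
"""
import ipaddress
import re
from typing import Dict, List, Tuple

# Resolvers a host on this (hypothetical) network is allowed to use:
# RFC 1918 space for the internal DNS plus a documentation-range block
# standing in for the public resolvers an organisation trusts.
ALLOWED_RESOLVER_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# Names worth watching: the paper describes rogue answers for Google's
# country sites, ad networks (DoubleClick, Yieldmanager) and redtube.com.
WATCH_DOMAINS = [
    "www.google.com", "www.google.co.uk", "www.google.de",
    "ad.doubleclick.net", "ad.yieldmanager.com", "www.redtube.com",
]

# Constructed /etc/resolv.conf of an infected host: the Trojan replaced
# the DHCP-supplied resolver with servers in a foreign network.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
search corp.example
nameserver 203.0.113.53
nameserver 203.0.113.54
"""

# Constructed answers. REFERENCE_ANSWERS is what a trusted resolver
# returns; ROGUE_ANSWERS is what the tampered host's resolver returns.
REFERENCE_ANSWERS = {
    "www.google.com": "198.51.100.10",
    "www.google.co.uk": "198.51.100.11",
    "www.google.de": "198.51.100.12",
    "ad.doubleclick.net": "198.51.100.20",
    "ad.yieldmanager.com": "198.51.100.21",
    "www.redtube.com": "198.51.100.30",
}
ROGUE_ANSWERS = dict(REFERENCE_ANSWERS)
ROGUE_ANSWERS.update({
    "www.google.co.uk": "203.0.113.80",     # spoofed search front end
    "ad.yieldmanager.com": "203.0.113.81",  # spoofed ad server
    "www.redtube.com": "203.0.113.82",      # rogue AV landing page
})


def parse_resolv_conf(text: str) -> List[str]:
    """Return the nameserver addresses listed in a resolv.conf body."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments
        m = re.match(r"nameserver\s+(\S+)$", line)
        if m:
            servers.append(m.group(1))
    return servers


def foreign_resolvers(nameservers: List[str]) -> List[str]:
    """Resolvers that fall outside every allowed network."""
    bad = []
    for ns in nameservers:
        try:
            addr = ipaddress.ip_address(ns)
        except ValueError:
            bad.append(ns)          # not even an IP: treat as suspicious
            continue
        if not any(addr in net for net in ALLOWED_RESOLVER_NETS):
            bad.append(ns)
    return bad


def mismatched_answers(configured: Dict[str, str],
                       reference: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """(name, configured_ip, reference_ip) for each watched name that differs."""
    out = []
    for name in WATCH_DOMAINS:
        got, want = configured.get(name), reference.get(name)
        if got != want:
            out.append((name, got, want))
    return out


def assess(resolv_conf: str, configured: Dict[str, str],
           reference: Dict[str, str]) -> Dict[str, object]:
    """Combine both checks into one verdict dictionary."""
    bad_ns = foreign_resolvers(parse_resolv_conf(resolv_conf))
    diffs = mismatched_answers(configured, reference)
    return {
        "foreign_resolvers": bad_ns,
        "mismatches": diffs,
        "likely_dns_changer": bool(bad_ns) and bool(diffs),
    }


if __name__ == "__main__":
    verdict = assess(SAMPLE_RESOLV_CONF, ROGUE_ANSWERS, REFERENCE_ANSWERS)
    for ns in verdict["foreign_resolvers"]:
        print(f"resolver outside allowed networks: {ns}")
    for name, got, want in verdict["mismatches"]:
        print(f"{name}: configured resolver says {got}, reference says {want}")
    print("likely DNS changer victim:", verdict["likely_dns_changer"])
```

On a live host the two answer maps would come from querying the configured resolver and a trusted one for each watched name; a resolver outside the allowed networks with no answer mismatches still deserves a look, since rogue answers are only served for the domains the operators care about.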
INTRANET OF CYBERCRIME

The Estonian company appears to be using a network comprising around 280 domain names ending with .intra for its server network. Using .intra domain names for internal servers seems to be a convenient way to automate tasks and to quickly move servers to different locations without the need to change written code. The 280 .intra domain names clearly indicate that one gang is maintaining and deploying the vast network of backend website servers that host codec Trojans, websites that drive traffic to these codec sites, servers that host the C&C servers of the codec Trojans, and servers that host the click fraud-related components of the Trojans.

  portal2.intra     IN A x.x
  codecsoft3.intra  IN A x.x
  metaparser.intra  IN A x.x
  adsclick.intra    IN A x.x
  pharma1.intra     IN A x.x
  tds.intra         IN A x.x

The table above shows the DNS resolutions of some of the private .intra domain names of the Estonian company's intranet. The following illustrates how backend servers are involved in one particular Trojan infection that occurs when an Internet user visits a website such as vivalatube.com:
- vivalatube.com is hosted on a backend server called portal2.intra.
- portal2.intra hosts pornography portal websites like vivalatube.com and drives traffic to examplefooter.com.
- examplefooter.com hosts a codec Trojan that is supposedly needed to view special video content but is actually a DNS changer.
- examplefooter.com is hosted on a backend server called codecsoft3.intra. The "codec" part in codecsoft3.intra is not a coincidence.
- An infected user is redirected to foreign sites by the Traffic Distribution System at the tds.intra domain (IP address: x.x).
- The infected user sees pharmaceutical ads instead of legitimate ones on many of the websites he/she visits. The ads redirect the user to the pharma1.intra domain (IP address: x.x), which advertises Vimax pills.
- The user's Google toolbar requests get hijacked by the adsclick.intra domain (IP address: x.x).
- The backend server metaparser.intra determines which ads the user will see in place of the Google ads.

There are several other similar examples that suggest a single company controls the portals and infection mechanisms involved. One company is behind the pornography sites riddled with Trojan codecs, the C&C servers that are contacted when victims get infected and those used to steal personal information, and the fraudulent ads: everything from the initial infection to the exploitation of infected hosts.

Until Fall 2008, the Estonian company was an Internet Corporation for Assigned Names and Numbers (ICANN)-accredited domain name registrar. The cybercriminal gang thus controlled yet one more step in cybercrime: anonymous domain registration. People who complained about domain names like vivalatube.com around that time by contacting the registrar or the Web hosting company were in fact sending their complaints to the cybercriminal gang itself. In November 2008, ICANN revoked the company's accreditation, as the association became aware that the company owner had been convicted for credit card fraud.
NETWORK OF SOCKS4 PROXIES

The Estonian company appears to have an extensive network of more than 450 SOCKS4 proxies hosted on dedicated servers in at least 15 different networks around the world. The internal backend servers of the cybercriminals use these proxies to commit fraud with legitimate search engines. For instance, the Google search queries of DNS changer Trojan victims are relayed via backend servers through proxies to Google's real servers. This enables the company to show real Google search results to victims and also to hijack those results. The large number of proxies (more than 400) spreads the load so that Google does not notice the fraud. The .intra zone file reflects a network of proxies such as:

  gfeedproxy5.intra  IN A x.x

gfeedproxy5.intra serves as an intermediary hop for proxying Google search queries to Google's real servers.
REPLACING ADS

Figure 3 shows the CNN website as seen by an infected user (on Monday, January 5, 2009). Everything on it looks normal, except perhaps for the Vimax pills ad. The nature of this ad makes it somewhat unusual for it to be displayed on a mainstream news website. In fact, the Vimax pills ad is not what CNN intended to show to its visitors (see Figure 4). The ad should instead show a car for sale. The Vimax pills ad was inserted by a foreign party who uses DNS tricks to replace legitimate ads with its own, committing click fraud. Only Trojan-infected Internet users, however, will see ads other than those originally intended. Those who are not infected will just see the websites as they were designed.

Figure 3. CNN as seen by a DNS changer victim

So, how does this fraudulent advertising scheme work? When an Internet user visits a website like CNN, the ads on it are loaded from servers outside its network, such as the servers of ad agencies like DoubleClick or Yieldmanager.com. The ads that appear on victims' systems, however, are loaded from foreign servers instead of from DoubleClick or Yieldmanager.com. The most prevalent Trojans involved here are DNS changer Trojans, which silently modify the DNS settings of victims' systems to point to foreign IP addresses.

We found several servers involved in a setup administered by the Estonian company in question. One of the servers contained numerous banner ads of varied sizes featuring different campaigns, including the Vimax ads. These banner ads are meant to replace those from ad companies such as DoubleClick on legitimate websites, as shown in Figure 3 above.

Figure 4. CNN as seen by an unaffected user
Another server hosted spoofed versions of the legitimate websites of ad companies, such as ad.yieldmanager.com on Yahoo! These spoofed sites contained scripts that parse ad URLs. For example, the scripts determine the size of the banners that should be embedded in legitimate websites so that the foreign ads can seamlessly replace the actual ones; the layout of the site looks the same.

Figure 5. Number of legitimate ads replaced by Vimax ads

The data gathered from the said servers made it possible to indirectly determine how many ads are actually replaced by Vimax banners per day. Note, however, that the figures presented are just a fraction of the actual number of ads that are replaced every day (see Figure 5). For instance, we know that DoubleClick ads are replaced by text-based ones, too, which are not counted in the statistics used. When a victim clicks a Vimax ad, he/she is redirected to a pharmaceutical website. It was not surprising to find that this website had its own backend server in the company's .intra network with the following DNS resolution:

  pharma1.intra  IN A x.x

Using the internal name, as mentioned earlier, makes scripting and monitoring more convenient for these cybercriminals.
HIJACKING GOOGLE SEARCH QUERIES

The same Estonian company has also been found to hijack Google search queries. In this case, DNS changer Trojan victims unknowingly connect to a spoofed Google site when they perform a search query. When they click a Google search result, they are redirected to a different site than the one the search should actually lead to. Traffic from Google thus gets stolen. This type of scheme primarily targets the google.co.uk, google.com.au, google.ca, google.de, google.es, google.fr, and google.it sites. Other major search engines like Yahoo! and Microsoft's bing.com are targeted as well.

Figure 6. How the Estonian company hijacks Google search queries

To successfully hijack Google search queries using DNS changer Trojans, victims' actual Google search queries have to be relayed from the spoofed site to the real one. This allows cybercriminals to display real Google search results in victims' browsers. It appears that the Estonian company is relaying the Google search queries of DNS changer Trojan victims through its network, which comprises more than 400 proxies. These proxies spread the load over different IP addresses so that Google does not notice the illegal activity. We believe that none of these proxies are compromised hosts; rather, they are dedicated servers in datacenters owned or leased by the Estonian company. Apart from relaying victims' search queries through the above-mentioned proxies, the said company also caches old search results so that only unique ones need to be relayed to Google. These cache servers are located on the following internal .intra servers as well:

  gcache1.intra  IN A x.x
  gcache2.intra  IN A x.x

Figure 7 shows the number of unique Google search queries that the cybercriminal operation hijacks. Note that their uniqueness lies in the originality of the keywords used and not in how many times they have been used in previous queries.

Figure 7. Number of unique Google search queries hijacked per day
PUSHING ROGUE ANTIVIRUS

When victims of DNS changer Trojans attempt to access high-traffic pornography sites such as redtube.com, they receive a message saying they cannot access the site because they have been infected by a virus that is currently attacking the pornography site. They are then prompted to download software that turns out to be fake antivirus (see Figure 8). Detailed statistics (see Figure 9) show that in July 2009, around 100,000 unique hosts visited the spoofed pornography site per day. In July 2009, we found that more than 1.8 million unique IP addresses visited the spoofed site and were, therefore, exposed to the bogus warning in a language that depended on their geographic location. This is an astonishingly high number because these Internet users are already victims of a DNS changer Trojan and they are visiting specific porn sites.

Figure 8. Rogue version of the redtube.com porn site that a DNS changer Trojan victim is redirected to

In the unfortunate event that an Internet user falls for the bogus virus warnings and installs the fake antivirus, he/she will actually install an additional Trojan on his/her system. The new Trojan frequently annoys the user with warnings that he/she is infected and needs to get a paid subscription for the fake antivirus. When the Internet user decides to purchase one, he/she is directed to a secure website (see Figure 10). We found that this billing website is controlled by the Estonian company as well. This is reflected in the .intra zone file of the company, details of which are shown in the following table:

  billing.intra        IN A x.x
  billingproxy1.intra  IN A x.x
  billingproxy2.intra  IN A x.x

Figure 9. Number of unique IP addresses exposed to bogus virus alerts while visiting high-traffic porn sites

The locations of the internal domains billingproxy1.intra and billingproxy2.intra exactly match two secure websites that are being used for selling fake antivirus. Both servers are probably frontend proxies for the actual billing server located at x.x (billing.intra).

Figure 10. Site where the fake antivirus (Winbluesoft) is sold
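The attribution method used throughout the paper, in the intranet section (vivalatube.com resolving to the address of portal2.intra) and again here (billingproxy1.intra and billingproxy2.intra matching the two billing sites), is a join of internal A records against externally observed hostnames on IP address. The following added example, written for this page and not Trend Micro's own tooling, parses a BIND-style zone fragment built from the .intra names the paper lists, tags each name with the role its naming convention suggests (a hypothetical heuristic), and maps public hostnames onto the backend servers that share their address. All addresses are constructed from documentation ranges (the paper prints them as x.x), and the public hostnames other than vivalatube.com and examplefooter.com are placeholders.

```python
"""Map an operator's internal (.intra) zone onto public-facing hosts.

Parses BIND-style "name [ttl] IN A address" records, tags each internal
name with the role its naming convention suggests, and attributes
publicly observed hostnames to backend servers by shared IP address.
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed .intra zone fragment using the hostnames the paper lists;
# addresses are TEST-NET values, not the operator's real ones.
SAMPLE_ZONE = """\
$ORIGIN intra.
; backend servers (constructed sample)
portal2        IN A 192.0.2.10
codecsoft3     IN A 192.0.2.11
tds            IN A 192.0.2.12
pharma1        IN A 192.0.2.13
adsclick       IN A 192.0.2.14
metaparser     IN A 192.0.2.15
gfeedproxy5    IN A 192.0.2.16
gcache1        IN A 192.0.2.17
gcache2  3600  IN A 192.0.2.18
billing        IN A 192.0.2.20
billingproxy1  IN A 192.0.2.21
billingproxy2  IN A 192.0.2.22
"""

# Constructed observations: public hostnames and the address each was
# seen resolving to (as from passive DNS or a crawler). The ".example"
# names are placeholders for the billing sites the paper does not name.
OBSERVED_PUBLIC = {
    "vivalatube.com": "192.0.2.10",
    "examplefooter.com": "192.0.2.11",
    "secure-pay.example": "192.0.2.21",
    "safe-billing.example": "192.0.2.22",
    "unrelated.example": "203.0.113.9",
}

# Naming-convention hints, checked in order; first match wins, so the
# more specific "billingproxy" precedes "billing".
ROLE_HINTS: List[Tuple[str, str]] = [
    ("codec", "codec Trojan hosting"),
    ("portal", "traffic-driving portal"),
    ("tds", "traffic distribution system"),
    ("pharma", "pharmaceutical ad landing"),
    ("adsclick", "ad/toolbar hijacking"),
    ("metaparser", "ad selection backend"),
    ("gfeedproxy", "search query relay proxy"),
    ("gcache", "search result cache"),
    ("billingproxy", "rogue AV billing front end"),
    ("billing", "rogue AV billing backend"),
]

A_RECORD = re.compile(
    r"^(?P<name>[A-Za-z0-9_.-]+)\s+(?:\d+\s+)?IN\s+A\s+(?P<ip>[\d.]+)\s*$")


def parse_zone(text: str) -> Dict[str, str]:
    """Return {fqdn: ip} for every A record, honouring a $ORIGIN line."""
    origin = ""
    records: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()   # ';' starts a zone comment
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1].rstrip(".")
            continue
        m = A_RECORD.match(line)
        if not m:
            continue                           # not an A record
        name = m.group("name").rstrip(".")
        if origin and "." not in name:
            name = f"{name}.{origin}"          # relative name: append origin
        records[name] = m.group("ip")
    return records


def classify(hostname: str) -> str:
    """Guess a server's role from its first label (hypothetical heuristic)."""
    label = hostname.split(".")[0].lower()
    for hint, role in ROLE_HINTS:
        if hint in label:
            return role
    return "unknown"


def attribute(zone: Dict[str, str],
              observed: Dict[str, str]) -> Dict[str, List[str]]:
    """Public hostname -> internal names that resolve to the same address."""
    by_ip = defaultdict(list)
    for name, ip in zone.items():
        by_ip[ip].append(name)
    return {host: sorted(by_ip.get(ip, [])) for host, ip in observed.items()}


if __name__ == "__main__":
    zone = parse_zone(SAMPLE_ZONE)
    for host, internals in attribute(zone, OBSERVED_PUBLIC).items():
        roles = ", ".join(f"{n} ({classify(n)})" for n in internals) or "no match"
        print(f"{host}: {roles}")
```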
CONCLUSION

This paper discussed some parts of a large ongoing cybercriminal operation that dates back to at least. An Estonian company is actively administering a huge number of servers in numerous datacenters, which together form a network to commit cybercrime. It appears that the company from Tartu, Estonia controls everything, from luring Internet users into installing DNS changer Trojans by promising them special video content to exploiting victims' machines for fraud with the help of ads and fake virus infection warnings. The company has spread its assets over numerous Web hosting companies since it was disconnected from a San Francisco datacenter in Fall 2008. Apparently, it learned its lesson and decided to lower the risk of dropping off the Internet.

TREND MICRO

Trend Micro Incorporated is a pioneer in secure content and threat management. Founded in 1988, Trend Micro provides individuals and organizations of all sizes with award-winning security software, hardware and services. With headquarters in Tokyo and operations in more than 30 countries, Trend Micro solutions are sold through corporate and value-added resellers and service providers worldwide. For additional information and evaluation copies of Trend Micro products and services, visit our Web site at

© 2009 by Trend Micro, Incorporated. All rights reserved. Trend Micro and the Trend Micro t-ball logo are trademarks or registered trademarks of Trend Micro, Incorporated. All other product or company names may be trademarks or registered trademarks of their owners.
More informationPractical guide for secure Christmas shopping. Navid
Practical guide for secure Christmas shopping Navid 1 CONTENTS 1. Introduction 3 2. Internet risks: Threats to secure transactions 3 3. What criteria should a secure e-commerce page meet?...4 4. What security
More informationLatest Business Email Compromise Malware Found: Olympic Vision
A TrendLabs Report Latest Business Email Compromise Malware Found: Olympic Vision Technical Brief TrendLabs Security Intelligence Blog Jaaziel Carlos Junestherry Salvador March 2016 Introduction Olympic
More informationFAQ (Frequently Asked Questions)
FAQ (Frequently Asked Questions) Specific Questions about Afilias Managed DNS What is the Afilias DNS network? How long has Afilias been working within the DNS market? What are the names of the Afilias
More informationhttp://docs.trendmicro.com/en-us/enterprise/trend-micro-endpoint-applicationcontrol.aspx
Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, review the readme files, release
More informationSecuring Your Business s Bank Account
Commercial Banking Customers Securing Your Business s Bank Account Trusteer Rapport Resource Guide For Business Banking January 2014 Table of Contents 1. Introduction 3 Who is Trusteer? 3 2. What is Trusteer
More informationThe Changing Face of SSL
The Changing Face of SSL New Realities Demand New Approaches Trend Micro, Incorporated» SSL underpins almost all online transactions today and the way SSL is sold is exposing organizations to excessive
More informationBeware Of Phishing A Trend Micro White Paper
Best Practices Series Botnet Threats and Solutions Phishing A Trend Micro White Paper I November 2006 TABLE OF CONTENTS Executive Summary.......................................................................3
More informationWHITE PAPER. Using DNS RPZ to Protect Against Web Threats SPON. Published June 2015 SPONSORED BY. An Osterman Research White Paper.
WHITE PAPER Using DNS RPZ to Protect An Osterman Research White Paper Published June 2015 SPONSORED BY SPON sponsored by sponsored by Osterman Research, Inc. P.O. Box 1058 Black Diamond, Washington 98010-1058
More informationMalware, Spyware, Adware, Viruses. Gracie White, Scott Black Information Technology Services
Malware, Spyware, Adware, Viruses Gracie White, Scott Black Information Technology Services The average computer user should be aware of potential threats to their computer every time they connect to the
More informationThe Reverse Firewall: Defeating DDOS Attacks Emanating from a Local Area Network
Pioneering Technologies for a Better Internet Cs3, Inc. 5777 W. Century Blvd. Suite 1185 Los Angeles, CA 90045-5600 Phone: 310-337-3013 Fax: 310-337-3012 Email: info@cs3-inc.com The Reverse Firewall: Defeating
More informationDefend Your Network with DNS Defeat Malware and Botnet Infections with a DNS Firewall
Defeat Malware and Botnet Infections with a DNS Firewall By 2020, 30% of Global 2000 companies will have been directly compromised by an independent group of cyberactivists or cybercriminals. How to Select
More informationMalware & Botnets. Botnets
- 2 - Malware & Botnets The Internet is a powerful and useful tool, but in the same way that you shouldn t drive without buckling your seat belt or ride a bike without a helmet, you shouldn t venture online
More informationGlobalSign Malware Monitoring
GLOBALSIGN WHITE PAPER GlobalSign Malware Monitoring Protecting your website from distributing hidden malware GLOBALSIGN WHITE PAPER www.globalsign.com CONTENTS Introduction... 2 Malware Monitoring...
More informationEmerging Trends in Malware - Antivirus and Beyond
Malware White Paper April 2011 Emerging Trends in Malware - Antivirus and Beyond One need only listen to the news or read the latest Twitter and media updates to hear about cyber crime and be reminded
More informationInstallation and configuration guide
Installation and Configuration Guide Installation and configuration guide Adding X-Forwarded-For support to Forward and Reverse Proxy TMG Servers Published: May 2010 Applies to: Winfrasoft X-Forwarded-For
More informationIntroduction: 1. Daily 360 Website Scanning for Malware
Introduction: SiteLock scans your website to find and fix any existing malware and vulnerabilities followed by using the protective TrueShield firewall to keep the harmful traffic away for good. Moreover
More informationStreamlining Web and Email Security
How to Protect Your Business from Malware, Phishing, and Cybercrime The SMB Security Series Streamlining Web and Email Security sponsored by Introduction to Realtime Publishers by Don Jones, Series Editor
More informationFrom Russia with Love
A Trend Micro Research Paper From Russia with Love Behind the Trend Micro-NBC News Honeypots Kyle Wilhoit Forward-Looking Threat Research Team Contents Introduction...1 Environment Setup...1 User Activity...2
More informationThe F5 Intelligent DNS Scale Reference Architecture.
The F5 Intelligent DNS Scale Reference Architecture. End-to-end DNS delivery solutions from F5 maximize the use of organizational resources, while remaining agile and intelligent enough to scale and support
More informationBest Practices for Secure Remote Access. Aventail Technical White Paper
Aventail Technical White Paper Table of contents Overview 3 1. Strong, secure access policy for the corporate network 3 2. Personal firewall, anti-virus, and intrusion-prevention for all desktops 4 3.
More informationTARGETING THE SOURCE FAKEAV AFFILIATE NETWORKS. Nart Villeneuve. A 2011 Trend Micro White Paper
TARGETING THE SOURCE FAKEAV AFFILIATE NETWORKS g Nart Villeneuve A 2011 Trend Micro White Paper Abstract The underground ecosystem provides everything required to set up and to maintain a malware operation
More information5 DNS Security Risks That Keep You Up At Night (And How To Get Back To Sleep)
5 DNS Security Risks That Keep You Up At Night (And How To Get Back To Sleep) survey says: There are things that go bump in the night, and things that go bump against your DNS security. You probably know
More informationThe Underground Economy of the Pay-Per-Install (PPI) Business
The Underground Economy of the Pay-Per-Install (PPI) Business Kevin Stevens, Security Researcher SecureWorks Counter Threat Unit (CTU) History of the PPI Business The Pay-Per-Install business model (PPI)
More informationONLINE IDENTITY THEFT KEEP YOURSELF SAFE FROM BESTPRACTICES WHAT DO YOU NEED TO DO IF YOU SUSPECT YOUR WHAT DO YOU NEED TO DO IF YOU SUSPECT YOUR
ONLINE IDENTITY THEFT KEEP YOURSELF SAFE FROM BESTPRACTICES 01 One must remember that everyone and anyone is a potential target. These cybercriminals and attackers often use different tactics to lure different
More informationDevising a Server Protection Strategy with Trend Micro
Devising a Server Protection Strategy with Trend Micro A Trend Micro White Paper» Trend Micro s portfolio of solutions meets and exceeds Gartner s recommendations on how to devise a server protection strategy.
More informationMalware, Phishing, and Cybercrime Dangerous Threats Facing the SMB State of Cybercrime
How to Protect Your Business from Malware, Phishing, and Cybercrime The SMB Security Series Malware, Phishing, and Cybercrime Dangerous Threats Facing the SMB State of Cybercrime sponsored by Introduction
More informationDon t Fall Victim to Cybercrime:
Don t Fall Victim to Cybercrime: Best Practices to Safeguard Your Business Agenda Cybercrime Overview Corporate Account Takeover Computer Hacking, Phishing, Malware Breach Statistics Internet Security
More informationFIRST WORKING DRAFT FOR PUBLIC COMMENT. StopBadware s Best Practices for Web Hosting Providers: Responding to Malware Reports.
StopBadware s Best Practices for Web Hosting Providers: Responding to Malware Reports Introduction Malware poses a serious threat to the open Internet; a large and growing share of malware is distributed
More informationThe data which you put into our systems is yours, and we believe it should stay that way. We think that means three key things.
Privacy and Security FAQ Privacy 1. Who owns the data that organizations put into Google Apps? 2. When can Google employees access my account? 3. Who can gain access to my Google Apps administrative account?
More informationWhite Paper. How to Effectively Provide Safe and Productive Web. Environment for Today's Businesses
White Paper How to Effectively Provide Safe and Productive Web Environment for Today's Businesses Table of Content The Importance of Safe and Productive Web Environment... 1 The dangers of unrestricted
More informationPortal Administration. Administrator Guide
Portal Administration Administrator Guide Portal Administration Guide Documentation version: 1.0 Legal Notice Legal Notice Copyright 2013 Symantec Corporation. All rights reserved. Symantec, the Symantec
More informationEco and Ego Apps in Japan
Eco and Ego Apps in Japan A special report based on the Trend Micro research paper written by senior threat researcher Noriaki Hayashi 1 Users face various unwanted app routines in the current mobile landscape.
More informationWHITEPAPER. How a DNS Firewall Helps in the Battle against Advanced Persistent Threat and Similar Malware
WHITEPAPER How a DNS Firewall Helps in the Battle against Advanced Persistent Threat and Similar Malware How a DNS Firewall Helps in the Battle against Advanced As more and more information becomes available
More informationWHY DOES MY SPEED MONITORING GRAPH SHOW -1 IN THE TOOLTIP? 2 HOW CAN I CHANGE MY PREFERENCES FOR UPTIME AND SPEED MONITORING 2
FAQ WHY DOES MY SPEED MONITORING GRAPH SHOW -1 IN THE TOOLTIP? 2 HOW CAN I CHANGE MY PREFERENCES FOR UPTIME AND SPEED MONITORING 2 WHAT IS UPTIME AND SPEED MONITORING 2 WHEN I TRY TO SELECT A SERVICE FROM
More informationPrimer TROUBLE IN YOUR INBOX 5 FACTS EVERY SMALL BUSINESS SHOULD KNOW ABOUT EMAIL-BASED THREATS
A Primer TROUBLE IN YOUR INBOX 5 FACTS EVERY SMALL BUSINESS SHOULD KNOW ABOUT EMAIL-BASED THREATS Even with today s breakthroughs in online communication, email is still one of the main ways that most
More informationReducing the Cost and Complexity of Web Vulnerability Management
WHITE PAPER: REDUCING THE COST AND COMPLEXITY OF WEB..... VULNERABILITY.............. MANAGEMENT..................... Reducing the Cost and Complexity of Web Vulnerability Management Who should read this
More informationMITB Grabbing Login Credentials
MITB Grabbing Login Credentials Original pre-login fields UID, password & site Modified pre-login fields Now with ATM details and MMN New fields added MITB malware inserted additional fields. Records them,
More informationDATA SHEET. What Darktrace Finds
DATA SHEET What Darktrace Finds Darktrace finds anomalies that bypass other security tools, due to the uniqueness of the Enterprise Immune System, capable of detecting threats without reliance on rules,
More informationN-CAP Users Guide Everything You Need to Know About Using the Internet! How Firewalls Work
N-CAP Users Guide Everything You Need to Know About Using the Internet! How Firewalls Work How Firewalls Work By: Jeff Tyson If you have been using the internet for any length of time, and especially if
More informationWhose IP Is It Anyways: Tales of IP Reputation Failures
Whose IP Is It Anyways: Tales of IP Reputation Failures SESSION ID: SPO-T07 Michael Hamelin Lead X-Force Security Architect IBM Security Systems @HackerJoe What is reputation? 2 House banners tell a story
More informationThe State of Spam A Monthly Report August 2008. Generated by Symantec Messaging and Web Security
The State of Spam A Monthly Report August 2008 Generated by Symantec Messaging and Web Security Doug Bowers Executive Editor Antispam Engineering Dermot Harnett Editor Antispam Engineering Joseph Long
More informationManaging Web Security in an Increasingly Challenging Threat Landscape
Managing Web Security in an Increasingly Challenging Threat Landscape Cybercriminals have increasingly turned their attention to the web, which has become by far the predominant area of attack. Small wonder.
More information:: Free but Fake: Rogue Anti-malware. Cristian Borghello, CISSP
:: Free but Fake: Rogue Anti-malware Cristian Borghello, CISSP Table of Contents Introduction 2 Analysis of a Well-known Case 3 Conclusion 7 Further Information 8 1 Introduction Most antivirus products
More informationTen Tips to Avoid Viruses and Spyware
Ten Tips to Avoid Viruses and Spyware By James Wilson, CPA (480) 839-4900 ~ JamesW@hhcpa.com Oh, the deck is stacked. Don t think for a minute it s not. As a technology professional responsible for securing
More informationWhen attackers have reached this stage, it is not a big issue for them to transfer data out. Spencer Hsieh Trend Micro threat researcher
TrendLabs When attackers have reached this stage, it is not a big issue for them to transfer data out. Spencer Hsieh Trend Micro threat researcher Advanced persistent threats (APTs) refer to a category
More informationCYBERCRIME AND THE HEALTHCARE INDUSTRY
CYBERCRIME AND THE HEALTHCARE INDUSTRY Access to data and information is fast becoming a target of scrutiny and risk. Healthcare professionals are in a tight spot. As administrative technologies like electronic
More informationStop Spam. Save Time.
Stop Spam. Save Time. A Trend Micro White Paper I January 2015 Stop Spam. Save Time. Hosted Email Security: How It Works» A Trend Micro White Paper January 2015 TABLE OF CONTENTS Introduction 3 Solution
More informationDevising a Server Protection Strategy with Trend Micro
Devising a Server Protection Strategy with Trend Micro A Trend Micro White Paper Trend Micro, Incorporated» A detailed account of why Gartner recognizes Trend Micro as a leader in Virtualization and Cloud
More informationCountermeasures against Spyware
(2) Countermeasures against Spyware Are you sure your computer is not infected with Spyware? Information-technology Promotion Agency IT Security Center http://www.ipa.go.jp/security/ 1. What is a Spyware?
More informationEmail Services Deployment. Administrator Guide
Email Services Deployment Administrator Guide Email Services Deployment Guide Documentation version: 1.0 Legal Notice Legal Notice Copyright 2013 Symantec Corporation. All rights reserved. Symantec, the
More information