Malicious Page of the Month

Malicious Page of the Month
This research covers the discovery by Finjan’s Malicious Code Research Center (MCRC) of 500 Mb of stolen medical, business and airline data on two hacker-operated Crimeware servers located in Argentina and Malaysia.
The data included healthcare and business related data, as well as personally identifiable information (stolen Social Security Numbers), and is part of the “premium” offering that the cybercriminals operating the Crimeservers were selling to the highest bidder online.

Finjan’s Malicious Code Research Center (MCRC) analysis showed that the data detected was part of the premium offering that the cybercriminals operating the Crimeservers were selling to the highest bidder online. As in the legitimate business world, they use pricing strategies for different customer groups.
Since stolen credit cards and bank accounts are being commoditized today, they are offered for low prices. In contrast, healthcare-related information, single sign-on login credentials for organizations, email exchanges, Outlook accounts and FTP accounts are premium goods in the criminal economy and can be traded for high prices.

Some of the implications of stolen medical and patient data include: illegal and/or bogus treatments; obtaining prescription drugs for the purpose of selling them; loss of health coverage for the victimized patient; inaccurate records of victimized patients, which could result in incorrect and potentially harmful treatments. Healthcare providers could also face potential HIPAA violations or breach of general data protection legislation.

May 2008

Malicious Page of the Month
This research covers the discovery of a server controlled by hackers (Crimeserver) containing more than 1.4 gigabytes of business and personal data stolen from infected PCs. The data consisted of 5,388 unique log files. Both email communications and web-related data were among them.
This analysis contains findings indicating that Crimeware has reached a new level of sophistication. We detected a Crimeserver which was used as the command and control server for the Crimeware that was executed on infected PCs. This Crimeserver was also used as the “drop site” for private information being harvested by that Crimeware. The Command & Control applications on this Crimeserver enabled the hacker to manage the actions and performance of his Crimeware, giving him control over the uses of the Crimeware as well as its victims. Since the stolen data was left unprotected on the Crimeserver, without any access restrictions or encryption, the data were freely available to anyone on the web, including criminal elements.

April 2008

Malicious Page of the Month
This analysis shows the commercialization of stolen FTP server credentials of legitimate companies as well as how the deployment of ready-made Crimeware toolkits has gained momentum. It takes a close look at the latest version of one of those Crimeware toolkits - NeoSploit version 2. When examining a server hosting the latest version of this Crimeware toolkit, we also found an almost unnoticeable standalone application, especially designed to abuse and trade stolen FTP account credentials of legitimate companies around the world. More than 8,700 FTP servers’ credentials of highly respected organizations and enterprises were thus stolen, including valid user names and passwords.

February 2008

Malicious Page of the Month
This analysis is geared towards helping our customers to understand how current threats are created. It also examines the methodologies used by Crimeware authors to increase the infection rate and to evade conventional security measures.
More than 10,000 websites in the US were infected in December by a new variant of a crimeware toolkit. The attack, which Finjan has designated “random js toolkit”, is an extremely elusive crimeware Trojan that infects an end user’s machine and sends data from the machine via the Internet to the Trojan's “master”, a cybercriminal.

January 2008

Malicious Page of the Month
This analysis highlights the increased malicious activity coming out of China in recent months. While examining these types of attacks and the mechanisms involved in executing them, we will show the intricate network of connections between Chinese-based servers whose main purpose is to conduct criminal activity, and how attackers are utilizing this network as a “clearing house” for the attacks themselves.

November 2007

Malicious Page of the Month
This report presents examples of web attacks which can be executed very easily and stay active for a long time. This attack vector was spotted during October by Finjan’s Malicious Code Research Center (MCRC) when searching for popular services with a slight change of the top level domain names.
Attacks using this method typically involve a domain name that is strikingly similar in spelling to the domains of legitimate sites. Leveraging the similarity to legitimate and frequently used domain names enables these attacks to go unnoticed by webmasters and security solution providers.

October 2007

Malicious Page of the Month
This month we have chosen to look at another aspect of web security – domain names. Taking a note from similar malicious activities done on the internet, web attackers are employing techniques that not only exploit software bugs, but also human trust and instinct. Hosting malicious code on domains registered to look like legitimate ones (misspelled service domains) gets the malicious code more time in the wild before it gets reported and removed. This publication shows a few examples of such attacks, and the trust boundaries being exploited in order to maximize the effects of the malicious code. Once again we also show that by truly scrutinizing the actual code in real-time with complete disregard of its origin (demonstrated with the SecureBrowsing plugin), one can assess the true security of a site.

September 2007

Malicious Page of the Month
Code obfuscation wasn't originally developed for spreading malicious content on the web, and can be easily generated by automated utilities. This edition focuses on a successful exploitation discovered in the wild that used a legitimate code obfuscation utility. This is a frightening proof-of-concept, since crimeware authors can use free obfuscation utilities to mask their malicious code, and then test the code against a variety of online security products before releasing it, in order to verify its ability to avoid detection.

August 2007

Malicious Page of the Month - When Trojans Go Phishing
Finjan has identified 58 criminals using the MPack toolkit who have successfully infected over 500,000 unique users. The infection ratio stands at 16% from 3.1 million attempts – indicated by the web traffic volumes of the infecting sites. Finjan’s analysis indicates that the crimeware being used within MPack steals bank account information, such as user name, password, credit card number, social security number, etc., in a creative way. The crimeware is capable of stealing account information from several banks around the world without leaving any traces behind. Stolen data is being sent to the criminals over a secure communication channel (SSL) to avoid detection.

July 2007

Malicious Page of the Month
This installment focuses on “do-it-yourself toolkit – exploit for sale” techniques used to exploit current vulnerabilities on web-based applications. The Multi Exploit Pack v3.1 supports eight exploits, as well as using evasive technologies to minimize the malicious code’s visibility. The page analyzed in this report was one of thousands discovered by the Finjan SecureBrowsing™ security browser extension, all pointing to the same source of malicious code.

May 2007

Malicious Page Under Benchmark
In this installment of the Malicious Page Under Benchmark, we run a known art catalogue website containing obfuscated malicious code (as detected by Finjan) through a variety of security solutions, ranging from Anti-Virus, Anti-Malware, and URL Filtering solutions, to see how they cope with recent attack vectors as seen in the wild.

April 2007

Malicious Page of the Month
Finjan detected malicious behavior on a major news website that was the result of a probable hacking attempt. This release of the Malicious Page of the Month inspects the attack vector, analyzes the code involved in the infection of the website's visitors, and examines how URL Filtering solutions would cope with such changes on highly reputable sites that become malicious overnight.

April 2007

Malicious Page Under Benchmark
Finjan benchmarked a page from a long-known source of malicious code against 32 web security products, using an independent online security benchmark website. Finjan’s Vital Security™ Web Appliance was the only product that managed to proactively detect and block the code without any product update or signature, illustrating the difference between real time code inspection versus other security products and technologies.

March 2007

Malicious Page of the Month
Malicious Page of the Month covers new techniques used to exploit the proliferation of AJAX-based web applications (a.k.a. Web 2.0).

March 2007

© Copyright 1996 - 2008. Finjan Inc. and its affiliates and subsidiaries. All rights reserved.