Inside Recent Point-of-Sale Malware Campaign Activities
Curt Wilson, Dave Loftus, Matt Bing
An active Point of Sale (PoS) compromise campaign designed to steal credit and debit card data using the Dexter and Project Hook malware has been detected. Indicators of compromise will be provided for mitigation and detection purposes. Prior to the publication of this Threat Intelligence document (embedded at the end of this post), members of the FS-ISAC, major Credit Card vendors and law enforcement were notified.
It appears that there are [...]
The Athena malware family has existed for quite some time and appears to have a love/hate relationship based on posts in various “underground” forums. The original version was IRC-based, but earlier this year an HTTP-based version was released. While not as prevalent as other malware families, Athena has had a strong presence in our malware processing system for quite some time. This blog post will discuss its origins, DDoS capabilities, and go over its latest evolution and offer some [...]
The roll out of the Healthcare.gov site in the United States has been met with a significant amount of news coverage. Reports have indicated that the site has been inaccessible to some people when they have attempted to visit it. ASERT has no direct knowledge of any significant denial of service attacks directed towards the site. However, ASERT has recently found one tool that is designed to overload the webpage.
The standalone tool is written in Delphi and performs layer seven [...]
The basics of Beta Bot were covered by Limor Kessem on the RSA blog. As a quick feature summary:
What our ATLAS data highlights is just how commonplace DDoS attacks have become – not only in terms of frequency, but also in terms of how many Internet users are impacted by DDoS. It’s not just a problem for large, global organizations and service providers; anyone with an Internet connection can be caught in the crossfire of an attack. The ‘collateral damage’ of an attack against a large organization or service provider is the people that rely on [...]
The past few weeks have been busy with pop culture releases. Today we can measure pop culture not by the line at the record store for that new album, or the brave fans sleeping outside for front row seats for the next hot concert, but rather by network bandwidth traffic to and from locations across the internet.
Recently, we saw the release of Apple Inc.’s new iOS 7 software for the iPhone. Arbor’s ASERT noticed that Apple released the update almost [...]
While banking malware or “bankers” have a lot of functionality, they are defined by their Man-in-the-Browser (MITB) implementation. This mechanism allows them not only to steal banking usernames and passwords, but also to inject arbitrary content into banking websites in order to social engineer victims and try to steal additional credentials such as identifying information, PINs, and token codes.
The paper below will walk through Citadel’s MITB implementation for the Firefox web browser. Citadel was chosen as the malware of interest because [...]
From our founding more than a dozen years ago, Arbor has studied network traffic. We started as a research project at the University of Michigan, looking at routing instability on large distributed networks. This led from monitoring network traffic, and modeling it, to identifying anomalies related to DDoS attacks. With that, Arbor Networks was commercialized and the concept of wide-scale network behavior analysis was born.
In that time, everything about DDoS has changed. What was once dismissed as a basic attack, [...]
The last time I wrote about Drive it was still following the old model of DirtJumper-variant phone-homes and all the communications were in plaintext. I recently discovered a new variant that diverges from the DirtJumper-variant phone home and adds a number of new attacks, including one that attempts to bypass some known mitigation techniques that it calls -smart and appears to be one of the first pieces of DDoS [...]
In recent months, several researchers have highlighted an uptick in brute-force password guessing attacks targeting blogging and content management systems. Arbor ASERT has been tracking a campaign we are calling Fort Disco that began in late May 2013 and is continuing. We’ve identified six related command-and-control (C&C) sites that control a botnet of over 25,000 infected Windows machines. To date, over 6,000 Joomla, WordPress, and Datalife Engine installations have been the victims of password guessing.
Understanding an attack campaign by only [...]