Has your credit card been stolen?

In the last three months we have seen some activity regarding a bot C&C Server named Apophis. Here you can see a few screenshots:

Screenshots of the panel (not reproduced here): Login, Statistics, Configuration, Settings, Templates, and a few more.

Today we have gained access to a new Apophis C&C server. Looking at the files stored on the server, we found an encrypted file that seemed to hold valuable information. We decrypted it: it is an Excel file containing information about 1,435 people, including:

- Full name

- Address (Street, City, State, Zip, Country)

- Phone

- E-mail

- CC number

- CVV

- CC exp. date

- Bank info

This is the number of affected users per country (the totals add up to 1,435):

| Users | Country |
|---|---|
| 994 | USA |
| 64 | Italy |
| 53 | Netherlands |
| 48 | Israel |
| 47 | Belgium |
| 43 | Sweden |
| 38 | Norway |
| 32 | United Kingdom |
| 21 | Canada |
| 15 | Spain |
| 14 | Greece |
| 14 | Switzerland |
| 13 | France |
| 12 | Germany |
| 7 | Austria |
| 5 | China |
| 3 | Bulgaria |
| 3 | Croatia |
| 3 | Poland |
| 1 | Estonia |
| 1 | Iceland |
| 1 | Latvia |
| 1 | Lithuania |
| 1 | Russia |
| 1 | Ukraine |

Every field is filled for every record except phone and e-mail address, which are stored for 994 users, all of them from three countries: USA, UK and Canada. Scary. We are contacting the different banks in order to avoid major problems for the users.
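As an added example that is not part of the original post, this is the kind of triage script an incident responder would run over such a recovered dump before notifying banks (assuming the spreadsheet was exported to CSV; the rows below are constructed test values, not the real data): it Luhn-checks each card number, masks it to issuer prefix and last four digits, counts victims per country and records which entries carry phone and e-mail, so each issuer can be told about its own cards without full numbers being circulated.

```python
"""Triage of a recovered card-dump spreadsheet (constructed sample): Luhn-check
PANs, mask them, count victims per country and flag records with contact data."""
import csv
import io
from collections import Counter, defaultdict

# Constructed sample rows mirroring the dump's fields; card numbers are test PANs.
SAMPLE_CSV = """name,street,city,state,zip,country,phone,email,cc,cvv,exp,bank
Alice Example,1 Main St,Springfield,IL,62701,USA,555-0100,alice@example.org,4111111111111111,123,12/09,Example Bank
Bob Example,2 Side St,Austin,TX,73301,USA,,,4111111111111112,456,01/10,Example Bank
Carla Esempio,Via Roma 3,Milano,MI,20100,Italy,,,5555555555554444,789,06/09,Banca Esempio
Dan Example,4 High St,London,,SW1A 1AA,United Kingdom,020 7946 0000,dan@example.org,378282246310005,1234,03/10,Example PLC
"""

def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check; a failing PAN is a typo or filler, not a live card."""
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) < 12:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Keep the issuer prefix (first 6) and last 4; blank out the rest."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def triage(csv_text: str) -> dict:
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    per_country = Counter(r["country"] for r in rows)
    with_contact = sum(1 for r in rows if r["phone"] and r["email"])
    # Group valid, masked PANs by issuer prefix so each bank gets only its own records.
    by_bin = defaultdict(list)
    invalid = 0
    for r in rows:
        if not luhn_ok(r["cc"]):
            invalid += 1
            continue
        by_bin[r["cc"][:6]].append(mask_pan(r["cc"]))
    return {"total": len(rows), "per_country": dict(per_country),
            "with_contact": with_contact, "invalid_pans": invalid,
            "by_bin": dict(by_bin)}
```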

Posted under Malware Alerts

This post was written by Ted on August 22, 2007

Tags:

Thanks to Vicente for all the research.

Posted under Malware Alerts

This post was written by Luis Corrons on August 20, 2007

Tags:

Easy money: affiliate programs

Today we are going to describe one of the ways cybercriminals earn some easy money. There are many marketing companies that promote web traffic to different web pages, software installations, etc. They use what they call 'affiliate programs', paying money for every piece of software installed or for the traffic generated. This web traffic is very varied: ActiveX controls, rogue anti-spyware, bundles, banners, fake codecs, iframes, etc.


They usually pay depending on the country the download comes from. Normally the USA and Europe are the best-paid countries, while countries such as China or Russia are the worst paid.


Here we can see some examples obtained from these pages:



We will pay you for installs coming from 16 countries as exposed here:
$0.40 for USA, Canada
$0.20 for United Kingdom, France, Germany, Italy, Spain, Belgium, Luxembourg, Monaco
$0.05 for Austria, Denmark, Finland, Sweden, Norway, The Netherlands
$0.01 for China, Korea, Japan


Although some of these marketing enterprises may be well-intentioned, others have been created specifically by and for cybercriminals to earn money. Here we can see a GIF file that one of these companies was using to advertise itself in an underground malware forum:



A short time ago, while analyzing a Trj/Sinowal variant (a banking Trojan) to discover where it was sending the stolen information, we found one of these websites. It turned out that this site had 4 different kits for installing malware through exploits, hosted on the same server as the page itself:

There was an IcePack, a Traffic Pro, a Prime Exploit System, and a very basic unnamed kit that used only two exploits. These kits were downloading two Trojans: Trj/Galapoper and Trj/Sinowal. This is not the first time we have seen something like this.


 


The websites where they promote themselves tend to be very eye-catching; here you can see some examples:





Posted under Malware Alerts

This post was written by Vicente Martinez on August 14, 2007

Tags: