The PhishLabs Blog

Digging Deeper into IRS Phishing Attacks: How Do They Work and Who are the Scammers Behind Them?


Recently, the media has been exploding with articles noting a massive increase in tax fraud phishing scams. The IRS publicly announced that they had seen a 400 percent increase in phishing incidents so far this year targeting taxpayers. Phishing is even on the IRS’ “Dirty Dozen” list of scams for the 2016 tax season.

Topics: Phishing, Fraud, Phish Kit, Spear Phishing, IRS Phishing Attacks

Understanding Bitcoin - the virtual currency of choice for cybercriminals and terrorists

Posted by Andre Correa on Dec 18, '15

Bitcoin is a decentralized, P2P network-based virtual currency that has only grown in popularity and controversy since its creation in 2008. It is believed that more than 100,000 legitimate businesses accept Bitcoins and 95 percent of all cryptocurrency transactions utilize BTC.

Topics: DDoS, Fraud, Crimeware, Ransomware, Bitcoin

Camera DDoS Attacks, New BEC Strategies, TalkTalk Hack Arrests, and more | TWIC - October 30, 2015

Posted by Lindsey Havens on Oct 30, '15

Each week, the PhishLabs team posts The Week in Cybercrime (TWIC) to recap noteworthy cybercrime articles and reports (open source).

Topics: Phishing, PhishLabs, DDoS, Fraud, Exploit, Strategy, The Week in Cybercrime, Data Breach, Botnet, Hacked, Spear Phishing Protection, Breach

High Schooler Hacks, Financial Security Weaknesses/Developments, Dark Web Pricing, and more | TWIC - October 23, 2015

Posted by Lindsey Havens on Oct 23, '15

Each week, the PhishLabs team posts The Week in Cybercrime (TWIC) to recap noteworthy cybercrime articles and reports (open source).

Topics: Phishing, Malware, Fraud, Exploit, Strategy, Vulnerability, The Week in Cybercrime, Hacked, Patch, Spear Phishing Protection

Stolen Military Information, ATM Fraud Prevention, Dridex Botnet Takedown, and more | TWIC - October 16, 2015

Posted by Lindsey Havens on Oct 16, '15

Each week, the PhishLabs team posts The Week in Cybercrime (TWIC) to recap noteworthy cybercrime articles and reports (open source).

Topics: Phishing, Malware, Fraud, Exploit, Strategy, Adobe, Hacker Tools, The Week in Cybercrime, Hacked, Patch, Spear Phishing Protection

Multiple Credit Card Breaches, Smartphone DDoS Attack, Developer Applications Targeted, and more | TWIC - October 2, 2015

Posted by Lindsey Havens on Oct 2, '15

Each week, the PhishLabs team posts The Week in Cybercrime (TWIC) to recap noteworthy cybercrime articles and reports (open source).

Topics: Phishing, Malware, DDoS, Fraud, Hacker Tools, The Week in Cybercrime, Phone Fraud, Data Breach, Hacked, Breach

Did FFIEC guidelines curb account takeover? Survey says…

Posted by Lindsey Havens on Sep 9, '15

In a recent study conducted by Info Security Media Group (ISMG), respondents indicated that, despite efforts to comply with updated authentication guidance set forth by the Federal Financial Institutions Examination Council (FFIEC), account takeover (ATO) has not decreased. In fact, 71 percent of respondents said that account takeover incidents either stayed the same or increased over the past year.

Topics: Fraud, ATO, Account Takeover

Carbanak Banking Malware, State Tax Refund Fraud, Phone Spying and more | TWIC - February 20, 2015

Posted by Lindsey Havens on Feb 20, '15

Each week, the PhishLabs team posts The Week in Cybercrime (TWIC) to recap noteworthy cybercrime articles and reports (open source).

Topics: Malware, Fraud, Trojan, The Week in Cybercrime, Android

Big data, big [illicit] business

Posted by Lindsey Havens on Jan 9, '15

True to form, cybercriminals not only stole funds, personally identifiable information, credentials, bank account information, health records and more in 2014, but they also poached legitimate business tactics and strategies to bolster illicit operations. In a recent interview with Dell SecureWorks’ David Shear, BankInfoSecurity’s Tracy Kitten uncovers trends in the underground cybercrime market. Most notable is the growing trend of “Cybercrime-as-a-Service” (CaaS).

In 2015, we can expect to see a continued increase in the number of underground operations offering full-service cybercrime. Just as in any marketplace, competition continues to rise in the underground, resulting in the constant evolution of services and new features. Some key attributes of leading suppliers of CaaS closely resemble those of a valid business, including:

  • Superior customer service
  • Tutorials and training
  • Satisfaction guaranteed
  • Value-added data (personally identifiable information documentation such as a driver’s license or a utility bill to enable authentication)
  • Reputation for delivering quality services

Data reigns in the underground

Topics: Fraud, Account Takeover, Cybercrime-as-a-Service

Cybercriminals abuse charities to verify stolen credit card data


It should come as no surprise that cybercriminals have yet again displayed superior moral character with a scheme exploiting websites of non-profit organizations to verify stolen card data. PhishLabs’ R.A.I.D (Research, Analysis, and Intelligence Division) has uncovered an underground service that allows cybercriminals to use an interactive chat bot to automate the verification of stolen payment card data. The bot is a script programmed to log in to an online chat channel and monitor it for messages containing data such as credit card numbers, cardholder names, and expiration dates using a special input syntax. Miscreants are purposefully targeting websites of non-profits with this service to verify stolen credit card data.

Bot design and implementation

When cybercriminals join the online channel and "chat," the bot uses the data provided (cardholder name and information) to input and run transactions against the websites of charities and other non-profits in order to verify that the card data is correct and the account is active. The bot then reports the results and any transaction details back to the crook.

The bot interacts as a user on an IRC (Internet Relay Chat) channel. Functions like card verification are handled through private messages between a moderator, the criminal service's customer, and the bot's own "user" ID on the same chat channel. These messages contain bot commands formatted using a specific syntax recognized by the bot. Using the private message feature allows the service's users to chat openly with each other but keep messages that contain things like valuable card data out of the hands of the other criminals on the channel.

The bot itself is a program implemented in the Perl programming language. Although based on a design for IRC interactions that dates back many years, this bot uses specific modules and code customized for cybercrime purposes first seen in 2011. This particular strain of criminal-tailored code is known for its use of Portuguese for comments and variable names.

The source code to those bots is available, but compared to those older bots that were coded for a single main purpose, the bot used in this case is larger and more complex, handling many different functions that cybercriminals may find useful. Indeed, in addition to automated card verification, this bot also includes modules for tasks such as:

  • Checking tracking numbers on packages, for example, used by the channel members to track items purchased using stolen cards through a "reshipper" network
  • Address and ZIP code verification for cardholder identity data

However, card verification seems to be the primary use, and that's the main draw for the service's customers. See Figure 1 for a snippet of code showing the card verification data.

Figure 1 - Bot source code snippet showing card data approval messages

Topics: Fraud

   

What's this all about?

The PhishLabs Blog is where we share our insights and thoughts on cybercrime and online fraud.
