Friday 16 August 2013

Earn £8,000 a MONTH with bogus apps from Russian malware factories

DIY SMS-scam kits anyone can use - even your grandparents!

Just 10 professionally run malware-making workshops in Russia are responsible for 30 per cent of the Trojans, spyware and other nasties infecting smartphones globally. That's according to a study by mobile security outfit Lookout.
These underground crime labs churn out DIY kits ideal for script kiddies looking to make a fast buck: the tools can be used to distribute malware and earn money from it with little or no coding experience or hacking skill. Once installed on a device, the malware, typically disguised as a legit, popular app, secretly texts premium-rate numbers, racking up charges on the victim's phone bill.

The Russian development centres are skilled at releasing new Android builds and configurations of their code every two weeks; organising hosting for the malware; registering short-code phone numbers that victims' mobes text; and creating marketing campaign management tools — the malware developers' customers get paid for marketing and distributing the bogus apps.
These affiliates customise their copy of the malware to make it look like the latest Angry Birds or Skype utility, for example. Then they use social networks, such as Twitter, to draw people into downloading the booby-trapped software. Almost all the malware targets Android smartphones.
"We reviewed 250,000 unique Twitter handles and of those, nearly 50,000 linked directly to these toll fraud campaigns," Lookout researcher Ryan Smith explained in a blog post.
"The victim of the scheme is usually a Russian-speaking Android user looking for free apps, games, MP3s or pornography.
"The victim may have been using a search engine or clicking through links in tweets or mobile ads, then unwittingly downloading the malicious app which secretly adds a premium SMS charge to their phone bill."
A research paper from Lookout on its Dragon Lady* investigation explains the malware creation centres have taken many ideas on how to run their businesses from legitimate small software houses.
"Organised groups of Android malware authors are operating like startups: tapping multiple individuals or organisations for specialisation in different business areas, leveraging online tools for promotion and developing affiliate programs," the Lookout team explained.
"We’ve seen evidence that these affiliate marketers have earned between $700/month to $12,000/month [£450/month to £7,800/month] from these scams, and estimate that there are thousands of individual distributors and potentially tens of thousands of affiliate websites promoting these custom SMS malware in the same manner as traditional affiliate web marketers."
More than 50 per cent of Lookout’s total malware detections during the first half of 2013 were Russian-based toll fraud. And 60 per cent of this activity can be traced back to just 10 centres in Russia.
Lookout has been actively tracking SMS fraud since the first example was found in the wild in August 2010, and in the three years since has classified Russian SMS-swindling malware into groups or "families" based on similarities in code and key features. The data has also allowed the security biz to trace individual malware families back to affiliates and to the programmers' headquarters.

Hacking with new DIY Google Dorks based hacking tool

A new version of the DIY Google Dorks based hacking tool has been released; it is an extremely useful tool for reconnaissance of targets.

A Webroot blog post announced that a new version of the DIY Google Dorks based hacking tool has been released in the wild. It can be used for mass website analysis: the index of the popular search engine is mined for information during the reconnaissance phase of an attack. Tools of this kind serve an attacker gathering information on a target environment just as well as a penetration tester mapping the architecture about to be tested. The DIY Google Dorks based hacking tool lets ill-intentioned users collect valuable information on remotely exploitable websites, information that can then be used to compromise them, for example by deploying a malicious exploit kit or by exploiting known vulnerabilities.

The tool relies on Google dorks to evaluate targets; in particular it has built-in features to assess whether a SQL injection attack is possible and to discover all the targets that are not protected by a CAPTCHA challenge. As usual the project appears to be under continuous development: the authors are still adding features, such as the ability to evaluate a target's vulnerability to a custom malicious exploit.

By composing specially crafted Google queries it is possible to reveal sensitive information essential to the success of an attack. Thanks to the advanced search operators ("dorking"), a huge quantity of information on a target can be retrieved, such as:
  • User’s credentials.
  • Sensitive documents.
  • Admin login page.
  • Email lists.
The syntax for using an advanced operator in Google is

operator_name:keyword

Some of the advanced operators and what each one restricts:
  • allintext – every keyword in the query must appear in the page text
  • intext – the keyword following the operator must appear in the page text
  • inurl – the keyword following the operator must appear in the URL
  • allinurl – every keyword in the query must appear in the URL
  • intitle – the keyword following the operator must appear in the page title
  • allintitle – every keyword in the query must appear in the page title
  • site – restricts results to the given site or domain and lists all results for it
  • filetype – restricts results to files with the given extension
  • link – finds pages that link to the given URL
  • numrange – finds pages containing a number within the given range
  • daterange – restricts results to pages indexed within the given date range
Using more complex queries an attacker can learn the status of the target, for example whether it has already been "backdoored" and which vulnerabilities potentially affect the system. The Google Hacking Database provides many example queries that help a hacker find vulnerable servers, gather information on a target, explore sensitive directories for vulnerable files, find password files, or find sensitive online shopping data. Three examples:
  • inurl:"r00t.php" – finds websites that have been hacked and backdoored and that expose their system information.
  • allintext:"fs-admin.php" – shows the world-readable directories of a plug-in that enables WordPress to be used as a forum. Many of the results also show error logs that reveal server-side paths, including the home directory name; that name is often also the login for FTP and shell access, which exposes the system to attack. There is also an undisclosed flaw in version 1.3 of the software: the author lists a security fix in version 1.4 but does not say what was patched.
  • filetype:config inurl:web.config inurl:ftp – finds web.config files exposed over FTP that contain MySqlServer connection details, including the uid and password.
The above dorks are just simple examples of the power of these search strings; after ten minutes playing with them a user gets a sense of the endless possibilities Google offers an attacker. Now imagine a single DIY Google Dorks based hacking tool that automates all these queries without requiring any particular knowledge of Google dorks: a hacker's heaven. The DIY Google Dorks based hacking tool described by Dancho Danchev offers a complete suite to automate the remote inspection of targets and their exploitation; it runs on the desktop and can also be integrated with popular browsers to make the search engine believe the generated traffic is legitimate.
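To make the operator semantics above concrete, here is an added example written for this page; it is not code from Webroot, from the tool Danchev describes, or from the Google Hacking Database. It evaluates dorks offline against a constructed inventory of pages, so a site owner can check which of their own URLs a published dork would surface before an attacker does, and it scans constructed access-log lines for visitors whose Referer is a search query containing dork operators, the trail left in the target's own logs when a result is opened from the search page. The page inventory, the log lines and the example.com hostnames are all constructed sample data; the dorks are the ones quoted in the text.

```python
"""Offline Google-dork evaluator plus a Referer check for dork-driven visits.

Added example for this page, not code from Webroot, from the tool described
above or from the Google Hacking Database. It implements the operator
semantics listed above against a constructed page inventory and scans
constructed access-log lines for search queries carrying dork operators.
"""
import re
import shlex
from dataclasses import dataclass
from urllib.parse import parse_qs, urlparse

SINGLE_OPS = {"inurl", "intitle", "intext", "site", "filetype"}  # apply to one term
ALL_OPS = {"allinurl", "allintitle", "allintext"}                # apply to every remaining term


@dataclass
class Page:
    url: str
    title: str
    body: str


def parse_dork(dork):
    """Split a dork into (operator, keyword) pairs; bare words get operator 'any'."""
    # shlex handles quoted values such as inurl:"r00t.php"; typographic quotes are normalised.
    tokens = shlex.split(dork.replace("\u201c", '"').replace("\u201d", '"'))
    terms = []
    for i, tok in enumerate(tokens):
        op, sep, value = tok.partition(":")
        op = op.lower()
        if sep and op in ALL_OPS:
            rest = ([value] if value else []) + tokens[i + 1:]
            terms.extend((op, v) for v in rest)
            break
        terms.append((op, value) if sep and op in SINGLE_OPS else ("any", tok))
    return terms


def _field(page, op):
    """The part of the page an operator is matched against (lower-cased)."""
    parsed = urlparse(page.url)
    return {
        "inurl": page.url, "allinurl": page.url,
        "intitle": page.title, "allintitle": page.title,
        "intext": page.body, "allintext": page.body,
        "site": parsed.netloc,
        "filetype": parsed.path.rsplit(".", 1)[-1],
    }.get(op, f"{page.url} {page.title} {page.body}").lower()


def term_matches(page, op, keyword):
    kw, field = keyword.lower(), _field(page, op)
    if op == "site":          # the host itself or any subdomain of it
        return field == kw or field.endswith("." + kw)
    if op == "filetype":      # exact extension match
        return field == kw
    return kw in field


def run_dorks(pages, dorks):
    """Map each dork to the inventory URLs it would surface."""
    return {d: [p.url for p in pages
                if all(term_matches(p, op, kw) for op, kw in parse_dork(d))] for d in dorks}


# Detection side: a Referer of the form .../search?q=<dork> means the visitor
# reached the URL through a dork, whether typed by hand or generated by a tool.
DORK_OP_RE = re.compile(r"\b(?:allin(?:url|title|text)|in(?:url|title|text)|site|filetype):", re.I)


def dork_referrers(log_lines):
    """Return (client_ip, query) for combined-format log lines whose Referer carries dork operators."""
    hits = []
    for line in log_lines:
        parts = line.split('"')               # [prefix, request, status/bytes, referer, ...]
        if len(parts) < 4:
            continue
        query = parse_qs(urlparse(parts[3]).query).get("q", [""])[0]
        if DORK_OP_RE.search(query):
            hits.append((line.split(" ", 1)[0], query))
    return hits


# Constructed sample inventory, the dorks quoted in the text, and made-up log lines.
SAMPLE_PAGES = [
    Page("http://shop.example.com/ftp/web.config", "Index of /ftp",
         '<add name="db" connectionString="server=db1;uid=sa;password=Hunter2"/>'),
    Page("http://blog.example.com/wp-content/plugins/fs-admin/fs-admin.php", "WordPress Forum",
         "Warning: include() failed in /home/bloguser/public_html/fs-admin.php on line 12"),
    Page("http://www.example.com/about.html", "About us", "We make widgets."),
]
SAMPLE_DORKS = ['inurl:"r00t.php"', 'allintext:"fs-admin.php"',
                "filetype:config inurl:web.config inurl:ftp", 'site:example.com intitle:"index of"']
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Aug/2013:12:01:02 +0000] "GET /ftp/web.config HTTP/1.1" 200 812 '
    '"http://www.google.com/search?q=filetype%3Aconfig+inurl%3Aweb.config+inurl%3Aftp" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Aug/2013:12:01:05 +0000] "GET /about.html HTTP/1.1" 200 512 '
    '"http://www.google.com/search?q=example+widgets" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Aug/2013:12:02:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for dork, urls in run_dorks(SAMPLE_PAGES, SAMPLE_DORKS).items():
        print(f"{dork:48} -> {urls}")
    for ip, q in dork_referrers(SAMPLE_LOG):
        print(f"dork-driven visit from {ip}: {q}")
```

Running the module prints the URLs each dork surfaces (only the exposed web.config and the fs-admin.php error page match) and the one visit that arrived via a dork. The matching is deliberately a simplification: case-insensitive substring matching, exact extension for filetype, host or subdomain for site, with none of Google's tokenisation or ranking. A miss here is therefore a hint, not proof that a page is safe, and the referer check only sees visitors who click through from the results page rather than fetching result URLs directly.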
The price of the DIY Google Dorks based hacking tool is very low compared with the advantage derived from its use: one license costs $10 paid in Liberty Reserve currency, or $11 by Western Union transfer. Licenses are tied to a specific host by a hardware-based ID restriction, but the authors also offer an unlimited license for $20 in Liberty Reserve or $20 by Western Union transfer.
Cyber criminals can exploit hundreds of thousands of legitimate websites in various ways, and tools such as the DIY Google Dorks based hacking tool make these attacks easier. Dancho Danchev, in his interesting post, described the principal techniques used to compromise websites:
  • Search engine reconnaissance through DIY SQL injection / RFI (Remote File Inclusion) tools or botnets; this category includes a wide range of applications that automatically exploit improperly configured websites, such as blogging platforms or well-known CMSs.
  • Use of data-mined or purchased stolen account data: cyber criminals harvest login credentials from malware-infected machines, then abuse them automatically to host malicious scripts and actual executables on legitimate websites, in an attempt to defeat a security solution's IP reputation checks.
  • Active exploitation of server farms: criminals try to infect as many low-profile websites as possible, and a common practice observed by security researchers is the exploitation of servers that host large numbers of domains, for example using commercially available Apache backdoors.
The cybercrime underground offers everything needed to organise a fraud without any particular knowledge of the underlying technology platforms (e.g. mobile), and is adopting new, efficient sales models such as FaaS. It is crucial to follow the evolution of the black market to avoid unpleasant surprises.