Spamvertised ‘Confirmed Facebook Friend Request’ Themed Emails Serve Client-Side Exploits

A currently circulating malicious spam campaign entices users into thinking that they’ve received a legitimate ‘Friend Confirmation Request’ on Facebook. In reality, though, the campaign attempts to exploit client-side vulnerabilities, CVE-2010-0188 in particular. Client-side exploits serving URL: hxxp://facebook.com.n.find-friends.lindoliveryct.net:80/news/facebook-onetime.php?dpheelxa=1l:30:1l:1g:1j&pkvby=h&rzuhhh=1h:33:1o:2v:32:1o:2v:1o:1j:1m&ycxlcvr=1f:1d:1f:1d:1f:1d:1f Detection rate for the malicious PDF: MD5: 39326c9a2572078c379eb6494dc326ab – detected by 3 out of 45 antivirus scanners. Read More

Bogus “Shocking Video” Content at Scribd Exposes Malware Monetization Scheme Through Parked Domains

Bogus content populating Scribd, a centralized malicious/typosquatted/parked-domain fraudulent infrastructure, and dozens of malware samples phoning back to this very same infrastructure to monetize the fraudulently generated traffic: it doesn’t get any better than this, does it? URL redirection chain: hxxp://papaver.in/shocking/scr68237 -> hxxp://dsnetservices.com/?epl=98EbooDNwLit-qQViA4tbYD7JMZAQuEUyV387pMYNBODms0CdAg9qAe5QvBgKTO6xW6jHW1iYo5F8yDIvYx 7Aavd8wLHmZwHDIltbG4Eta-GVtiO3i9LlnzyK0YgWmT2BOaEeaipahFlE8yB7mCEBrQzXXtQBVUSIMGIEwTo9iUp0IyDUOM 0mZKYzSpf6qGlAAgYN_vvwAA4H8BAABAgFsLAADgPokxWVMmWUExNmhaQqAAAADw -> monetization through Google/MSN. Domain name reconnaissance: papaver.in – 69.43.161.176 Read More

Dissecting the Ongoing Mass SQL Injection Attack

The ongoing mass SQL injection attack has already affected over a million web sites. Cybercriminals performing active search engine reconnaissance have managed to inject a malicious script into ASP/ASP.NET websites. From client-side exploits to bogus Adobe Flash players, the campaign is active and ongoing. In this intelligence brief, we’ll dissect the campaign and establish Read More

Spamvertised ‘Uniform Traffic Ticket’ and ‘FDIC Notifications’ Serving Malware – Historical OSINT

The following intelligence brief will summarize the findings from a brief analysis performed on two malware campaigns from August, namely the spamvertised Uniform Traffic Tickets and the FDIC Notification. Uniform Traffic Tickets spamvertised attachments: Ticket-728-2011.zip; Ticket-064-211.zip; Ticket-728-2011.zip Detection rates: Ticket.exe – Gen:Trojan.Heur.FU.bqW@aK9ebrii – Detection rate: 37/43 (86.0%) MD5: 6361d4a40485345c18473f3c6b4b6609 SHA1: 50b09bb2e0044aa139a84c2e445a56f01d70c185 SHA256: Read More

Keeping Money Mule Recruiters on a Short Leash – Part Eleven

The following intelligence brief is part of the Keeping Money Mule Recruiters on a Short Leash series. In it, I’ll expose currently active money mule recruitment domains, their domain registration details, currently responding IPs, and related ASs. Money mule recruitment domains: ACWOODE-GROUP.COM – 78.46.105.205 – Email: admin@acwoode-group.com ACWOODE-GROUP.NET – 78.46.105.205 – Email: admin@acwoode-group.net ART-GAPSON.COM – Read More

Keeping Money Mule Recruiters on a Short Leash – Part Ten

The following intelligence brief is part of the Keeping Money Mule Recruiters on a Short Leash series. In it, I’ll expose currently active money mule recruitment domains, their domain registration details, currently responding IPs, and related ASs. Currently active money mule recruitment domains: ACWOODE-GROUP.COM – 184.168.64.173 – Email: admin@acwoode-group.com ACWOODE-GROUP.NET – 184.168.64.173 – Email: admin@acwoode-group.net Read More

Keeping Money Mule Recruiters on a Short Leash – Part Nine

The following brief summarizes currently active money mule recruitment web sites, actively recruiting money mules for the processing of fraudulently obtained funds. Currently active sites residing within AS42708, PORTLANE Network www.portlane.com; AS29713, INTERPLEXINC Interplex LLC; AS38913, Enter-Net-Team-AS; AS24940, HETZNER-AS Hetzner Online: ATLANTALTD-UK.CC – 193.105.134.233 ATLANTA-LTD-UK.NET – 78.46.105.205 – Email: admin@atlanta-ltd-uk.net 3ATLANTA-UK.COM – 193.105.134.233 BLITZNET-GROUPINC.CC – Read More

Keeping Money Mule Recruiters on a Short Leash – Part Eight – Historical OSINT

With money mule recruitment scams continuing to represent an inseparable part of the cybercrime ecosystem, in this post I’ll summarize the findings from an assessment I conducted on currently active mule recruitment scams over a month ago. As always, the historical OSINT offered is invaluable in case-building practices; in particular, a very well segmented group Read More

Dissecting the Massive SQL Injection Attack Serving Scareware

A currently ongoing massive SQL injection attack has affected hundreds of thousands of web pages across the Web, to ultimately monetize the campaign through a scareware affiliate program. Such massive SQL injection attempts are usually conducted using mass vulnerability scanning tools, with the help of search engines which have already crawled the vulnerable sites. What’s Read More

Who is Dancho Danchev?
