Recent Trends from the Russian Underground

Being a successful hacker can be a very demanding profession. Maybe the most important trait required for this job is being innovative and keeping up to date with recent trends. Just like in physical fitness – a couple of weeks away from the gym, and you feel left out of the loop – such is the case with hacking. You take sick leave from the cybercrime scene for a brief period of time and when you return, you feel like a lot has changed. This scene is very dynamic: new threats and vulnerabilities are constantly being discovered and then patches and security updates released; new Trojans are sold on the underground and then the source code is leaked, rendering them of no interest anymore. Something is always going on.

This time, we want to draw your attention to recent trends identified on the Russian underground, from leading forums and other web-platforms.


A Wider Variety of Crypt (Obfuscation) Services for sale on Trading Platforms

We have observed a sharp increase in threads offering crypt services for malware files lately. In the last month alone, we traced at least 20 active threads advertising crypt services for .exe or .dll files on different forums. There is a wide assortment and the prices are competitive. You can choose between a one-time service for $15 – $50 per file or a monthly subscription for a service starting at $150 for a new vendor and $500 for a well-known, time-honored service.

The main purpose of the crypt is to bypass AV, firewalls, browsers and malware detection, etc. and it is valid for 24-72 hours on average. Increased offerings of this service indicate a growing demand, which may be motivated by two main reasons: increased volume of activity linked to botnets and difficulty in bypassing security mechanisms that are becoming more sophisticated. Actually, we think it is a combination of the two – more and more cyber criminals are attracted to easy profits from running a botnet, while security firms try to fight back and refine their defense mechanisms. The crypt services happened to be in the right place at the right time to rake in the money.

More Malware Using Tor Browser

In recent months, new Tor-based malware has appeared on underground trading platforms. The newest is a TOR Android bot named “Slempo” and a TorLocker Ransomware (the first one rented for $500 per month after a connection cost of $1000 and the second one is sold for $200). Before that, we saw Atrax HTTP Tor Bot, whose admin panel is located on a TOR browser.

Using Tor hidden services provides anonymity to the botnet operator, as it is almost impossible to reveal the identities of TOR users. The disadvantage of this method is the large size of the malware files and the significant resources needed to manage such a botnet, owing to the integration of TOR.

As we see it, this may turn out to be quite an alarming trend, making the detection of botnets and their initiators that much more difficult.

Greater Focus Granted to Firmware Attacks

As previously mentioned, cyber-criminals wage a constant battle against evolving defense mechanisms. While more and more obstacles are placed in the path of the hacker seeking to access your PC, his path to firmware devices such as ATMs and POS terminals remains almost clear. The operating system of these devices is usually the common Windows XP, and due to their physical aspects (the possibility of inserting physical malware into an ATM, for instance), it is much harder to protect them.

Hackers have also discovered this vector – we were recently privy to numerous discussions about ways to attack ATMs, as well as an increasing number of POS malware for sale and download.

In our opinion, we may be witnessing a gradual shift in the main targets of cyber-criminals – from the personal PC to large-scale devices of organizations. Recent attacks executed via POS devices on Target, Neiman Marcus and other retailers merely corroborate this claim.

SenseCy is coming to town! Come meet us at the RSA USA 2014 conference, February 24-28, in San Francisco.

Cyber Threats to the Healthcare Industry

Written by Gal Landesman


The healthcare industry is advancing rapidly, linking systems and medical devices to the Internet, adopting electronic health records and implementing regulatory reforms. Tremendous technological advancements in the medical industry bring with them a greater reliance on software-controlled devices and wireless technologies. These technologies are used in any visit to the doctor and in hospital wards. Many of them connect or have the capability to connect to the Internet. Alongside the opportunities presented, the industry is also a major target for cyberattack, mostly for financial motivation. In the following post, we will present some of the cyber threats currently faced by the healthcare industry.

In today’s environment, organizations are required to take responsibility for securing their networks and computers. Alarming vulnerabilities in medical devices have caused the FDA to issue guidelines for cyber security of the medical device industry. The U.S. Health Information Technology for Economic and Clinical Health Act, for example, permits the fining of hospitals and other organizations up to $1.5 million a year for serious security incidents. Unfortunately, the industry is falling short of complying with said security standards. Last year, for example, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) performed a random audit of 20 healthcare organizations, 19 of which failed.

(Note – this blog post is an excerpt from our report: “Cyber Threats to the Healthcare Industry”. If you are interested in receiving the full report, please write to:

Threats to the Healthcare Industry

According to security experts, cyber criminals are shifting their focus from the financial industry to the healthcare industry, today an easier and more profitable target. Healthcare records contain valuable information for cyber criminals, such as social security numbers and personal information. Credit card records sell for an average of $2, while medical records can fetch about $20 on the black market. According to the Experian 2014 Data Breach Industry Forecast, the healthcare industry is likely to make the most breach headlines in 2014, despite the fact that 2013 was a year of mega-breaches in the healthcare industry.

Hackers’ ransom note, after breaking into a Virginia government website

Identity and Information Theft

Medical identity theft occurs when someone uses an individual’s name and personal identity to fraudulently receive medical services, prescription drugs and goods, or attempts to commit fraudulent billing. Information theft can include the theft of personal information for malicious use, such as selling it on the DarkNet. According to a Ponemon Institute 2013 survey, medical identity theft claimed more than 1.84 million U.S. victims in 2013. Medical identity theft is on the rise in the U.S., where the number of victims in 2013 increased by 19%.

Medical Device Breaching

Over the last 15 years, a growing number of medical devices have become interconnected through hospital networks, the Internet, smartphones and other devices, increasing their vulnerability. This has not escaped the attention of the FDA, which recently issued new guidelines to biomedical engineers, healthcare IT and procurement staff, medical device user facilities, hospitals and medical device manufacturers.

The new FDA guidelines came in response to the 2012 findings of a governmental panel that revealed that computerized hospital equipment is increasingly vulnerable to malware infection that can potentially render these devices temporarily inoperable. Many of the devices run on Windows variants. They are interconnected through internal networks to the Internet and are also exposed to laptops in the hospitals, making them vulnerable to malware.

An example of the implications of such infections was given by the medical-device panel of the NIST Information Security & Privacy Advisory Board, which described fetal monitors in intensive-care wards that were slowed down due to malware infection. This problem can affect a wide range of devices, such as compounders, diagnostic equipment, etc.

A report issued by the Government Accountability Office (GAO) warned mostly about vulnerabilities found in wireless implanted defibrillators and insulin pumps, but thousands of other network-connected life-saving devices are also vulnerable. Malware in medical devices is probably much more prevalent than we know, since most of it is not reported to the regulators and there are no records. The OS updating process for medical devices is an onerous regulatory process.

Cyber threats to medical devices (from the GAO report)


We believe that the healthcare industry is facing major threats from cyberspace. These threats encompass large areas of the industry and may become a greater burden for it, compromising patient safety, and causing financial and commercial damage to the associated bodies.


Don’t Forget What the Real Menace Is…

Written by Daniel Geifman

Previous posts on this blog have discussed several cases and scenarios of cyber-attacks perpetrated by hacktivists with the potential to become terrorists, Anonymous affiliates, LulzSec or other individuals taking advantage of the lack of preparedness (or understanding) of the personnel of state ministries, banks and industries. This post will discuss the cyber-crime arena and more specifically, the threat of the web in drug trafficking and human trafficking. There is no doubt that these attacks represent a genuine menace – according to a recent report issued by Symantec, an estimated $113 billion is stolen from customers around the world annually.

But let’s not forget that cyber-crimes can be divided into several different areas, from phishing or DDoS to more serious activities such as identity, debit and credit card number theft. From my point of view, this is not a strategic issue. These attacks, although important, bear no comparison in social consequences with the use of the web for drug and people trafficking, as well as other painful issues, such as pedophilia. In my opinion, these are more relevant and strategic issues, which can bring any country and society to its knees.

In recent years, we have noted a tendency to place the cyber-crime topic in the spotlight, owing to mass media coverage or simply because it is a new, sexy and not-very-well comprehended topic. But ordinary civilians are not the only ones to see the potential and the advantages of using the web to make their lives easier. Drug cartels in Latin America have also recognized the advantages of social networks and the deep web, to save precious logistic time by avoiding dangerous meetings with other dealers, sending messages and, mostly, recruiting new members and attracting victims to their nets. These cartels have evolved into more than just drug producers and traffickers – they have become mafias, controlling not only the drug trafficking from Afghanistan, Colombia and Mexico to the United States and Europe, but they have also created a corruption, prostitution, kidnapping and gambling net, estimated to produce $320 billion in revenues every year, from drug trafficking alone.

Defining Priorities

Crimes ranging from phishing attacks through drug trafficking must all be fought; there is no doubt about that. But first we should define as a society what we expect in the future. At the end of the day, web or deep web is the same thing, just another communication device, not the problem itself. By fighting defacements with better anti-virus software or technicians we are not fighting a strategic battle, we are just patching up the real menace that lurks beneath.

The “Total Sting” – 419 Scam Evolved

Have you ever received a suspicious looking email, urging you to send money or provide your banking account details to someone you don’t know? Sure you have.

This is one of the Internet’s most common scams, and it has many names – “Phishing”, “advanced fee fraud”, “Nigerian sting” or 419 Scam (this name refers to the article of the Nigerian Criminal Code dealing with fraud).

The logic is simple – send numerous phishing emails, and you can expect that at least some people will be gullible enough to provide you with money or banking details. When you send millions of emails even a meagre return percentage is enough to generate hefty sums. But there’s a catch – most people are by now aware of this and are reluctant to reply or even open emails which do not appear to have been sent from a known acquaintance or organization. So 419 scammers have to evolve in order to survive. One way of doing so is utilizing social networks, and especially LinkedIn, since people tend to see it as a professional network and trust information and requests to connect which originate there.

Enter the “Total Sting”.

An open position as Senior Project Manager at Total Oil as published on LinkedIn

The story is simple yet entails great sophistication and creativity. As a LinkedIn member you one day notice a lucrative job opening – Total Oil, one of the leading oil and gas companies, is looking to open new offices in your country and is recruiting a senior project manager.

You submit your application via LinkedIn and a few days later you receive a formal-looking email from Gérard Lamarche at Total HR Dept. (even the email address looks legit: Out of curiosity you check who this gentleman is and find that he is a director at Total (

The Invitation Letter (allegedly) received from Total Oil

Now comes the fun part. The email includes three attachments. Since you know that this is a reply to a submission you’ve sent, you don’t hesitate to open these PDF files. There’s a very attractive job description document, an official-looking invitation for an interview in London and another letter describing the technicalities of the interview. You are cordially invited to come to London and interview for the lucrative job at Total Recruitment offices, Human Resources department, TOTAL UK Limited, 40 Clarendon Road, Watford, Hertfordshire WD17 1TQ.

Out of curiosity you Google the address and find that this is indeed the official address of Total in the UK. There’s only one catch – you need to make the travel arrangements through a specific agency (but don’t worry, you will be reimbursed upon arrival). The contact person’s name is Dr. Kenneth Cole (hmmm) and the travel agency name is Belair travel and tours (located at Air Malta House, 314-316 Upper Richmond Rd, London SW1). Now things are looking a little more suspicious.

A letter requesting to arrange travel through a designated travel agency

You decide to look more carefully into this. You phone the number but there is no answer. You check the website of the company, located in east Kensington, London, and find that they are using completely different phone numbers. (

You search a little more on the web and immediately see that this is indeed a scam. (

So you were just one of many lured into a simple phishing scam? Not quite.

This is an evolution of the classic 419, and this is why: the perpetrators of this specific scam have done almost everything possible to overcome the identifiable pitfalls of Phishing emails.

This scam is reactive, it is targeted at a specific audience, it is official-looking and it does not ask directly for money or details in advance. Someone had to create a fake company profile on LinkedIn, post an authentic-looking position, receive and read emails, fabricate authentic-looking documents (complete with logo and an actual executive name), enter the job seeker’s name into the document titles and send it all back. And since this is a reply to an email/job submission, the recipient is much more likely to open and perhaps respond. The logical evolution of this scam is that the scammers will create a false website (which will appear completely real) and let you submit your details there, making this fraud almost perfect.

I would like to thank Itay and Tanya who shared this with me and assisted me in describing this in detail.

P.S. We checked and the PDF files were not weaponized (i.e. carrying malware). Had they been, this would have been a spear-phishing campaign, and a darn good one too.

P.S. 2: If you ever notice this type of scam, please notify the good people of LinkedIn at (we have).

Cyber Criminals “TARGET” Point of Sale Devices

In the wake of breaches at retailers from Target through Neiman Marcus, culminating in CNET’s publication on January 12 that at least three more retailers have been breached, we can see a renewed focus on cybercrime in the retail world, always a prime target for credit card theft. Moreover, the carding and underground crowds have become so skilled in the theft and sale of credit cards that days after the attack on Target, the stolen cards were already on sale.

Powering this trend is Point of Sale (POS) malware. In recent years, we have identified increased underground activity in the sale and development of POS malware, with Dexter and Project Hook being the most notable. However, wherever there is a need, there is a market, so the world is not limited to these specific malware families. A case in point is the versions of vSkimmer, POS.CardStealer and Dump Memory Grabber that our analysts came across last month. These are all dedicated Windows-based POS malware families developed in early 2013, but prevalent to this day.


A known POS-Trojan detected by antivirus engines since January 2013. The malware builder was uploaded to the closed Russian forum exploit in December 2013. This tool was analyzed in the blog in detail, revealing that it searches for Track 2 data from the magnetic strip of the credit card, which is stored in the POS device, and then sends it to the C&C.

vSkimmer POS Trojan

A POS-Trojan that was sold on the Russian underground during 2012 and early 2013. In March 2013, the builder was uploaded to for free download but after a short time it was deleted and uploaded again in October 2013. The botnet based on this tool was discovered in February 2013 and was widely considered to be Dexter’s successor, with additional functions. The malware detects the card readers, grabs all the information from the Windows machines attached to them, and sends the data to a control server.


A POS-Trojan sold in the Russian underground since February 2013 (a video of the malware in action is available upon request). The malware identifies the running process associated with the credit card reader and steals payment card Track 1 and Track 2 data from its memory. The price ranges from $1,800-$2,300 (as of April 2013).

Original post uploaded by the malware seller

Conclusion and Recommendations

It seems that the Target breach is poised to be the TJX of the POS world. If TJX brought about a complete rethinking of how credit cards should be processed through the enterprise back-end and in turn gave us PCI-DSS, I think that it is clear today that progress in PA-DSS and the work performed by the POS machine providers is still insufficient to protect customers. It is very likely that we will start to see technologies that are today directed against APT detection in enterprise computers being shifted to POS networks, and perhaps even developing companies and retailers taking a step back from Windows-based machines toward more dedicated, hardened operating systems. Retailers (both large and small) that wish to take action against the threat of card theft should:

  1. Contact their POS supplier and make sure it complies with PA-DSS.
  2. Ensure the POS system is fully up-to-date (and with the death of Windows XP – installed on Windows 7 and up).
  3. Ensure there are security systems (both whitelist- and blacklist-based) installed on the POS system.
  4. Install network-based security systems on the POS network connection.
  5. Be aware of the threat and how to locate and mitigate it.

“Mega Breach” – So What?

We’ve all heard that the software company Adobe (maker of Flash, Acrobat and many more) was hacked and details of 150+ million users were stolen and then circulated on Russian Darknet forums.


So you ask yourself – so what? How does this affect me and my organization? Do I even have an Adobe account?

Well, the chances are that your organization is using Adobe products, and many employees have either opened an account when downloading a sample product or had one created for them by their procurement division when purchasing an Adobe license for them to use (usually without their knowledge).

First of all, let’s review what was actually stolen – a list containing (per each user) a serial number (not interesting), the user’s email (very interesting), an encrypted password (which is easy to break if you know how) and the retrieval question.

So the main risk here appears to be that a hacker will break into the account (by guessing or cracking the password), steal the credit card details and use them. Right?

Well, this is certainly possible (and happens more often than most of us think), but the real risk is email address exposure.

A large percentage of all intrusions into large organizations occur through the use of “spear-phishing”, meaning a targeted email sent to a person within the organization.

The employee receives a credible-looking email, appearing to be sent from a business partner, conference organizer etc.

The email contains an attachment (most likely a PDF file, Excel sheet or Word doc) or a link.

Opening the attachment or clicking the link runs malicious code that secretly installs itself, and from that moment forth, the network is open to the intruder.

Creating a spear-phishing email is easy. What was difficult until now was obtaining corporate email addresses (previously, hackers had to use social engineering to obtain these). No more! Literally millions of these addresses are now visible to all, making employees whose details have been leaked easy targets. So what needs to be done (because the breach and subsequent exposure can’t be undone)? Here are our actionable recommendations:

  • Cancel the credit card which was used to make the purchase on the site
  • Change the password of users of the Adobe site
  • Conduct a full scan of the computers for malicious files
  • Brief all employees that have leaked Adobe accounts/emails about this breach and the potential spear-phishing attempts that can follow it, and instruct them to avoid opening any attachments from suspicious and unknown email addresses.

As the (even more recent) Target breach proves, we have not seen the last of these “mega information breaches”, so whenever such an incident is made public, we all need to ask ourselves – does this affect me? And, if so – what do I need to do? Remember, cyber security is not “the IT department’s problem”. We are all an important part of the solution.