There’s a well-worn saying in security: “If it’s too good to be true, then it probably isn’t.” This can easily be applied to the myriad of online stores that sell counterfeit goods—and now attract secondary fraud in the form of a credit card skimmer. Allured by great deals on brand names, many people end up buying products on

This blog post was authored by @hasherezade, with contributions from @siri_urz and Jérôme Segura. Security firm Proofpoint recently published a report about a series of malspam campaigns they attribute to a threat actor called TA2101. Originally targeting German and Italian users with Cobalt Strike and Maze ransomware, the later wave of malicious emails w

This blog post was authored by Jérôme Segura, William Tsing, and Adam Thomas. In a previous post, we described the possible overlap between certain domains registered by Magecart Group 4 and the Cobalt gang. While attribution is always a difficult endeavor, sharing TTPs can help others to connect the dots between campaigns observed in the wild and threat

Note: This blog post is a collaboration between the Malwarebytes and HYAS Threat Intelligence teams. Magecart is a term that has become a household name, and it refers to the theft of credit card data via online stores. The most common scenario is for criminals to compromise e-commerce sites by injecting rogue JavaScript code designed to steal any informa

<p>Since September 21, PhishLabs analysts have detected a number of phishing sites hosted on emoji domains. So far, all detected sites have a few things in common:</p> <ul> <li>They are hosted on the .WS Top Level Domain (TLD)</li> <li>They utilize domains with numerous subdomains (also emojis)</li> <li

A variant of Android/Trojan.FakeApp is stealing the identities of popular applications (apps) such as TrueCaller and Torque Pro.   As soon as the FakeApp is installed a shortcut with an icon stolen from one of these popular apps is created, and a notification pops up.  The notification also appears whenever the shortcut icon is clicked. The code that

After being defeated in April, Petya comes back with new tricks. Now, not as a single ransomware, but in a bundle with another malicious payload – Mischa. Both are named after the satellites from the GoldenEye movie. They deploy attacks on different layers of the system and are used as alternatives. That’s why, we decided to dedicate more than one post to

The news has been full of leaked passwords for some popular services recently. We can see very big numbers being tossed around casually, both in accounts breached and potential dollar losses. But researchers like Brian Krebs (Link, Link) have noted that these numbers can be exaggerated for effect, and sometimes blatantly wrong. So where exactly do these numb

Graham Cluley drew my attention the other day to an issue that has apparently been known to some for years, but was new to me: clipboard poisoning, an issue where a website can replace what you think is on your clipboard with something else. Although this seems like an insignificant issue on first glance, it turns out that there are some very serious implica

From the beginning of this year, we are observing rapid development of DMA Locker. First, the threat was too primitive to even treat it seriously. Then it evolved to more complex but still decryptable ransomware. The 3.0 edition was very similar to the previous one that we described, so we skipped posting about its details (the only change was to fix the bug

At Malwarebytes Labs, we’re never short of PUPs to analyse and explore. As per our telemetry to date, SweetIM is one of the top PUPs Malwarebytes Anti-Malware (MBAM) detects and removes from our clients systems. In order to get to know what SweetIM software does on a user’s system, we have selected Bubble Hit by GamePacks (MD5: 0326564318717b9826c4b81eb5d342

After being defeated about a month ago, Petya comes back with new tricks. Now, not as a single ransomware, but in a bundle with another malicious payload – Mischa. Both are named after the satellites from the GoldenEye movie. They deploy attacks on different layers of the system and are used as alternatives. That’s why, we decided to dedicate mor

Emol.com (El Mercurio On-Line) is a very popular information portal ranked 5th most visited site in Chile. El Mercurio, is a conservative Chilean newspaper with a troubled past including funding from the CIA in the early 1970s to undermine the Socialist government of Salvador Allende. In more recent times, Emol was serving a malicious advert that automatical

We don’t really hear about it that much, but malvertising can and does target free blogging platforms as well. Just this morning, our friends at Virus Bulletin Martijn Grooten and Adrian Luca wrote about some sites hosted on Google’s Blogspot service pushing tech support scams. We also caught some malicious activity on the Blogger platform this p

7ev3n ransomware appeared at the beginning of this year. In addition to typical features of encrypting files, it was blocking access to the system using a fullscreen window, and was difficult to remove. It also became famous for demanding an unrealistic price of 13 bitcoins. At that time the product looked like in early stage of development, however, the cod