Blogs & Stories

SpiderLabs Blog

Attracting more than a half-million annual readers, this is the security community's go-to destination for technical breakdowns of the latest threats, critical vulnerability disclosures and cutting-edge research.

Attacker Tracking Users Seeking Pakistani Passport

A few days ago we encountered a breach on a Pakistani government site which was compromised to deliver a dangerous payload- the Scanbox Framework. This compromise is exactly the kind of attack we were concerned about when discussing the danger in a previous compromise that we uncovered just a few weeks ago against another government site, at that time the Bangladesh Embassy in Cairo.

BEC Payroll Scam: Your Salary is Mine!

Con men have been exploiting human psychology since the dawn of time. Equipped with the capabilities of the digital age they now have the means to launch voluminous lucrative con schemes at a global scale.

Patch Tuesday, March 2019

his month's Patch Tuesday brings with it four advisories and patches for 64 CVEs including a patch for a zero-day actively exploited in the wild.

QRCode Used in Extortion Spam Campaign

Sextortion is a form of sex-themed exploitation via email where victims are coerced to give money to the scammer. Sextortion campaigns have become a large issue in the last year....

Sheepl 2.0: Automating People for Red and Blue Tradecraft

When I first released Sheepl 0.1 in September 2018 as part of a talk, I wanted to showcase a different approach to user emulation, and the initial idea was well received. Security and IT professionals could see the potential and.....

Detecting Malicious Behavior by Unmasking WebSockets

WebSockets allow a single TCP connection to have full duplexing communications.  This type of connection reduces the overhead of HTTP polling, where the client would have to constantly request information from the server in order to get updates.....

Bangladesh Embassy Website in Cairo Compromised

In the world of Phishing emails, we often see schemes which involve enticing users to open a malicious document, sometimes disguised as a form of some sort. In the world of web attacks, we see less of these, as it usually takes a lot more to convince a user casually browsing the internet to download and open a document. But what if the user is visiting a government site where forms are generally in abundance? It looks like this time attackers decided to try their luck and find out.

Digging Deep Into Magecart Malware

Last week, one of my SpiderLabs colleagues was working on a PCI forensic triage for a website. During his investigation, he asked me to check out some HTTP traffic he captured during an online retail store checkout session.

Patch Tuesday, February 2019

With today's Patch Tuesday for February, things are back to normal with patches for 76 CVEs and four advisories. Twenty of the CVEs are rated "Critical," 53 are rated "Important," and three are rated "Moderate."

Money Laundering: Washing Your Greens in the Underground

In the first two parts of our investigative series into the cybercriminal underground, we examined its social structure as well as the types of jobs and opportunities that exist for those with ill intent. We have learned that the dark web’s ecosystem is vast and well-coordinated, with a low barrier to entry due to widely available hacking and malware distribution tools for those with limited technical knowledge. But a life of digital crime by its very nature leaves a long trail for investigators – so what happens once a cybercriminal succeeds in their nefarious schemes and turns a profit?

Sextortion Scam Now With Malicious Downloader

Sextortion scams were a hit campaign last year and are continuing in  2019 with a new trick – the inclusion of an archive attachment which contains a malicious JavaScript downloader as “proof”.

Latest Flash 0-Day (CVE-2018-15982) Leaves its Office Doc Friend Behind

CVE-2018-15982 is the Flash 0day that was patched by Adobe at the beginning of December. At the time it was used by an APT group with the delivery mechanism being an Office document with the malicious Flash file residing inside, Qihoo360 published a good analysis of this attack...

Living off the LAN

When an attacker uses tools native to the operating system it is referred to as Living off the Land. Personally, I think it should be called Living off the LAN because it’s a techy play on the acronym for Local Area Network. This blog post will cover Living off the Land activity associated with Carbanak/FIN7 that Trustwave SpiderLabs encountered during a recent investigation. The post will include:

Spam Masters of Extortion, Illusion and Evasion

In 2018 we saw a rise in sextortion scams in which cyber-criminals notified their victims via email that they have hacked or infected the victim’s computer with malware. Or the perpetrators had procured evidence in the form of personal recordings of the victim performing sexual acts or having illegal files of sexual content on their computer. The scammers then threatened to publicly expose the victim unless a ransom demand is paid in cryptocurrency (bitcoin) within a given time.

Kernel Buffer Overflow in Trusteer Rapport for MacOS

Trustwave recently reported a Kernel based vulnerability in a driver bundled along with IBM Trusteer Rapport for MacOS. The vulnerability is a signedness bug leading to a Kernel stack memory corruption issue in a call to memcpy. IBM Trusteer Rapport is security software advertised as an additional layer of security to anti-virus software. It is designed to protect confidential data, such as account credentials, from being stolen by malicious software (malware) and via phishing.

Rise of the Webminers

About a year ago webminers began to appear on more and more website. It was popularized by CoinHive and a couple of high-profile scandals revolving around ThePirateBay and Showtime and, in the span of a year, it has evolved into the most common consequence a compromised site suffers- a webminer injection, or “cryptojacking”.

Hacking Online Coupons

We all shop online. How many times, just before placing an online order, have you noticed the Coupon Code option and wondered – Could I get it cheaper if I had a coupon code? Most of us will drop the order to go and look for an available coupon code. Some will skip this thought and continue with the purchase, feeling a bit gullible. A hacker, on the other hand, will probably have other ideas in mind...

Microsoft Patch Tuesday, December 2018

The last Patch Tuesday of 2018 is here and we are easing into the New Year with only 40 CVEs to address. Nine of these are rated "Critical" with the other 31 rated "Important". The "Critical" list includes the typical Internet Explorer and the scripting engine vulnerabilities, but also include Remote Code Execution (RCE) vulnerabilities in the .NET Framework and the Windows DNS server. Another RCE exists in the Microsoft Text-To-Speech feature in the Windows OS.

Stay Connected


Sign up to receive the latest security news and trends from Trustwave.

No spam, unsubscribe at any time.

Trending Topics