Posts

Showing posts with the label threat research

CTI Project: Android Banking Trojan Nexus

Android banking Trojans are an interesting threat because, if successful, they can mean a huge payday for a cybercriminal and a terrible loss for the victim. The latest wave of Android banking threats has a range of advanced features, all designed to clear out a victim's bank account. The majority of these threats are distributed via malicious SMS text messages, the Google Play Store, social media, or watering-hole sites. These threats also largely rely on users being unaware of the danger of granting unsafe permissions to apps, such as Android Accessibility Services, one of the main functions that Android malware heavily relies on to perform financially motivated attacks. The Android Banking Trojan Nexus (see above) is intended to help fraud teams and security researchers identify and track Android banking Trojans designed to steal funds from their customers' accounts. Tracking the latest and greatest Android threats is a valuable venture. From my experience of ...

Mo Money, Mo Magecart

Online shopping sites are prime targets for cybercriminals. Large sites can process vast quantities of personal information and payment data, making them a high-value reward if successfully hijacked. On 29 April, Malwarebytes Threat Intelligence shared a JavaScript web skimmer their team discovered on a compromised French Canadian online shoe store. The skimmer was injected into the online store's checkout page and used to siphon off payment data and billing info. Data entered into the site was exfiltrated to a domain in Russia. I pivoted off this domain and looked at what was hosted on the same IP with a similar naming convention. This led me to uncover multiple other domains used for web skimming. I mapped the domains on a VirusTotal graph here: I then chucked these domains into URLscan and uncovered at least five other sites that have been compromised in these attacks: Some additional pivoting uncovered a skimmer masquerading as a Bing Analytics domain that was injected ...