Which providers have the most phishing content?

Phishing is an efficient method for an attacker to deliver malware or harvest credentials from unsuspecting victims. By sending out a mass or targeted email designed to look like it came from a bank or other legitimate source, an attacker can acquire a fair number of user credentials or deliver malware. Credentials can be used for identity theft, further compromise, or to send more seemingly legitimate phishing emails, and convincing a user to install malware can give attackers access to ...

Infosecurity Europe and Intelligent Defence Wrap-up

The first week of June saw Dr. Dhia Mahjoub and I (Andrew Hay) hopping on a plane at SFO and waking up in London – well, I was able to sleep, Dhia wasn’t able to. We were both in London to speak at Infosecurity Europe and at the new Infosecurity Intelligent Defence conference.

This was the first time the conference was held at the Olympia Conference Centre in London. It was a good thing the event moved from the Earls Court Exhibition Centre as I’m ...

Deploy Your Own Cuckoo Sandbox

Enter the mighty Cuckoo Sandbox

Whether you’re an amateur cyber-sleuth or a seasoned reverse engineer, having the right tools in the toolbox is essential for the task. Running samples on your main system is just, in general, a bad idea all around. I won’t attempt to cover all of the possible items out there, as the list is long. I will, however, go over a simple setup involving Cuckoo Sandbox that will allow you to get some good insight into malware behavior.

So ...

Massive router leak causes internet slowdown

This is a crosspost from BGPmon, our recent acquisition; the original was posted here.

Earlier today a massive route leak initiated by Telekom Malaysia (AS4788) caused significant network problems for the global routing system. Primarily affected was Level3 (AS3549 – formerly known as Global Crossing) and their customers. Below are some of the details as we know them now.

Starting at 08:43 UTC today, June 12th, AS4788 Telekom Malaysia started to announce about 179,000 prefixes to Level3 (AS3549, the Global Crossing AS), ...

Spikes and Query Patterns

A spike in DNS queries can sometimes be an indicator that a certain domain is either hosting malicious content (such as an exploit kit) or serving as a command-and-control (C2) server. However, relying solely on spiking traffic is often not enough. Many benign websites see spikes in traffic that are not related to malware activity but are instead caused by a popular blog post or a referral from a high-traffic website (reddit, NYTimes, etc). This blog post will be examining the different types ...