Threat Intelligence Feeds from ANY.RUN provide a continuously-updated stream of the latest indicators of compromise. They enable SOC teams to quickly detect and mitigate attacks, including the emerging malware and persistent threats.

But how do ANY.RUN’s feeds get enriched with fresh and, most importantly, unique indicators that cannot be found elsewhere?

Let’s find out.

About ANY.RUN’s Threat Intelligence Feeds

ANY.RUN’s Threat Intelligence (TI) Feeds offer an extensive collection of Indicators of Compromise (IOCs) designed to enhance the threat detection capabilities of security systems. These feeds provide detailed information beyond the basics, including malicious IPs, URLs, domains, file hashes, and links to actual analysis sessions. This comprehensive data helps you understand how threats operate and behave in real-world scenarios.

Where does this data come from?

An international community of over 500,000 researchers and cybersecurity pros who upload and analyze real-world malware and phishing samples every day to ANY.RUN’s Public submissions repository.

With TI Feeds from ANY.RUN, organizations can:

• Expand and speed up threat hunting with enriched up-to-date data 
• Enhance alert triage and prioritize most urgent issues. 
• Improve incident response thanks to better understanding threats and their behaviors. 
• Proactively defend against new and evolving threats.   

IOCs Provided by ANY.RUN TI Feeds 

TI Feeds contain indicators along with additional info like the threat score, which signals the reliability:

• 100: Highly reliable
• 50: Suspicious
• 75: Trustworthy

Here are the indicators you can find in ANY.RUN’s TI Feeds.

IP addresses

Compromised IPs instantly signal of cybercriminal operations, they are often linked to Command-and-Control (C2) servers or phishing campaigns. By analyzing IP addresses, cybersecurity teams can proactively block suspicious traffic and analyze attack patterns and tactics.  

Domains  

They provide a higher-level view of malicious activity, often connecting multiple IPs or malware instances within a single campaign.  

ANY.RUN’s TI feeds provide comprehensive information about domains, including all the details available for IP addresses, such as threat names, types, detection timestamps, and related file hashes. 

URLs  

URL addresses serve as gateways to distribute malware, execute phishing campaigns, or redirect users to malicious content.   

By analyzing URLs, cybersecurity teams can uncover attack patterns, block harmful traffic, and prevent unauthorized access to systems and data. 

How ANY.RUN’s TI Feeds Are Enriched with Unique IOCs 

There are several features of Threat Intelligence Feeds stand out, but the one of the key factors is the way we collect indicators. Here are the two methods we use to get the latest and the most accurate indicators.

IOCs Extracted from Malware Configurations 

TI Feeds are fueled by the data from ANY.RUN’s Interactive Sandbox. Which provides, among others, the option to extract malware configurations from memory dumps.

Configurations are crucial for understanding malware’s behavior and functions, tying it to a family and an adversary, and identifying all types of Indicators of Compromise (IOCs), which are then used for detection purposes. Such IOCs are particularly valuable as they contain hardcoded details such as command and control (C2) server addresses, encryption keys, and specific attack parameters.

Take a look at this sandbox session.

By opening the MalConf tab we can observe the extracted configuration of an AsyncRAT sample. One of the pieces of data found here is the malicious IP address used by the malware for communication with its C2 server.

ANY.RUN automatically extracts this crucial indicator and sends it to TI Feeds, which then get fed into the clients’ detection systems. This helps them identify the threat early and minimize its potential impact.

IOCs Detected with Suricata IDS Rules 

Indicators detected with Suricata rules are valuable because they focus on identifying patterns in network traffic rather than specific details like IP addresses or domains. This means Suricata can recognize threats even when attackers change their infrastructure.

Thanks to ANY.RUN’s extensive integration of Suricata rules for traffic analysis, we can consistently extract fresh network indicators of numerous malware families and cyber threats.

Check out this report, which shows analysis of a FormBook sample.

When we navigate to the Threats tab and then click on one of the triggered Suricata rules, we can see that the system has detected connection to domain controlled by the attackers.

As you expect, this domain is sent directly to TI Feeds, strengthening our clients’ defense capabilities.

Integrate ANY.RUN’s TI Feeds 

You can test ANY.RUN’s Threat Intelligence Feeds in STIX and MISP formats completely for free by getting a free demo sample here. 

ANY.RUN also runs a dedicated MISP instance that you can syncronize your server with or connect to your security solutions. To get started, contact our team via this page. 

About ANY.RUN  

ANY.RUN helps more than 500,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, YARA Search and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.  

Get a 14-day free trial of ANY.RUN’s Threat Intelligence service →

The post Enriching ANY.RUN’s TI Feeds with Unique IOCs: How It Works appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

You’ve probably heard the rumor — our smartphones are always listening. But the truth is, they don’t need to. The information shared with data brokers by virtually every app on your smartphone — from games to weather apps  is more than enough to create a detailed profile on you. For a long time, “online tracking” had meant that search engines, ad systems, and advertisers all knew which websites you visited. But since smartphones appeared on the scene, the situation has become much worse: now advertisers know where you go physically and how often. So, how do they do it?

Every time any mobile app prepares to show an ad, a lightning-fast auction takes place to determine which specific ad you’ll see based on the data sent from your smartphone. And although you only see the winning ad, all the participants in the auction receive data about the potential viewer — that is, you. A recent experiment showed just how many companies receive this information, how detailed it is, and how ineffective built-in smartphone features like “Do Not Track” and “Opt Out of Personalized Ads” are at protecting users. Nevertheless, we still recommend some protection methods!

What data do advertisers receive?

Every mobile app is built differently, but most start “leaking” data to ad networks even before displaying any ads. In the experiment mentioned earlier, a mobile game immediately sent an extensive array of data to the Unity Ads network upon launch:

• Information about the smartphone, including OS version, battery level, brightness and volume settings, and available memory
• Data about the network operator
• Type of internet connection
• Full IP address of the device
• Vendor code (the game developer’s identifier)
• Unique user code (IFV) — an identifier linked to the game developer and used by an ad system
• Another unique user code (IDFA/AAID) — an ad identifier shared by all apps on the smartphone
• Current location
• Consent for ad tracking (yes/no)

Interestingly, the location is transmitted even if the service is disabled on the smartphone. It’s approximate though, calculated based on the IP address. However, with publicly available databases matching physical and internet addresses, this approximation can be surprisingly accurate — down to the city district or even the building. If location services are enabled and allowed for the app, precise location data is transmitted.

In the same experiment, the consent for ad tracking was marked as “User Agreed”, even though the experiment’s author did not provide such consent.

Who gets the data, and how often?

The data stream is sent to all ad platforms integrated into the app. There are often several such platforms, and a complex algorithm determines which one will be used to show the ad. However, some data is shared with all connected networks — even those that aren’t currently showing ads. In addition to the above-mentioned Unity (whose ad platform generates 66% of revenue for developers using this game engine), other major platforms include those of Facebook, Microsoft, Google, Apple, Amazon, and dozens of specialized companies like ironSource.

Next, the ad network currently displaying ads in the app sends a large set of user-data to a real-time bidding system (RTB). Here, various advertisers analyze the data and bid to display their ads, all at lightning-fast speeds. You view the winning ad, but information about your location, combined with the exact time, IP address, and all other data, is shared with every auction participant. According to the experiment’s author, this data is collected by hundreds of obscure firms, some of which may be shell companies owned by intelligence agencies.

This video from the experiment shows how connections to ad servers were made dozens of times per second, and even Facebook received data despite the fact that no Meta apps were installed on the experimenter’s smartphone.

The illusion of anonymity

Ad-network owners love to claim that they use anonymous and depersonalized data for ad targeting. In reality, advertising systems go to great lengths to accurately identify users across different apps and devices.

In the data set mentioned above, two different user codes are listed: IFV and IDFA/AAID (IDFA for Apple, AAID for Android). A separate IFV is assigned to your device by each app developer. If you have three games from the same developer, each of these games will send the same IFV when showing ads. Meanwhile, apps from other developers will send their own IFVs. The IDFA/AAID, on the other hand, is a unique advertising identifier assigned to the entire smartphone. If you’ve agreed to “ad personalization” in your phone’s settings, all games and apps on your device will use the same IDFA/AAID.

If you disable ad personalization, or decline consent, the IDFA/AAID is replaced with zeros. But IFVs will continue to be sent. By combining the data transmitted with each ad display, advertising networks can piece together a detailed dossier on “anonymous” users, linking their activity across different apps through these identifiers. And as soon as the user enters their email address, phone number, payment details, or home address anywhere — such as when making an online purchase — the anonymous identifier can be linked to this personal information.

As we discussed in our article on the Gravy Analytics data leak, location data is so valuable that some companies posing as ad brokers are created solely to collect it. Thanks to IFV — especially IDFA/AAID — it’s possible to map out the movements of “Mr. X” and often de-anonymize him using just this data.

Sometimes, complex movement analysis isn’t even necessary. Databases linking ad identifiers to full names, home addresses, emails, and other highly personal details can be simply sold by unscrupulous brokers. In such cases, detailed personal data and a comprehensive location history form a complete dossier on the user.

How to protect yourself from ad tracking

In practice, neither strict laws like the GDPR nor built-in privacy settings provide complete protection against the tracking methods described above. Simply pressing a button in an app to disable ad personalization is not even a half-measure — it’s more like a tenth of a measure. The fact is, this only removes one identifier from the telemetry data, while the rest of your data is still sent to advertisers.

Cases like the Gravy Analytics data leak and the scandal involving the Datastream data broker demonstrate the scale of the problem. The ad-tracking industry is enormous, and exploits most any apps — not just games. Moreover, location data is purchased by a wide range of entities — from advertising firms to intelligence agencies. Sometimes, hackers obtain this information for free if a data broker fails to adequately protect their databases. To minimize the exposure of your data to such leaks, you’ll need to take some significant precautions:

• Only allow location access for apps that genuinely need it for their primary function (e.g., navigation apps, maps, or taxi services). For example, delivery services or banking apps don’t actually need your location to function — let alone games or shopping apps. You can always manually enter a delivery address.
• In general, grant apps the minimum permissions necessary. Do not allow them to track your activity in other apps, and do not grant full access to your photo gallery. Malware has been developed that can analyze photo data using AI, and unscrupulous app developers could potentially do the same. Additionally, all photos taken on your smartphone include geotags by default, among other information.
• Configure a secure DNS service with ad-filtering functionality on your smartphone. This will block a significant amount of advertising telemetry.
• Try to use apps that don’t contain ads. These are typically either FOSS (Free Open Source Software) apps or paid applications.
• On iOS, disable the use of the advertising identifier. On Android, delete or reset it at least once a month (unfortunately, it cannot be completely disabled). Remember, these actions reduce the amount of information collected about you but don’t entirely eliminate tracking.
• Where possible, avoid using “Sign in with Google” or other similar services in apps. Try to use apps without creating an account. This makes it harder for advertisers to collate your activity across different apps and services into a unified advertising profile.
• Minimize the number of apps you have on your smartphone, and regularly delete unused apps — they can still track you even if you’re not actively using them.
• Use robust security solutions on all your devices, such as Kaspersky Premium. This helps protect you from more aggressive apps, whose advertising modules can be as malicious as spyware.
• In the Kaspersky settings in your smartphone, activate the Anti-Banner and Private Browsing options on iOS, or Safe Browsing on Android. This makes it significantly more difficult to track you.

If smartphone surveillance doesn’t concern you yet, here are some chilling stories about who is spying on us and how:

• Who are geolocation data brokers and what happens when they “leak”
• How advertisers learn which apps you use
• Running without being tracked: privacy in running apps
• I know how you drove last summer
• and many more similar stories…

Kaspersky official blog – ​Read More

If you are a student, you might be several years away from getting a degree and a profession – and about a month away from becoming a malware analyst. The latter is made possible by ANY.RUN’s Security Training Lab.

There is no point in advertising a career in cybersecurity nowadays. Money talks louder: ransom sums, possible financial costs of operational disruption, and reputational losses hint that investing in cybersecurity teams is a wise solution for any business.   

Security Training Lab can be a step towards a specter of career paths that imply cybersecurity literacy and understanding of malware analysis. It also can be a valuable addition to an academic course on threat detection, malware analysis or other cybersecurity subjects.

So, let’s take a closer look at the program.  

What is Security Training Lab  

It is an interactive digital course on malware analysis produced by ANY.RUN. It comprises 30 hours of academic content on cyber threats, including written materials, video lectures, tasks and tests.

Learn more about Security Training Lab
 
ANY.RUN is a cybersecurity company with 9 years of experience in providing malware analysis and threat intelligence services to individual security researchers, Managed Security Service Providers (MSSPs), and SOC departments of the largest companies around the world. 

Security Training Lab stands out from other courses on malware analysis by focusing on teaching you practical skills with real-world examples of the latest cyber threats.

• Comprehensive Learning: 30 hours of academic content with written materials, video lectures, interactive tasks, and tests.
• Hands-On Experience: Full sandbox access with special plans for teachers and team licenses for students.
• Real-World Practice: Learn through real-world threat samples and labs.
• User-Friendly Platform: Easy-to-use and fast management system.
• Community Support: Private Discord community with tips, lifehacks, and news

What Security Training Lab is Not 

Security Training Lab is not just a manual for ANY.RUN’s Interactive Sandbox. As part of the program, a student gets acquainted with a variety of professional tools and more importantly, with the key concepts and methods of cyber threat analysis and research.  

Skills You’ll Learn to Analyze Real-World Threats 

In the course of Security Training Lab, you’ll acquire several key analytical skills, including, but not limited to, the following. 

Conducting Advanced Static Analysis

Static analysis examines a suspicious file without executing it. You will learn to understand the structure and the source code of executable files, the functions of Windows API, use file hashes to identify and track threats, and evaluate files’ entropy.

This data defines whether a file is malicious, what its real functions are, how it behaves, and how exactly it threatens the target. 

Advanced static analysis implies disassembling malware’s code to see its structure, variables, loops, conditional operators, and other elements of the program, which helps to better understand the logic of its operation. 

During the course, you will practice using a free tool for advanced static analysis and will become able to navigate through the code, set breakpoints for debugging, change values in memory and registers, gaining full control over the program being analyzed. 

Static Analysis Skills You’ll Learn

• Dissecting binaries to extract indicators of compromise (IOCs)
• Understanding and modifying assembly code for deeper analysis
• Using disassemblers and decompilers to reconstruct malware logic

Dealing with Encryption in Malware 

While encryption is a reliable shield to protect confidential data, it is also a tool in hackers’ hands that allows them to hide malicious activity and bypass protective mechanisms.  

You’ll discover the principles of encryption, different approaches to its implementation, the most popular encryption algorithms from XOR to RSA and RC4 with their strengths and weaknesses, and the basics of decryption. 
 
The acquaintance with encryption algorithms helps to detect the signs of software’s malicious nature: code obfuscation, encrypting network traffic for hiding activity or data for extortion. Knowing how data is decrypted allows one to bypass malware’s protection against analysis. 

Malware Decryption Skills You’ll Learn

• Identifying and analyzing obfuscated and encrypted payloads
• Extracting encryption keys and decrypting malicious payloads
• Bypassing malware encryption techniques to reveal hidden threats

Identifying Malicious Behavior 

Understanding and predicting malware behavior is the main task of malware analysis. The more we know about the stack of current malicious capabilities, the easier it is to deal with future threats. 

When executed, the malware generates files, establishes connections, and modifies processes. It also takes measures to avoid detection and analysis, maintain persistence, to hide its launch, and enhance its privileges.

These actions are traceable and can help to identify an ongoing attack, assist in the analysis process, or develop a cybersecurity strategy to protect against known malware strains. 

You will explore MITRE ATT&CK — a constantly updated database of attacker tactics and techniques — and practice using it in malware behavior analysis.  

Malware Behavior Analysis Skills You’ll Learn

• Mapping malware actions to MITRE ATT&CK techniques
• Detecting persistence mechanisms and evasion tactics
• Using sandbox environments to log and analyze malware activity

Performing In-depth Dynamic Analysis 

For dynamic analysis we need to watch malware in action, so we let it loose within a safe virtual machine environment. Basic dynamic analysis gives us a first glimpse of how the malware interacts with the system. Advanced dynamic analysis is like examining the behavior of a malware under a microscope: we get into the intricacies of the malicious code to understand its algorithms and find weaknesses.

Security Training Lab will equip you with powerful tools for advanced dynamic analysis (API Monitor and x64dbg) and guide you through debugging and anti-debugging techniques. You will learn to combine debugging with static analysis to maximize its efficiency.

Dynamic Malware Analysis Skills You’ll Learn

• Utilizing debugging tools to trace malware execution
• Bypassing anti-analysis techniques used by advanced threats
• Extracting runtime indicators and identifying malicious system modifications

Analyzing Script- and Macro-Based Attacks 

Malicious scripts require our close attention: they have become incredibly popular with attackers in recent years, mainly because they effectively bypass traditional endpoint defenses and are easy to obfuscate.  
 
Macros are small programs written in scripting languages and embedded in other applications. They get direct access to the Windows API, making them incredibly powerful both for legitimate use and for hackers. 

You will get to know the two main approaches to dissecting scripts — viewing the source code or dynamically executing it and observing it — and master ANY.RUN’s built-in tools for analyzing script-based malware and compiled malware that uses scripts. 

Malicious macros are given special attention since they are used in a number of real-world attack scenarios, and their code usually is heavily obfuscated which complicates analysis. You will learn to use tools like ANY.RUN can help you identify their behavior without resorting to tedious deobfuscation.

Scripts and Macros Analysis Skills You’ll Learn

• De-obfuscating malicious scripts to extract payloads
• Analyzing PowerShell and JavaScript-based malware
• Detecting macro-based threats in Office documents and emails

Get Access to Security Training Lab 

Interested in trying Security Training Lab yourself or bringing it to your educational institution?  

Send us a message and our team will get in touch to discuss your specific needs and provide a customized quote.

Conclusion

Security Training Lab provides a comprehensive and hands-on learning experience for mastering malware analysis. Completing this course will equip you with essential skills to detect, analyze, and mitigate real-world cyber threats.

With in-depth knowledge and practical exercises, you will gain the confidence to navigate the ever-evolving landscape of cybersecurity threats and contribute effectively to digital defense strategies. 

For students looking to begin a career in cybersecurity, this course serves as a solid foundation. The skills you acquire will prepare you for roles such as malware analyst, security researcher, or SOC analyst, helping you take the first step toward a successful and impactful career in the field.

By mastering real-world threat analysis techniques, you will stand out in the job market and be ready to face the challenges of modern cybersecurity. 

About ANY.RUN

ANY.RUN helps more than 500,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, YARA Search, and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.

Request free trial of ANY.RUN’s services → 

The post Learn to Analyze Real-World Cyber Threats with Security Training Lab appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

• There are many risks associated with selling items on online marketplaces that individuals and organizations should be aware of when conducting business on these platforms. 
• Many of the general recommendations related to the use of these platforms are tailored towards purchasing items; however, there are several threats to those selling items as well.
• Recent phishing campaigns targeting sellers on these marketplaces have leveraged the platforms’ direct messaging feature(s) to attempt to steal credit card details for sellers’ payout accounts.
• Shipment detail changes, pressure to conduct off-platform transactions, and attempted use of “friends and family” payment options are commonly encountered scam techniques, all of which seek to remove the seller protections usually afforded by these platforms.
• There are several steps that sellers can take to help protect themselves and their data from these threats. Being mindful of the common scams and threats targeting sellers can help sellers identify when they may be being targeted by malicious buyers while it is occurring so that they can take defensive actions to protect themselves.

The emergence of online marketplaces has facilitated the convenient exchange of goods between individuals and organizations around the world. It has also provided a means for people to easily resell items, enabling them to recapture value from assets they may not otherwise wish to maintain ownership of. The type of new and used items sold via marketplaces varies widely, and platforms such as Ebay, Facebook Marketplace, Reverb, and others are extremely popular avenues for selling everything from $15 vintage tissue boxes to $40,000 Gibson Les Paul guitars. You can even find $70,000,000 domains targeting affluent individuals with above-average BMIs being sold on online marketplaces.

When we think about online safety in the context of these platforms, we often concentrate the majority of our efforts and recommendations on the threats targeting buyers. In many cases, scammers are also actively targeting the people selling items on these platforms as well. From an adversarial perspective, it makes sense to target sellers, as these are likely to be individuals with large amounts of cash sitting in their accounts as they frequently receive payments for items they sell. Likewise, adversaries can easily monitor the public listings of seller accounts to identify when high-value items are listed, as well as when they are sold, so that they can identify when a target could reasonably be expected to receive an influx of cash into their accounts. 

Likewise, many platforms train their sellers to expect frequent, unsolicited account verification prompts delivered in any number of ways, which provides the perfect pretext for scammers seeking to take advantage of this pool of targets. From a detection and analysis standpoint, these types of attacks are often difficult to effectively combat, as platform providers, intelligence analysts, and law enforcement agencies are forced to primarily rely on self-reporting from victims to quantify the scope and impact of these types of threats. Let’s break down a few examples of some of the most common scams that target the individuals or organizations selling products on online marketplaces.

Phishing and malware scams

While some scams attempt to fraudulently steal items, others are primarily aimed at stealing financial information from sellers by leveraging the platform’s messaging feature(s) as a mechanism to directly communicate with them for the purposes of phishing or malware distribution. In some cases, phishing is used to compromise the seller account itself, enabling the attacker to manipulate listings, shipments, modify automated payout settings, and communicate with current and previous buyers to conduct additional fraudulent activities. In other cases, phishing is used to obtain financial information, such as bank account or credit card information, that can be used to steal money from the seller.

Payout account verification scams

In a recent example, a /r/guitarpedals user reported that they had received a suspicious direct message on their Reverb seller account. The message was crafted to appear as if it was sent from the Reverb team itself. It informs the seller that their item has sold and prompts them to complete account verification to ensure that they receive payment for the item(s) they have sold.

A hyperlink, present in the message (and shown below), attempts to leverage Reverb’s own redirection functionality to direct victims who click on the hyperlink to a malicious web server under the attacker’s control.

This technique uses percent encoding, an obfuscation technique, to mask the destination of the redirect and make it appear as if the link is pointing to the legitimate Reverb website.

This URL, when accessed, returns an HTTP/302 redirection to another attacker-controlled web server, but ultimately the victim receives the following landing page. The attacker has put effort into making sure it appears legitimate and mimics what the victim expects to see. A chat message prompts the victim to complete the verification process by following the on-screen instructions.

A “Receive Funds” button has been positioned behind the chat popup shown in the previous screenshot. When the victim clicks this button, they are presented an input form and prompted to provide the credit card information necessary to verify their desired payout account. Throughout this process, additional chat message popups are delivered to lend credibility to the process.

Since this is the account the seller would like to use to receive payments for items sold on the platform, it likely also contains any funds associated with previous sales, and will likely frequently receive lump sums when future items are sold, presenting a myriad of opportunities for attackers to monetize the account and assets within it, now or in the future. For example, if a threat actor successfully obtains credit card details for a seller account with multiple high-value items actively listed, they can simply wait until an item sells before attempting to monetize it.

Assuming the victim enters valid credit card details, a message will be displayed requesting additional information.

The additional information in this case is the balance of the account that is being “verified.” A new chat message appears, prompting the user to enter the balance in their account, presumably so that the attacker can more effectively prioritize which accounts to empty first.

Assuming the victim enters their balance information, they are presented with the following message letting them know that it will take a period of time before they notice any changes to their accounts.

At this point, the adversary has obtained credit card details that they can then monetize however they choose. It’s important to note that while this particular example targeted sellers using the Reverb platform, most other online marketplaces experience similar threats as well. We have also observed Reverb often taking rapid response actions when attempting to send messages containing percent-encoded hyperlinks, indicating that the platform is aware of the issue and has put in place some mechanisms to help reduce the frequency and quantity of these types of messages on the platform.

Reverb also presents warning messages to let users know when they are being redirected to a third-party domain, as shown in the screenshot below. 

It is important to always validate the destination of hyperlinks received from unsolicited sources and to limit access to off-platform resources when conducting business on online marketplaces.

It is also important to note that direct messaging within marketplaces is not the only mechanism used for this type of scam. Below is a screenshot of an email received by a Shopify storefront owner attempting to convince them to verify their payout account information, similar to the previous example described above.

Below is another example. In this case, the threat actor has sent an email claiming that the seller has received a chargeback claim from a customer and prompting them to take action. Since chargebacks are often received for a variety of reasons, sellers may be more easily convinced to provide account or credit card information when prompted with a claim related to a chargeback.

If an email is received from an online marketplace, the platform will typically also provide warning messages, banners, and other mechanisms to alert sellers of the same issue. In the case that a seller receives an unexpected email related to payment issues, sellers should attempt to resolve issues directly on the platform rather than accessing content or responding to the email. 

Scams to remove seller protection

When selling new or used items using online marketplaces, one of the most important elements influencing platform and payment method selection for many people are the seller protection policies in place. These policies often provide protection from common types of fraudulent claims that may be made by buyers, such as non-receipt, damage, etc. In order to remain in effect, they generally require both the buyer and seller to perform the transaction following certain requirements that enable proper resolution should an issue arise. 

In an effort to remove these protections and make it easier to successfully monetize their scam(s), scammers posing as buyers will often attempt to convince sellers to conduct portions of the transaction “off-platform,” as this will void the protection policy that would otherwise be in place using a variety of different pretexts and themes. Likewise, some scammers target the shipping part of the transaction process, attempting to convince sellers to modify the shipping to void the seller protection policy afforded by the platform. By removing the ability for the seller to leverage the protection policy afforded by the platform used to sell the item, many of the normal recourse steps usually taken when dealing with fraudulent buyers are no longer available to the seller.

Off-platform transactions

Scammers also frequently use a variety of pretexts to attempt to convince sellers to perform the financial transaction associated with an item purchase using third-party platforms separate from the one on which an item was originally listed. They will attempt to trick victims into moving to an alternative mechanism for performing the transaction so that the seller loses most of the protection(s) afforded by the marketplace. 

In many cases, scammers will use additional pressures, such as time sensitivity, urgency, or manipulated screenshots showing failed transaction attempts, to convince sellers to perform transactions using alternative means, such as wire transfers or money transfer platforms, where seller protections are limited and—in the case of fraud—most recourse options are no longer available. 

There are countless examples of different pretexts being used in varying capacities, all ultimately for the same purpose, to convince sellers to leave the marketplace to perform the transaction elsewhere so that seller protections against fraudulent activity on the part of the buyer are removed.

Shipment detail changes

Since a seller account’s past and current item listings are easily accessible from the seller’s profile, it is easy for adversaries to leverage information contained within these listings (including photos) when building pretexts that are used to target the individual operating the seller account. One common way that adversaries leverage this information is by tailoring their messaging to account for both active and recently sold listings related to the seller they are communicating with. 

In the screenshot below, a scammer is contacting sellers on Ebay claiming to be an individual who purchased an item recently sold by the seller(s). The scammer hopes that by timing their message properly, they can take advantage of sellers who may not be paying close attention to the username listed in the message. For many sellers who are managing large numbers of listings, it can often be overwhelming to maintain many different streams of communication and/or multiple transactions simultaneously, leading them to respond quickly or otherwise take action (like modifying shipping instructions) without properly validating the content of the message.

Online reports indicate that it is not uncommon to receive these types of unsolicited messages, regardless of whether a seller has recently sold an item, which may be due to some level of automation being used to generate and transmit the messages. 

If the seller is convinced to change the destination address for the shipment due to receipt of one of these scam messages, the item that was sold may be shipped to an address under the attacker’s control. The attacker is then able to monetize the item while the original buyer does not receive the item that they purchased. Many of the protections afforded by online marketplace are lost when the shipping address used does not reflect what was present on the order at time of purchase, opening the seller to additional exposure as the buyer’s loss will still need to be resolved.

The “friends and family” option

Social media sites like Reddit have become very popular for posting used items to solicit interest from other users of a given subreddit. In some subreddits, there are even official or unofficial “Want to Buy / Want to Sell” (WTB/WTS) threads, where users can list items they are selling or items they would like to purchase. This creates an ideal pool of potential victims for scammers seeking to target users of these platforms.

Since Reddit is not an online marketplace, the transactions associated with this activity typically take place using money transfer platforms, such as Paypal, Zelle, or Venmo. Scammers will often leverage compromised accounts on these money transfer platforms when communicating with sellers (or buyers), often attempting to convince them to use the “friends and family” (or equivalent) payment option available on many of these platforms. Often, sending or receiving money with this option enabled removes many of the mechanisms in place to protect sellers from chargebacks and other fraudulent activity. Sellers should never enable this option when processing payments for goods they may sell via online marketplaces, social media sites, or in any transaction where protection against fraud is desired. 

In some cases, this method may be combined with other methods seeking to convince sellers to perform transactions outside of established platforms, then once the seller has agreed, scammers can leverage this option to further remove seller protections.

Recommendations

Most of the online literature related to defending against the scams pervasive on online marketplaces is geared towards the buyer experience. Recent trends in social media reporting indicate that sellers are also being increasingly targeted. While some of the scams faced by sellers resemble those faced by buyers, there are many that are unique. It is important that individuals or organizations leveraging online storefronts and/or marketplaces be aware of these threats so that they can prevent themselves from falling victim. 

It is extremely important that online marketplace accounts be protected with multi-factor authentication (MFA) whenever the platform supports this capability. This will provide an enhanced layer of security in cases where the account credentials are compromised as an additional authentication factor will still be needed to successfully access the account. 

When posting listings for items, be mindful of any photos that accompany the listing. Not unlike posting images to other social media platforms, items or objects in the background may unintentionally disclose sensitive information that could be used for malicious purposes. The information provided could also be leveraged to create more convincing or effective pretexts for later scam activities targeting the seller(s).

Avoid using third party services or platforms when conducting business transactions on online marketplaces. Take advantage of the protections afforded by the platform and avoid taking any actions that may jeopardize them. Reasonable buyers will be willing and able to conduct business following the standard platform transaction process. Sellers should avoid feeling pressured or worried about losing a sale and insist that the transaction take place in accordance with the policies of the online marketplace platform.

Verify the account associated with any messages received on online marketplaces. Always spend the time to validate that the message was actually received from the account of the buyer who purchased any recently sold items. Likewise, most platform support teams will not contact users via direct messaging for account verification or other sensitive processes as most of the time, these processes are directly supported by the platform itself. If a seller receives a direct message purporting to be from the platform itself, caution should be exercised and the message should be validated by contacting the support team separately using the information published on the marketplace website.

Sellers should also avoid modifying destination shipping addresses after orders have been placed. If a buyer asks to change the shipping address for an item they recently purchased, sellers should consider suggesting that they change their address using the online marketplace itself and contact support facilitate the change prior to shipping. This helps ensure that the seller is not deviating from the order that was placed, and helps ensure that they do not lose the seller protections afforded by the platform.

Share this document

We created this handy guide for you to share with anyone you know who sells online:

Coverage

Ways our customers can detect and block this threat are listed below.

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

Indicators of Compromise

IOCs for this research can also be found at our Github repository here.

Cisco Talos Blog – ​Read More

We live in the age of AI hype. Artificial intelligence is here, there, and everywhere – so promising, slightly mysterious, but undeniably guiding humanity toward a brighter future of technological singularity that’s still somewhat incomprehensible and potentially a black hole.

Some readers might detect sarcasm in this statement – but that would be a mistake. Machine learning-driven automation (ML), neural networks, and other AI technologies have already taken over many industries. And there’s more to come in the evolution of Homo sapiens. If you’re interested in diving deeper into this topic, check out the history of the various industrial revolutions: first, second, third, and even fourth.

In line with this trend, cybersecurity was perhaps one of the pioneers in adopting new, smart technologies. And what makes me particularly proud of this process is that our company was one of the first in the industry to successfully implement this bright AI-driven future. How else could we possibly handle nearly half a million new malicious programs emerging every single day as of early 2025? No educational system in the world can produce enough experts to keep up with that. The only solution is to create intelligent systems capable of independently and highly accurately neutralizing cyberattacks. Experts are then left with only the most complex cases – and, of course, the challenging task of inventing and continuously improving these systems.

A few days ago, we celebrated an exciting anniversary. Twenty years ago was born the prototype of our first AI/ML technology for automatic malware analysis and the creation of “detections” – antivirus updates that protect computers, gadgets, and other devices from new attacks.

The technology was given a name that’s rather odd at first glance – Avtodyatel, which translates as Auto-Woodpecker! But there’s a simple explanation for it: within our team, security analysts were affectionately referred to as woodpeckers – tirelessly pecking away at viruses and processing streams of suspicious files. And then we added the “Auto” to “Woodpecker” for the name of the tech designed to do this job automatically (incidentally, I was a woodpecker myself back then).

After digging through our archives, we found not only the birthdate of this first automation baby, but also some fascinating photos of the original plans for its creation. We even recalled its birthplace – the 14^th floor of the Radiophysics building near the Planernaya metro station in northwest Moscow where we rented office space at the time. So get comfy, and I’ll tell you a fascinating story. It all started kinda like this…

A quarter of a century ago, malicious programs were much rarer – and, paradoxically, much more advanced – than today’s typical malware, despite being written by pioneering enthusiasts, inventive lone programmers, and cyber pranksters. This made researching them a real pleasure – each new virus taught you something new. Back then, like my fellow woodpeckers, I manually analyzed the stream of malicious programs – what would now be called “malware research”.

By that time, it was already difficult to compile all existing malware into a single reference book as had been done back in 1992. But we still managed the flow, and at the end of each work week, I manually compiled antivirus database updates.

However, over time, malware creation evolved from mere mischief and boundary-pushing into a full-fledged criminal industry. Cybercriminals no longer just wanted to infect as many computers as possible – they sought to profit from it. For example, they harvested email addresses from infected machines and sold them for spam distribution.

Sensing profit, these bad actors triggered exponential growth in malware production. But instead of inventing fundamentally new threats, they started mass-producing slightly modified versions of existing ones. And I realized we couldn’t keep up manually; if we were to continue down this path, we’d drown in an endless flood of cyber-garbage.

Fortunately, technological advancements at the time required much smaller investment and less development time. You could just buy some pizza (pineapple-topped, of course!), gather a few brilliant minds in a meeting room, and spend a couple of hours brainstorming project ideas. And so, on February 22, 2005, I assembled my colleagues to develop plans for automating our malware analyst work.

Just take a look at this beauty!

We had some primitive automation tools before, of course. But Auto-Woodpecker was the first system with a fundamentally new level:

1. It freed up valuable experts from repetitive tasks, allowing them to focus on more advanced challenges.
2. It massively scaled up operational efficiency.
3. It helped highlight similar (or related) incidents for further analysis.

In simple terms, the system automatically received new files from agents (“crawlers”) that scanned websites, email traps, and network sensors. These files were then automatically unpacked and executed in a secure environment – an artificial setting designed to observe malware behaviour.

There, the samples were analyzed by automated scanners, classified, and then compiled into antivirus databases.

The key challenge when encountering a new malware sample was determining whether it was a never-before-seen threat, or simply a variation of a known one. This is where the file auto-classifier (marked as “FF” in the diagram above) came into play, utilizing AI/ML principles – now an essential feature in nearly every cybersecurity product (except for fraudulent ones).

It didn’t work perfectly at first, but it quickly improved. We systematically documented all our ideas, detailed how subsystems would interact, how data would be exchanged, and how false positives would be handled. Then we rolled up our sleeves and got to work.

A few months later, the first version of Auto-Woopecker went live.

The results were instant and dramatic. Previously, five of us manually analyzed around 300 malware samples per week – an impressive number at the time. But with Auto-Woodpecker our productivity skyrocketed. And as the technology improved, this skyrocketing just kept on… skyrocketing!

Before long, Auto-Woodpecker was processing the entire incoming stream – leaving only 2-5% of all suspicious files for manual expert review. Today, of course, our tools are far more advanced, and AI-driven technologies play an even bigger role in cybersecurity.

To give you a glimpse of how far we’ve come, here are just a few recent examples:

• Kaspersky MLAD (Machine Learning for Anomaly Detection): A predictive analytics system that detects early signs of equipment failure, process disruptions, cyberattacks, and human errors in industrial telemetry signals – long before they cause real damage.
• Kaspersky MDR (Managed Detection and Response) This service has been using an AI analyst for several years to filter out false positives, reducing the workload on SOC specialists and allowing them to focus on complex threat investigations.
• Kaspersky Threat Lookup: Just last week we integrated a tool for finding contextual information on indicators of compromise using an AI-powered large language model.

The results speak for themselves, and we have even bigger plans ahead!…

Happy 20th Anniversary, Auto-Woodpecker!!

Cin cin!

Kaspersky official blog – ​Read More