The continuing increase in visitors to the Pinterest site may be a primary cause why it’s becoming a hit for cybercriminals’ scams and schemes. In March, we spotted scammers using popular brands to lure users into “pinning” fake posts that led to surveys scams. This new wave of survey scams I found came from my search using “pinterest” as keyword.

Users who re-pin the posts from the sample above will most likely spread the post.

In addition, I also spotted posts using URL shorteners such as bit.ly and goo.gl. When clicked, the shortened URLs/the fake posts lead to any of the following URLs:

• http://pinterest.co{BLOCKED}t.info/?419
• http://pinterest.com-{BLOCKED}key.info/Thank-You/fb/
• http://pinterest.co{BLOCKED}s.info
• http://pinterest.{BLOCKED}one.info
• http://pinterestgift.{BLOCKED}hing.info
• http://pinterests.{BLOCKED}onus.info

Upon clicking the link, users are redirected to a Pinterest-like webpage offering prizes, vouchers, gift cards and others:

Made to resemble like a typical Pinterest webpage, the fake site features a search field, add+, an about. However, these are mere images and are not clickable. The clickable links are those that redirect to survey scams such as Body Age Quiz.

After a user fills out the fields required in the scam page, users are also required to enter their mobile numbers. Users who do provide their numbers will receive a code on their mobile phones and will continue to receive unwanted messages, charges and other scams via text message.

And Via Email, Too

Another thing I’ve noticed is that the fake site requires an email address:

Users entering their email addresses are brought to complete several steps to get the supposed offer. Users receive an email claiming to be from Pinterest. The email urges the user to click on the link found in the message body to confirm the subscription. Clicking on the link redirects the user to a Pinterest-like scam page. Again, all the clickable links lead to the same scam pages.

Upon closer investigation of these attacks, I noticed that before users are redirected to the fake Pinterest sites, the connection passes through ad-tracking sites. This way, the number of visitors are tracked, determining the supposed earnings of the scammers. Based on our data, the fake Pinterest URLs are being visited since May 2. Fake Pinterest posts hosting scams are likely to spread within Pinterest via users who re-pin the posts. The “offers” in these fake Pinterest posts look enticing after all. Plus, some users would want to ask the rest of the Pinterest community to verify such offers, like this user.

Pinterest has since removed some of the fake Pinterest posts. Trend Micro users are also protected from these scams by the web reputation technology in our Smart Protection Network™.

Recently, Trend Micro researchers encountered a potential vulnerability that affected users of Yahoo! Mail. We discovered several emails used in targeted attacks that contained JavaScript in the “From” field that attempted to launch a Document Object Model (DOM)-based cross-site scripting attack against the recipients of the email. However, we were not able to replicate the attack successfully. We have been in touch with Yahoo! about this problem.They, too, were unable to replicate this attack successfully at that time. However, to protect users against any such problems Yahoo! has strengthened their filters that sanitize user emails in order to protect against these kinds of attacks.

This is not the first time that vulnerabilities have been found in popular webmail providers. We discussed almost a year ago that some of the major webmail providers – Gmail, Hotmail, and Yahoo! Mail – were all found to have some sort of vulnerability that compromised either the user’s email account or their system. It shouldn’t be a surprise that they’ve become targets as well: just about everyone uses these free services, and users don’t expect these services to have security problems of their own.

As we’ve highlighted before, vulnerabilities like these are used in targeted attacks. Whether it’s vulnerabilities in user software or cloud-based services like free webmail, vulnerabilities allow attackers to compromise systems without the target being aware that anything has happened. This is extremely useful to attackers as the content compromised email accounts can be stolen by attackers and the account can be used to launch further attacks against the victim’s contacts.

We recently received reports about private messages found on Facebook and distributing a link, which is a shortened URL pointing to an archive file “May09-Picture18.JPG_www.facebook.com.zip”. This archive contains a malicious file named “May09-Picture18.JPG_www.facebook.com” and uses the extension “.COM”.

Once executed, this malware (detected as WORM_STECKCT.EVL) terminates services and processes related to antivirus (AV) software, effectively disabling AV software from detection or removal of the worm. WORM_STECKCT.EVL also connects to specific websites to send and receive information.

Another noteworthy routine is that this worm downloads and executes another worm, one detected as WORM_EBOOM.AC. Based on our analysis, WORM_EBOOM.AC is capable of monitoring an affected user’s browsing activity such as message posting, deleted posted messages and private messages sent on the following websites such as Facebook, Myspace, Twitter, WordPress, and Meebo. It is also capable of spreading through the mentioned sites by posting messages containing a link to a copy of itself.

Facebook and IM applications are tools to share and connect. Cybercriminals’ use of these tools is nothing new, but there are users who fall prey to these schemes. We recommend users to be conscious with their online behavior, in particular on social media sites. To know more on how you can prevent these threats targeting Facebook and other social media sites, you may read our comprehensive e-guide A Guide to Threats on Social Media.

Furthermore, with our recent partnership with Facebook, Trend Micro™ protects users via Smart Protection Network™, which blocks access to the related malicious link. The file reputation technology in Smart Protection Network™ detects and deletes both WORM_STECKCT.EVL and WORM_EBOOM.AC.

Not long after we found sites offering rogue versions of Instagram and Angry Birds Space, another malicious site hosted in Russia was found to peddle fake Farm Frenzy 3 versions. The perpetrators behind this fake app are hoping that users who are not discriminate enough may download their malicious version, which is detected by Trend Micro as ANDROIDOS_FAKE.DQ.

If users would try to play the said app, the malware displays the image below:

Clicking the first button on the image triggers an SMS message to be sent to the premium numbers listed below:

• 8883
• 8887
• 6151
• 1
• 2855
• 9151
• 9685
• 9684

In turn, affected users incur unnecessary charges for the said message. Unfortunately, paying fees for unauthorized messages is only half the problem for users. Choosing the said button also changes the display on the screen (see below), wherein choosing the top button may lead users to a malicious website.

This incident is just one of the several Android malware we’ve seen spoofing popular apps. Aside from the previously mentioned bogus Instagram and Angry Birds Space, we recently uncovered a malware that masquerades itself as an Adobe Flash Player app for Android OS.

Trend Micro protects your Android OS phones via Mobile Security Personal Edition app, which prevents access to these malicious sites and blocks the download of malicious .APK files into mobile devices.

To know more on how to better protects yourself from these rogue apps and other threats hovering Android OS, you may read our comprehensive e-guide “5 Simple Steps to Secure Your Android-Based Smartphones” .

We recently found some suspicious looking URLs which suggest that a malicious file named ChromeSetup.exe is hosted in domains like Facebook and Google.

The finding, which we were able to flag during our analysis of data processed by the Trend Micro™ Smart Protection Network™ definitely caught our attention.

Looking at data from the Smart Protection Network™, we were able to find 3 different binary files that appear to be downloaded from the following URLs:

• hxxp://br.msn.com/ChromeSetup.exe
• hxxp://www.facebook.com.br/ChromeSetup.exe
• hxxp://www.facebook.com/ChromeSetup.exe
• hxxp://www.globo.com.br/ChromeSetup.exe
• hxxp://www.google.com.br/ChromeSetup.exe
• hxxp://www.terra.com.br/ChromeSetup.exe

When we took a closer look at the downloads, we identified that all downloads are being redirected to two different IPs, instead of the legitimate IPs of the accessed domains. What’s more noteworthy is the fact were seeing access in clients from the Latin American region, mostly in countries Brazil and Peru.

An analysis of the file ChromeSetup.exe done by my colleagues Roddell Santos and Roland dela Paz verified that it is a multi-component BANKER malware detected as TSPY_BANKER.EUIQ.

Once running on a system, TSPY_BANKER.EUIQ sends information such as the infected system’s IP address and operating system name to a specific IP address. It also downloads a configuration file that contains information it uses to redirect access to fake banking pages whenever a user attempts to visit certain banking websites.

When a user opens a targeted bank’s site, TSPY_BANKER.EUIQ intercepts the page request and displays the following message, tricking users into thinking that the website is loading security software where in fact it is already redirecting users to the spoofed banking website:

It then opens Internet Explorer to go to the new link depending on the browser’s title. Screenshot of a fake site is below. Notice the “_” before the name in the window title, as well as the URL of the banking site:

TROJ_KILSRV.EUIQ, a component of this TSPY_BANKER.EUIQ, on the other hand, uninstalls a software called GbPlugin–a software that protects Brazilian bank customers when performing online banking transactions. It does this through the aid of gb_catchme.exe–a legitimate tool from GMER called Catchme, which was originally intended to uninstall malicious software. The bad guys, in this case, are using the tool for their malicious agendas.

Further Investigation

A more in-depth investigation allowed us to gain access on the page index where TSPY_BANKER.EUIQ downloaded configuration files from. The same index page hosted the three binary files that the malware used aside from the configuration file that we saw in the same location.

Roland analyzed the IP to where TSPY_BANKER.EUIQ sends the infected system’s IP address and operating system name, and found a panel that appears to show logs related to the attack.

During the time the C&C panel was analyzed, we have observed an abrupt increase on the registered logs. In fact, the phone home logs jumped from around 400 to nearly 6000 in a span of 3 hours. These logs are comprised of 3000 unique IP addresses which translates to the number of machines infected by the malware.

The server, unfortunately, soon became inaccessible. However, the abrupt increase in the malware C&C logs could either mean that there was an outbreak of the malware or they might be migrating their C&C server at the time. It also appears that the attack is targeting Brazilian users and it is targeting Brazilian banks.

Since the start of this analysis, we have also been seeing variations of the BANKER malware we analyzed during this investigation in the wild. The first few samples that we got installed the three components separately, but now we are getting new samples that are able to install the different components in one package. It looks like this malware is still under development and we may still see improvements in future variants. Roland also mentions that he came across a likely related C&C that surface last October 2011 which indicates that the perpetrators behind this threat aren’t new in the scene.

Missing Piece

While we may have a complete picture of this particular attack, the one missing piece now is the same thing that made us notice this malware from the millions of data that we have from our threat intelligence – how it is able to redirect user accesses from normal websites like Facebook or Google to its malicious IP to download malware. We will continue our investigation related to this incident and will update this blog with our findings.

Online threats will continue to evolve and find ways into systems. As such, traditional web blocking technologies may fail to block access to malicious URLs, especially when these are masked with the use of legitimate domains like those of Facebook or Google.

This is where a telemetry such as the Trend Micro™ Smart Protection Network™, which provides intelligence derived from a global network of threat data, becomes vital. This technology not only allows us to identify and correlate emerging attacks worldwide, but also lets us instantly deploy the proper threat mitigation solutions on customer environments.