Feb 8, 4:01 am (UTC-7) | by Abigail Villarin (Fraud Analyst)

Using one of its anti-phishing resources, TrendLabs recently spotted a new phishing site spoofing CenturyLink’s secure login page.


CenturyLink, created by the merger of CenturyTel and Embarq on July 1, 2009, is a leading provider of high-quality voice, broadband, and video services through its advanced communication networks to consumers and businesses in 33 states in the United States. It is currently the fourth largest local exchange telephone company in the United States in terms of access lines. It has more than 7 million access lines in service and more than 2 million high-speed Internet connections, as well as its own 100 percent digital network, Centrex, ISDN, and advanced intelligent network.

Even though CenturyLink’s real secure login page looks very similar to the spoofed one, there are still at least three major differences. First, the URL of the real login page, https://secure.centurylink.net/login.php, begins with one of the first marks of a secure login page (https), followed by the company name. The spoofed one, http://www.{BLOCKED}gsoo.com/g4/data/file/news/CenturyLink.net.html, begins with http, followed by a suspicious-looking domain name; the company’s own name only appears further along, in the path.

Next, a secure login page always has a padlock icon on the lower-right portion of the page while the fake page only has an exclamation point, indicating that something is wrong.

Finally, look at the lower-left portion of the spoofed page: though it is marked as “Done,” it clearly contains errors, as evidenced again by the exclamation point.

Users who unknowingly end up in the malicious site and enter their credentials are at risk of losing critical personal credentials or maybe even their identities, as clicking the Log In button sends the user data to the cybercriminals behind this attack. As of this writing, however, the phishing page is no longer active.

There are several ways by which you can tell if you are being phished; the three techniques mentioned above are just some of the more noticeable ones, particularly in this attack. There are also several ways by which users can protect themselves from being phished. Awareness, in this regard, is clearly key.
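The first difference described above (https versus http, and where the company name sits in the URL) can be checked mechanically. This is an added example and not code from the post; it uses the two URLs the post prints, and the `registered_domain` helper is a deliberate simplification (last two labels, no public-suffix list):

```python
from urllib.parse import urlsplit

# The two URLs compared in the post: the genuine login page and the spoofed one
# (the {BLOCKED} fragment is kept exactly as the post prints it).
REAL_URL = "https://secure.centurylink.net/login.php"
SPOOFED_URL = "http://www.{BLOCKED}gsoo.com/g4/data/file/news/CenturyLink.net.html"


def registered_domain(hostname: str) -> str:
    """Guess the registrable domain as the last two labels.

    Assumption: no public-suffix list, so this is right for .com/.net but
    would mis-handle ccTLD forms such as example.co.uk.
    """
    labels = hostname.lower().split(".")
    return ".".join(labels[-2:])


def phishing_indicators(url: str, brand: str) -> list[str]:
    """Return the red flags a user can see in `url` for a page claiming to be `brand`."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    brand = brand.lower()
    flags = []
    # First mark of a secure login page, as the post puts it: the scheme.
    if parts.scheme != "https":
        flags.append("no https")
    # Second: the company name belongs in the registered domain, not in a
    # subdomain or in the path of some unrelated domain.
    domain = registered_domain(host)
    if brand not in domain:
        flags.append(f"brand not in registered domain ({domain})")
        if brand in host or brand in parts.path.lower():
            flags.append("brand appears only in subdomain or path")
    return flags


if __name__ == "__main__":
    for url in (REAL_URL, SPOOFED_URL):
        print(url, "->", phishing_indicators(url, "CenturyLink") or ["looks genuine"])
```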

Trend Micro™ Smart Protection Network™ protects users from this kind of attack by blocking user access to malicious sites and domains.




Feb 8, 3:58 am (UTC-7) | by Luisa Villasabas (Fraud Analyst)

It seems that cybercriminals will really stop at nothing to further their malicious activities. Trend Micro fraud analysts received yet another spammed message obviously designed to lure unwitting customers of Caisse d’Epargne, a French semicooperative bank, into their phishing trap.

Founded in 1818, with around 4,700 branches in France, Caisse d’Epargne is active in both the retail and private banking segments. It also holds a significant stake in the publicly traded investment bank, Natixis.

The spammed message informs customers that the bank found some problems with their accounts. It then tells the recipients that, to keep them protected, the bank needs them to fill in additional information by clicking an embedded link in the email. Clicking the link, however, redirects users to a phishing page that looks a lot like the bank’s official website.


As expected, the phishing site asks users to enter their personal identification numbers (PINs) to validate their accounts. There are, however, noticeable differences between the phishing site (marked in red in Figure 2) and the bank’s legitimate site (marked in green in Figure 3) if only users take time out to make sure they are not being victimized by wily cybercriminals.


In fact, the bank’s legitimate site has even displayed a security warning (marked in green in Figure 4) to all of its customers regarding the said phishing attack since January 28.


The continued proliferation of phishing attacks, as evidenced by this, supports the “2009 Third Quarter Report” released by the Anti-Phishing Working Group (APWG). Based on the group’s global phishing survey, the third quarter of 2009 broke the record with 40,621 unique phishing reports as of August.

However, what is more often overlooked can be summarized by the question, “What really happens after a phishing attack?” Trend Micro partner, RSA Security, gave some really frightening answers to this question. The article describes a real-life scenario that shows how cybercriminals buy credit card information, which they use to purchase high-end merchandise online. Fraudsters then resell these products, enabling them to make substantial profits.

Considering the persistence with which cybercriminals operate, users should thus be extremely cautious every time they conduct online transactions. Fortunately, Trend Micro™ Smart Protection Network™ already protects product users from this particular threat by preventing the spammed message from even reaching their inboxes and by blocking user access to the phishing site.

Non-Trend Micro product users can also stay protected from malicious URLs by using one of Trend Micro’s free tools, Web Protection Add-On.



Feb 4, 10:05 am (UTC-7) | by David Sancho (Malware Researcher)

The PUSHDO botnet has been in the news lately as the culprit in a distributed denial-of-service (DDoS) attack against a variety of well-known websites. Some publications even documented this recent attack extensively. After spending some months last year studying and monitoring the PUSHDO/CUTWAIL botnet and after checking the latest samples, we can affirm that this particular attack is not PUSHDO related.

First off, PUSHDO variants are usually downloaders that often report to a command and control (C&C) server. The DDoS malware in the attack, on the other hand, is a spambot. Though the PUSHDO botnet uses a spambot (dubbed “CUTWAIL” by the security industry) to massively spam users, when we compared our CUTWAIL samples with the DDoS spambot used in this attack, we did not see a convincing reason to believe that they are related.

Security experts commonly detect this new spambot variant as “Harebot” or “Shgray.” Some security vendors also detect it as “Pandex,” which was another name used for PUSHDO variants. We believe this is the reason why people think this new threat is PUSHDO related.

Though this may seem like a small point to make, it is a rather important one. Even if the new spambot is indeed an evolved version of CUTWAIL variants (something that has not yet been proven), this still does not mean that the PUSHDO botnet owners are the ones behind this massive DDoS attack.

These two groups may be one and the same or two entirely different organizations. In any case, the reason to create a DDoS-capable spambot is still an enigma even to security researchers.

Feel free to comment on this blog if you have any interesting theories about it.



Feb 3, 8:48 pm (UTC-7) | by Danielle Veluz (Technical Communications)

A new spam campaign gives the phrase “too good to be true” a whole new spin: spammed messages purporting to come from Google in response to job applications. While most spammed messages take advantage of a specific special occasion, holiday, or even a currently newsworthy item, spammers have hit a new low with their latest scheme.

Taking the form of job application responses from Google, the email even sports the official Google logo and an accompanying legitimate From: address. With close-to-perfect grammar and syntax (unlike most known spammed messages), it is becoming even trickier to distinguish real email messages from fake ones. And why would users not want to believe what the message says? Google has always been commended for being a more-than-ideal workplace. Receiving word regarding a job application from the company is thus great news indeed. But is viewing a suspicious-looking email message, especially if you did not even send an application in the first place, worth infecting your computer?


The latter part of the spammed message is even more suspicious, as it asks the recipient to download a .ZIP file attachment, CV-20100120-112.ZIP, which then opens a prompt to download the file with a different name (document.doc) and a hidden extension (.EXE), detected by Trend Micro as WORM_SPYBOT.MCP.

Cybercriminals have also been known to make use of spaces to hide the real extension names of file attachments. The same technique was used in this scam, making it seem that the extension is .DOC when it is actually .EXE.

Trend Micro™ Smart Protection Network™ protects users from this kind of threat by preventing the spammed messages from even reaching their inboxes and by detecting and deleting files identified as WORM_SPYBOT.MCP.

Non-Trend Micro product users, on the other hand, can also stay protected via HouseCall, Trend Micro’s highly popular and capable on-demand scanner for identifying and removing viruses, Trojans, worms, unwanted browser plug-ins, and other malware from infected systems.



Feb 2, 6:24 am (UTC-7) | by Martin Roesler (Director for Threat Research)

Today, I was scanning through various industry blogs when I stumbled upon an entry from Kaspersky Labs. What was interesting was that under the veil of improving testing quality, the blog openly admitted that the organization in question had been trying to play tricks on competing organizations just to position itself more favorably among the media.

The organization explained that it deliberately created clean files and added fake detections in order to “show” that other vendors copied it. This was a risky decision. Across the industry, research organizations share a level of trust and participate in sample-sharing programs in order to protect customers, which for Trend Micro, is what always comes first. (I should just add here that Trend Micro was not one of those companies affected by this, as we always QA our own detections and never rely on those of another vendor.)

Aside from the organization’s cheap prank, we were very pleased that the other resounding message that came from the blog post was that it finally understood and supported the message Trend Micro has been promoting for a long time now—the need for change in testing methodologies to include real-world testing such as those delivered by NSS Labs.

The need to change testing methodologies was also a primary reason for the foundation of the Anti-Malware Testing Standards Organization (AMTSO), which aims to come up with more realistic and useful benchmarks.

This story really shows just how influential the media is on the antivirus industry, in that even a respected vendor would manipulate detection rates just so it can positively position itself with the press rather than focus on its customers.

But another, more positive lesson is that the path AMTSO is taking is the right one. Pure detection rates based on numbers or one-to-one comparisons are yesterday’s methods for verifying the value and performance of a security solution.

Customers need holistic reviews that give them real-world, scenario-based feedback about what different solutions can offer them instead of pure “I detect more than you” headlines. I am glad to see that testing organizations like NSS Labs, AV-Comparatives, and AV-Test have meanwhile understood and started to pick up these principles.



© Copyright 2010 Trend Micro Inc. All rights reserved.