Archive for November 10th, 2006


Nov10
by Ivan Macalintal (Advanced Threats Researcher)

Yes. And that is not a typo of “Myspace” in the title, although a typo is exactly what it is meant to be. The domain myspaace.co.uk (with two a’s) was bought for 100 GBP just last October 25, 2006.


The said social networking site’s popularity is now at its peak, just like all domains that fall under the umbrella of Web 2.0, and with this kind of surge of activity from users, there’s almost always a dark side just a few feet away.


A couple of examples of the abuse of Myspace’s popularity include, but are not limited to, the Myspace worm last year; the bunch of adware that infected more than 100M users last July 2006; and the recently discovered 0-day Myspace vulnerability.


This write-up is not aimed at jumping the gun, so to speak…


But with the rising incidents of typo-squatting using popular sites such as Google and Trend Micro, it wouldn’t take long for malicious hacker groups to take advantage of the popularity of Myspace, and of the fact that users may just type in an extra letter such as the letter ‘a’ when going to the Myspace site… and then WHAM! It could be another big malware infection incident, considering the number of Myspace users and would-be users around the globe!


With that said, let us take extra care and check what we have typed in our browser windows before hitting the Enter button. And rest assured too that the Trend Micro Incident Response Team will be monitoring any malicious use of this newly-bought domain, Myspaace, or any other typo-squatting incident for that matter.
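The post's point is that a single extra keystroke is enough to land a user on a look-alike domain. The following is an added example, not code from the original post or from Trend Micro: a small defender-side scanner that reads proxy log lines and flags any hostname whose registrable label is one edit (insertion, deletion, substitution or adjacent transposition) away from a protected brand label. The brand list, the two-level suffix list and the log lines are constructed for the example; a real deployment would use the Public Suffix List instead of the hard-coded suffixes.

```python
"""Flag hostnames that are one keystroke away from a protected brand label.

Added example (not from the original post). Meant for a defender reviewing
proxy or DNS logs, or a feed of newly registered domains: a registrable label
within one edit of a protected label, but not the label itself, is a
typo-squat candidate worth a closer look.
"""
import re

# Constructed watch list for the example.
PROTECTED_LABELS = ("myspace", "google", "trendmicro")


def damerau_distance_le1(a: str, b: str) -> bool:
    """True if a and b differ by at most one insertion, deletion, substitution
    or adjacent transposition (optimal string alignment distance <= 1)."""
    if a == b:
        return True
    la, lb = len(a), len(b)
    if abs(la - lb) > 1:
        return False
    if la == lb:
        diffs = [i for i in range(la) if a[i] != b[i]]
        if len(diffs) == 1:                      # one substitution
            return True
        if len(diffs) == 2 and diffs[1] == diffs[0] + 1:   # adjacent swap
            i = diffs[0]
            return a[i] == b[i + 1] and a[i + 1] == b[i]
        return False
    if la > lb:                                  # make a the shorter string
        a, b = b, a
    i = 0
    while i < len(a) and a[i] == b[i]:
        i += 1
    return a[i:] == b[i + 1:]                    # b with one char removed == a


def registrable_label(hostname: str) -> str:
    """Return the label directly under the public suffix.
    Assumption: a tiny hard-coded suffix list stands in for the Public Suffix List."""
    parts = hostname.lower().rstrip(".").split(".")
    two_level = {"co.uk", "org.uk", "com.au"}
    if len(parts) >= 3 and ".".join(parts[-2:]) in two_level:
        return parts[-3]
    if len(parts) >= 2:
        return parts[-2]
    return parts[0]


def classify_host(hostname: str):
    """Return the protected label this hostname resembles, or None."""
    label = registrable_label(hostname)
    if label in PROTECTED_LABELS:
        return None                              # the genuine site
    for brand in PROTECTED_LABELS:
        if damerau_distance_le1(label, brand):
            return brand
    return None


# Constructed log format: "<timestamp> <client-ip> GET <url> <status>".
LOG_LINE = re.compile(r"^\S+ \S+ GET https?://([^/\s:]+)")


def scan_proxy_log(lines):
    """Return [(hostname, impersonated_brand)] for suspicious log entries."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        brand = classify_host(m.group(1))
        if brand:
            hits.append((m.group(1), brand))
    return hits


# Constructed sample proxy log lines (not real traffic).
SAMPLE_LOG = [
    "2006-11-10T10:01:02 10.0.0.5 GET http://www.myspace.com/ 200",
    "2006-11-10T10:01:09 10.0.0.7 GET http://www.myspaace.co.uk/login 200",
    "2006-11-10T10:02:11 10.0.0.9 GET http://gogle.com/ 302",
    "2006-11-10T10:03:40 10.0.0.5 GET http://mail.example.org/ 200",
]

if __name__ == "__main__":
    for host, brand in scan_proxy_log(SAMPLE_LOG):
        print(f"{host} looks like a typo of {brand}")
```

The edit-distance check is deliberately capped at one so that the scanner stays cheap enough to run over every log line; widening it to two edits catches more variants but also far more unrelated domains, so it is better reserved for a registration feed than for live traffic.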


Nov10
by Jhoevine Capicio (Advanced Threats Researcher)

Just an FYI, we are currently being spammed with emails containing a trojan as an attachment.


The attachment name is New_Folder_01NOV2006.rar; you can begin filtering it out on your systems for proactive protection.


I have to say, the social engineering tactics used by the malware author to fool users into executing the attachment are above standard, so customers will have to be extra careful not to be fooled.


The contents of New_Folder_01NOV2006.rar are shown below.


As you can see, there are two objects:

  • New Folder – an actual folder (nothing to it)
  • New Folder_01NOV2006(215 SPACES).exe – an exe file with a folder icon; the 215 spaces are there to fool users into thinking that it is not an exe file. This is the same logic used by worms like WORM_MYTOB.

I can only guess that the folder “New Folder” is inside the archive for more social engineering. As the user extracts the files from the archive, he clicks on “New Folder”, which opens as a folder because it really is one, raising the chances of the user clicking New Folder_01NOV2006(215 SPACES).exe under the assumption that it is a folder too.
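The padding trick above (a real executable extension pushed out of view by hundreds of spaces) is easy to catch at the mail gateway if archive member names are inspected before the user ever sees them. The following is an added example, not code from the original post or from Trend Micro. Because Python's standard library cannot read RAR, it builds a constructed in-memory ZIP whose member names mirror the ones in the post and scans that; the padding threshold and the extension lists are assumptions for the example.

```python
"""Flag archive members whose names disguise an executable.

Added example, not from the original post. Two name-level checks:
  1. a long run of whitespace between the visible name and a real
     executable extension (the 215-space trick above);
  2. a document extension immediately before an executable extension
     (report.pdf.exe style).
The archive is a constructed ZIP standing in for the RAR in the post.
"""
import io
import re
import zipfile

EXEC_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}
# Assumption for this example: legitimate names rarely carry more than a few
# trailing spaces before their extension.
PAD_THRESHOLD = 5


def deception_reasons(member_name: str):
    """Return a list of reasons a member name looks deceptive (empty if clean)."""
    reasons = []
    base = member_name.rsplit("/", 1)[-1]        # drop any directory prefix
    if not base:                                 # directory entry, nothing to check
        return reasons
    stem, dot, ext = base.rpartition(".")
    ext = ("." + ext).lower() if dot else ""
    if ext in EXEC_EXTENSIONS:
        # count whitespace (incl. ideographic space) padding before the extension
        padding = len(stem) - len(stem.rstrip(" \t\u3000"))
        if padding >= PAD_THRESHOLD:
            reasons.append(f"executable extension hidden behind {padding} whitespace characters")
        inner = stem.rstrip()
        if re.search(r"\.(pdf|doc|txt|jpg|html?|zip|rar)$", inner, re.IGNORECASE):
            reasons.append("double extension disguises executable as a document")
    return reasons


def scan_archive(data: bytes):
    """Return {member_name: reasons} for every suspicious member of a ZIP."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            reasons = deception_reasons(info.filename)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_archive() -> bytes:
    """Constructed stand-in for New_Folder_01NOV2006.rar: a real folder plus an
    'exe' whose name carries 215 spaces before the extension (the payload bytes
    are a placeholder string, not a program)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("New Folder/", "")
        zf.writestr("New Folder_01NOV2006" + " " * 215 + ".exe", b"placeholder")
        zf.writestr("readme.txt", "harmless text")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reasons in scan_archive(build_sample_archive()).items():
        print(repr(name.strip()), "->", "; ".join(reasons))
```

The same `deception_reasons` function can be applied to names from any listing source (a RAR tool's output, a mail scanner's attachment manifest), since it never touches the member content; content-based checks belong in a separate step.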


The exe file has already been submitted to the service team for detection and has been given the name TROJ_DLOADER.HAP.


Again with good social engineering, TROJ_DLOADER.HAP downloads http://www.[blocked]nrg.org/tmp/about.html, making anyone watching the network think that the downloaded file is just an HTML file, when it is actually an exe file that is saved as iexplore.exe in the C: directory.
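A monitor that trusts only the URL extension or the HTTP Content-Type records the about.html download above as a web page; the bytes tell a different story. The following is an added example, not code from the original post or from Trend Micro: it sniffs each download body for a PE image (DOS "MZ" stub whose e_lfanew points at a "PE\0\0" signature) and flags it when the URL or header claims a document, and separately flags downloads saved under the names of Windows system binaries that the post shows being reused (iexplore.exe, smss.exe). The download records, the placeholder domain and the minimal PE bytes are constructed for the example.

```python
"""Detect downloads whose bytes say 'Windows executable' while the URL or
Content-Type says 'document'.

Added example, not from the original post. The PE bytes below are a
hand-built minimal header, not a real program, and the records are
constructed samples rather than captured traffic.
"""
import struct

DOCUMENT_EXTENSIONS = {".html", ".htm", ".txt", ".jpg", ".gif", ".pdf"}
# Windows binary names the post shows being reused for dropped files.
SYSTEM_BINARY_NAMES = {"iexplore.exe", "smss.exe"}


def is_pe_image(data: bytes) -> bool:
    """True if data has a DOS 'MZ' stub whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def declared_kind(url: str, content_type: str) -> str:
    """What the URL extension and Content-Type claim the payload to be."""
    path = url.split("?", 1)[0].rstrip("/")
    name = path.rsplit("/", 1)[-1].lower()
    ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
    media_type = content_type.split(";")[0].strip().lower()
    if ext in DOCUMENT_EXTENSIONS or media_type.startswith("text/"):
        return "document"
    return "other"


def inspect_download(url: str, content_type: str, body: bytes, saved_as: str = ""):
    """Return a list of findings for one download record (empty if nothing odd)."""
    findings = []
    if is_pe_image(body) and declared_kind(url, content_type) == "document":
        findings.append(f"PE executable delivered as a document: {url}")
    if saved_as.lower().rsplit("\\", 1)[-1] in SYSTEM_BINARY_NAMES:
        findings.append(f"downloaded file saved under a system binary name: {saved_as}")
    return findings


def fake_pe() -> bytes:
    """Constructed minimal bytes that satisfy is_pe_image (not a runnable program)."""
    header = bytearray(0x40)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)   # e_lfanew -> offset 0x40
    return bytes(header) + b"PE\x00\x00" + b"\x00" * 20


# Constructed download records: (url, content_type, body, saved_as).
# The domain is a placeholder standing in for the [blocked] host in the post.
SAMPLE_DOWNLOADS = [
    ("http://www.blocked-host.invalid/tmp/about.html", "text/html", fake_pe(), "C:\\iexplore.exe"),
    ("http://www.blocked-host.invalid/index.html", "text/html", b"<html><body>hi</body></html>", ""),
    ("http://www.blocked-host.invalid/update.exe", "application/octet-stream", fake_pe(), "C:\\Temp\\update.exe"),
]


def scan_downloads(records):
    """Return {url: findings} for records that raise at least one finding."""
    report = {}
    for url, ctype, body, saved_as in records:
        findings = inspect_download(url, ctype, body, saved_as)
        if findings:
            report[url] = findings
    return report


if __name__ == "__main__":
    for url, findings in scan_downloads(SAMPLE_DOWNLOADS).items():
        for finding in findings:
            print(finding)
```

Only the first few hundred bytes of a body are needed for the PE check, so it can run inline on a proxy without buffering whole downloads; the system-binary-name check is a cheap tripwire on the endpoint side, since legitimate software rarely writes a fresh iexplore.exe into the root of C:.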


The great thing is that this is already detected by Trend as TROJ_DLOADER.FUO.


From TROJ_DLOADER.FUO begins a stream of downloads ultimately ending in phishing attempts on several banks.


Here is a list of the files that were downloaded, beginning with TROJ_DLOADER.FUO; all files come from a single IP address.



  • http://[blocked]/ieschedule.exe (TROJ_DLOADER.FUX)
  • http://[blocked]/ib14.dll (TSPY_VB.BRF)
  • http://[blocked]/smss.exe (TROJ_DELF.DSJ)
  • http://[blocked]/iexplore.exe (TROJ_DLOADER.FUO)
  • http://[blocked]/ieserver.exe (TROJ_DELF.DSH)
  • http://[blocked]/dsrss.exe (TROJ_DELF.DSF)
  • http://[blocked]/preredir.exe (TROJ_DELF.DSI)
  • http://[blocked]/ieredir.exe (TROJ_DELF.DSG)

All files except for ib14.dll (TSPY_VB.BRF) have an Internet Explorer icon, another social engineering tactic that elevates the chances of a user executing the file.


It is great to note, though, that all the malware used by TROJ_DLOADER.HAP had already been detected by Trend Micro. The URLs of the files have also been given to the URL blocking team.


With all the social engineering tactics that have been used by this malware, it is important for users to be more vigilant and make sure to only execute files that are known to be good.


More and more of these cases are showing up: different malware working together for profit, just like the case with TROJ_LINKOPTIM. We are continually seeing this trend in malware. No more fast-spreading worms, but trojans downloading trojans, ultimately leading to profit for the malware author.


Nov10
by Dianne Lagrimas (Technical Communications)

As security and AV companies scramble to put out protection against Internet fraud and spam, phishers take attacks deeper: targeting high-income Internet consumers.


Gartner Research, in its recent study on phishing attacks, found in a survey of 5000 adults residing in the US that high-income (earning over $100k/year) adults are targeted by phishing attacks.


Public service announcements (PSAs) online and through other media, as well as consumer education campaigns launched by government agencies, did not help curb consumers’ lack of awareness. Although high-income respondents tend to successfully avoid phishing attacks, once they are hit, their losses skyrocket.


Also featured in this research is the not-so-new survival tactic of phishers: constantly changing URLs. Phishers host malicious URLs for a limited time only, and by the time cyber law enforcers get a lead on the URLs, the phishers have already dumped them and moved on.


Read more here: http://asia.internet.com/news/article.php/3642971


Additionally, phishing is also a booming problem in the UK. Losses to online fraud not only tripled but grew “16-fold”, as measured by the UK’s Association of Payment Clearing Services based on losses recorded by banks with online facilities.


Read more here: http://news.bbc.co.uk/1/hi/business/6122116.stm



© Copyright 2009 Trend Micro Inc. All rights reserved. Legal Notice