Archive for October 11th, 2007


Oct11
by Justine Paredes (Technical Communications)

Here’s another proof that sex really sells: A new Trojan, which Trend Micro detects as TROJ_PUSHDO.AD, was found to be spammed via email messages bearing a Hentai image. A sample of the email is shown below:

{Sample of the spammed email bearing the Hentai image}

When executed, this Trojan creates a registry entry to enable the automatic execution of a possibly malicious file. This indicates that samples of this Trojan may also arrive bundled with other files (read: malware), thus opening an affected system to more threats.

This serves as a warning to users–especially the Hentai enthusiasts–out there: Be cautious of the email messages that you open. Don’t let the enticing images fool you. They just might be tickets to the latest malware show.

Posted in Malware, Spam

Oct11
by Dianne Lagrimas (Technical Communications)

Phishers celebrate Eid ul-Fitr (Feast of Breaking the Fast, a.k.a. End of Ramadan) with much activity, casting their nets on Internal Revenue Service (IRS) and PayPal users using a Philippine-based Web site. What fits the Eid even more is that the Web site used belongs to a university in the Mindanao region, where the largest Muslim population in the Philippines is found.

The phishers created folders that were appended to the Western Mindanao State University URL (wmsu.edu.ph). The exact URLs appeared to be the following:

  • wmsu.edu.ph/{BLOCKED}s/*
  • wmsu.edu.ph/www.{BLOCKED}l.com/*
  • wmsu.edu.ph/{BLOCKED}s/*
  • wmsu.edu.ph/.us/{BLOCKED}r.php%3f*

When users access the said URLs, spoofed login pages to the IRS and PayPal are displayed:

{IRS spoofed login page}

{PayPal spoofed login page}

{PayPal spoofed login page}

TrendLabs Manila has contacted WMSU regarding this matter. WMSU, in turn, has already taken steps to clean their site and investigate the root cause of this incident. Meanwhile, Trend Micro users are assured that the abovementioned URLs are now blocked by Trend Micro products.
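The folder shapes listed above (a spoofed brand hostname used as a directory name, a hidden dot-directory, and a percent-encoded "?" in the path) are the kind of thing a URL filter can flag before a block list catches up. The following is an added example written for this page, not code from Trend Micro or from the post; the sample URLs, the placeholder brand names and the keyword list are constructed for illustration.

```python
"""Path-shape heuristics for phishing pages planted under a legitimate host.

Added example (not from the TrendLabs post). Flags three tell-tale shapes
seen in the hijacked-university case: a folder named like another site's
hostname (www.<brand>.com/), a hidden dot-directory (/.us/), and a
percent-encoded "?" (%3f) that smuggles a query string past naive filters.
"""
import re
from urllib.parse import unquote, urlsplit

# A path segment that looks like a hostname of some other site, e.g. "www.example.com"
HOSTLIKE_SEGMENT = re.compile(
    r"^(www\.)?[a-z0-9-]+(\.[a-z0-9-]+)*\.(com|net|org|biz|info)$", re.I
)

# Brand words phishers reuse in folder/file names (constructed, illustrative list)
BRAND_WORDS = ("paypal", "irs", "webscr", "ucpb")


def assess_url(url: str) -> list[str]:
    """Return heuristic findings for one URL; an empty list means nothing odd."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    raw_path = parts.path
    findings: list[str] = []

    # 1. Percent-encoded "?" in the path hides the query from simple matchers
    if "%3f" in raw_path.lower():
        findings.append("encoded-query-separator")

    segments = [s for s in unquote(raw_path).split("/") if s]
    for seg in segments:
        low = seg.lower()
        # 2. Hidden directory such as "/.us/"
        if seg.startswith("."):
            findings.append(f"hidden-directory:{seg}")
        # 3. A folder named like someone else's hostname
        if HOSTLIKE_SEGMENT.match(seg) and low != host:
            findings.append(f"hostlike-folder:{seg}")
        # 4. A brand name in the path that does not appear in the host itself
        for word in BRAND_WORDS:
            if word in host:
                continue
            if re.search(rf"(?<![a-z0-9]){word}(?![a-z0-9])", low):
                findings.append(f"brand-keyword:{word}")
    return findings


# Constructed sample URLs modelled on the shapes in the post (not the real ones)
SAMPLE_URLS = [
    "wmsu.edu.ph/www.paypal-verify.com/cgi-bin/webscr",
    "wmsu.edu.ph/.us/irs-refund.php%3fid=1234",
    "wmsu.edu.ph/academics/index.html",
    "http://www.example-bank1.biz/login",
]


def triage(urls: list[str]) -> dict[str, list[str]]:
    """Map each URL to its findings; URLs with none pass these rules."""
    return {u: assess_url(u) for u in urls}


if __name__ == "__main__":
    for u, f in triage(SAMPLE_URLS).items():
        print("SUSPICIOUS" if f else "ok        ", u, f)
```

The fourth sample shows the limit of path heuristics: a look-alike domain with a plain `/login` path raises nothing, which is why the post's remedy for that case is blocking the domain itself rather than inspecting its paths.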

Posted in Phishing

Oct11
by Mayee Corpin (Technical Communications)

At least a couple of security experts from TrendLabs Manila have received emails supposedly coming from a local bank, the United Coconut Planters Bank (UCPB). The email messages were immediately considered suspicious as the recipients were not customers of the said bank. These messages also employed the usual tactic of warning recipients that unauthorized attempts had been made to log in to their online accounts (which in reality do not exist), possibly by third parties with malicious intent.

Clicking on the link within the email leads users to either of the following sites:

  • http://www.{BLOCKED}1.org
  • http://www.{BLOCKED}1.biz

Both look pretty much the same, with a news feature about a recent partnership with an Indian BPO (Business Process Outsourcing/Outsourcer) and even an advisory that warns against a certain company using the bank’s name in other doubtful dealings. Needless to say, these are phishing sites that aim to collect banking credentials from unwitting users.

The Login button on the left column of the sites directs users to this spoofed login page:

{UCPB spoofed login page}

This is not the first time that Philippine banks have been targeted by phishers. Early this year, two major Philippine banks also fell victim to phishing scams: the Bank of the Philippine Islands (BPI) on February 2 and Equitable PCI Bank on February 7.

Trend Micro customers, especially in the Philippines, have no reason to worry as these domains are now blocked by the Content Security (CS) Web Blocking Team. The CS Team is also on the lookout for more of the same domains that target UCPB users and non-users alike.

Thank you to Project Manager Menard Osena for the heads-up.

Additional information provided by CS Team Leader Jenifer Olaco and CS Web Blocking Engineer Aivee Cortez.

Posted in Phishing


© Copyright 2008 Trend Micro Inc. All rights reserved.