
Archive for October 23rd, 2007


Oct23
by Paul Oliveria (Technical Communications)

How do you know if the Web site you’re visiting is legitimate or not?

Given the rise of Web-based (and money-driven) attacks, an average Internet user would probably have a hard time telling. After all, hackers have gone to lengths making sure they trick as many users as possible: URL redirection, IFRAME injection, phishing…and all that jazz.

Of course, the more cautious Web surfers have also noticed these malicious tactics and have since found means to make sure that they are protected from such scams/attacks. Perhaps one of the most popular techniques is the use of third-party “validation” sites, which help ensure that online transactions–e.g., products and sellers–are legit, and that customer data (and money) do not fall into the wrong hands. But what happens when these security measures are also spoofed?

The Register reports on an info-stealing Trojan spyware that steals eBay account information by masquerading, in a sense, as eBay itself. No wonder it has already robbed one eBay user of $8,600.

Indeed, according to the said report, the spyware installs a “scaled down” Web server that hosts several spoofed eBay pages, as well as pages imitating “motors” validation sites like Carfax.com, Autocheck.com, and Escrow.com. Simply put, this spyware (detected by Trend Micro as TSPY_BAYROB.B) does not merely monitor specific pages; it goes a step further and spoofs an entire transaction, validation sites included.

Engineers at TrendLabs have analyzed the sample we received, and it seems that the spyware doesn’t really “install” the Web server (or, from the looks of it, servers) but instead reaches them by connecting to the following sites:

  • {BLOCKED}dealsusa.com
  • {BLOCKED}on.com
  • {BLOCKED}s.com
  • {BLOCKED}c.com

As of this writing, though, these sites are already inaccessible.

What is also notable about this spyware is that it appears to be an updated version of TROJ_BAYROB.A, which first made the rounds last March. Symantec has posted a blog entry regarding the said Trojan…and it seems the authors behind these threats are really into vehicle scams. Indeed, it connects to the Web site https://signin.ebay.com/ebaymotors/ws/ebayISAPI.dll and attempts to place a bid.

Below is a diagram depicting how TSPY_BAYROB.B infects:

{BAYROB.B Infection Diagram}

Notice that it even attempts (albeit unsuccessfully) to launch Kodak Viewer Express in order to hide its malicious routines, so users may get an error message instead:

{BAYROB.B. error message}

Nevertheless, Trend Micro continues to provide solutions to protect users from such scary doppelgängers. Of course, safe computing practices are still the key, so users are still advised to be wary when performing online transactions. Otherwise, calling a victim of these online doppelgängers roadkill would be an understatement.

 
Posted in Malware

Oct23
by Paul Oliveria (Technical Communications)

A couple of days after PoC exploit code for a critical flaw in Adobe Reader and Acrobat was discovered (which Trend Micro detects as EXPL_PIDIEF.A), TrendLabs has received reports of Trojan-downloading PDF files making the rounds in email inboxes. And yes, the said malicious PDFs use the exploit code. Incidentally, Adobe released a patch for this flaw only about a day ago, so it seems that the malware authors are banking on the idea that most Reader and Acrobat users haven’t downloaded and installed the critical update yet.

Based on the initial analysis of Senior Threat Researcher Ivan Macalintal, the PDF files bear “business-sounding” file names such as YOUR_BILL.PDF or INVOICE.PDF. Once a file successfully exploits the Adobe vulnerability, it disables the Windows firewall, downloads an .EXE file, and steals information from the affected system.

Ivan further notes that the servers and file names used by this malware are the same as those used by the VML exploit attacks of September last year, and are related to the CWS, Snifula, and UrSnif attacks in the past. In addition, it seems that the spammed messages carrying the malicious PDFs come from the Russian Business Network (see the related blog entry and an interesting article from The Washington Post). Again.

Trend Micro detects the PDF file as EXPL_PIDIEF.B, and the downloaded .EXE file as TSPY_PAPRAS.CF.

 
Posted in Malware, Vulnerabilities


© Copyright 2008 Trend Micro Inc. All rights reserved.