Archive for January, 2008
January 31st, 2008 by Jake Soriano (Technical Communications)
What is Storm up to these days, you ask?
This time it seems to be sending out the following spammed email message:

Curious victims who click on the link are redirected to fraudulent pharmaceutical sites hosted on nodes in the fast-flux Storm botnet.

Trend Micro researcher David Sancho believes that the fake online pharmacy, which purports to be Canadian, has been a “customer” of Storm for many months now.
The domains involved in this spamming operation seem to point to the same IP, so at first glance a fast-flux network does not appear to be involved. However, the links in the spammed messages do keep changing, which makes detection harder.
Sancho adds that the fraudulent pharma “company” might only be a customer of Storm’s spamming operation, but this is only speculation at this point.
The suspected intention appears to be promotion of the pharma company through the spammed email campaign.
Sancho further warns that Storm is now sending Valentine’s Day-themed messages, too, so it continues to morph.
As of this writing, the links are down and cannot be accessed (well, maybe not all of them).
As always: Users are advised to be ever cautious in clicking links in email messages.
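The check Sancho describes, whether the spammed domains all sit on one stable IP or cycle through the many short-lived addresses of a fast-flux network, can be scripted from repeated resolutions. The following is an added example, not code from TrendLabs or the original post: it runs a fast-flux heuristic over a constructed log of (domain, IP, TTL) observations. The domain names, addresses, TTLs and the thresholds (at least 5 distinct IPs in at least 2 networks, all with TTL of 300 s or less) are assumptions chosen for illustration.

```python
"""Fast-flux heuristic over repeated DNS resolutions of spammed links.

Added example, not part of the original post. Each observation is
(domain, resolved_ip, ttl_seconds), as one would log by resolving the same
spammed URLs every few minutes. The data below is constructed: the two
"pharma" names mimic the post's finding (every name -> one stable IP),
the third mimics a fast-flux node cycling through many short-lived addresses.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

OBSERVATIONS = [
    ("pharma-one.example", "203.0.113.10", 3600),
    ("pharma-one.example", "203.0.113.10", 3600),
    ("pharma-two.example", "203.0.113.10", 3600),
    ("pharma-two.example", "203.0.113.10", 3600),
    ("flux-node.example", "198.51.100.5", 180),
    ("flux-node.example", "192.0.2.77", 180),
    ("flux-node.example", "198.51.100.200", 120),
    ("flux-node.example", "192.0.2.9", 180),
    ("flux-node.example", "203.0.113.254", 60),
    ("flux-node.example", "198.51.100.33", 180),
]


def summarize(observations):
    """Per-domain counts of distinct IPs, distinct /16 networks and the lowest TTL seen."""
    ips = defaultdict(set)
    nets = defaultdict(set)
    min_ttl = {}
    for domain, ip, ttl in observations:
        ips[domain].add(ip_address(ip))
        # /16 is a crude stand-in for "different hosting networks" without ASN data
        nets[domain].add(ip_network("%s/16" % ip, strict=False))
        min_ttl[domain] = min(ttl, min_ttl.get(domain, ttl))
    return {d: {"ips": len(ips[d]), "nets": len(nets[d]), "min_ttl": min_ttl[d]}
            for d in ips}


def is_fast_flux(stats, min_ips=5, min_nets=2, max_ttl=300):
    """Fast-flux signature: many addresses across several networks, all short-lived."""
    return (stats["ips"] >= min_ips and stats["nets"] >= min_nets
            and stats["min_ttl"] <= max_ttl)


def classify(observations):
    """Map each domain to a fast-flux verdict."""
    return {d: is_fast_flux(s) for d, s in summarize(observations).items()}


def shared_single_ip(observations):
    """Group domains that resolve to exactly one, common IP: the pattern seen in the post."""
    addrs = defaultdict(set)
    for domain, ip, _ in observations:
        addrs[domain].add(ip)
    by_ip = defaultdict(list)
    for domain, ips in addrs.items():
        if len(ips) == 1:
            by_ip[next(iter(ips))].append(domain)
    return {ip: sorted(domains) for ip, domains in by_ip.items() if len(domains) > 1}


if __name__ == "__main__":
    for domain, verdict in classify(OBSERVATIONS).items():
        print("%-20s fast-flux=%s" % (domain, verdict))
    print("same-IP groups:", shared_single_ip(OBSERVATIONS))
```

The `shared_single_ip` grouping reproduces the observation in the post (several domains, one IP), while `classify` flags only names that churn through addresses in more than one network with short TTLs. A stable front IP does not rule out flux further along the chain, which is why the changing links in the messages still matter: the heuristic should be run against every hop of the redirection, not just the landing domain.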
January 31st, 2008 by Carolyn Guevarra (Technical Communications)


Earlier today, Trend Micro Advanced Threats Researcher Paul Ferguson discovered these fake “sponsored” banner ads that were showing up in certain Google searches:


Apparently, these ads point to the domain name TRENDMICRO2008.COM, a fraudulent Web site that is posing as a legitimate Trend Micro Web site (note that the legitimate domain name of Trend Micro is TRENDMICRO.COM).
According to a Google representative, the fraudulent ad was removed last night. “Luckily, Google Checkout halts any transactions for these fraudulent purchases,” noted Ferguson while analyzing the fake ad.
Since early last year, cyber criminals have been investing in pay-per-click ads on Google to spread their malicious code on the Web. They take advantage of the fact that users treat sponsored results as safe, assuming that a legitimate business has paid to advertise to them. They also realize that paying to advertise their malicious or fraudulent Web sites in trusted search engines, as in this particular case, is quite an effective way to trick users into clicking the malicious links. Adding Trend Micro to the equation just makes their social engineering ploy even more convincing.
Users seeking to purchase Trend Micro Internet Security 2008, or any other Trend Micro products, are advised to visit the one and only official Web site of Trend Micro, i.e. http://www.trendmicro.com.
January 30th, 2008 by Jovi Umawing (Technical Communications)
The ease of use and availability of tools used for malicious schemes have always been a problem for security companies, since they greatly contribute to the quick proliferation of malicious code and files that can affect Internet users. Web sites where an individual or group gives away free code and software for the whole community to use as they please can be found almost anywhere.
Netcraft recently reported on a certain “Mr. Brain”, actually a group of Moroccan fraudsters who recently launched a dedicated Web site offering free phishing kits that anyone can use for their phishing activities. They lure interested parties by packaging the code as “easy-to-use” and “programmer-friendly,” since only basic programming knowledge is needed to deploy the kit. Visitors to this site would hardly think twice before going for the bait, but on closer inspection it turns out that, however alluring, most good things are just too good to be true.

Certain lines of code reveal the true destination of the phished information once it is retrieved from the phishers’ victims: although the phished information is sent to the phishers, a copy is also covertly sent back to Mr. Brain. Further analysis reveals what look like Mr. Brain’s email addresses in these code snippets:
<input type="hidden" name="niarB" value="32970696f6e6565722e627261696e40676d61696c2e636f6d" />
and
<input TXItQnJhaW5ARXZpbC1CcmFpbi5OZXQ=");?>" name="Send" type="hidden" />
These code segments decode to the email addresses where the stolen information is sent: the first value is hex-encoded (and the field name “niarB” is simply “Brain” reversed), the second is base64-encoded, so neither address is visible to someone skimming the kit.
Suffice it to say that the phishers who thought they had their victims did not know they had been had by Mr. Brain. The con saves Mr. Brain the more arduous work of hacking and compromising Web sites and deploying the phishing pages himself: a classic case of one-upmanship in online theft.
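Finding such a covert copy is a matter of decoding every long hex or base64 run in the kit and looking for an email address inside. The following is an added example, not code from the original post or from the researchers credited in it: a small scanner run over a constructed kit fragment that contains the two hidden inputs quoted above (with straight quotes) plus a placeholder `mail()` line; the visible recipient `fraudster@example.org` and the PHP line are assumptions, while the two encoded addresses are those in the snippets.

```python
"""Find hidden drop addresses in phishing-kit source.

Added example, not part of the original post. The kit fragment is constructed:
the two hidden <input> tags are the ones quoted in the post (straight quotes),
and the mail() line stands in for the visible recipient a kit "user" configures
(fraudster@example.org is a placeholder).
"""
import base64
import binascii
import re

KIT_SOURCE = r'''
<?php $to = "fraudster@example.org"; mail($to, "Login", $msg); ?>
<input type="hidden" name="niarB" value="32970696f6e6565722e627261696e40676d61696c2e636f6d" />
<input TXItQnJhaW5ARXZpbC1CcmFpbi5OZXQ=");?>" name="Send" type="hidden" />
'''

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
HEX_RE = re.compile(r"\b[0-9a-fA-F]{16,}\b")       # long hex runs (>= 8 bytes)
B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")     # long base64-looking runs


def hex_decodings(token):
    """Decode a hex run at both byte alignments: kits pad with junk digits, which shifts it."""
    for start in (0, 1):
        body = token[start:]
        if len(body) % 2:
            body = body[:-1]
        try:
            yield bytes.fromhex(body).decode("ascii", errors="ignore")
        except ValueError:
            continue


def b64_decoding(token):
    """Strict base64 decode, or None when the run is not really base64."""
    try:
        return base64.b64decode(token, validate=True).decode("ascii", errors="ignore")
    except (binascii.Error, ValueError):
        return None


def find_addresses(source):
    """Map every e-mail address in the kit to how it was stored: plain, hex or base64."""
    found = {}
    for addr in EMAIL_RE.findall(source):
        found.setdefault(addr, "plain")
    for token in HEX_RE.findall(source):
        for text in hex_decodings(token):
            for addr in EMAIL_RE.findall(text):
                found.setdefault(addr, "hex")
    for token in B64_RE.findall(source):
        text = b64_decoding(token)
        if text:
            for addr in EMAIL_RE.findall(text):
                found.setdefault(addr, "base64")
    return found


def hidden_recipients(source):
    """Addresses present only in encoded form: the kit author's covert copy."""
    return sorted(a for a, how in find_addresses(source).items() if how != "plain")


if __name__ == "__main__":
    for addr, how in find_addresses(KIT_SOURCE).items():
        print("%-8s %s" % (how, addr))
    print("hidden:", hidden_recipients(KIT_SOURCE))
```

The odd-length hex value is the interesting case: the kit prepends a junk digit so that a naive decode at offset 0 yields garbage, which is why `hex_decodings` tries both alignments. Anything the scanner reports as `hex` or `base64` that the kit's own configuration never mentions is a recipient the kit's user did not choose.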
Research Project Manager Ivan Macalintal itemized the following banking and other establishments that can be affected by the Mr. Brain phishing scheme:
- Abbey.Co.Uk
- BankofAmerica.Com
- Chase.Com
- E-Gold.Com
- eBay.Com
- HSBC.Co.Uk
- LloydsTSB.Com
- MoneyBookers.Com
- Nationwide.Co.Uk
- NBK.Com.Kw
- PayPal.Com
- Regions.Com
- Stgeorge.Com.Au
- Wachovia.Com
- Westernunion.Com
Further investigation reveals that these phishing kits are now being actively used. More information regarding this will be provided, so stay tuned to this post. Investigation of this operation is currently underway, and the authorities have been contacted for the appropriate action.
Thanks to Ivan Macalintal and Senior Threat Analyst Robert McArdle for providing information.
January 29th, 2008 by Bernadette Irinco (Technical Communications)
For some time, online advertisements have been a constant source not only of nuisance but of malware as well. Earlier this month, we saw malicious banner ads being served on popular Web sites such as MySpace, Excite, and Blick. This time, TrendLabs was alerted to malicious banner ads infiltrating legitimate special-interest Web sites such as Expedia.com and Rhapsody.com.
According to Trend Micro security experts, certain malicious .SWF banners made their way onto Expedia.com, a popular site for travel enthusiasts worldwide. Trend Micro detects the malicious Flash banner as SWF_ADHIJACK.A. Based on initial analysis, clicking on this ad leads through several redirections that eventually result in the installation of a rogue antispyware application detected as TROJ_GIDA.A.
Music lovers are also targeted by mal-banners, as Rhapsody.com, a music site owned by RealNetworks, was found to be carrying malicious Flash banners as well. The malicious .SWF URL found on Rhapsody.com is said to be similar to the notorious Skyauction advertisements that also infiltrated the Blick Web site mentioned earlier.
In any industry, advertising has proven to be an effective way to sell products. Apparently, this holds true in the malware industry as well: it gives malware authors another means to spread their malicious code and earn profits at the same time. With this knowledge, there is no doubt that malware authors will do more malvertising, targeting more and more popular Web sites to “advertise” their malware.
Be a smart buyer and don’t fall for false advertising. Not only might you not get your money’s worth, you might also end up spending more without you knowing it.
January 29th, 2008 by JM Hipolito (Technical Communications)
Better keep an eye on your brand new microwave. It seems that no electronic device is spared from off-the-shelf malware infection.
Three digital photo frames, small flat-panel displays for digital images, were each found to contain malware, SecurityFocus reports.
The photo frames were apparently received as presents during the past holidays and installed malicious code on the recipients’ systems. All three cases involved the same product and chain of stores, suggesting that the infection occurred either during shipping or at the factory.
This hitchhiking malware, detected by Trend Micro as WORM_AGENT.TBH, is reported to drop malicious files on the affected system as well as an AUTORUN.INF file so that Windows executes the dropped files automatically when the device is plugged in.
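The AUTORUN.INF trick relies on a handful of directives that Windows honours when removable media is inserted or opened. The following is an added example, not Trend Micro's detection logic and not the file dropped by WORM_AGENT.TBH: it parses a constructed AUTORUN.INF, lists the directives that cause code execution, and checks which referenced programs actually exist on a (constructed) listing of the device. The file names, the `[AutoRun]` contents and the volume listing are assumptions.

```python
"""Inspect an AUTORUN.INF from removable media for auto-execute directives.

Added example, not part of the original post and not Trend Micro's detection
logic. Both .inf texts and the volume listing below are constructed; the
file names are placeholders, not those dropped by WORM_AGENT.TBH.
"""
import configparser

# The directives that make Windows launch a program on insertion / double-click.
AUTO_EXEC_KEYS = ("open", "shellexecute")

SUSPICIOUS_INF = """[AutoRun]
open=frame\\setup.exe
shellexecute=frame\\setup.exe
shell\\open\\Command=frame\\setup.exe /q
icon=frame\\setup.exe,0
label=Digital Photo Frame
"""

BENIGN_INF = """[autorun]
icon=frame.ico
label=Digital Photo Frame
"""

# Constructed directory listing of the device (lower-case, forward slashes).
VOLUME_FILES = {"autorun.inf", "dcim/img_0001.jpg", "frame/setup.exe"}


def parse_autorun(text):
    """Return the [autorun] section as a dict; keys are lower-cased by configparser."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    for section in cp.sections():
        if section.lower() == "autorun":
            return dict(cp.items(section))
    return {}


def suspicious_directives(text):
    """(key, value) pairs that cause code execution: open=, shellexecute= and shell\\*\\command=."""
    hits = []
    for key, value in parse_autorun(text).items():
        if key in AUTO_EXEC_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            hits.append((key, value))
    return hits


def referenced_payloads(text, volume_files):
    """Executables named by the auto-exec directives that really exist on the volume."""
    present = set()
    for _, value in suspicious_directives(text):
        # first token is the program; anything after a space is its arguments
        path = value.split()[0].replace("\\", "/").lower()
        if path in volume_files:
            present.add(path)
    return sorted(present)


if __name__ == "__main__":
    for name, inf in (("suspicious", SUSPICIOUS_INF), ("benign", BENIGN_INF)):
        print(name, suspicious_directives(inf), referenced_payloads(inf, VOLUME_FILES))
```

A legitimate photo frame needs at most `icon=` and `label=`; any `open=`, `shellexecute=` or `shell\...\command=` line pointing at an executable on the device is reason to image the drive rather than browse it. On the host side, setting the `NoDriveTypeAutoRun` policy value (under `HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer`) to `0xFF` disables AutoRun for every drive type, which removes the automatic launch that this kind of hitchhiker depends on.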
Earlier this month, China-made media players were discovered carrying a file infector detected as PE_FUJACKS.FL-O. Such incidents are only the most recent in a string of cases of electronic devices shipped with malware. Other USB media, such as iPod videos and McDonald’s Japan MP3 player freebies shipped in 2006, were found to be infected with malware (more details here and here).
Once again it is clear that new devices aren’t always malware-free.