January 31st, 2008 by Jake Soriano (Technical Communications)
What is Storm up to these days, you ask?
This time it seems to be sending out the following spammed email message:

Curious victims who click on the link are redirected to fraudulent pharmaceutical sites hosted on nodes in the fast-flux Storm botnet.

Trend Micro researcher David Sancho believes that the fake online pharmacy, which purports to be Canadian, has been a “customer” of Storm for many months now.
The domains involved in this spamming operation seem to point to the same IP address, so at first glance it does not look like a fast-flux network is involved. However, the links in the spammed messages do keep changing, which makes detection harder.
Sancho adds that the fraudulent pharma “company” might only be a customer of the spamming operations of Storm, but this is only speculation at this point.
The suspected intention appears to be promotion of the pharma company through the spammed email campaign.
Sancho further warns that Storm is now sending Valentine’s Day-themed messages, too, so it continues to morph.
As of this writing, the links are down and cannot be accessed (well, maybe not all of them).
As always, users are advised to be cautious about clicking links in email messages.
January 31st, 2008 by Carolyn Guevarra (Technical Communications)


Earlier today, Trend Micro Advanced Threats Researcher Paul Ferguson discovered these fake “sponsored” banner ads that were showing up in certain Google searches:


Apparently, these ads point to the domain name TRENDMICRO2008.COM, a fraudulent Web site that is posing as a legitimate Trend Micro Web site (note that the legitimate domain name of Trend Micro is TRENDMICRO.COM).
According to a Google representative, the fraudulent ad was removed last night. “Luckily, Google Checkout halts any transactions for these fraudulent purchases,” noted Ferguson while analyzing the fake ad.
Since early last year, cyber criminals have been investing in pay-per-click ads on Google to spread their malicious code on the Web. They take advantage of the fact that users treat sponsored results as safe, assuming that a legitimate business is behind the advertisement. They also realize that paying to advertise their malicious or fraudulent Web sites in trusted search engines, as in this particular case, is quite an effective way to trick users into clicking the malicious links. Adding Trend Micro to the equation just makes their social engineering ploy even more convincing.
Users seeking to purchase Trend Micro Internet Security 2008, or any other Trend Micro products, are advised to visit the one and only official Web site of Trend Micro, i.e. http://www.trendmicro.com.
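The check below is an added example, not part of the original post or any Trend Micro tooling: it triages ad or e-mail links for hosts that carry the brand name but do not sit under the official domain, as TRENDMICRO2008.COM does. The two-label registrable-domain rule and every sample URL other than the two domains named in the post are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

OFFICIAL = "trendmicro.com"  # legitimate domain named in the post
BRAND = "trendmicro"         # brand token to look for in other hosts


def registrable(host):
    """Naive registrable domain: the last two labels.
    Assumption: good enough for .com; production code needs a public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify(url):
    """Return 'official', 'lookalike' or 'unrelated' for one link."""
    if "://" not in url and not url.startswith("//"):
        url = "//" + url  # let urlsplit treat a bare host as the authority
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    if registrable(host) == OFFICIAL:
        return "official"
    # Search the whole authority (userinfo included) with digits and hyphens
    # removed, so 'trendmicro2008', 'trend-micro' and 'brand@otherhost' all match.
    squashed = re.sub(r"[^a-z.]", "", parts.netloc.lower())
    return "lookalike" if BRAND in squashed else "unrelated"


def triage(urls):
    """Group links by verdict so the lookalikes can be reviewed or blocked."""
    verdicts = {"official": [], "lookalike": [], "unrelated": []}
    for url in urls:
        verdicts[classify(url)].append(url)
    return verdicts


# Constructed sample input; only the first two hosts appear in the post.
SAMPLE_LINKS = [
    "http://www.trendmicro.com",
    "TRENDMICRO2008.COM",
    "http://trendmicro.com.example.net/buy",
    "http://www.trendmicro.com@shop.example/",
    "https://www.example.org/",
]

if __name__ == "__main__":
    for verdict, links in triage(SAMPLE_LINKS).items():
        print(verdict, links)
```

A substring match like this only catches names that embed the brand verbatim; misspellings and homoglyph variants need an edit-distance or confusable-character comparison on top.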