Archive for February 22nd, 2008

Dark Shadows Lurk After Lunar Eclipse

February 22nd, 2008 by Paul Oliveria (Technical Communications)

Ancient Chinese belief has it that a lunar eclipse occurs because a great dragon swallowed the moon. People must therefore beat their mirrors (which represented the said celestial body) because doing so will cause the dragon to cough the moon out and return it to the sky.

In the age of Web threats, a lunar eclipse would mean a cybercrook “swallowing” an affected system to perform his bidding. No amount of mirror-beating will resolve that.

Yes, a total lunar eclipse just happened yesterday, and miscreants are already trying to take advantage of the said celestial event — not set to happen again until 2010 — to lure users into downloading malware onto their systems.

TrendLabs has received samples of email messages promising a video of the eclipse. Below is a screenshot of one of the said messages:

[Screenshot: Sample email]

Once the user clicks on the link, however, a backdoor detected as BKDR_AGENT.AKJZ is downloaded instead of any video.

This is yet another example of cybercriminals riding on interesting events in order to spread threats. Those who may have missed the event or are unable to see it in the first place due to geographical reasons (i.e., if it happened during the day in one’s time zone) would probably be tempted to click the link. After all, such events do happen rarely, but that does not mean we throw all caution to the wind and click on suspicious links in email messages (or even in search results pages for that matter, given the recent malicious SEO tactics).

Here’s a tip: there are two more eclipses in 2008. Again, not all may have the chance to see them, but best mark your calendars if you really want to see one. Solar eclipses are the best, by the way.

A Growing SoPHISHtication

February 22nd, 2008 by JM Hipolito (Technical Communications)

The growing sophistication of phishing email has recently gone up another notch as reports of a very convincing voice phishing (aka “vishing”) attempt surfaced.

TrendLabs was alerted of a phishing email disguised as, ironically, a warning against phishing attempts. The message is actually quite convincing, with all the links even leading to the corresponding legitimate target pages.

The catch in this facade is that the message also gives a phony phone number that the recipient has to call in order to reactivate their account, which supposedly has been placed “on hold”. Upon calling the said phone number, the recipient is connected to a system that asks for their bank card number and PIN. After that, the rest, most especially the affected user’s funds, is history.

Below is a screenshot of the email message:

[Screenshot: Sample phish]

This phishing email follows in the footsteps of a similar attempt reported last week. While these developments are something to continually watch out for, users should be reminded that awareness and cautious browsing work like a charm against such attempts. As a rule, financial institutions and other organizations do not ask for one’s PIN or password to verify or reactivate an account.

Bank of America Phishing Sourced from Korea

February 22nd, 2008 by Joseph Pacamarra (Threats Analyst)

As I was doing my routine of going through my inbox, I found a phishing site for the Bank of America. Looking into the actual email, I found a Korean site masked within the phishing link.

From the email, the link hxxps://sitekey.bankofamerica.com/cgi-bin/sas/enrollWithDebitCard.do?state redirects to the following URL, which is the phishing site impersonating Bank of America:

hxxp://blocho.com/image/owner/wysiwyg/images/banners/cgi-bin/us/update.info/bankofamerica.alert/login.aspx/signon.php?section=signinpage&update=&cookiecheck=yes&destination=nba/signin

This site poses as a legitimate Bank of America site to lure customers into disclosing their online banking ID together with their corresponding state, which limits the targets to North America. When a customer tries to sign in to the said site, he is advised that the ID he entered is invalid. The site http://blocho.com is actually local to Korea, as seen in its domain registry details below:

———————————————–
Myung San Jun msjun@nate.com +82.1062969485
Myung San Jun
604-902
Sinnae Apt,Sinnae Apt,KOREA, REPUBLIC OF 131130

Domain Name:blocho.com
Record last updated at 2007-11-28 02:35:31
Record created on 2006/5/25
Record expired on 2008/5/25

Domain servers in listed order:
ns1.zzori.com ns1.staredong.com

The blocho.com site itself appears to be legitimate, except for the specific path where the redirection/phishing page is hosted. That specific part of the said site has already been tagged as phishing by Trend Micro Web Reputation Services.
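One defensive check that catches the trick described above (a link whose visible text shows a legitimate bankofamerica.com URL while the actual href points at blocho.com, with the brand buried in the path) is to compare the host shown in the anchor text with the host the href really targets. This is an added example written for this post, not TrendLabs or Trend Micro code; it assumes the phishing email was HTML with the legitimate URL as link text and the blocho.com URL as the href, and the sample body below is constructed from the two URLs quoted in the post.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample email body (not the original message): the visible link
# text is the real Bank of America URL quoted in the post, while the href is
# the blocho.com URL it led to; "hxxp" is written as "http" so urlparse works.
SAMPLE_EMAIL_HTML = """
<a href="http://blocho.com/image/owner/wysiwyg/images/banners/cgi-bin/us/update.info/bankofamerica.alert/login.aspx/signon.php?section=signinpage&amp;update=&amp;cookiecheck=yes&amp;destination=nba/signin">https://sitekey.bankofamerica.com/cgi-bin/sas/enrollWithDebitCard.do?state</a>
<br><a href="https://www.bankofamerica.com/privacy">https://www.bankofamerica.com/privacy</a>
"""

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registrable(host):
    """Crude registrable domain: the last two labels (no public-suffix list)."""
    return ".".join((host or "").lower().split(".")[-2:])

def suspicious_links(html):
    """Return hrefs whose real host differs from the host shown in the link text,
    or whose path/query carries the shown brand name while the host does not."""
    parser = LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        shown = urlparse(text).hostname if "://" in text else None
        if not shown:
            continue  # plain-word anchors ("click here") show no host to compare
        target = urlparse(href)
        host_mismatch = registrable(shown) != registrable(target.hostname)
        brand = registrable(shown).split(".")[0]          # e.g. "bankofamerica"
        brand_in_path = brand in (target.path + target.query).lower() \
            and brand not in (target.hostname or "").lower()
        if host_mismatch or brand_in_path:
            flagged.append(href)
    return flagged
```

Run `suspicious_links(SAMPLE_EMAIL_HTML)` to get the blocho.com href back while the genuine bankofamerica.com link passes; in a mail gateway the same comparison would run over every anchor in the message body.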

Spam Roots for Hillary

February 22nd, 2008 by Roderick Ordoñez (Technical Communications)

After Ron Paul, spam writers are now campaigning for Hillary Clinton. The spammed emails inform readers of the presidentiable’s visit to the state of Virginia and entice users to download a video of the event.

However, clicking on the link shows no video; it instead downloads malware capable of turning a system into a lean, mean spam-spewing machine, which, ironically, is just the perfect tool to gain popularity among the voting population — though obviously in bad taste. Reaching out to people is a spammer’s high priority as well.

As the election heats up, so does spam.
