
    Archive for September 16th, 2009
    Trend Micro warns users of the latest spam campaign targeting US taxpayers who hold foreign bank and financial accounts. The spam rides on the September 23, 2009 extended deadline set by the Internal Revenue Service (IRS) for filing the FBAR, the Report of Foreign Bank and Financial Accounts.

    The spammed message bears the subject “Notice of Underreported Income” and lures users into clicking a link that supposedly leads to their tax statement. Users who click the URL are taken to a site that infects them with one of several ZBOT variants. ZBOT is notorious for its information-theft routines; it harvests credentials and other data from the infected machine. Trend Micro detects the variants used in this campaign as TSPY_ZBOT.BZJ, TSPY_ZBOT.BZT, TSPY_ZBOT.BZS, and TSPY_ZBOT.COB.


    Figure 1. Bogus IRS Spam

    Since this spam run began, the ZBOT operators have kept generating new binaries, most likely to evade signature-based detection and removal; the same lure is therefore served with different payloads over time.

    Spammers regularly ride on tax season to trick users into handing over their credentials and even to infect their PCs with malware. We have blogged about this in the following posts:

    Trend Micro already detects and blocks this spam attack with the Trend Micro Smart Protection Network. Users are advised to obtain their tax statements directly from the IRS rather than through links in unsolicited e-mail.




    We have encountered a new phishing scam that targets ClickandBuy. The London-based competitor to eBay offers both billing and payment solutions, so it is no surprise that cybercriminals are interested in stealing the login information of ClickandBuy users.

    Phishers have created a duplicate of a legitimate German-language ClickandBuy login page on at least one malicious website. The fake site can be seen below:

    Figure 1. Phishing website

    After entering their credentials on the fake page, users are redirected to the legitimate ClickandBuy site. From the victim's point of view the login simply worked, so nothing prompts them to suspect that their credentials have just been captured. The phishing website is a very close match to the legitimate site, which is shown below for comparison:

    Figure 2. Legitimate website

    Users are advised to be very careful about where they enter their login credentials to guard against attacks like this. In this case the connection to the phishing site was not encrypted, whereas the connection to the legitimate website was encrypted over HTTPS. (All browsers show this in their user interface, usually with a padlock.) The padlock alone is not proof of legitimacy, since an attacker can obtain a certificate for a domain they control; the domain name shown in the address bar must also be the one the user expects.
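The two checks the paragraph above describes, scheme and host, can be automated for a list of URLs. The following is an added example written for this page, not code from the original post or from ClickandBuy; the allow-list of trusted login domains and the sample URLs are assumptions constructed for the example. It shows why the host must be compared by registrable domain rather than by substring: the brand name can be placed in a subdomain, in the userinfo part before `@`, or in the path of an attacker-controlled URL, and only the host the browser actually connects to matters.

```python
from urllib.parse import urlsplit

# Hypothetical allow-list of domains that may legitimately receive ClickandBuy
# login credentials. This is an assumption made for the example, not taken
# from the original post or from ClickandBuy.
TRUSTED_LOGIN_DOMAINS = {"clickandbuy.com"}


def host_matches(host, domain):
    """True if host is `domain` itself or a subdomain of it.

    The check anchors on the dot so that look-alikes such as
    "clickandbuy.com.evil.example" or "notclickandbuy.com" are rejected.
    """
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def assess_login_url(url, trusted=TRUSTED_LOGIN_DOMAINS):
    """Decide whether a URL is a safe place to type login credentials.

    Returns (ok, reason). ok is True only when the URL uses HTTPS and the
    host the browser would actually connect to is on the allow-list.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False, "connection is not encrypted (scheme is %r)" % parts.scheme
    # urlsplit().hostname is the host the browser connects to: it drops any
    # user@ prefix and the port, and lowercases the name.
    host = parts.hostname
    if not host:
        return False, "no host in URL"
    if not any(host_matches(host, d) for d in trusted):
        return False, "host %r is not a trusted login domain" % host
    return True, "https to trusted host %r" % host


# Constructed URLs (not from the original post) covering the common tricks.
SAMPLE_URLS = [
    "https://www.clickandbuy.com/login",            # legitimate shape
    "http://www.clickandbuy.com/login",             # plaintext: credentials exposed in transit
    "https://clickandbuy.com.evil.example/login",   # brand name as a subdomain of the attacker
    "https://clickandbuy.com@evil.example/login",   # brand name in the userinfo part
    "https://evil.example/clickandbuy.com/login",   # brand name only in the path
]


def assess_all(urls=SAMPLE_URLS):
    """Map each URL to its (ok, reason) verdict."""
    return {u: assess_login_url(u) for u in urls}


if __name__ == "__main__":
    for url, (ok, reason) in assess_all().items():
        print("%-3s %s  (%s)" % ("OK" if ok else "NO", url, reason))
```

Only the first sample URL passes. Note that the HTTPS test catches the plaintext phishing page from this post, but the domain test is what catches the more common case of a phishing page served over HTTPS from the attacker's own domain.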

    The phishing URL in this attack is already blocked by the Trend Micro Smart Protection Network.



    Sep 16
    4:05 am (UTC-7)   |    by

    Industry experts have previously estimated that, on average, a compromised machine remains infected for six weeks. Our latest research indicates that this estimate is far too low. In an analysis of approximately 100 million compromised IP addresses, half of the IP addresses were infected for at least 300 days, and 80 percent were infected for at least a month. This data is shown graphically below:

    Figure 1. Infection data by country

    The news only gets worse from there. While three-quarters of the IP addresses in our study belong to consumer users, the remaining quarter belong to enterprise users. Because an enterprise IP address is typically a single gateway that may front many machines on an internal network (every host behind a NAT appears as the same address), the number of infected IP addresses is only a lower bound, and the actual percentage of enterprise machines affected by malware may be higher than the IP address data suggests.
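The figures above come from measuring, per IP address, how long it keeps appearing in infection telemetry. The following is an added example written for this page, not the original study's code or data: it computes the observed infection window per IP from a feed of (ip, date) sightings and then the share of IPs whose window is at least a given number of days. The sightings are constructed for the example and are deliberately chosen so that half the IPs exceed 300 days and 80 percent exceed 30 days, matching the proportions reported in the post.

```python
from datetime import date

# Constructed sightings (not real data): (ip, day) pairs as a sinkhole or
# feedback feed might report them, deliberately out of order. Ten IPs are
# chosen so that half stay infected for 300+ days and 80% for 30+ days.
SIGHTINGS = [
    ("198.51.100.1", date(2009, 3, 15)),
    ("198.51.100.1", date(2008, 9, 1)),
    ("198.51.100.1", date(2009, 9, 1)),
    ("198.51.100.2", date(2008, 10, 15)),
    ("198.51.100.2", date(2009, 8, 20)),
    ("198.51.100.3", date(2009, 9, 10)),
    ("198.51.100.3", date(2008, 11, 1)),
    ("198.51.100.4", date(2008, 11, 15)),
    ("198.51.100.4", date(2009, 9, 15)),
    ("198.51.100.5", date(2008, 8, 1)),
    ("198.51.100.5", date(2009, 2, 1)),
    ("198.51.100.5", date(2009, 8, 1)),
    ("198.51.100.6", date(2009, 5, 1)),
    ("198.51.100.6", date(2009, 7, 31)),
    ("198.51.100.7", date(2009, 6, 10)),
    ("198.51.100.7", date(2009, 8, 10)),
    ("198.51.100.8", date(2009, 8, 5)),
    ("198.51.100.8", date(2009, 7, 1)),
    ("198.51.100.9", date(2009, 8, 20)),
    ("198.51.100.9", date(2009, 8, 25)),
    ("198.51.100.10", date(2009, 9, 10)),   # seen only once
]


def infection_durations(sightings):
    """Return {ip: days}, where days spans first to last sighting inclusive.

    A single sighting counts as one day. The observed window is a lower
    bound on the real infection: the machine was infected at least that long.
    """
    first, last = {}, {}
    for ip, day in sightings:
        if ip not in first or day < first[ip]:
            first[ip] = day
        if ip not in last or day > last[ip]:
            last[ip] = day
    return {ip: (last[ip] - first[ip]).days + 1 for ip in first}


def fraction_infected_at_least(durations, min_days):
    """Share of IPs whose observed infection window is >= min_days."""
    if not durations:
        return 0.0
    hits = sum(1 for d in durations.values() if d >= min_days)
    return hits / len(durations)


def duration_report(sightings=SIGHTINGS, thresholds=(30, 300)):
    """Fraction of IPs still infected after each threshold, keyed by days."""
    durations = infection_durations(sightings)
    return {t: fraction_infected_at_least(durations, t) for t in thresholds}


if __name__ == "__main__":
    for days, share in sorted(duration_report().items()):
        print("infected for at least %3d days: %.0f%% of IPs" % (days, share * 100))
```

Each IP is counted once regardless of how many sightings it has, which is exactly why the enterprise caveat above matters: a gateway address hiding a dozen infected workstations contributes a single entry to this table.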

    Once a machine is compromised, it is not unusual to find that it has become part of a wider botnet. Botnets frequently cause damage in the form of malware attacks, fraud, information theft, and other crimes. In 2009, virtually all malware tracked by Trend Micro experts is used by cybercriminals to steal information.

    Currently, the three most dangerous botnets in relation to information, financial and identity theft are:

    • Koobface
    • ZeuS/Zbot
    • Ilomo/Clampi

    Overall, botnets control more compromised machines than had previously been believed. A handful of criminals (likely a few hundred) collectively have more than 100 million computers under their control. This means that cybercriminals have more computing power at their disposal than all of the world's supercomputers combined. It is no wonder, then, that more than 90 percent of all e-mail worldwide is now spam.

    While there isn’t exactly a 1:1 correlation between the top ten countries with compromised machines and the top spamming countries, some correlation does exist:

    Figure 2. Compromised systems by country

    Using Koobface as an example of a typical botnet, Trend Micro threat experts have established that about 51,000 compromised machines are currently part of this particular botnet. At any given time, Koobface uses five or six command-and-control (C&C) servers to control these machines. If one C&C domain is taken down by a particular provider, the Koobface gang simply re-registers the same domain with another provider, so the bots' hard-coded rendezvous point keeps working. Between mid-March 2009 and mid-August 2009, Trend Micro researchers recorded around 46 Koobface C&C domains.

    By comparison, our study of the Ilomo botnet identified 69 C&C domains. This number is difficult to pin down, as new domains are added and others removed daily. In addition, the number of infected machines in the Ilomo botnet cannot be ascertained because of the structure of the botnet itself.

    Trend Micro threat experts are committed to ongoing technical research and analysis. Technical reports of the Koobface and Ilomo botnets have been published and can be found in the research and analysis section of TrendWatch.

    Fortunately, new technologies are becoming available to counter these ever growing threats. The Trend Micro Smart Protection Network prevents over 1 billion threats from infecting its customers daily.

    Trend Micro uses the power of Smart Protection Network to detect and protect against infections. The Smart Protection Network is made up of 3 core areas: Email Reputation, Web Reputation and File Reputation combined with more traditional endpoint anti-spam and anti-malware protection techniques.

    Processing over 5 billion customer queries per day, the Trend Micro Smart Protection Network is a next generation cloud-client content security infrastructure designed to block threats before they reach a network. By combining in-the-cloud technologies with smaller, lighter-weight clients, users have immediate access to the latest protection.




    © Copyright 2011 Trend Micro Inc. All rights reserved. Legal Notice