TrendLabs Malware Blog - Trend Micro

    Archive for September, 2009




    Readers who get their regular dose of news from the New York Times website were recently warned to be careful when browsing the site: malicious advertisements, also known as “malvertisements”, were appearing on its pages and displaying pop-up windows that falsely report malware infections on the visitor's system.

    As reported in detail by Trend Micro researcher Rik Ferguson in the Counter Measures blog, the New York Times issued warnings through both Twitter and its website's front page about malvertisements that trigger a malicious pop-up window. The pop-up shows the typical fake antivirus warning of a malware infection and pressures the user into buying the “full version” of a rogue antivirus product. The reported infections are, of course, nonexistent; the alarming messages exist only to frighten the user into handing over information.

    Not only is money wasted on useless software. The credit card details entered during the “purchase” are also handed directly to the cybercriminals.

    The Smart Protection Network, however, stops this attack before it starts: the fake antivirus binaries used so far are already detected as TROJ_FAKEALE.SMF and TROJ_FRAUDPAC.LH, and the URL to which the malvertisement redirects is blocked, so the infection chain never gets going.

    All users are advised to ignore such pop-up messages and never to buy software offered through them.

     



    We have received samples of a new phishing email targeting MSN Messenger users. It invites recipients to find out who has deleted or blocked them from their contact lists, a lure that plays on the natural curiosity to know which friends have dropped them.

    Figure 1. Phishing email

    Clicking the link leads to the following fake login page, which asks the user to enter his or her password:

    Figure 2. Phishing website

    The intention is clearly to harvest the user's MSN Messenger login credentials. With those in hand, the cybercriminals can use the account to send spam continuously or, worse, for other malicious ends.

    Getting in touch with friends is now much easier than before. Thanks to the growth of social networking sites, we can stay connected with old friends or find new ones, read other members' profile pages, and send and receive invitations to games, videos and other applications. Users must nevertheless stay on guard when interacting within online social networks, because spammers now abuse exactly these interactions in their phishing attacks.

    Always be wary of accepting “invitations”, especially when they ask for personal information or a password. This particular spam message and the associated website are already blocked by Trend Micro products via the Smart Protection Network.

     



    Research Manager Ivan Macalintal found a bogus LinkedIn profile that appears among the search results for the keyword “obama”.

    Cybercriminals riddled the profile page with links. The .cn links redirect to a URL under the y0utybe domain (note the resemblance to the legitimate video-sharing site's name), which in turn redirects to a URL under the .com domain localtubeonline. The chain ends on familiar malicious territory: an .EXE download named flash-plugin_update.40069.exe, whose file name mimics a Flash plugin update.

    This landing page is one of those used in the blackhat SEO attack that leveraged the 9/11 memorials.

    Trend Micro detects the binary as TROJ_RENOS.BGI. The Trojan's primary routine is to connect to other URLs and download further components to complete the attack; at the time of analysis, the URLs in the malware's code were unavailable.

    Users are advised to refrain from clicking links from untrusted sources. Social networking sites, even a business-oriented one such as LinkedIn, can easily be used by cybercriminals to get into people's circle of trust, and we have seen this in earlier attacks.

    The best protection is to keep security applications updated with the latest patterns, and to be suspicious of any “plugin update” executable offered by a site you reached through a chain of redirects rather than from the vendor itself.
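The redirect chain above (profile link, look-alike video domain, a second unrelated domain, then an executable named like a plugin update) is a pattern that can be scored automatically. The following Python script is an added example, not code from the original post or from Trend Micro: it undoes digit-for-letter substitutions and compares each hop's domain against a short brand list to flag look-alikes such as y0utybe, flags a final hop that serves an executable whose name mimics an updater or scanner (the same check catches the Scanner-7c545a_2031.exe name from the September 11 post below), and notes when a chain spans several unrelated domains. The sample chain, the brand list, the lure-word list and the thresholds are assumptions constructed for illustration, and the real TLDs are replaced by the reserved .example.

```python
"""Score a redirect chain for look-alike domains and fake-updater downloads.

Added example, not from the original post. All hosts below are constructed
(real TLDs replaced by the reserved .example); the brand list, lure words and
thresholds are assumptions for illustration.
"""
from difflib import SequenceMatcher
from urllib.parse import urlparse

# Brands attackers commonly imitate (assumption; extend for your environment).
KNOWN_BRANDS = ("youtube", "facebook", "linkedin", "google", "microsoft")

# Digits and symbols commonly swapped for letters in look-alike names.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                            "5": "s", "7": "t", "@": "a", "$": "s"})

EXE_SUFFIXES = (".exe", ".scr", ".pif", ".bat", ".com")
LURE_WORDS = ("flash", "plugin", "update", "scanner", "codec", "player", "setup")


def registrable_label(host):
    """Return the label left of the TLD, e.g. 'y0utybe' for 'www.y0utybe.example'.

    Naive: treats the last label as the whole public suffix, so multi-part
    suffixes such as .co.uk would need a public-suffix list in production.
    """
    labels = host.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def lookalike_brand(host, brands=KNOWN_BRANDS, threshold=0.8):
    """Return the brand a host imitates, or None if it is genuine or unrelated.

    Digit-for-letter substitutions are undone first, so 'y0utybe' is compared
    to 'youtube' as 'youtybe' (SequenceMatcher ratio 12/14 = 0.857), and
    'g00gle' becomes an exact match for 'google' while differing from it raw.
    """
    raw = registrable_label(host)
    label = raw.translate(HOMOGLYPHS)
    best_brand, best_ratio = None, 0.0
    for brand in brands:
        if raw == brand:
            return None          # the genuine brand name, not an imitation
        if label == brand:
            return brand         # differs from the brand only by substituted characters
        ratio = SequenceMatcher(None, label, brand).ratio()
        if ratio > best_ratio:
            best_brand, best_ratio = brand, ratio
    return best_brand if best_ratio >= threshold else None


def download_lure(url):
    """Describe why a URL's file name looks like a fake updater/scanner binary, or None."""
    name = urlparse(url).path.rsplit("/", 1)[-1].lower()
    if not name.endswith(EXE_SUFFIXES):
        return None
    words = [w for w in LURE_WORDS if w in name]
    if words:
        return f"executable {name} named like a {'/'.join(words)}"
    return f"executable download {name}"


def assess_chain(chain):
    """Walk the ordered hops of a redirect chain and return (hop, host, reason) findings."""
    findings = []
    for hop, url in enumerate(chain):
        host = urlparse(url).hostname or ""
        brand = lookalike_brand(host)
        if brand:
            findings.append((hop, host, f"look-alike of {brand}"))
        reason = download_lure(url)
        if reason:
            findings.append((hop, host, reason))
    # Several unrelated domains in one chain is typical of a traffic-distribution
    # system rather than an ordinary link (the threshold of 3 is an assumption).
    domains = {registrable_label(urlparse(u).hostname or "") for u in chain}
    if len(domains) >= 3:
        findings.append((len(chain) - 1, "",
                         f"{len(domains)} distinct domains across {len(chain)} hops"))
    return findings


# Constructed chain modelled on the post: profile link -> look-alike video site
# -> second "tube" site -> fake Flash plugin update executable.
SAMPLE_CHAIN = (
    "http://redirector.example/go?id=1",
    "http://y0utybe.example/watch/",
    "http://localtubeonline.example/player/",
    "http://localtubeonline.example/get/flash-plugin_update.40069.exe",
)

if __name__ == "__main__":
    for hop, host, reason in assess_chain(SAMPLE_CHAIN):
        print(f"hop {hop} {host}: {reason}")
```

Run stand-alone, the script reports three findings for the sample chain: the look-alike domain at hop 1, the executable at hop 3 whose name contains flash, plugin and update, and the fact that four hops cross three unrelated domains. The similarity threshold is deliberately conservative; lowering it increases recall against heavier misspellings at the cost of false positives on legitimate names that happen to share letters with a brand.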

     



    As the anniversary of the September 11 attacks in the United States approached, Trend Micro researchers waited for the people behind FAKEAV to make their move. Predictably, they did.

    Through SEO poisoning, users searching for reports related to September 11 may find their Google search results stacked with pages that lead to rogue antivirus malware detected by Trend Micro as TROJ_FAKEAV.BOH.

    Figure 1. Poisoned Google search results

    As shown in the image above, TROJ_FAKEAV.BOH may arrive on the system as Scanner-7c545a_2031.exe from any of several malicious websites, all of which appear in the poisoned Google search results.

    Trend Micro users are already protected from this threat: the malicious files are detected, and the download URLs have been identified and blocked by the Web Reputation Service.

    The people behind FAKEAV show no sign of slowing down. With the holiday season coming up, users are also advised to refrain from visiting unknown sites returned in search engine results and to rely on reputable news sources instead.

     



    September signals the approach of the holiday season, and spammers are already gearing up for it by “spamvertising” their products.

    Trend Micro recently found several spammed messages with “Christmas” in the subject line. The emails entice users to get the “best gift” for their loved ones by clicking a URL.


    Figure 1. Sample spam

    Figure 2. Sample spam

    The link leads to a website selling replica watches at a discount. Although the site does not infect users with malware, entering payment details on it could well lead to information theft.

    Figure 3. The website to which users are redirected

    Cybercriminals often use the holidays as part of their social engineering, and Trend Micro has recently blogged about these tactics.

    Trend Micro protects users from this spam run via the Trend Micro Smart Protection Network. Users are also advised to stay vigilant during the upcoming holidays, when spam, some of it carrying malware, is rampant.

     


     

    © Copyright 2011 Trend Micro Inc. All rights reserved. Legal Notice