The month of October in the threat landscape is often associated with scary social engineering tactics in time for Halloween. As in years past, the threats that lurk in and plague the current threat landscape are real. Most of them can cause irreparable damage, often resulting in information, or worse, identity theft as shown in the following blog entries:

• Weather Report for Halloween: High Chances of a Storm
• “Halloween Costumes” Bring More Fright Than Expected

But just how scary is the Web 2.0 environment nowadays? Let us run down a list of the scariest threats thus far:

• 2009 saw the emergence or resurfacing of three of the most notorious botnets in relation to information, financial, and identity theft—Koobface, ZeuS, and Ilomo. Botnets control more compromised machines than previously believed. Only a handful of cybercriminals have more than 100 million computers under their control. This means they have more computing power at their disposal than the entire world’s supercomputers combined. It’s no wonder then that more than 90% of all email worldwide is now spam.

Koobface is most known for preying on social networking and micro-blogging site users. It has transcended from its original design of taking over accounts to spread malicious links using the affected users’ credentials to spreading a FAKEAV or its variant to users who just happen to visit a compromised site or to click anywhere on a malicious page where a copy of the malware is hosted.ZeuS/ZBOT

The ZeuS botnet, on the other hand, is best known for ebanking attacks targeting small businesses that do not have full-time IT staff and only 1–2 payroll personnel. It was first introduced by Rock Phishers this April, paving the way for the rise of easy-to-use kits that yielded professional-looking phishing pages. Its latest components, also known as “ZBOT variants,” now come compressed in more and more complex packers.

Ilomo, the third most dangerous botnet, Ilomo, also known as “CLAMPI” or “LOMOL,” is known for injecting code into an affected user’s browser to wait for him/her to connect to one of over 4,000 banking, financial, or Web mail sites so it can steal his/her credentials. It can, however, also “piggyback” on the user’s session to transfer funds from his/her account to a remote one while making a mockery of the bank’s secure login system. The botnet also sells “anonymity as a service” as every infected machine can act as a proxy, allowing cybercriminals to route their illegal activities through different networks and countries, thereby evading detection.

• Tricking users into downloading FAKEAV has been an age-old cybercriminal tactic that apparently has not stopped working. Hence the continuous rise in the number of FAKEAV pushed to unwitting scam victims up to this day. Trend Micro estimates that more than 100,000 users receive messages saying they have been infected by malware while visiting malicious sites and that there are more than 48,000 FAKEAV offerings per month.Apart from its ability to rake in a lot of dough, it is also hard to detect due to its numerous domains and redirectors, giving security experts a hard time tracking all related activities down. FAKEAV will thus continue to plague users for a long time because its ploy works.

• In June 2009, Microsoft broke its December 2008 record of releasing patches for 28 vulnerabilities with the release of 10 security advisories to address 31 vulnerabilities in its OSs and other software.
  Unpatched vulnerabilities can allow cybercriminals to exploit users’ systems. For instance, unpatched vulnerabilities in a system’s browser can allow cybercriminals to run arbitrary code if the user happens to browse through a malicious website, leaving him/her at the mercy of online predators.Microsoft was not alone in this predicament though. Adobe and Firefox have had their share of exploited vulnerabilities as well.

Why do more and more people join the cybercriminal bandwagon? The answer is plain and simple, because there is a lot of money to be made in infecting users. FAKEAV, for instance, sell for an average price of US$50 each. Just imagine how much money cybercriminals can make even if they just sell to a fraction of their target user base!  Our threat research papers provide detailed information of such cybercrime activity, if you’re interested, you can read them here.

And if that isn’t scary enough, Trend Micro’s threat researchers found that the going rates for stolen data (credit card information and user credentials) and for infecting users’ systems continue to rise each year. Cybercriminals never seem to run out of tricks to spread threats to users throughout the Web. No wonder U.S. President Obama officially announced October as the “National Cyber Security Awareness Month!”

If you're new here, you may want to subscribe to our RSS feed. Thanks for visiting!

We often associate Halloween with pumpkins and costumes but for cybercriminals it’s merely another avenue to exploit, steal, and trick users into giving away their personal identities. Treats are fun but we all need to be on the lookout for the sneaky and tricky ways cybercriminals slither into our computers.  Below are the TrendLabs, top 7 scariest threats that might be knocking on your door:

1. Tailor-made ZBOT spam makes its way to employees’ mailboxes
   
   The Zeus botnet is well-known for e-banking attacks that target small businesses without a dedicated IT staff and only 1–2 payroll personnel; the most notorious ZBOT attack to date sent out tailor-made spam to the employees of several of these types of small companies. The spammed messages were made to look legitimate and non-malicious when, in fact, they contained Trojan spyware designed to steal information and identities.
2. Vulnerabilities hit critical mass: Patch me if you can 

   Microsoft set a record in December 2008 of 28 patches for its OS vulnerabilities. In June 2009, the company broke that record with the release of 10 security advisories for 31 OS and other software vulnerabilities. What does this mean for users? It means that unpatched vulnerabilities can allow cybercriminals to exploit their systems. For instance, unpatched vulnerabilities in a system’s browser can allow cybercriminals to run arbitrary code if the user happens to browse through a malicious website, leaving him/her at the mercy of online predators.

3. FAKEAV: Surrender hard-earned money for fake security 

   We’ve seen several strains of FAKEAV abound on the Web. Most employ “scareware” tactics, displaying a blue screen or bogus graphical user interfaces (GUIs) to warn users of infection. Some of the most dangerous variants, however, employ “ransomware” tactics. Users who fall victim to FAKEAV scams end up buying useless applications or may even be robbed of critical information apart from their hard-earned money. Sold at an average US$50 apiece, it is clear that big money can be made from pushing FAKEAV to users. This is why we can expect the debut of more FAKEAV in the future.

4. Expand your circle of friends but beware of KOOBFACE malware 

   This year, we saw the emergence of the KOOBFACE botnet that specifically targeted social networking and micro-blogging site users. Facebook and Twitter, two of the top-ranking social networking/micro-blogging sites today have millions of users worldwide, making them favorite cybercriminal targets. The popularity of these sites may be unprecedented but so is the rise in number of malware targeting them. Victims of KOOBFACE variants can end up with FAKEAV infections, wrangled into being a part of the widespread KOOBFACE botnet, or owners of compromised profiles, take your pick.

5. More sophisticated attacks = More victims 

   Cybercriminals continue to up the stakes as they come up with more sophisticated attacks to lure more victims into their traps. A new variant of the BEBLOH family of information stealers went well beyond logging keystrokes and sending it to a server to exploit. It stole user information and used it right away while effectively avoiding detection. The latest BEBLOH variant produces static pages that show remaining account balances and previous transactions to cover its tracks. Victims will not know they have been robbed unless they accessed the online banking site from an uninfected machine or used separate facilities such as ATMs.

6. No system is immune from security attacks, certainly not Macs 

   The days when Mac users felt safe from today’s threat landscape are over. The recent proliferation of Mac attacks reiterates what security researchers have been saying all along—that no system is immune from security attacks, certainly not Macs. The number of Mac users continues to increase, unfortunately so does the number of cybercriminals targeting the Mac OS. Cybercriminal attacks on the growing Mac user base are becoming more and more complex, preying on the earlier belief that the OS X is malware-free.

7. Blackhat SEO attacks climb the charts 

   Just as cybercriminals strive to make their malware-ridden pages climb to the top of search results, so has the number of documented blackhat SEO attacks. As if the usual blackhat SEO techniques were not crafty enough, cybercriminals just learned to use new nifty gadgets—Google Trends and GeoIP tracking—to increase the chances that users will click on links that direct them to specifically crafted malware-ridden pages. This kind of attack can affect anyone searching for information on the Web. All it takes to get infected is click a top-ranking search result.

If you are concerned that your computer may have been affected by a cyber attack, try our free prevention and clean up tools, available here.

Trend Micro researchers found over 200 email samples that spamvertised male sexual enhancement pills. These bore subjects like “Re: Go wild in bedroom,” “Re: Let your lever straight up,” and “Re: Be her concrete-rod satisfier” and contains a URL that points to all-too-familiar Canadian pharmacy websites.

While spammed messages that lead to Canadian pharma sites are not new, there are notable things in this particular spam run. For one, it employed random messages in the email content to avoid spam filters. The spammers also put “Re:” in the subject to make it appear as though it was a reply of sorts. In addition, the FROM and TO fields bear the same email address. It particularly used dictionary form of spam attack where spammers randomly send spammed messages to a generated list of email addresses. Upon further analysis, the domains used were just recently registered.

As usual, users are advised not to open emails that spamvertise sexual enhancement pills. Trend Micro users are secure from this spam attack with the Smart Protection Network. Non-Trend Micro products users can stay protected from this by using free tools like eMail ID.

Trend Micro threat analysts found several phishing sites registered in China that target specific people or companies. The said email can customize phishing URLs using the names of intended recipients via a technique called “spear phishing.”

Spear phishing has been used by cybercriminals before in attacks that involved specific targets. In the previous post, “So Is It Twitter or Facebook?,” for instance, cybercriminals exploited Twitter’s direct message function to inform users that their pictures were seen on another website, the link to which is embedded in the same message. The link led to a bogus Facebook page from which user credentials are then stolen.

In this attack, the cybercriminals went as far as spoofing the From field to imply that the sender is from the same company the target is employed in. The URL embedded in the email is also customizable, depending on who its intended recipient is. Clicking the link points the user to a bogus Gmail Taiwan login page where the target’s user name has already been entered.

According to TT Tsai, this phishing attack seems to be targeting the Taiwan government as some of the phishing domains we have encountered are hosted in Taiwan, not to mention that the page uses the Chinese language.

Here’s a list of malicious domains users should be wary of:

• http://google.com.microsoft-server.tw/google/accounts/ServiceLogin.asp?uid=vq4hasv2o1xn&name=victim
• http://google.com.microsoft-server.tw/google/accounts/ServiceLogin.asp?uid=vq4hasv2o1xn&name=victim

TT Tsai, however, added that the cybercriminals are rapidly changing domains and taking down previously used ones to avoid detection and blocking.

As of this writing, all spam and phishing URLs related to this attack are already being blocked by the Trend Micro Smart Protection Network™. Non-users of Trend Micro products can stay protected from this and other similar attacks by using free tools such as eMail ID.

A new spam campaign that purports to be from Facebook is making rounds today. It bears the subject, “Facebook Password Reset Confirmation,” and informs users that their passwords have been changed for security purposes. It then asks them to open the attached .ZIP file that supposedly contains their new passwords, which in actual fact is a malware detected by Trend Micro as TROJ_BREDLAB.SMF.

Upon execution, TROJ_BREDLAB.SMF connects to a malicious website and downloads a FAKEAV variant detected as TROJ_FAKEAV.BLV.

Users are advised to be wary of bogus notifications even if comes from a known source. Trend Micro product users are protected from this attack via the Smart Protection Network, which detects and blocks this kind of spam. Non-Trend Micro product users can use HouseCall, Trend Micro’s highly popular and capable on-demand scanner for identifying and removing viruses, Trojans, worms, unwanted browser plugins, and other malware.