    Archive for November, 2009




    Users who are currently planning to travel to or return to Brazil, especially with the holidays coming up, should watch out for a recent spam run. Spammed messages fashioned to look like an email from a Brazilian airline offer users tickets to Brazil for just US$1.


    Here is a rough translation of the text in the spam:

    Promotion Voegol the $1.00 is back, buy tickets or return for all of Brazil to only $1.00.
    Visit our online service through the website:
    http://www.voegol.com.br/Atendimento/ and mention code: VG1R
    After that, wait for contact from a clerk, and make the purchase.
    Further promotion visit:

    The spam run seems to take advantage of the promotions currently being offered by the said Brazilian airline. As enticing as the offer is, however, the links in the said email lead nowhere near cheap tickets. The link leads to a URL that downloads TROJ_DLOADR.APX. TROJ_DLOADR.APX then connects to other URLs to download TSPY_BANKER.NGN. TSPY_BANKER variants have been known to take a special interest in Brazil: they steal banking information specifically related to Brazilian banks.

    Users are advised to ignore similar spam they receive and instead check the airline’s own website for promos and other offers. Trend Micro users are already protected from this attack through the Smart Protection Network.




    Threat researchers have been alerted to the discovery of a new exploit targeting Internet Explorer. Analysts have conducted tests and confirmed that the exploit affects versions 6 and 7 of the browser. Although the exploit is currently unreliable, cybercriminals may be able to create a reliable exploit in the near future. This may allow them to exploit websites and infect visitors. However, an attack may only succeed if hackers lure victims to specially crafted malicious Web pages or compromised websites. The attack also requires JavaScript in order to exploit Internet Explorer.

    The exploit targets a vulnerability in how Internet Explorer handles cascading style sheet (CSS) information. Trend Micro detects this exploit as HTML_SHELLCOD.WT and protects users via the Smart Protection Network.

    Internet Explorer users are advised to make sure their antivirus definitions are up-to-date. Disabling JavaScript and visiting trusted sites until fixes become available from Microsoft are also suggested.

    Update as of 23 November 2009, 7:56 AM UTC:

    Microsoft issued a security advisory on this vulnerability and confirmed that Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4, and Internet Explorer 6 and Internet Explorer 7 on supported editions of Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008 are all affected.

    According to the advisory, a successful exploit of the vulnerability gives the attacker the same user rights on the system as the logged-on local user.




    TrendLabs researchers were alerted to the discovery of spammed messages that contained Twitter URLs. The spam uses subjects such as N3 Earn Extra Income! 7L, C2 Exrtra Income Daily 4P, and Q0 $$$ Oppurtunity 6O. It informs users about supposed work-from-home opportunities for Google that pay good sums of money. It then entices users to click the Twitter URL to view the details of the bogus ‘opportunities.’


    When users click the link, they land on the sender’s Twitter page, where another URL is posted in a tweet along with a message that encourages them to work online. The said URL points to a bogus site about working online, complete with some success stories. This spam attack used Twitter as the lure to get users to click the link: because Twitter is a widely trusted site, users may assume the email they received is legitimate.


    Users are advised to be wary of opening any suspicious-looking emails. Trend Micro protects users via the Trend Micro Smart Protection Network, which detects and blocks this kind of spam. Non-Trend Micro product users can use free tools like eMail ID to stay secure.




    Media reports have revealed the existence of fake blogs that were used to spread FAKEAV malware. The blogs do not actually contain any useful content. Instead, they have posts that contain nothing but images with post titles that use a wide variety of topics. The images used appear to have simply been taken from a Google Images search with the post title in question as the search term.

    If users visit the blogs in question by entering their URLs directly, they see only the harmless images. If they arrive from a search engine such as Google, however, they instead download a new FAKEAV variant, which is detected as TROJ_FAKEAV.FFGZ.


    The JavaScript file that is used by the fake blogs is detected as JS_FRAUDLOAD.AP. The domains or actual FAKEAV drop sites involved in this attack are already blocked by Trend Micro Smart Protection Network.
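    The behaviour described above, where a direct visit gets the image page but a visit from a search engine gets the FAKEAV loader, is what a crawler can check for by requesting the same URL more than once and comparing what comes back. The following is an added example, not code from the original post or from Trend Micro; it assumes the fake blogs distinguish visitors by the HTTP Referer header (the post does not say how the distinction is made), and it runs offline against two constructed stand-in sites, `cloaking_site` and `honest_site`, in place of real network fetches.

```python
import hashlib
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class Response:
    status: int
    content_type: str
    body: bytes


# A fetcher takes (url, referer) and returns a Response. Injecting it keeps the
# detector testable offline; a real crawler would plug in urllib or requests here.
Fetcher = Callable[[str, Optional[str]], Response]

# Referers to try in addition to a direct (None) visit. Constructed sample list.
SEARCH_REFERERS = [
    "https://www.google.com/search?q=holiday+photos",
    "https://www.bing.com/search?q=holiday+photos",
]

_SCRIPT_SRC = re.compile(rb"<script[^>]*\ssrc=['\"]([^'\"]+)['\"]", re.I)


def fingerprint(resp: Response) -> Dict[str, object]:
    """Reduce a response to the features that matter for cloaking detection."""
    return {
        "status": resp.status,
        "content_type": resp.content_type.split(";")[0].strip().lower(),
        "scripts": sorted({s.decode("latin-1") for s in _SCRIPT_SRC.findall(resp.body)}),
        "body_sha256": hashlib.sha256(resp.body).hexdigest(),
    }


def detect_cloaking(url: str, fetch: Fetcher) -> List[Dict[str, object]]:
    """Fetch `url` directly and with search-engine referers; report any divergence."""
    baseline = fingerprint(fetch(url, None))
    findings = []
    for referer in SEARCH_REFERERS:
        observed = fingerprint(fetch(url, referer))
        differs_in = [key for key in baseline if baseline[key] != observed[key]]
        if differs_in:
            findings.append({
                "referer": referer,
                "differs_in": differs_in,
                "scripts": observed["scripts"],  # external scripts only the referred visitor sees
            })
    return findings


# --- Constructed offline stand-ins for the two kinds of site (not real hosts) ---
DIRECT_PAGE = b"<html><body><h1>Holiday photos</h1><img src='/img/1.jpg'></body></html>"
REFERRED_PAGE = b"<html><head><script src='http://loader.example/loader.js'></script></head></html>"


def cloaking_site(url: str, referer: Optional[str]) -> Response:
    """Mimics the post's fake blogs: search-engine visitors get the script loader page."""
    if referer and re.search(r"https?://(www\.)?(google|bing)\.", referer):
        return Response(200, "text/html; charset=utf-8", REFERRED_PAGE)
    return Response(200, "text/html; charset=utf-8", DIRECT_PAGE)


def honest_site(url: str, referer: Optional[str]) -> Response:
    """Serves the same page regardless of referer."""
    return Response(200, "text/html; charset=utf-8", DIRECT_PAGE)


if __name__ == "__main__":
    for name, site in (("cloaked", cloaking_site), ("honest", honest_site)):
        print(name, detect_cloaking("http://blog.example/post/1", site))
```

    A body hash alone would also flag legitimate pages with dynamic content (timestamps, rotating ads), which is why the fingerprint separately records status, content type, and the set of external script sources: a new script host appearing only for referred visitors is the signal worth escalating, and the `differs_in` list shows an analyst which feature tripped.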




    TrendLabs researchers received spammed messages purporting to come from various companies such as eBay, J.P. Morgan Chase and Co., and Colgate-Palmolive, among others. The email bears the subject “Payment request from” and informs users about a certain recorded payment request.


    The spammed message even gives users two options: either ignore the email if the payment request is genuine, or download the attached .ZIP file and install the “inspector module” to decline the said payment request. Even a user who has made no transaction is thus pushed to download the attachment just to cancel the request. The attached .ZIP file is, of course, not an inspector module but an .EXE file (module.exe), detected by Trend Micro as TROJ_AGENTT.WTRA.
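    The attachment in this post is a .ZIP that carries an .EXE (module.exe) dressed up as an “inspector module”. A mail gateway does not need to run or extract such an archive to decide it is unsafe: listing the members and reading the first two bytes of each is enough to catch an executable, even one renamed to look like a document. The code below is an added example, not part of the original post or a Trend Micro tool; the extension lists and the sample archive built by `build_sample_zip` are constructed for the demonstration, and the “PE” members contain only an MZ signature followed by filler, not a real executable.

```python
import io
import zipfile
from typing import Dict, List

# Extensions Windows treats as directly executable (constructed, deliberately non-exhaustive).
EXECUTABLE_EXTENSIONS = {
    ".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".vbe",
    ".js", ".jse", ".wsf", ".wsh", ".hta", ".msi", ".dll", ".cpl", ".lnk",
}
# Inner extensions that make a trailing executable extension look like a disguise.
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".txt", ".jpg", ".png"}


def inspect_zip(data: bytes) -> List[Dict[str, object]]:
    """Describe every member of a ZIP held in memory; nothing is extracted to disk."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            basename = info.filename.rsplit("/", 1)[-1].lower()
            parts = basename.split(".")
            ext = "." + parts[-1] if len(parts) > 1 else ""
            reasons = []
            if ext in EXECUTABLE_EXTENSIONS:
                reasons.append(f"executable extension {ext}")
            if len(parts) > 2 and "." + parts[-2] in DOCUMENT_EXTENSIONS:
                reasons.append(f"double extension .{parts[-2]}{ext}")
            if info.flag_bits & 0x1:
                # Password-protected members cannot be sniffed; that alone is worth a flag.
                reasons.append("encrypted member, content not inspectable")
            else:
                with zf.open(info) as fh:
                    head = fh.read(2)  # only the DOS 'MZ' signature is needed
                if head == b"MZ":
                    reasons.append("MZ signature (Windows executable) regardless of extension")
            findings.append({"name": info.filename, "size": info.file_size, "reasons": reasons})
    return findings


def should_block(findings: List[Dict[str, object]]) -> bool:
    """Gateway policy: any flagged member is enough to hold the message."""
    return any(f["reasons"] for f in findings)


def build_sample_zip() -> bytes:
    """Constructed attachment modelled on the post: 'module.exe' plus a disguised executable."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("module.exe", b"MZ" + b"\x00" * 62 + b"constructed stand-in, not a real PE")
        zf.writestr("statement.pdf", b"MZ" + b"\x00" * 62 + b"executable hiding behind a .pdf name")
        zf.writestr("readme.txt", b"Run the inspector module to decline the payment request.")
    return buf.getvalue()


if __name__ == "__main__":
    report = inspect_zip(build_sample_zip())
    for member in report:
        print(member)
    print("block:", should_block(report))
```

    Reading two bytes per member keeps the check cheap and avoids expanding a decompression bomb, while the encrypted-member branch covers the common evasion of shipping a password in the email body so that the gateway cannot look inside.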

    Users are advised to be wary before opening any attached file, even one that appears to come from a known source. It is also best to verify with the company concerned that an email is legitimate before acting on it. Trend Micro secures users from this attack via the Trend Micro Smart Protection Network™, which detects and blocks the spammed emails and prevents the download of the malicious file.




    © Copyright 2011 Trend Micro Inc. All rights reserved. Legal Notice