
    Archive for February 22nd, 2010

    Trend Micro’s Web Reputation Services (WRS) Operations Team recently received a phishing email claiming to be from Blogger (see Figure 1), a free blog publishing tool from Google.


    The spammed message instructed users to update their Blogger accounts by clicking the embedded link, which led them to a fake login page. At first glance, the site's URL seemed legitimate enough: it began with the same domain name as the real Blogger login page. On closer examination, however, TrendLabs engineers found that the fake site was not actually hosted at the same address as the real one. The page was instead served from a remote site, which confirmed that this was a fake login page, that is, a phishing site (compare Figures 2 and 3).


    Users keep blogs as ongoing chronicles of whatever they are interested in. Some use blogs to promote their businesses or to show what their companies can do. Others use theirs as personal online diaries in which they record their thoughts and feelings. Whatever purpose a blog serves, signing in to and updating account records on the bogus login page will hand the phishers what they are after. This kind of attack can lead not only to data theft but also to identity theft. This is why we always urge users to be wary of suspicious-looking email messages and sites. Always check the URL of the site you are being led to. It never hurts to be a little paranoid if it means not falling prey to cybercriminals' ever-evolving social-engineering tactics.
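    The advice above, checked the way a browser actually resolves a URL rather than the way it looks: this added example (not Trend Micro's code, and the URLs in it are constructed) compares the real host of a link against the legitimate Blogger domain and flags links in which the brand's domain name appears only as a decoy, whether as a leading subdomain label of another host or in the path.

```python
from urllib.parse import urlsplit

# Constructed assumption: the sign-in domain the phishing page imitates.
LEGIT_DOMAIN = "blogger.com"


def actual_host(url: str) -> str:
    """Return the host a browser would really connect to for this URL."""
    if "://" not in url:
        url = "http://" + url          # bare "www.example.net/..." style links
    parts = urlsplit(url)
    # .hostname is already lower-cased and has any port stripped off.
    return (parts.hostname or "").rstrip(".")


def is_legit_host(host: str, legit: str = LEGIT_DOMAIN) -> bool:
    """True only if host is the legitimate domain itself or a subdomain of it."""
    return host == legit or host.endswith("." + legit)


def check_url(url: str, legit: str = LEGIT_DOMAIN) -> dict:
    """Classify a link by its real host, not by the text it begins with."""
    host = actual_host(url)
    legit_host = is_legit_host(host, legit)
    # A lookalike: the real host is not Blogger, yet "blogger.com" is visible
    # somewhere in the URL (e.g. www.blogger.com.example.net, or in the path).
    lookalike = (not legit_host) and (legit in url.lower())
    return {"host": host, "legit": legit_host, "lookalike": lookalike}


def flag_lookalikes(urls: list[str], legit: str = LEGIT_DOMAIN) -> list[str]:
    """Return the links that imitate the legitimate domain without being it."""
    return [u for u in urls if check_url(u, legit)["lookalike"]]


if __name__ == "__main__":
    # Constructed sample links, not taken from the spam run described above.
    samples = [
        "https://www.blogger.com/signin",                 # genuine
        "http://www.blogger.com.example.net/login",       # decoy subdomain label
        "http://example.net/www.blogger.com/login",       # decoy in the path
        "http://example.org/",                            # unrelated site
    ]
    for u in samples:
        print(u, "->", check_url(u))
    print("flagged:", flag_lookalikes(samples))
```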

    Trend Micro™ Smart Protection Network™ protects product users from this kind of attack by preventing the spammed messages from even reaching their inboxes via the email reputation service and by blocking access to malicious sites and domains via the Web reputation service.

    Non-Trend Micro product users can stay protected as well by using free tools such as eMail ID, a browser plug-in that helps identify legitimate email messages in users' inboxes. It helps users avoid opening and acting on phishing messages that attempt to spoof real companies.

    News of another plane crash shook Americans on Thursday morning. Reportedly, a disgruntled pilot, furious with the Internal Revenue Service (IRS), intentionally crashed a small plane into the building that housed the agency's office in Austin, Texas. Although the incident was tagged "an isolated event" and not an act of terrorism, cybercriminals launched their own "terrorist" attack, scaring unwitting users with yet another FAKEAV variant for profit.

    Using the blackhat search engine optimization (SEO) techniques FAKEAV peddlers habitually rely on, this variant's pages quickly rose to the top of the search results returned to users looking for news updates about the incident. Clicking the malicious link leads to the download of TROJ_FAKEAV.LGJ.


    The same tactic has also been used to take advantage of other recent notable news and events, such as "Superbowl 44" and Bill Cosby's alleged death, the Winter Olympics, and even the February Microsoft patch release.

    Apart from being scammed into buying a useless application, users who are tricked into clicking the malicious link and filling out the order form can also fall prey to data theft or, worse, identity theft should the perpetrators decide to sell their credentials (i.e., credit card numbers and other pertinent personal information) to the highest bidders in underground markets.

    Trend Micro™ Smart Protection Network™ protects product customers from this and similar threats by blocking user access to all related malicious sites via the Web reputation service and by detecting and preventing the download of malicious files like packupdate_build6_195.exe, aka TROJ_FAKEAV.LGJ, via the file reputation service.

    Non-Trend Micro product users, on the other hand, can also stay protected from such threats via free tools like Web Protection Add-On, which is designed to block access attempts to potentially malicious websites in real time.

    Trend Micro security experts had not seen pump-and-dump spam campaigns in a fairly long time. In fact, the most recent attacks of this kind were last seen last year.

    In a pump-and-dump attack, spammers drive up the stock prices of companies they own shares in by sending spammed messages carrying misleading or outright untrue positive news about those companies. Once the companies' real stock prices have risen sufficiently, the spammers sell, or dump, their own shares for a profit.

    TrendLabs engineers, however, recently saw this tactic make a comeback on the popular VoIP application Skype. Spammers used the application's instant-messaging (IM) feature to send the pump-and-dump spammed messages below.


    Spammers tried to promote two companies: EcoBlu Products, Inc. and Terra Energy & Resource. As in other spam runs that use IM applications, Skype users received these messages from users who were not in their contact lists.

    As usual, we urge users not to click any link in messages sent via email or IM applications that come from people they do not know.

    Trend Micro™ Smart Protection Network™ protects product users from this threat by preventing the spammed messages from reaching their inboxes via the email reputation service and by blocking access to malicious sites via the Web reputation service.

    Non-Trend Micro product users, on the other hand, can also keep their systems safe by using free tools like eMail ID, a browser plug-in that helps identify legitimate email messages in users' inboxes.

    © Copyright 2011 Trend Micro Inc. All rights reserved. Legal Notice