
    Archive for July, 2011




    In the last 24 hours, there has been much coverage of a data breach that affected an estimated 35 million users of SK Comms in South Korea. SK Comms is the largest service provider in the region, offering three types of service: social networking, mobile phone, and instant-messaging (IM). The breach affected user accounts of the Nate portal and Cyworld, both operated by SK Comms.

    SK Comms Breach

    Given the breadth of services it offers, SK Comms is committed to securing its users and, as such, requires more personal information to secure and link user accounts than many other service providers do. Unfortunately, the very measures meant to protect users are what made this breach so damaging. The stolen information includes user names, email addresses, contact numbers, and some encrypted fields, among them the users' blood types.

    The online landscape in South Korea gives an idea of the breach's impact. The country's Internet penetration is high and its connections are fast enough to sustain mobile banking (i.e., conducting online banking transactions from mobile devices and smartphones), so mobile banking is commonplace there. Users who submitted the same personal details and reuse the same password across their online accounts are the easiest targets for follow-on attacks: with the leaked names, contact numbers, and email addresses in hand, it would not take much creativity for attackers to mount convincing phishing or account-takeover attempts.

    SK Comms issued an advisory to users of the affected sites. In the advisory, it apologized for the incident and gave users instructions on what to do if they receive voice phishing calls or spammed messages. More information can be found at http://www.nate.com/nateInfo/noticeInfo.aspx.




    We were recently able to analyze an attack that compromised numerous e-commerce websites in order to steal credit card information from their potential customers.

    The affected websites were all found to be running osCommerce, an open source e-commerce solution that lets shop owners easily manage their online stores.

    Based on our analysis, more than 90,000 pages were compromised. The attackers inserted into each of these pages an iframe pointing to certain URLs, which trigger a chain of redirections. The redirections finally lead to an exploit kit that abuses the following vulnerabilities in an attempt to download a malicious file onto visitors' systems:

    Successful exploitation of the above-mentioned vulnerabilities triggers a connection to another URL to download the final payload, which we now detect as TROJ_JORIK.BRU. This malware searches Internet caches, cookies, and browsing histories for login credentials and other data used on specific websites, usually those of banks and other financial institutions. TROJ_JORIK.BRU then forwards the stolen information to specific websites.
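    The indicator on the server side of this campaign is the injected iframe itself. The following is an added example of a small scanner for that pattern, not Trend Micro's tooling nor any osCommerce code; the sample pages, the allowed-host list, and the redirector hostname in it are constructed for the demonstration and are not URLs from the actual attack. It flags iframes that point off-site, are sized to a pixel or less, or are hidden with CSS, which is the generic shape of a mass-injection iframe.

```python
"""Scan HTML for injected hidden iframes (added example, constructed data)."""
import os
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the shop legitimately embeds.  Assumption for the demo site.
ALLOWED_HOSTS = {"shop.example", "www.shop.example"}

# Constructed sample pages: a clean catalog page and one carrying an
# injected 1x1, off-screen iframe to a third-party redirector (hypothetical).
CLEAN_PAGE = """<html><body><h1>Catalog</h1>
<iframe src="https://www.shop.example/help" width="600" height="400"></iframe>
</body></html>"""

INJECTED_PAGE = """<html><body><h1>Catalog</h1>
<iframe src="http://redirector.invalid/in.php" width="1" height="1"
 style="visibility:hidden;position:absolute;left:-9999px"></iframe>
</body></html>"""


class IframeCollector(HTMLParser):
    """Collects the attribute dict of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append({k: (v or "") for k, v in attrs})


def _is_tiny(value):
    """True for width/height values of one pixel or less."""
    v = value.strip().rstrip("px").strip()
    try:
        return float(v) <= 1
    except ValueError:
        return False


def suspicious_iframes(html, allowed_hosts=ALLOWED_HOSTS):
    """Return [(src, [reasons...])] for iframes matching injection heuristics."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for f in parser.iframes:
        reasons = []
        src = f.get("src", "")
        host = urlparse(src).hostname or ""
        if host and host not in allowed_hosts:
            reasons.append("external-src:" + host)
        if _is_tiny(f.get("width", "")) or _is_tiny(f.get("height", "")):
            reasons.append("tiny-size")
        style = f.get("style", "").replace(" ", "").lower()
        if ("display:none" in style or "visibility:hidden" in style
                or ("position:absolute" in style and "left:-" in style)):
            reasons.append("hidden-style")
        if reasons:
            findings.append((src, reasons))
    return findings


def scan_directory(root, exts=(".php", ".html", ".htm")):
    """Walk a webroot and map each page path to its suspicious iframes."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(exts):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = suspicious_iframes(fh.read())
                if hits:
                    report[path] = hits
    return report


if __name__ == "__main__":
    print("clean:", suspicious_iframes(CLEAN_PAGE))
    print("injected:", suspicious_iframes(INJECTED_PAGE))
```

    Run `scan_directory("/var/www/catalog")` against a shop's document root to list the pages that need cleaning; the heuristics are deliberately loose, so review the hits rather than deleting on sight, and remember that the injection vector (the osCommerce weakness used to write the pages) also has to be closed or the iframe will simply come back.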

    Customers as the Biggest Target

    This attack affects not only the site owners, whose businesses are disrupted by the compromise, but also, and worse, their potential customers, whose credit card information is stolen simply for visiting a supposedly trusted site. As Trend Micro threat response engineer Karl Dominguez observes, “This attack is quite efficient. It specifically targets users who visit e-commerce sites since they are the ones most likely to have gone shopping online before and are more likely to have their credit card information stored in their systems.”

    The attacker also seemed to use a “get it and go” approach, deleting the malicious file immediately after execution. “This is not like ZeuS attacks, wherein the malware hides in the system for continuous monitoring. The malware just executes, takes the information that it wants to steal, then deletes itself. This may be done to prevent detection by the victims,” Dominguez explains.




    This blog post is based on my talk at the annual “IDC Asia/Pacific CIO Summit” held on July 28, 2011. I regularly blog about this topic at the Trend Micro Consumerization Blog.

    The world of enterprise IT is going through a lot of changes right now. One of the most important trends driving these changes is consumerization.

    Now, what is consumerization? Simply put, it is the trend of employees using their own personal IT devices for work. The most obvious consumerization devices are smartphones. More and more smartphones are being sold to consumers today: 92 million computers were sold in the last quarter of 2010, but more than 100 million smartphones were sold in the same period.

    These devices are ending up in the hands of tech-savvy users who have never known a world without the Internet, or a world without immediate connectivity and access. Businesses will have to make some real adjustments to lure this new wave of talent, and that will require offering more choices than traditional, standard-issue office laptops.

    However, consumerization is about much more than smartphones. Employees also use many online services for work, ranging from social networking sites like Facebook and Twitter, to storage services like Dropbox and YouSendIt, to voice-over-IP services like Skype. Skype is a perfect example of the “bring your own IT” concept: it lets employees avoid roaming fees, and a “premium” Skype subscription currently costs only about US$20 per month.




    We encountered another LICAT variant spreading via fake Internal Revenue Service (IRS) spam sent to people at specific organizations, including Trend Micro. As you may recall, LICAT is known for using a domain generation algorithm (DGA) to compute its URLs dynamically.

    The spammed message tells recipients about a supposed issue with their tax payments and contains a link that supposedly leads to the recipient's tax review. Users who click the link are prompted to download an executable file which, when run, installs the malware now detected as TSPY_ZBOT.WHZ on their systems.

    Like other LICAT variants, TSPY_ZBOT.WHZ generates URLs from a computation based on the current date. It connects to these dynamically generated URLs to download its configuration file, which lists the sites it will monitor as well as the site to which it will send stolen information. Otherwise the malware concentrates on the typical ZBOT information-theft routines. The point of the DGA is evasion: because the URLs change every day, blocking any single domain does little, and static URL blocklists in antivirus and web-filtering products fall behind unless the algorithm itself is recovered.
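    To make the mechanism concrete, the following is an added example of a date-seeded domain generator together with the defender's counter-move, pre-computing the coming days' domains for a blocklist or sinkhole. It is not LICAT's or ZBOT's real algorithm: the hash construction, the seed string, the TLD list, and the number of domains per day are illustrative assumptions. The example generalizes the point in the text; a real family's generator has to be recovered by reverse engineering before a blocklist built this way is worth anything.

```python
"""Date-seeded DGA and blocklist pre-computation (added example, not LICAT's code)."""
import datetime
import hashlib

TLDS = ["com", "net", "org", "info", "biz"]   # assumption, illustrative only
PER_DAY = 20                                    # assumption, illustrative only
SEED = b"demo-seed"                             # assumption, illustrative only


def generate_domains(day, count=PER_DAY, seed=SEED):
    """Return the ordered candidate list for one calendar day.

    The only varying input is the date, so every infected host (and any
    defender who knows the algorithm) derives exactly the same list.
    """
    domains = []
    for i in range(count):
        material = seed + day.strftime("%Y%m%d").encode() + str(i).encode()
        digest = hashlib.md5(material).hexdigest()
        # 12 hex byte pairs -> 12 lowercase letters; last byte picks the TLD.
        label = "".join(chr(ord("a") + int(digest[j:j + 2], 16) % 26)
                        for j in range(0, 24, 2))
        tld = TLDS[int(digest[-2:], 16) % len(TLDS)]
        domains.append(f"{label}.{tld}")
    return domains


def first_live(domains, resolves):
    """Bot-side loop: walk today's list and use the first domain that resolves.

    `resolves` is a callback (domain -> bool) so the demo stays offline.
    """
    for d in domains:
        if resolves(d):
            return d
    return None


def precompute_blocklist(start, days):
    """Defender side: every domain the bot could use from `start` for `days` days."""
    out = set()
    for n in range(days):
        out.update(generate_domains(start + datetime.timedelta(days=n)))
    return out


def is_dga_candidate(domain, day, window=1):
    """Check an observed domain against the lists for day +/- window (clock skew)."""
    for n in range(-window, window + 1):
        if domain in generate_domains(day + datetime.timedelta(days=n)):
            return True
    return False


if __name__ == "__main__":
    today = datetime.date(2011, 7, 27)
    todays = generate_domains(today)
    # Constructed resolver: pretend only the third candidate was registered.
    chosen = first_live(todays, lambda d: d == todays[2])
    print("bot would contact:", chosen)
    print("domains to block this week:", len(precompute_blocklist(today, 7)))
```

    The asymmetry is the lesson: the bot only needs one of the day's domains to resolve, while the defender has to cover all of them for every day ahead, which is only feasible once the generator is known exactly, seed and all.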




    Cybercriminals quickly took advantage of news of Amy Winehouse's death to stage online attacks. Amy Winehouse, a multi-awarded English singer and songwriter, passed away at age 27 over the weekend.

    This is standard behavior for cybercriminals. One attack we've seen on Facebook is the usual survey scam, which routes the victim through an age verification page and a fake video page before getting them to take part in a supposed survey.

    We noted that the survey used in this attack is similar to the one described in the blog entry “Survey Scam Offers Google+ Invites.” Users who are familiar with these survey scams on Facebook are in a better position to protect themselves and to warn their contacts if they find malicious posts in their News Feeds.

    The details of the Amy Winehouse Facebook survey scam are as follows:

    • The user clicks a Wall post that supposedly features an Amy Winehouse video taken before her death.
    • The user is then led to the following page:


    © Copyright 2011 Trend Micro Inc. All rights reserved. Legal Notice