Trend Micro Malware Blog

Archive for August, 2011

    One-click billing fraud, a scheme known for targeting PC users in Japan, now appears to target smartphone users as well.

    The scheme, as its name suggests, tricks victims into registering for and paying for a service after being lured to a specific website. Successful attacks have been on the rise in Japan since 2004; in November 2009 alone, the Information Technology Promotion Agency Japan received 903 inquiries about the scheme.

    A typical attack starts with a spam message sent to the victim that links to a website hosting free videos. The site lists videos with sensational titles to catch users' attention. Trying to view any of the videos plays a trailer, along with an explanation of why viewing it is free.

    Once the trailer ends, a "view more" link is displayed, which users must click to supposedly see the video they originally wanted. Instead, they are redirected to a page telling them that they must first register as a member and pay a fee. The window demanding payment is shown continuously until they pay the stated amount.

    Hurricane Irene surely turned New York City into the “city that never sleeps,” as it brought floodwaters, knocked out power for more than 4 million people, and was even responsible for at least 15 deaths in six states.

    What’s worse is that cybercriminals are taking advantage of the incident by spamming a fake video on Facebook.

    The page, which contains the alarming title “VIDEO SHOCK – Hurricane Irene New York kills All,” displays a clickable image of a fake video player.

    The text displayed on the succeeding pages is written in Italian, which suggests that the attack specifically targets Italian users. Clicking the image of the video displays a prompt that says, “Per Vedere il video devi prima condividere,” which translates to “To see the video you must first share,” as well as two options that say “Share” and “See the video.”

    The operators of malicious networks continue to monetize their activities by propagating rogue security software that uses scare tactics to trick unsuspecting users into installing and purchasing fake antivirus software, aka FAKEAV.

    Although FAKEAV volume has declined as a result of the increasing pressure on the payment processors that handle credit card transactions for FAKEAV providers, distribution is likely to increase again once new connections are made to cooperative payment processors. The money generated through this activity is enormous, and those behind FAKEAV distribution continually try to stay one step ahead of law enforcement and the security community.

    Today, Trend Micro released a research paper that focuses on how FAKEAV affiliate networks operate, what propagation strategies they use, and how much they earn from their malicious activities.

    The complexity of these affiliate networks poses significant challenges to law enforcement agencies and to the security industry. Unlike direct fraud such as stealing money from compromised bank accounts, the damage that FAKEAV infections inflict is considerable only in the aggregate: the amount of criminal activity conducted in any one jurisdiction, or against any one victim, is still small. As a result, many of the smaller malicious operations connected with FAKEAV affiliates are able to avoid scrutiny.

    When talking about social media threats, the focus tends to be on the notorious KOOBFACE malware, which has recently turned a “new leaf” and now propagates via peer-to-peer (P2P) file sharing.

    However, KOOBFACE is not the only threat that hounds social media. These social networking sites also have features that can become threat vectors. A seemingly harmless wall post from a friend, a video shared by an online contact, or an instant message from a colleague can potentially lead to an attack.

    These features are meant to make socializing effective and meaningful. However, they have also been used by cybercriminals in their attacks.

    On Facebook, the wall is the riskiest region of the user interface. Cybercriminals have concocted several threats that leverage popular news items, such as the deaths of Osama bin Laden and singer Amy Winehouse, and even the hoax about Lady Gaga's death.

    To give avid users a rundown of the potential threats they may encounter, we have put together an infographic on the current landscape of social media threats.

    For tips on how to arm yourself against social media threats, check out our e-book, “A Guide to Threats on Social Media.”
    Our team recently came across a spam run that leads to the download of a ZBOT variant that uses a domain-generation technique. The spam run involves messages that arrive in users’ inboxes as Facebook friend request notifications.

    The message bears a link that users must click to approve the friend request. Clicking the link, however, leads to a page informing users that they need to install the latest version of Adobe Flash Player in order to proceed. Unsurprisingly, the downloaded file is not the Adobe Flash Player installer but a malicious file detected as TSPY_ZBOT.FAZ.

    TSPY_ZBOT.FAZ, like most ZBOT variants, contacts a site to retrieve a configuration file. That configuration file lists the URLs the malware monitors in order to steal the credentials entered there. What makes this particular variant noteworthy is that it employs a domain-generation technique. Unlike other ZBOT variants, which carry a preset URL from which to download the configuration file, TSPY_ZBOT.FAZ generates the URLs it contacts with a pseudo-random function computed from the system's current date. The domain therefore changes from day to day, which defeats a static blocklist of previously seen domains, yet remains predictable to anyone who knows the function: the operator can register the day's domain in advance, and a defender who recovers the function from the sample can precompute the same domains for blocking or sinkholing.
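As an added example that is not Trend Micro's code and does not reproduce the actual TSPY_ZBOT.FAZ generator (the post does not publish it), the following Python shows the general shape of a date-seeded DGA and the defensive use of the same determinism: once the function is recovered from a sample, a defender precomputes the candidate domains for the day and matches DNS query logs against them. The hash-based generator, its seed, the TLD list, the count of 20 domains per day, the one-day clock-skew window and the DNS log format are all assumptions made for the example.

```python
from __future__ import annotations

import hashlib
import re
from datetime import date, timedelta

# Hypothetical parameters of the illustrative DGA (assumptions for this
# example, not the values used by TSPY_ZBOT.FAZ).
SEED = b"illustrative-dga-seed"
TLDS = ("com", "net", "biz")
DOMAINS_PER_DAY = 20


def dga_domains(day: date, count: int = DOMAINS_PER_DAY, seed: bytes = SEED) -> list[str]:
    """Return the `count` candidate domains for `day`.

    Each candidate is derived from SHA-256(seed || ISO date || index), so a
    bot and its operator that share the seed and agree on the date produce
    the same list without any hard-coded URL in the binary.
    """
    domains = []
    for i in range(count):
        material = seed + day.isoformat().encode() + i.to_bytes(2, "big")
        digest = hashlib.sha256(material).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:12])
        tld = TLDS[digest[12] % len(TLDS)]
        domains.append(f"{label}.{tld}")
    return domains


def candidate_set(day: date, skew_days: int = 1) -> set[str]:
    """Candidates for `day` plus `skew_days` on either side.

    Infected hosts may have wrong clocks, so a defender precomputing the
    day's domains (for blocklisting or sinkholing) widens the window.
    """
    offsets = range(-skew_days, skew_days + 1)
    return {d for off in offsets for d in dga_domains(day + timedelta(days=off))}


# Constructed DNS log lines for the example: "<timestamp> <client-ip> <queried-name>".
SAMPLE_DAY = date(2011, 8, 25)
TODAYS_CANDIDATES = dga_domains(SAMPLE_DAY)
SAMPLE_DNS_LOG = [
    "2011-08-25T10:00:01 10.0.0.5 www.facebook.com",
    f"2011-08-25T10:00:02 10.0.0.5 {TODAYS_CANDIDATES[3]}.",  # trailing dot as a resolver logs it
    "2011-08-25T10:00:03 10.0.0.7 get.adobe.com",
    f"2011-08-25T10:00:04 10.0.0.5 {TODAYS_CANDIDATES[17].upper()}",  # case must not matter
    "2011-08-25T10:00:05 10.0.0.9 mail.example.net",
]

_LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def find_dga_lookups(log_lines: list[str], candidates: set[str]) -> list[tuple[str, str]]:
    """Return (client, domain) pairs whose queried name is a DGA candidate.

    Names are normalised (lower-cased, trailing dot removed) before the set
    lookup; malformed lines are skipped rather than raising.
    """
    hits = []
    for line in log_lines:
        m = _LOG_RE.match(line.strip())
        if not m:
            continue
        _ts, client, qname = m.groups()
        qname = qname.lower().rstrip(".")
        if qname in candidates:
            hits.append((client, qname))
    return hits


if __name__ == "__main__":
    for client, domain in find_dga_lookups(SAMPLE_DNS_LOG, candidate_set(SAMPLE_DAY)):
        print(f"{client} resolved DGA candidate {domain}")
```

The value of this approach rests entirely on recovering the real generator from the sample; the SHA-256 construction here is a stand-in, and a production version would swap in the reverse-engineered function and feed it real resolver logs.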

    © Copyright 2011 Trend Micro Inc. All rights reserved.