The said vulnerability is triggered when Windows Multimedia Library in Windows Media Player (WMP) fails to handle a specially crafted MIDI file, consequently allowing remote attackers to execute arbitrary code.

In the attack that we found, the infection vector is a malicious HTML which we found hosted on the domain, hxxp://images.{BLOCKED}p.com/mp.html. This HTML, which Trend Micro detects as HTML_EXPLT.QYUA, exploits the vulnerability by using two components that are also hosted on the same domain. The two files are: a MIDI file detected as TROJ_MDIEXP.QYUA, and a JavaScript detected as JS_EXPLT.QYUA.

HTML_EXPLT.QYUA calls TROJ_MDIEXP.QYUA to trigger the exploit, and uses JS_EXPLT.QYUA to decode the shellcode embedded in HTML_EXPLT.QYUA’s body. Below is a screenshot of HTML_EXPLT.QYUA’s code. Notice the highlighted parts where it calls the MIDI and JavaScript components:

Meanwhile, as the routines stated above happens in the background, the affected users remains unsuspecting and sees the following:

Microsoft has already issued an update to address this vulnerability during the last patch Tuesday, so our first advice to users is to patch their system with the Microsoft security update here. It affects Windows XP SP2 and SP3, Server 2003 SP2, Vista SP2, and Server 2008 SP2. We’d like to reiterate that this is a publicly disclosed exploit. As such, we can expect similar attacks in the future.

On the other hand, Trend Micro customers are already protected from this by the Trend Micro™ Smart Protection Network™, which blocks the related malicious files and URLs.

We will update this blog entry once more information is available.

Update as of January 26, 2012, 7:50 a.m. (PST)

Trend Micro Deep Security shields this vulnerability using the specified rules. For more information on the Deep Security rules, users can visit our vulnerability page here.

Trend Micro Deep Security customers are protected by the rule 1004899 – Microsoft Windows Media Player MIDI Remote Code Execution Vulnerability (CVE-2012-0003). This rule prevents download of MIDI files, containing bad records, which could allow an attacker to execute arbitrary code if the user opens a link to a midi file or visits a page with embedded MIDI file.

Update as of January 27, 2012, 2:55 a.m. (PST)

Upon further processing, we found that TROJ_DLOAD.QYUA uses two other components for its routines. It drops RTKT_MDIEXP.QYUA for its rootkit capabilities, and connects to a certain URL to download its main payload — BKDR_EAYLA.QYUA. Currently, we are analyzing this threat and we will update this blog post once analysis is complete.

Update as of January 27, 2012, 8:15 p.m. (PST)

Further analysis of BKDR_EAYLA.QYUA revealed that it is not a backdoor, but an info stealer which we now detect as TSPY_ONLING.KREA. This particular malware steals credentials related to certain Korean online game sites. Once credentials are captured, they are sent to the attacker’s C&C.

Update as of January 30, 2012, 12:30 a.m. (PST)

Below is a behavior diagram on how this particular threat works.

Post from: TrendLabs | Malware Blog - by Trend Micro

Malware Leveraging MIDI Remote Code Execution Vulnerability Found

Contrary to the name, you need more than just one click to become a victim. This type of attack primarily targets users who want to view adult videos.

1. Users either go to video-sharing websites or adult blogs in order to watch adult videos online. Links to these sites are also spread via spam, blog comments, and social media. Once users stumble upon one-click fraud sites, users click around to explore the site.Eventually, users are asked to download a program in order to watch a certain video. In reality, however, either no video will be played on the user system, or just a few seconds of it. Instead, the user will be confronted by multiple windows that ask the user to click an item on the screen to view the video in its entirety.After this, they will reach a point where they can “download” the video. What ends up being downloaded is the main one-click fraud malware. These malware are often of the HTML/HTA (HTML Application), JS, and VBS file types, among other file types.. They are also detected by Trend Micro as HTAPORN or PORNY variants, among others.
2. Once on the system, the one-click fraud malware on user systems will display some sort of alarming, obnoxious, and impossible-to-ignore alert, such as the following:In earlier versions, it was impossible to close the windows. However, because this was recognized as a symptom of one-click fraud later versions no longer did this. These alerts will all say the same thing: demand that the user pay to see the adult video. The most common payment method offered is direct deposit to bank accounts.Amounts involved can be significant, but always only up to 100,000 yen (approximately 1300 US dollars). This might be because Japan banking rules do not allow transactions that go beyond 100,000 yen.

Has this threat evolved?

Traditionally, these kinds of threats were confined to the desktop. Last year, however, we first found these sorts of attacks hitting mobile platforms as well. When we encountered these attacks in late August, they did not require or use any sort of app: trying to view a video would lead to a website where the user would be told how to pay. At this time, billing fraud couldn’t use the sorts of tactics (pop-ups, annoying alerts, etc.) that was already known to desktop variants.

How many users are affected by this attack? Where are they located?

One-click fraud is essentially unknown outside of Japan. Within Japan, however, it is frequent enough that government agencies keep track of cases that have been filed with their offices. Typically, around 400 new cases are reported every month. It is certain, however, that many other cases go unreported—users may be afraid of going to law enforcement.

It has been suggested that the reason these attacks work is because it succeeds so well in instilling shame and guilt, embarrassing users enough that they will be forced to pay.

Are there any other attacks like this in other countries? What are the differences between these attacks?

Conceptually, there are similarities between one-click fraud and scareware/FAKEAV attacks found elsewhere. In both cases, users are paying money to get something they want: “antivirus software” in the former, and pornography in the latter. Ransomware attacks are broadly similar as well, although that is more a situation of avoiding something highly undesirable (loss of data).

In addition, the tactics that one-click fraud uses are very similar to ZLOB/fake video codec attacks in the past. These attacks also entice victims with videos, but they will need to download a codec (which is the malware) in order to view them.

There are two key differences between one-click fraud and similar attacks. Firstly, the money involved is much higher: users are scammed out of up to 100,000 yen. Contrast this to scareware attacks, which often are priced below $100.

This first factor directly influences the second: it is highly unusual for this category of scams for the payment to be made via direct deposit. This may be attributed to the larger amount of money involved, as well as a desire to avoid automated fraud detection schemes.

What can users do to protect themselves?

In general, searching for pornography online will always raise the risk for users, because cybercriminals are keenly aware how many people are looking for it and plan their attacks accordingly. However, for one-click fraud, a key sign of trouble is the multiple hoops that the user must pass through before being able to download the “video”. If users encounter such a situation, they are strongly advised to proceed with caution.

Trend Micro blocks both the websites and files associated with these sort of attacks with Trend Micro™ Smart Protection Network™. Web Reputation Technology blocks malicious URLs before entering users’ systems, while File Reputation Technology checks the reputation of each file against an extensive database before permitting user access.

Users are also protected on their mobile phones with Trend Micro Mobile Security, a complete security solution for tmobile devices. Trend Micro Mobile Security is powered by the Trend Micro™ Smart Protection Network™.

Here are some more links about this threat:

• Computer Virus / Unauthorized Computer Access Incident Report – July 2011 (Information-technology Promotion Agency of Japan)
• Smartphones: The Next One-Click Billing Fraud Target
• One-Click Billing Fraud Scheme Through Android App Found

For more information about one-click billing fraud, view our infographic here.

Post from: TrendLabs | Malware Blog - by Trend Micro

The Ins and Outs of One-Click Billing Fraud

As we prepare for the year ahead, let us take a look at some of the Trend Micro 2011 predictions that came true and how we contributed to the security industry’s wins against the continuing war against cybercrime.

 

Though we didn’t foresee hacktivism coming to the fore in 2011, we witnessed a slew of mass compromises result from AntiSec and LulzSec attacks against various entities. Armed with politically charged agendas and disgruntled with varying issues, hacktivist groups continued to fling attacks at users.

2011, however, wasn’t all bad, as we also garnered some wins in our never-ending battle against cybercrime. In close collaboration with our industry partners and law enforcement authorities, Trend Micro was at the forefront in what has been dubbed the “Biggest Cybercriminal Ring Takedown”—Operation Ghost Click—to date. As individuals and organizations alike embark on the cloud journey, we at Trend Micro, along with our fellow cybercrimefighters in law enforcement and the security industry, will continue to serve our customers by providing data protection from, in, and for the cloud.

For more details on what 2011 was like, take a look at the 2011 security roundup report, A Look Back at 2011: Information Is Currency.

Post from: TrendLabs | Malware Blog - by Trend Micro

2011: The Year of Data Breaches

What happens when you click on the link? You are redirected to a page for a “Followers Monitor”, which leads eventually to a page asking you to authorize an application to use your Twitter account. This rogue application is able to carry out such “minor” operations as reading your tweets, updating your profile, and even posting tweets on your behalf. If you actually give the app access, of course, the first thing it will do is post its own version of the spammed Tweet.

Be careful with clicking on links from Twitter, particularly ones like these that claim you can learn who unfollowed you – they are always a scam. If you do inadvertently click links like this, you can undo some of the damage by removing the app’s authorization to access your Twitter account. This can be found under the Applications tab of your settings. Trend Micro already blocks the above page, so users are already protected from this threat.

Update as of 7:30 PM (UTC-7), December 20, 2011

We’re still seeing spammed Tweets that are similar to this attack, although some variants seem to have stopped mining the trending topics for hashtags to use. Please consider any link that comes from s0rt(dot)tk to be malicious and don’t click on them.

Post from: TrendLabs | Malware Blog - by Trend Micro

New “Unfollowed You” Scam Hits Twitter Trending Topics

Mobile computing is also starting to play a bigger role in terms of online shopping, as 43% of all Web-enabled smartphone owners said they use their mobile devices to help them shop. This percentage will likely increase in the coming years, or even as soon as the next couple of months considering the upcoming holiday season.

As online shopping becomes widely preferred as a primary method for purchasing items, online shoppers will also become preferred cybercriminal attack targets. Cybercriminals are continuously launching attacks, any or all of the following shopper information: credit card credentials, online banking personal identification numbers, and other personal data. The attack types seen include:

• blackhat SEO attacks – search results for hot items such as gadgets and others can be poisoned to lead users to malicious sites
• scams – coming off as online promos, scams trick users into becoming victims of their malicious schemes that can lead to information and financial theft. A good example of this is a spam run we recently saw leveraging Black Friday.
• session hijacking – users who do their shopping while connected to unsecure networks put themselves at risk of this attack, which involves sniffing through networks for certain kinds of information such as account credentials, and using the said information to impersonate the users and execute actions

Shoppers need not be helpless against these attacks, however, as they can implement security measures and can use solutions that help them avoid being victimized. In our guide, “Online Shopping Safety Made Easy,” and infographic, “Online Shopping Tips,” we discuss things online shoppers need to know in order to protect themselves from online shopping-related attacks.

 

As we get closer to Christmas, instances of the above-mentioned threats increase in number, thus users need to keep themselves protected. For more information on threats leveraging the holidays, and for ways to prevent being victimized, check our reports, and our ebook:

• Season’s Warnings: iPhone 4S Scam and Other Holiday Threats
• Beware of Holiday-Themed Multi-component Online Threats
• Season’s Warnings

Post from: TrendLabs | Malware Blog - by Trend Micro

Online Shopping Safety Made Easy

Targeted Campaigns

Targeted malware attacks are rarely isolated events. It is more useful to think of them as campaigns – a series of failed and successful attempts to compromise targets over a period of time. An attacker’s prior knowledge of the victim, possibly from a previously successful attack, affects the level of specificity associated with a single attack in a malware campaign. In this case, the attackers used messages with an IT security theme that appeared rather generic but were customized for various targets. The download link in the email messages was made to appear as if it were pointing to the target’s own website. Often, this less-specific level of targeting focuses on communities of interest and is aimed at acquiring information to be used in a future, more precise attack.

Moreover, there is generally a diversity of targets. In this case, the Nitro attackers targeted a concentration of chemical companies but also targeted human rights NGOs, motor companies and defense contractors.

Human Interaction

The backdoor used in the Nitro campaign is known as Poison Ivy. It is a freely available Trojan that provides an attacker with full, “real-time” access to a compromised computer. One often overlooked component of targeted malware attacks is the reliance on real time human interaction. This distinguishes them from automated botnets. When the Poison Ivy backdoor connects to the attackers command and control infrastructure there is a human at the other end that can begin exploring the compromised computer and the network to which it belongs. This attacker can steal information, install additional malware and compromise other machines on the same network. Most importantly, the human on the other end of the Poison Ivy Trojan can react to defensive measures taken by the victim.

Segmented Infrastructure

Attackers need to deploy command and control (C&C) infrastructure in order to maintain connectivity to the computers they compromise. The attackers sometimes maintain distinct sets of C&C infrastructure making it difficult to uncover the full extent of their operations. Using the initial malware samples, domains and IP addresses provided by Symantec, we were able to map out three distinct sets of command and control infrastructure.

The first set of command and control infrastructure contains three domains provided by dynamic DNS services. Attackers often use dynamic DNS services in conjunction with RATs, such as Poison Ivy. These services make it easy for the attackers to update their C&C domains to new IP addresses thus maintaining consistent connectivity with the compromised computers.

The second set of C&C infrastructure centers around three domains which all resolved to the same IP address. The C&C domain, domain.rm6.org was also used in an attack. on the UK government in August 2011.

The third set centers on the domain antivirus-groups.com and the IP address 204.74.215.58 which Symantec has associated with a specific actor which they’ve codenamed “Covert Grove”.

This segmented infrastructure allows the same set of attackers to target different potential victims without having all the attacks linked together. Without additional information, it can be difficult to link together the full scope of targeted malware campaigns. This illustrates how important threat intelligence is to defensive strategies.

Here are some examples of MD5s connecting to the Nitro infrastructure:

• 37f70717f549f1938e5785527e56978d
• 5d075e9536c5494745135c1176981c96
• 64a4ad90a55e7b6c30c46135435f50a2
• 6e99585c3fbd4f3a55bd8f604cb35f38
• 70fcb3446fce23b18d9a12b2ed911e52
• 76000c77ea9a214f5b2ae8cc387809db
• 87aeec7f7c4ec1b6dc5e6c39b28d8273
• 8d36fd85d9c7d1f4bb170a28cc23498a
• a98d2c90b9494fc885c7cd35d43666ea
• c128c40bd8acb282288e8138352ce4e1
• 841ec2dec944964fc54786a1167713ff
• 22f77c113cc6d43d8c12ed3c9fb39825
• 6f6d6a848f87fbf26f71549d73da61f4
• b2b9702164512a92733939343275245b
• 2173b43a66070aadf052ab66dd6933ce
• f18c7639dbb8644c4bca179243ee2a99
• 9ff1e8e227e1be3dbfc55f17d2e97df8
• 31346e5b39ddb095d76071ac86da4c2e
• 20baa1cbacdab191c717f4ef5626de93
• ffa73b9f9e650f50b8568a647a9a35cf
• 070d1e5c9299afa47df25e63572a3ae8
• d558e1069a0f3f61fedcf58a0c1995fe
• 27103c6c9a80b6cf23789e2f51a846eb
• 2ffe59a6a047b2333a1f3eb58753f3bc
• 0f54a9757f1a2fef2b04b776714a7546
• c2864aff6360feb36f2ff6a6c634ddb4
• cca3af36dff79b27de093a71396afb8d
• 4a35488762f70170dc0d3f46f94a7bcb
• 3037049411db0453c91e60393a248be2
• dd5715cb3b0cdddbe131f03cc08f0f57
• 4fd6453a606e17e5efb166ad80eba5e0
• 091457444b7e7899c242c5125ddc0571
• 6e99585c3fbd4f3a55bd8f604cb35f38
• 07e266f7fb3c36a1f3a5c5d2d229a478
• 17e7022496d8092d3ca76ae9524a7260
• 2f37912e7cb6e5c478e6dc3d0e381a24
• 5d075e9536c5494745135c1176981c96
• 76000c77ea9a214f5b2ae8cc387809db
• a98d2c90b9494fc885c7cd35d43666ea
• c128c40bd8acb282288e8138352ce4e1
• cab66da82594ff5266ac8dd89e3d1539
• 70fcb3446fce23b18d9a12b2ed911e52
• c53c93a445d751387eb167e5a2b901da
• dd5715cb3b0cdddbe131f03cc08f0f57
• 0f54a9757f1a2fef2b04b776714a7546
• 37f70717f549f1938e5785527e56978d
• 31346e5b39ddb095d76071ac86da4c2e
• 330ddac1f605ff8abf60880c584ed797
• 457a2a8d0784e9fc8e49f6ef60f7f29e
• 87aeec7f7c4ec1b6dc5e6c39b28d8273
• 8d36fd85d9c7d1f4bb170a28cc23498a
• de7e293aa9c4d849dc080f3e87573b24
• 64a4ad90a55e7b6c30c46135435f50a2

Defensive strategies can be dramatically improved by understanding how targeted attacks work as well as trends in the tools, tactics and procedures of the perpetrators. Since such attacks focus on the acquisition of sensitive data, strategies that focus on protecting the data itself, wherever it resides, are extremely important components of defense. By effectively using threat intelligence derived from external and internal sources combined with context-aware data protection and security tools that empower and inform human analysts, organizations are better positioned to detect and mitigate targeted attacks.

Post from: TrendLabs | Malware Blog - by Trend Micro

The Significance of the “Nitro” Attacks

According to a Symantec analysis, portions of the code are very similar to STUXNET, and was likely written by the same cybercriminals as the well-known threat. Unlike STUXNET, however, Duqu does not have code that suggests it was developed to access SCADA systems. Instead, its final payload appears to be inclined toward information theft.

Duqu is made up of several components. The SYS file, which is detected as RTKT_DUQU.A, is responsible for activating the malware, and triggering the execution of its other routines. Based on analysis, however, the main goal of the said files is to establish a connection with its C&C server. It is said that Duqu delivered an information-stealing malware, detected as TROJ_SHADOW.AF, into the affected systems through this connection. We have also verified that DUQU has codes very similar to that of STUXNET.

Upon execution, TROJ_SHADOW.AF enumerates the processes currently running on the system. It also checks if it matches any of the following security-related processes:

• avp.exe (Kaspersky)
• Mcshield.exe (McAfee)
• avguard.exe (Avira)
• bdagent.exe (Bitdefender)
• UmxCfg.exe (CA)
• fsdfwd.exe (F-Secure)
• rtvscan.exe and ccSvcHst.exe (Symantec)
• ekrn.exe (ESET)
• tmproxy.exe (Trend Micro)
• RavMonD.exe (Rising)

If found, TROJ_SHADOW.AF launches the same process in a suspended state, then patches the malware code before resuming the execution. In effect, there will be two AV processes; the first being the original, and the second being the patched one.

TROJ_SHADOW.AF requires command lines in order to execute properly. Available commands include: collecting information on the affected system, terminating malware processes, and deleting itself. It can steal a wide array of information on any affected system, such as:

1. Drive information such as:

• FreeSpace
• Drive device name

2. Screenshots
3. Running Processes and Owner of Running Processes
4. Network Information such as

• IP address
• IP routing table
• TCP and UDP table
• DNS Cache table
• Local Shares

5. Local shared folders and connected users
6. Removable drives serial number
7. Window names
8. Information on open files on local computer using NetFileEnum

We will be updating this blog entry for further developments. While our investigation is currently ongoing, preliminary information indicates that Trend Micro’s products protect against TROJ_SHADOW.AF. Smart Feedback from the Smart Protection Network™ indicates that no Trend customers have been affected by this threat. Trend Support has not received any infection notifications.

Trend Micro products have been updated to provide protections against this latest threat through updated signature as well as by blocking access to malicious control servers with Web Reputation Services.

Users may refer to our Knowledge Base page to read up on how to protect systems from this threat.

Update as of October 20, 2011, 8:00 a.m. (PST)

Upon execution, RTKT_DUQU.A decrypts a configuration file in its body to get the registry path containing the location of TROJ_DUQU.ENC, and the process where to inject the DLL. From our analysis, the decrypted registry path in the two samples are HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\JmiNET3 and HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmi4432, respectively.

These registry paths contain the “FILTER” entry, which contains encrypted data which RTKT_DUQU.A will decrypt to get the path of TROJ_DUQU.ENC, as well as a process name where TROJ_DUQU.ENC will be injected.

Decrypting TROJ_DUQU.ENC results into a DLL file that is injected in the process specified in the registry. The decrypted DLL is detected as TROJ_DUQU.DEC. Once TROJ_DUQU.DEC is loaded, it accesses TROJ_DUQU.CFG to get configuration information.

Information contained in the configuration file include:

• Service registry key
• File path of component files
• Websites it will try to connect to for DNS checking
• Processes wherein TROJ_DUQU.DEC will inject itself into

TROJ_DUQU.DEC communicates with the C&C server to receive and execute commands. These commands include downloading other malicious files, which in this case, appears to be the infostealer TROJ_SHADOW.AF.

We’re still continuing to monitor this threat, and will update this once more info becomes available.

Update as of October 21, 2011, 5:02 a.m. (PST)

Enterprise networks are also protected from DUQU through the Trend Micro Threat Discovery Appliance, which detects the malware’s connection to the C&C server through the rule 473 TCP_MALICIOUS_IP_CONN. Also, Deep Security is able to detect the changes made inside the Drivers folder (%Window%\system32\drivers) by DUQU variants,through the rule Integrity Monitoring Rule: 1003517 – Microsoft Windows – System driver files modified.

Post from: TrendLabs | Malware Blog - by Trend Micro

Keeping Tabs on the Next STUXNET

We were able to find spam that contain the text, “Steve Jobs Alive” or “Steve Jobs Not Dead.”

Subject: Creator of Steve Jobs of Apple’s Mac, iPod and iPad dies
Steve Jobs, died of cancer aged 56
The death of Steve Jobs left an orphan of most of his creations, the Apple, a company shaped in accordance with their technological dreams and now faces the challenge of surviving in the absence of its visionary leader.
More news portal in direct U.S. in Portuguese
[LINK]

All of the said messages came with a link that when clicked redirects users to a blank site. We were unable to continue our analysis at this point. In cases like this, however, a blank page is rarely ever truly blank and is often a sign that something else is happening in the background, away from the user’s view. For this particular attack, we found reports suggesting that the said site previously contained a script that loads the BlackHole Exploit kit.

We are currently monitoring all of the sites for any further development. Trend Micro product users are already protected from this threat, as the spam and the URLs are already being blocked with the aid of the Trend Micro™ Smart Protection Network™.

Based on Smart Protection Network spam data for the first half of 2011, the volume of traditional spam has been decreasing though these are still being regularly used for malicious schemes. Attacks that involve spam heavily rely on social engineering techniques as well as more advanced methods that render IP blacklisting and content filtering insufficient. For more information on the state of spam and how Trend Micro protects product users from this type of threat, please check out our security focus report, “Spam in Today’s Business World.”

Post from: TrendLabs | Malware Blog - by Trend Micro

Steve Jobs Proclaimed Alive by Spam

In the course of conducting research, we found one specific attack that targeted Facebook users through a different route—malvertisements.

We encountered an infection chain wherein the user is led from a page within Facebook to a couple of ad sites then, finally, to a page that hosts exploits. When we traced the connection between the ad sites and Facebook, we found that the ad providers were affiliated with a certain Facebook application. We checked out the said application and found that it is indeed ad supported. We were able to come up with the likely infection chain based on this finding:

Upon accessing the application, the malvertisement gets loaded, triggering a series of redirections. The redirections finally lead to a malicious site, which then loads several exploits, particularly those related to Java and ActiveX:

• CVE-2006-0003
• CVE-2010-4452
• CVE-2010-1423

The exploits were loaded to download more malicious files although we weren’t able to trace these anymore since the URLs they accessed were already inaccessible. Nonetheless, Trend Micro already provides protection for this kind of threat by not only blocking access to malicious URLs but also by protecting against the execution of the said exploits.

Malvertisements are considered grave threats, especially since much like website compromises, attacks related to these usually involve trusted sites that users already typically visit without risk of system infection. In 2009, visitors of the NYTimes were exposed to threats when malvertisements were found on its pages, leading users to FAKEAV variants. Earlier this year, Trend Micro researchers also found malicious ads being displayed in a Web-based email service, directing users to URLs serving PDF exploits.

For this particular incident, users are advised to be careful when it comes to installing Facebook applications and, more importantly, to utilize a security product with a strong Web reputation technology that can help determine bad links from good ones within a social networking environment.

Post from: TrendLabs | Malware Blog - by Trend Micro

Facebook Malvertisement Leads to Exploits

At present, Trend Micro sees 3.5 new threats per second. As more and more businesses and home users take the inevitable journey to the cloud, risks of data and financial loss are greater than ever. Trend Micro also continues to uncover cybercrime operations and how bad guys earn millions of dollars, pointing to an underground economy that matures with time.

Our new infographic, “Threat Morphosis: The Shifting Motivations Behind Digital Threats,” offers a look into the evolving cybercrime motivations and the resulting shifts in the threat landscape through the years.

Click here for a detailed look at the thumbnail image below.

Post from: TrendLabs | Malware Blog - by Trend Micro

The Shifting Motivations Behind Digital Threats [INFOGRAPHIC]