The fake Web portal asks users to enter their surname, shareholder reference number, postal code, telephone number, date of birth, and employer. After entering the said information, the page will redirect them to another login page that requires them to enter their account information—first name, middle name, last name, address, city, country, mother’s maiden name, and email address. Only after filling in the information will the users be redirected to a legitimate page of the Capita website.

Phishers will indeed do whatever it takes just to prey on unwitting victims. For this reason alone, users must be careful in giving out their credentials online. The phishing website used in this attack is already being blocked by the Trend Micro Smart Protection Network™.

Post from: TrendLabs | Malware Blog - by Trend Micro

Beware: Never Share Your Capita with Phishers

 
Once the users hit the “Login” button, it will redirect them to another fraudulent page where a link to download a suspicious update tool file is provided. Trend Micro detects this as TROJ_ZBOT.CDX.

As of this writing, the phishing URL as well as the malicious file has been blocked and detected already via the Trend Micro Smart Protection Network.

This is a great example showing just how cunning cybercriminals can be just to steal precious information. They even claimed to offer recipients security, which is really ironic. Not everyone though may be as hard to fool as, say, security experts. So how can you tell if your personal information is being phished? Here are some useful tips:

• Check the email’s content. Misspellings and grammatical mistakes are very common in spammed messages.
• Do not click embedded links. If you need to update your login credentials, go to the site’s homepage and log in from there.
• Check the URL in the message body. A legitimate Facebook link will not continue beyond .com as in the two bogus email messages.
• Check the time stamps. Facebook has millions of users worldwide so it really is very unlikely that the site’s administrator will send out email messages to all users within the same day.
• Check the sender’s email address. A legitimate Facebook email sender will have a facebook.com and not a facebookmail.com address.

Don’t be just another victim. Keep in mind that cybercriminals will do just about anything to fool those who let their guards down.

Additional text by Det Caraig

Post from: TrendLabs | Malware Blog - by Trend Micro

Are You Being (Facebook) Phished?

Spear phishing has been used by cybercriminals before in attacks that involved specific targets. In the previous post, “So Is It Twitter or Facebook?,” for instance, cybercriminals exploited Twitter’s direct message function to inform users that their pictures were seen on another website, the link to which is embedded in the same message. The link led to a bogus Facebook page from which user credentials are then stolen.

In this attack, the cybercriminals went as far as spoofing the From field to imply that the sender is from the same company the target is employed in. The URL embedded in the email is also customizable, depending on who its intended recipient is. Clicking the link points the user to a bogus Gmail Taiwan login page where the target’s user name has already been entered.

According to TT Tsai, this phishing attack seems to be targeting the Taiwan government as some of the phishing domains we have encountered are hosted in Taiwan, not to mention that the page uses the Chinese language.

Here’s a list of malicious domains users should be wary of:

• http://google.com.microsoft-server.tw/google/accounts/ServiceLogin.asp?uid=vq4hasv2o1xn&name=victim
• http://google.com.microsoft-server.tw/google/accounts/ServiceLogin.asp?uid=vq4hasv2o1xn&name=victim

TT Tsai, however, added that the cybercriminals are rapidly changing domains and taking down previously used ones to avoid detection and blocking.

As of this writing, all spam and phishing URLs related to this attack are already being blocked by the Trend Micro Smart Protection Network™. Non-users of Trend Micro products can stay protected from this and other similar attacks by using free tools such as eMail ID.

Post from: TrendLabs | Malware Blog - by Trend Micro

Taiwan: Spear Phishers Target Gmail Users

The websites for both the CapitalOne and Bank of America phishing attacks are all hosted on fast flux domains, and uses wildcarded subdomains. Here’s a list of some of the domains actually used:

• 11qioz.co.uk
• 11qwod.co.uk
• easder1q.co.uk
• f1iiitl.com
• iiizad1z.co.uk
• ij1tli.com
• ltiil1.com
• nekz1mqv.co.uk
• nezz1cza.co.uk
• racder1c.net
• racder1x.com
• raeder1f.net
• rarder1g.com
• raxsder1.com
• t1fliil.tc
• tj1fiil.co.nz
• uunuyr.com
• yyy1yyrd.co.uk
• yyy1yyre.co.uk
• yyy1yyrf.co.uk
• yyy1yyrg.co.uk
• yyy1yyrj.co.uk
• yyy1yyrk.co.uk
• yyy1yyrl.co.uk
• yyy1yyrm.co.uk
• yyy1yyro.co.uk
• yyy1yyrq.co.uk
• yyy1yyrr.co.uk
• yyy1yyru.co.uk
• yyy1yyrv.co.uk
• yyy1yyrx.co.uk

The IP addresses these fast flux domains point to are comprised of residential broadband IP addresses, suggesting that the machines serving the websites’ contents are hosted on compromised residential PCs. The current spam campaigns (digital certificate lure) and its corresponding websites (fast flux, wildcarded subdomains) share the same characteristics like last year’s SSL Certificate spam campaign. A screenshot of last year’s spam campaign is shown below.

It looks like as though the same group has reemerged using the same tactic they’ve used last year. Maybe last year’s campaign has been successful enough that they’re hoping to duplicate the winning formula in the recent spam wave.

Trend Micro users are now protected from this attack through the Smart Protection Network. Non-users of Trend Micro producs, on the other hand, can opt to stay protected by using the eMail ID and Web Protection Add-On.

Post from: TrendLabs | Malware Blog - by Trend Micro

ZBOT and a CapitalOne Phish

The spammed message bears the subject “Notice of Underreported Income” and lures users to click the link that supposedly contains the tax statement. Users who click the URL are led to a site where they get infected by various ZBOT variants. ZBOT variants are notorious for their information theft routines.Trend Micro detected these ZBOT variants as TSPY_ZBOT.BZJ, TSPY_ZBOT.BZT, TSPY_ZBOT.BZS, and TSPY_ZBOT.COB.

Ever since this spam run began, ZBOT creators have been generating new binaries, probably to avoid detection and removal.

Spammers often ride on the tax season to trick users into giving their credentials and even infecting their PCs with malware. We blogged about it in the following posts:

• Fake Form W-8BEN Used in IRS Tax Scams
• Tax Season is Phishing Season
• Phishers Hit Multiple Banks with One Stone
• IRS Used by Spammers Again

Trend Micro already detects and blocks this spam attack with its Trend Micro Smart Protection Network. Users are advised to get only their tax statement straight from IRS.

Post from: TrendLabs | Malware Blog - by Trend Micro

Social Engineering Watch: Another IRS Scam

Phishers have created a duplicate of a legitimate German-language ClickandBuy login page on at least one malicious website. The fake site can be seen below:

Figure 1. Phishing website

After entering their credentials, users would be redirected to the legitimate ClickandBuy site. Users would then think everything was normal, when nothing could be further from the truth. The phishing website is a very close match to the legitimate site, which is shown below for comparison:

Figure 2. Legitimate website

Users are advised to be very careful about where they enter their login credentials to guard against attacks like this. For example, the user’s connection to the phishing site was not encrypted, whereas the connection to the legitimate website was encrypted. (All browsers show this in their user interface, usually using a padlock.)

The phishing URL in this attack is already blocked by the Trend Micro Smart Protection Network.

Post from: TrendLabs | Malware Blog - by Trend Micro

Internet Payment Site ClickandBuy Phished

Figure 1. Phishing email

Clicking on the link displays the following fake login page asking the user to input his or her password:

Figure 2. Phishing website

It is obvious that the intention of the cybercriminals is to harvest the user’s MSN Messenger login credentials. Afterwards, they can then continuously sends spam messages to the account or, worse, they can use the account for their malicious intent.

Getting in touch with friends is now much easier than before. Because of the growth of social networking sites, we can stay connected with our old friends, or even find new ones. This may include reading the profile pages of other members, sending and receiving invitations to fun games, videos and other applications. However, users must be on guard when interacting within online social networks. Spammers are now abusing these in their phishing attacks.

Always be mindful in accepting “invitations”, especially when it concerns your personal information. This particular spam message, and the associated website, are already blocked by Trend Micro products via the Smart Protection Network.

Post from: TrendLabs | Malware Blog - by Trend Micro

“See Who Blocked You on MSN” Phishing Attacks

Earlier this week, however, Trend Micro researcher Rik Ferguson found at least two—if not more—malicious applications on Facebook. (These were the Posts and Stream applications.) They were used for a phishing attack that sent users to a known phishing domain, with a page claiming that users need to enter their login credentials to use the application. The messages appear as notifications in a target user’s legitimate Facebook profile, as shown below. The links to the malicious site are highlighted:

Figure 1. Facebook notifications page

After entering the credentials, users would then be redirected to Facebook itself. (The posts detailing these findings can be found at the Counter Measures blog; the initial report is here and a follow-up was posted here.)

While Trend Micro has informed Facebook of these findings, users should still exercise caution when entering login credentials. They should be doubly sure that these are being entered into legitimate sites, and not carefully crafted phishing sites. The particular site involved in this phishing attack is already blocked by the Smart Protection Network.

Image credits: thanks to Rik Ferguson, Countermeasures blog.

Post from: TrendLabs | Malware Blog - by Trend Micro

Facebook Applications Used For Phishing

CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) used to protect web sites against abusive automated softwares that can register, spam, login, or even splog. However, now a days that isn’t the case anymore.

Just like the traditional PayPal phish, the web page http://{BLOCKED}www.security-paypal.citymax.com/paypal_security.htmlasks the user to provide feedback from their Shopping by asking for their Name, E-mail Address and PayPal password as seen in Figure 1.

Figure 1: Screenshot of bogus PayPal phishing Feedback page

After which, a CAPTCHA image is shown and requires the user to enter the code indicated for spam prevention. However, after entering the user’s personal information, this could be used to
create bogus mail accounts, among other things.

The phishing URL is already blocked by Trend Micro’s Smart Protection Network.

Post from: TrendLabs | Malware Blog - by Trend Micro

PayPal Fraud with CAPTCHA

What’s supposed to be a news article is actually an writeup that explains how Google can supposedly provide online users the opportunity to earn easy money. To make it more convincing, the page also claims to have several positive responses from anonymous online users. Clicking any of the links from the spam website shown above leads to a phishing page.

The page contains a spoofed countdown timer that hopes to make the user panic and quickly fill up the form. Clicking the See If I Qualify button then directs the user to another page containing an affirmation of the user’s qualifications, which will then require him/her to fill up another form with his/her credit card information.

Related phishing schemes have also been found using the same technique but with different keywords other than Google Cash Club. Below are some of the keywords used:

• Make Money with Google
• Google Money Monster
• Google Home Income
• Easy Google Profit
• Google’s Business Kit

Inquiries on the legitimacy of the service have been posted on Google’s support forum, and we agree with what most of the users have posted: Google Cash Club is a scam.

The phishing URL is already blocked by the Trend Micro Smart Protection Network.

Post from: TrendLabs | Malware Blog - by Trend Micro

Google Cash Club Makes Headlines in Phishing Attack

The email contains a letter stating that it was from ATO. It informs the receiver that he or she is eligible to receive a tax refund. It then asks the recipient to answer the form attached to the mail, click the PRINT button, and then send it to the head office.

Observing the form attached, it uses double extension names: .PDF.HTM which is used to trick the users that they are filling up a PDF file, when it is really an HTML page.

Further studying the content of the form reveals a part where it asks the receiver’s account information, and indicates “Please enter your account information where the 568.24 will be debited.” Take note that according to the mail, the user is eligible for a tax refund. However, the spammers decided rather to fill the field by themselves.

Furthermore, the form asks for the user’s card number and PIN, which should be irrelevant if this is for a tax return.

Once the user completes the form and clicks the PRINT button, a window will appear where the user can specify settings related to the printing process. It may look like a normal process but while the document is being printed, the browser will connect to a site, sending the entered details there.

Users should be assured that not only but in special in these times of crisis, criminals will never get tired in making offers about money or other goods to mask their true intentions.

The Smart Protection Network blocks both the spam email and the phishing website.

Post from: TrendLabs | Malware Blog - by Trend Micro

Australia: Taxpayers Targeted by Phishing Attack

Infiltrating WALEDAC Botnet’s Covert Operations

Spam is not a mere inbox annoyance anymore but is the first step toward executing more dangerous kinds of system infiltration. Malware are no longer discrete executables but a motley group of related components and files that work together to surreptitiously get inside systems. The technologies malware crime fighters are using are—in some cases—being used against us. The people behind these cybercrimes are no longer fame-seeking script kiddies, they are now professional criminals who have created robust cybercrime businesses.

This paper provides a comprehensive view of the WALEDAC botnet—its activities, methodology, involved technologies, purpose, and business model—in order to paint a picture of the complex and intricate nature of the threats that we see today.

Pushdo / Cutwail Botnet

The Pushdo botnet has been with us since January 2007, and while it does not grab as many headlines as its attention-seeking peers such as Storm or Conficker, it is the second largest spam botnet on the planet – sending approximately 7.7 Billion emails per day, making it single-handedly responsible for about 1 out of every 25 emails sent.

There are several reasons for Pushdo’s lack of notoriety – the authors have actively used several techniques to help keep its activity “under the radar.” Not only is Pushdo responsible for a huge amount of spam activity, it also is one of the primary conduits for other criminal gangs to spread their malware creations.

The two abovementioned papers, as well as other previously released white papers can be downloaded from this page.

Post from: TrendLabs | Malware Blog - by Trend Micro

Botnet Research on WALEDAC and PUSHDO

Invariably, summer (at least for people in most parts of the world) is when people troop to online shops, book flights to go on much-awaited vacations, and schedule recreational activities or hobby-type classes. Trend Micro identifies some of the biggest threats that take advantage of summer, an “important season for the social agenda of individuals.”

1. Shopping invoices for ghost transactions: Users, even those who don’t really purchase anything online might, out of curiosity, open fake receipts sent via email or click malicious receipt links, become immediately vulnerable to identity theft.
2. Ecommerce phishing: Shoppers on eBay, one of the most popular online retailers, should be vigilant not to fall prey to phishing attacks and other illicit schemes as the site is also one of cybercriminals’ favorite places to launch the largest number of phishing attacks
3. Compromised high-traffic websites: High-traffic websites, especially during the summer when shoppers flood to online stores and auction and other ecommerce sites, are likely to attract cybercriminals like bees to honey.
4. Poisoned shopping search results: Query results for summer-related strings can be manipulated to yield links to websites rigged with malware.
5. Malicious advertisements or malvertisements: Users fond of getting good bargains online can fall prey to malware-carrying ads, particularly those strategically placed on high-traffic websites.

Apart from online-shopping-related scams that proliferate during the summer season, companies also usually release new products this time of year. For instance, the official launch of Windows 7 RC was soon followed by its release in warez and torrent sites that, unfortunately, came with malware surprises.

Besides being famous for the release of new products, summer is also the time when big movie producers release their blockbuster bets. In fact, almost every week, a highly anticipated film or sequel is shown in theaters worldwide, much to the delight of moviegoers and, of course, cybercriminals. In the past, potential viewers were lured with raffle entries for either free tickets or movie merchandise. Some use codecs embedded in exclusive trailers or downloadable uncut versions. Still others compromise high-traffic fan sites, blogs, or even the movies’ official sites themselves then spread malware to unknowing users’ computers.

Users should therefore be wary when searching for the next big thing as hackers never rest and never stop developing the next big security threat as well.

Post from: TrendLabs | Malware Blog - by Trend Micro

Social Engineering Watch: Summer

We’ve recently found a phishing email that informs users to re-configure their Microsoft Outlook through an online procedure. Users are instructed to click on the link to setup, leading them to a phishing website.

Unlike micro-blogging, social networking, or even banking accounts, a user name and password is not enough to take full control of an email account. Mail server information is also necessary, which explains the need for them in the phishing page. Getting hold of such information would gain the phisher total access the affected user’s account, be able to read their emails, possibly steal critical information, or use it to spam other users. Furthermore, using such a widely used email client such as Microsoft Outlook places a large number of end users at risk of getting their email account compromised.

The Trend Micro Smart Protection Network blocks both the phishing email and URL.

Post from: TrendLabs | Malware Blog - by Trend Micro

Phishing Attack Targets Microsoft Outlook Users

Twitter users may see the following tweet in their stream:

When they click on the link, they are redirected to a fraudulent Twitter Web site that asks them for their account name and password. Once the needed login details are entered, the site sends similar messages to all of the affected users’ followers, along with links to a paid dating service.

The messages are said to have started from an account called @twittercut, which had been disabled. But then the tweets continued to come, this time from a new account called @tweetcut. The latter is now also inoperative.

The site operators at TwitterCut denied phishing allegations and announced that they were shutting the site down.

“According to several social network blog sites, TwitterCut has been the bud of several rumors,” they said on a message on their site. “Our website and its programmers can assure you that these rumors are not true and that TwitterCut is simply a Twitter train that was a work in progress!”

Twitter acknowledged the problem with a post on its status page Tuesday night. “We are currently pushing a password reset on accounts we believe may have been caught in a phishing scam,” said the company. “Please exercise your best judgement when thinking about releasing your username and password to third parties.”

Post from: TrendLabs | Malware Blog - by Trend Micro

Phishing For Twitter Popularity