Posts filed under 'Phishing'
April 2nd, 2008 by Jake Soriano (Technical Communications)
Voice phishing is making some noise of late.
This technique — more popularly (and creatively) known as “vishing” — uses the all-too-familiar spammed email message format as initial bait. Trend Micro antispam researchers discovered the following messages, which again use the IRS as a lure to get users to hand over sensitive information:


This time, however, the striking difference from past phishing emails is that instead of a malicious URL, the message contains a number that users are encouraged to call for information on possible “tax refunds.” An automated voice recording answers queries and asks callers for sensitive information: credit card and social security numbers, for instance.
The timeliness of this attack is evident, as the deadline for filing taxes is nearing. Users may have learned not to trust unknown links; this time, Trend Micro advises users to be extra careful in disclosing information even to “customer service” numbers as well.
April 2nd, 2008 by Ralph Hernandez (Anti-phishing Engineer)
Trend Micro uncovered another phishing Web site that attempts to steal confidential credit card information.
Below is a screenshot of the Web site:

Using string manipulation, it is able to spoof the official Web site of the Royal Bank of Canada. Note that the said URL contains a variation on the actual domain name (“banking” vs. “bank”) to trick users into thinking that it is the official Web site of the affected bank.
The spoofed URL masks the actual phishing URL by using a certain frame source. This frame source URL is responsible for gathering account-related information, such as credit card numbers and account passwords, from the affected users.
What is interesting about this phishing attack is that when the first frame source URL is blocked, a second frame source is used: the next time the phishing Web site is visited, it already points to another frame source URL. This is clearly a distinct approach to circumventing security restrictions related to phishing attacks.
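As an added example (not part of the original post), here is a defender-side check for the two traits described above: a host name that carries the bank's brand but is not its registered domain, and a frame whose source lives on a different domain than the page itself. The legitimate domain, brand tokens, page HTML and host names are all constructed for this example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumptions for the example: the bank's real registered domain and brand tokens.
LEGIT_DOMAIN = "royalbank.example"
BRAND_TOKENS = ("royalbank", "rbc")


def registered_domain(host: str) -> str:
    """Naive eTLD+1 (last two labels); good enough for .com-style hosts and IPs."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_lookalike(host: str, legit: str = LEGIT_DOMAIN) -> bool:
    """Brand token present in the host, but the registered domain is not the real one."""
    if registered_domain(host) == legit:
        return False
    return any(tok in host.lower() for tok in BRAND_TOKENS)


class FrameSrcParser(HTMLParser):
    """Collect the src attribute of every <frame> and <iframe> element."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag in ("frame", "iframe"):
            self.sources.extend(v for k, v in attrs if k == "src" and v)


def cross_origin_frames(page_url: str, html: str) -> list:
    """Frame sources whose registered domain differs from the page's own domain."""
    page_reg = registered_domain(urlparse(page_url).hostname or "")
    parser = FrameSrcParser()
    parser.feed(html)
    return [src for src in parser.sources
            if urlparse(src).hostname
            and registered_domain(urlparse(src).hostname) != page_reg]


# Constructed sample: a lookalike host whose page frames a form on another host.
SAMPLE_URL = "http://www1.royalbanking-online.example/signin"
SAMPLE_HTML = """<html><frameset rows="100%">
<frame src="http://203.0.113.10/~acct/verify.php" name="main">
</frameset></html>"""

if __name__ == "__main__":
    host = urlparse(SAMPLE_URL).hostname
    print("lookalike host:", is_lookalike(host))  # True
    print("cross-origin frames:", cross_origin_frames(SAMPLE_URL, SAMPLE_HTML))
```

Because the check keys on the frame's registered domain rather than a fixed URL, a page that rotates its frame source after a block is still flagged as long as the new source is off-domain.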
Furthermore, it was determined that the domain used by this phishing Web site is registered for just one year. Dubious indeed, if one considers how a supposedly legitimate Web site intends to operate for such a short term.
As of this writing, Trend Micro customers are protected from this phishing attack, with the said frame sources already blocked by our products, preventing them from redirecting unknowing users to other phishing Web sites.
March 27th, 2008 by Carolyn Guevarra (Technical Communications)
Virus Coordinator for Trend Micro Latin America Jose Lopez Tello recently discovered a very interesting malware attack that seems to be (at first blush) related to the previous Banamex phishing e-mails reported last January and earlier this month.
Similar to the past attacks, this malware aims to steal money by targeting customers of Banamex, the largest e-Bank in Mexico.
However, instead of using the DNS poisoning method of the past attacks, this malware uses a script to change the user’s DNS settings, and it also installs a botnet client that connects to an IRC server hosted at a U.S. hosting provider.
Based on Tello’s analysis, the infection chain is usually initiated by a fake greeting eCard that a user receives via email. This eCard contains a link, which when clicked downloads the malicious file Gusanito.exe.

Trend Micro detects this file as BKDR_VBBOT.AE. The difference between this new attack and the previous attacks is that, this time around, the malicious downloaded executable does not poison the user’s HOSTS file or the local router’s DNS table. Instead, it changes the DNS settings on the affected user’s computer using the following simple script:
dns name= source=static addr=[IP address] register=PRIMARY
Thus, when the user attempts to access www.banamex.com, he is redirected to a phishing Web site (which is actually located at the same fake DNS server).
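As an added example (not from the original post), a defender-side check for the technique above: parse a Windows host's DNS configuration and flag interfaces whose statically configured servers fall outside an allowlist. The allowlist, the interface names and the netsh-style output are constructed for this example, and the parser keys on the labels shown in that constructed sample.

```python
import re

# Assumption for the example: the resolvers this host is expected to use.
ALLOWED_DNS = {"192.168.1.1", "192.168.1.2"}

# Constructed sample in the shape of `netsh interface ip show dns` output; the second
# interface has been switched to a static, unexpected resolver.
SAMPLE_OUTPUT = """Configuration for interface "Local Area Connection"
    DNS servers configured through DHCP:  192.168.1.1
                                          192.168.1.2
    Register with which suffix:           Primary only

Configuration for interface "Wireless Network Connection"
    Statically Configured DNS Servers:    203.0.113.53
    Register with which suffix:           Primary only
"""
IFACE_RE = re.compile(r'^Configuration for interface "(.+)"$')
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def parse_dns_config(text):
    """Map interface name -> (source, [servers]); source is 'static', 'dhcp' or 'unknown'."""
    result, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = IFACE_RE.match(line)
        if m:                                   # start of a new interface section
            current = m.group(1)
            result[current] = ("unknown", [])
            continue
        if current is None:
            continue
        ips = IPV4_RE.findall(line)
        source, servers = result[current]
        if "DNS" in line:                       # server-list header line
            source = "static" if "Statically" in line else "dhcp" if "DHCP" in line else source
            result[current] = (source, servers + ips)
        elif ips and line == ips[0]:            # continuation line holding a bare address
            result[current] = (source, servers + ips)
    return result

def rogue_dns(text, allowed=ALLOWED_DNS):
    """Interfaces with statically set servers outside the allowlist -> offending addresses."""
    findings = {}
    for iface, (source, servers) in parse_dns_config(text).items():
        bad = [s for s in servers if s not in allowed]
        if source == "static" and bad:
            findings[iface] = bad
    return findings
```

Running rogue_dns(SAMPLE_OUTPUT) returns {'Wireless Network Connection': ['203.0.113.53']}; on a real host, feed it the captured output of the show command and alert on any non-empty result.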
The botnet client code (BKDR_VBBOT.AE) also opens an IRC connection to yet another US-based host and channel, where it waits for commands from its botmaster; in practice, those commands are to send out more of the same bogus eCard greeting emails.

As of this writing, over 650 bots are already connected to this botnet C&C (Command & Control) server and are most probably sending out tons of fake greeting eCards at this very moment. “In fact, you can see the whole list of emails that will be targeted,” says Tello.
The malicious link has already been submitted to Trend Micro Content Security team for processing and blocking. The appropriate law enforcement and content providers have also been alerted to this.
(Thanks to Paul Ferguson for additional technical background.)
-Update: March 29, 2008-
BKDR_VBBOT.AE was renamed to WORM_KELVIR.EI.
March 27th, 2008 by Daver Cavalcanti (Threats Analyst)
Just recently, Trend Micro discovered an FTP server in Uruguay hosting a phishing Web site that targets customers of Telecom Italia Mobile (TIM), one of the largest mobile phone companies in Brazil.

The server’s IP address indicates that it may be affiliated with Russian or Ukrainian cyber criminals who have previously been linked to RBN, the Russian Business Network. RBN became notorious for its “bullet-proof” hosting facilities, which have been linked to illegal activities such as child pornography, phishing, spam, and malware distribution.
Using an INDEX.HTML file, this phishing site presents an ActiveX control that invites the user to view a video message purportedly from TIM Brazil. When accessed, it attempts to insert malicious code on the client system and then sends phishing messages to the affected user. This file changes daily and points to a new false URL, which is sent via email to everyone who has fallen victim to the fraudulent Web site.

Phishing is a technique used to trick users into divulging personal information (such as social security numbers, ATM PINs, and credit card numbers) through email or dubious Web sites. Perpetrators trick gullible users into sending them private or personal information. To do this, they forge the Web site or an email of a legitimate company. These Web sites or email messages usually ask for information about the recipient. Alterations to the code of these bogus Web pages or email messages result in the information being redirected to the cyber criminals. When a user is tricked into divulging information, we say that (s)he has become a victim of a “phishing attack.”
The ActiveX control is already detected by Trend Micro as POSSIBLE_MLWR- 1. The malicious URL hides the source of the downloadable file behind an obfuscated code script and ultimately downloads a Banker Trojan downloader, win.exe, from a host located in Brazil; that host is already blocked by our URL filtering services.
March 27th, 2008 by Christopher Talampas (Anti-phishing Engineer)
Trend Micro’s Content Security Web Blocking Team has recently encountered attempts to phish the account information of users who subscribe to Google’s advertising platform, Google AdWords. The phishing email message appears to be from Google Adwords and tells the user to log on to Adwords and update their billing information, as shown in the image below:

It instructs the user to click a link which appears to the user as a legitimate Google Adwords link, but actually leads to a malicious Web site. Account information entered by the unknowing user on the malicious Web site is then sent to an unauthorized user.
Such a technique may trick most users into thinking that the URL shown in the message will connect them to the legitimate Web site. Furthermore, Google is generally known for its sparse, clean email and Web site interfaces, so this simple-looking email message can be quite convincing. Users are advised to report it here if they receive a message similar to the one above.