In fact, Trend Micro anti-spam research engineers have already seen a number of spammed messages that promise free iPads to lure unwitting users into their scams. In one such spam sample, recipients are being invited to test the iPad at no cost by simply applying to be part of a “word-of-mouth” marketing campaign. They may not have to shell out a single cent but the price they have to pay will be their identities.

The spammed messages instruct users to reply to the email with their personal information, which spammers could easily use for further malicious activities. As Trend Micro anti-spam research engineer, Argie Gallego, recommends, “Users should be suspicious of any freebies offered online, particularly those requiring sensitive personal information such as full name and contact numbers. We have only seen a number of iPad-related spam so far but we expect the numbers to rise as April 3 draws near.”

This recent spam run is no different from how cybercriminals leveraged the iPad launch in January, which led to a FAKEAV variant. Users should thus continue exercising caution in opening email messages from unknown senders. It is also important to be cautious in conducting Web searches on hot topics such as the iPad, as these are often used for blackhat search engine optimization (SEO) attacks as seen in the past. Interestingly, Apple does not own any iPad-related domain names so users should really pay close attention to URLs before they click.

Trend Micro™ Smart Protection Network™ prevents spammed messages from reaching users’ inboxes via the Web reputation service.

Non-Trend Micro product users can also stay protected by using eMail ID, which prevents fake messages from reaching their inboxes. It also helps users quickly find legitimate messages.

Post from: TrendLabs | Malware Blog - by Trend Micro

iPad Giveaway Gives Users’ Identities Away

Compromised Twitter accounts post Tweets that tell their followers to click the shortened link to try out a new diet/weight loss plan.

Clicking the given link redirects users to possibly malicious websites that promote Acai Berry.

Compromised accounts were possibly infected from previous Twitter spam runs previously featured in the following blog entries and are being used again for this new attack:

• Twitter DM Spam Collects Mobile Numbers
• Job Spam Uses Twitter
• A New Twitter Worm Is Making the Rounds

As of this writing, Twitter is already aware of this latest spam attack and has taken the necessary corrective actions to prevent the spam from spreading further.

Users are strongly advised to refrain from clicking the links contained in Tweets with similar messages even if they come from a known or a trusted user. On the other hand, users who think their accounts may be one of those that have been compromised should change their passwords as soon as possible.

Trend Micro™ Smart Protection Network™ protects product users from this kind of attack by blocking user access to the malicious domains and other related sites.

For Twitter users, follow @TrendMicro to get the latest security information and updates on how to stay protected from new and upcoming threats.

Post from: TrendLabs | Malware Blog - by Trend Micro

Diet Twitter Spam (on the) Run

May GOD bountifuly bles u & ur family. Have a blissful day Fr Frends of UNI-MAD Party List, United Movement Against Drugs no.181′Luv ur famly, say NO 2 drugs.

According to the Philippine National Statistical Coordination Board, the National Telecommunications Commission (NTC) reported an average of 250 million text messages sent daily in 2005. A more updated study reported an upsurge, which more than doubled the said figure in 2009, along with a growth in the number of mobile phone users (i.e., over 63 million).

Numbers such as these in a country known as the “text capital of the world” set the stage for the proliferation of texts scams such as one that features the following message:

CONGRATULATIONS!!!Your # WON TOYOTA AVANZA car w/ 300thou via electronic last Dec.21,2009. For details,please call now Rene Samonte. of Phil. Info. Center on this #.

As similar instances of text scams have already occurred in the past, it is best to take heed and be wary of your mobile phone activities before you fall prey to potential text scams.

Post from: TrendLabs | Malware Blog - by Trend Micro

Text Spam and Text Scams

To the untrained eye, the email looks quite convincing. However, closer inspection of the message properties reveals that while the email purports to come from a certain security company, the sender’s domain name is indosatm2.com.

According to the spoofed mail, an email sent to the user has been blocked by the administrator. The user is then instructed to ignore the message if the blocked mail was indeed a spammed message or to click the embedded link to view the message.

The spammers may be trying to lure users by leveraging people’s natural curiosity. A user who wishes to know the content of the quarantined mail is thus likely to click the link. The said link currently redirects users to an already unavailable website. However, users are still advised to exercise caution when opening email messages and clicking links, even if these appear to be legitimate. It never hurts to be extra careful.

Trend Micro™ Smart Protection Network™ protects product users from this attack by preventing the spammed messages from reaching users’ inboxes via the email reputation service and by blocking access to malicious sites and domains via the Web reputation service.

Non-Trend Micro product users can also stay protected from similar bogus email messages by using eMail ID, which uses a two-step verification process to help users quickly find legitimate messages.

Post from: TrendLabs | Malware Blog - by Trend Micro

Spam Quarantine Notification = Spam

The two samples above TrendLabs obtained were sent to domains that belonged to Trend Micro. The file attachment does not contain any mailbox settings but instead a malicious file detected as TROJ_FAKEAV.EAO.

This spam run is similar to a run that TrendLabs earlier reported wherein Trend Micro Advanced Threats Researcher, Joey Costoya, said the subdomains may have been tailor-made, depending on the recipients’ email addresses. That spam run was actually part of a phishing attempt that targeted employees of various companies, including Trend Micro.

The Trend Micro™ Smart Protection Network™ protects product users from this attack by preventing the spammed messages from reaching users’ inboxes via the Web reputation service and by detecting and removing the malicious file via the file reputation service.

Non-Trend Micro product users can also stay protected by using eMail ID, which prevents fake messages from reaching their inboxes. It also helps users quickly find legitimate messages.

Post from: TrendLabs | Malware Blog - by Trend Micro

Spammers Target Antivirus Companies

The spammed message instructed users to update their Blogger accounts by clicking the embedded link, which leads them to a fake login page. At first glance, the site’s URL seems legitimate enough. It began with the same domain name as the real Blogger login page. Upon closer examination, however, TrendLabs engineers found that the fake site was not really hosted on the same URL as the real one. It was, instead, hosted on a remote site, thus convincing them that this was indeed a fake login page or a phishing site (compare Figures 2 and 3).

Users basically use blogs as ongoing chronicles of information about anything and everything they are interested in. Some use blogs to promote their businesses or to show what their companies can do. Some use theirs as personal online diaries where they can save their thoughts and feelings in. Whatever use blogs may serve to users, however, signing in to and updating their account records on the bogus login page, will certainly allow phishers to take advantage of them. This kind of attack can lead to not only data theft but also identity theft. This is the reason why we always urge users to be wary of suspicious-looking email messages and sites. Always check the URLs of the sites you are being led to. It never hurts to be paranoid once in a while if it means not falling prey to cybercriminals’ ever-evolving social-engineering tactics.

Trend Micro™ Smart Protection Network™ protects product users from this kind of attack by preventing the spammed messages from even reaching their inboxes via the email reputation service and by blocking access to malicious sites and domains via the Web reputation service.

Non-Trend Micro product users can stay protected as well by using free tools such as eMail ID, a browser plug-in that helps identify legitimate email messages in your inboxes. It helps users avoid opening and acting on phishing messages attempting to spoof real companies.

Post from: TrendLabs | Malware Blog - by Trend Micro

Phishers Target “Bloggers”

• Pump-and-Dump Spammers Take on Amazon
• “Storm Pump and Dump”: The Musical
• Taking Stock of Spam

In a pump-and-dump attack, spammers raise the stock prices of companies they own shares in by sending spammed messages with misleading or outright untrue positive news about the said companies. Once the companies’ real stock prices have sufficiently risen, the spammers will then sell or dump their own shares to gain profit.

TrendLabs engineers, however, recently saw the recent comeback of this tactic hit the popular VoIP application, Skype. Spammers used the application’s instant-messaging (IM) feature to send the pump-and-dump spammed messages below.

Spammers tried to promote two companies—EcoBlu Products, Inc. and Terra Energy & Resource. Like other spam runs using IM applications, Skype users received these email messages from users who were not in their lists of contacts.

As usual, we urge users not to click any link in messages sent via email or IM applications that come from people they do not know.

Trend Micro™ Smart Protection Network™ protects product users from this threat by preventing the spammed messages from reaching their inboxes via the email reputation service and by blocking access to malicious sites via the Web reputation service.

Non-Trend Micro product users, on the other hand, can also keep their systems safe by using free tools like eMail ID, a browser plug-in that helps identify legitimate email messages in your inboxes.

Post from: TrendLabs | Malware Blog - by Trend Micro

Pump-and-Dump Spam Makes a Comeback on Skype

Trend Micro fraud analysts were recently alerted to the discovery of spammed messages that purported to come from the NIC—the Intelligence Community (IC)’s center for midterm and long-term strategic thinking. The NIC provides intelligence reports to members of the IC, including the National Security Agency (NSA).

Independent security journalist, Brian Krebs, in his blog confirmed that these messages were spoofed due to several obvious reasons, including:

• The email address used in the spammed messages was nic@nsa.gov.
• Another version purported to come from admin@intelink.gov. Extracting the header information, however, revealed that the real sender’s email address was {BLOCKED}@sh16.ruskyhost.ru.
• The spam run also specifically targeted email addresses with .gov and .mil domain names.

The spammed messages persuaded recipients to download the .EXE file attachment, a spoofed version of the NIC’s “2020 Project.” In reality, however, the file is a ZBOT variant detected as TROJ_ZBOT.SVR.

Like its well-known predecessors, this ZBOT variant is also an information stealer, as evidenced by the following published reports:

• Facebook Phishing Page Leads to Exploits and ZBOT
• Balance Checker Mail Carries ZBOT Trojan
• ZBOT/Zeus Sends Out Tailor-Made Spam

Trend Micro product users need not worry, however, as Smart Protection Network™ protects them from this threat by preventing the spammed messages from even getting into their inboxes via the email reputation service and by detecting and blocking the download of the malicious .EXE file via the file reputation service.

Non-Trend Micro product users can also stay protected via HouseCall, a free tool that identifies and removes all kinds of viruses, Trojans, worms, unwanted browser plug-ins, and other malware from affected systems.

Post from: TrendLabs | Malware Blog - by Trend Micro

ZBOT Variant Spoofs the NIC to Spam Other Government Agencies

The bogus email asks users to add its sender to their lists of friends just like any normal social-networking invitation. What is odd about this email, however, is that it first asks recipients to download and open an attachment, which supposedly contains an invitation.

Unsuspecting users who are tricked into downloading and opening the compressed file (Invitation Card.zip) end up executing a malware detected as WORM_PROLACO.AA instead of an invitation. The attachment contains a file named Document.htm. However, upon closer examination by expanding the Name column in the window, users will discover that the supposed .HTM file is really a malicious .EXE file.

The social-engineering technique used in this spam run is probably one of the oldest tricks in the “Spammers’ Handbook,” if there is one. This is precisely why users are always reminded to be wary of opening email messages from people they do not know and to scan file attachments before downloading them onto their systems.

Trend Micro™ Smart Protection Network™ protects users from this threat by preventing the spammed messages from even reaching their inboxes via its email reputation service. It also detects and blocks the malicious file from being downloaded onto and executed in users’ systems via its file reputation service.

Non-Trend Micro product users can also stay protected from this threat via eMail ID, a free tool that helps them avoid opening and acting on email messages attempting to spoof real companies.

Post from: TrendLabs | Malware Blog - by Trend Micro

hi5 Spam Invites Users to Download a Worm

Founded in 1818, with around 4,700 branches in France, Caisse d’Epargne is active in both the retail and private banking segments. It also holds a significant stake in the publicly traded investment bank, Natixis.

The spammed message informs customers that the bank found some problems with their accounts. It then informs the recipients that the bank needs them to fill in additional information by clicking an embedded link in the email to keep them protected. Clicking the link, however,  redirects users to a phishing page that looks a lot like the bank’s official website.

As expected, the phishing site asks users to enter their personal identification numbers (PINs) to validate their accounts. There are, however, noticeable differences between the phishing site (marked in red in Figure 2) and the bank’s legitimate site (marked in green in Figure 3) if only users take time out to make sure they are not being victimized by wily cybercriminals.

In fact, the bank’s legitimate site even has a security warning (marked in green in Figure 4) to all of its customers regarding the said phishing attack since January 28.

The continued proliferation of phishing attacks, as evidenced by this, supports the “2009 Third Quarter Report” released by the Anti-Phishing Working Group (APWG). Based on the group’s global phishing survey, the third quarter of 2009 broke the record with 40,621 unique phishing reports as of August.

However, what is more often overlooked can be summarized by the question, “What really happens after a phishing attack?” Trend Micro partner, RSA Security, gave some really frightening answers to this question. The article describes a real-life scenario that shows how cybercriminals buy credit card information, which they use to purchase high-end merchandise online. Fraudsters then resell these products, enabling them to make substantial profits.

Considering the persistence with which cybercriminals operate, users should thus be extremely cautious every time they conduct online transactions. Fortunately, Trend Micro™ Smart Protection Network™ already protects product users from this particular threat by preventing the spammed message from even reaching their inboxes and by blocking user access to the phishing site.

Non-Trend Micro product users can also stay protected from malicious URLs by using one of Trend Micro’s free tools, Web Protection Add-On.

Post from: TrendLabs | Malware Blog - by Trend Micro

Caisse d’Epargne Customers, Beware!

First off, PUSHDO variants are usually downloaders that often report to a command and control (C&C) server. The DDoS malware in the attack, on the other hand, is a spambot. Though the PUSHDO botnet uses a spambot (dubbed “CUTWAIL” by the security industry) to massively spam users, when we compared our CUTWAIL samples with the DDoS spambot used in this attack, we did not see a convincing reason to believe that they are related.

Security experts commonly detect this new spambot variant as “Harebot” or “Shgray.” Some security vendors also detect it as “Pandex,” which was another name used for PUSHDO variants. We believe this is the reason why people think this new threat is PUSHDO related.

Though this may seem like a small point to make, it is a rather important one. Even if the new spambot is indeed an evolved version of CUTWAIL variants (something that has not yet been proven), this still does not mean that the PUSHDO botnet owners are the ones behind this massive DDoS attack.

These two groups may be one and the same or two entirely different organizations. In any case, the reason to create a DDoS-capable spambot is still an enigma even to security researchers.

Feel free to comment on this blog if you have any interesting theories about it.

Post from: TrendLabs | Malware Blog - by Trend Micro

The PUSHDO Puzzle—DDoS or Not DDoS?

Taking the form of job application responses from Google, the email even sports the official Google logo with an accompanied legitimate From: address. With close-to-perfect grammar and syntax (unlike most known spammed messages), it is becoming even trickier to distinguish real email messages from fake ones. And why would users not want to believe what the message says? Google has always been commended for being a more-than-ideal workplace. Receiving word regarding a job application from the company is thus great news indeed. But is viewing a suspicious-looking email message, especially if you did not even send an application in the first place, worth infecting your computer?

The latter part of the spammed message is even more suspicious, as it asks the recipient to download a .ZIP file attachment, CV-20100120-112.ZIP, which then opens a prompt to download the file with a different name (document.doc) and a hidden extension (.EXE), detected by Trend Micro as WORM_SPYBOT.MCP.

Cybercriminals have also been known to make use of spaces to hide the real extension names of file attachments. The same technique was used in this scam, making it seem that the extension is .DOC when it is actually .EXE.

Trend Micro™ Smart Protection Network™ protects users from this kind of threat by preventing the spammed messages from even reaching their inboxes and detecting and deleting files detected as WORM_SPYBOT.MCP.

Non-Trend Micro product users, on the other hand, can also stay protected via HouseCall, Trend Micro’s highly popular and capable on-demand scanner for identifying and removing viruses, Trojans, worms, unwanted browser plug-ins, and other malware from infected systems.

Post from: TrendLabs | Malware Blog - by Trend Micro

Spammers Fake Responses from Google Job Applications

Many naive users still fall for the age-old ruse that rogue antivirus peddlers use—scareware tactics—to scam victims into believing that their systems have fallen prey to malware infections. Thinking of the repercussions presented by the fictional threats, users are duped into paying for something that turns out to be entirely nonfunctional.

The techniques cybercriminals use are changing at such an alarming rate as they become more intuitive about successfully pushing their FAKEAV creations to unwitting users. They often resort to poisoning results for the latest and most popular search terms and to customizing spammed messages containing malicious URLs or file attachments. There seems to be no end to the proliferation of FAKEAVs. In fact, FAKEAV variants consistently crop up alongside every major news from any part of the world. According to Paul Ferguson, Trend Micro Forward-looking Threat Researcher, hundreds of new rogue AV domains appear every day.

Not only is an infected user in danger of potentially being scammed by FAKEAV perpetrators, he/she also becomes a direct participant in perpetrating fraudulent activities and cybercrimes as part of a botnet. This is because FAKEAVs outsource their propagation to botnets with already-installed bases, which allows the cybercriminals behind FAKEAVs to “concentrate instead on coming up with effective scare tactics and pay-per-install models,” says Ferguson. This paved the way to its affiliation with other cybercriminal groups such as the KOOBFACE and BREDOLAB gangs, making it a very lucrative business model for cybercriminals. You can find more information about these affiliate programs in the following papers:

• “You Scratch My Back… BREDOLAB’s Sudden Rise in Prominence”
• “Show Me the Money! The Monetization of KOOBFACE”

Always remember that FAKEAVs exist for one thing alone—for cybercriminals to profit from users’ losses. That is probably why the cybercriminal minds behind FAKEAV are not showing any signs of slowing down. FAKEAV variants can be seen everywhere and can be delivered in a multitude of ways. They have, in fact, even made their way into iPhones! But it is not to late to start becoming more aware. Rely only on trusted news sites for the latest updates. Avoid clicking suspicious-looking URLs and downloading and opening file attachments, especially those that come from people you do not know.

Finally, use a reputable security suite that protects you wherever you connect. Trend Micro™ Smart Protection Network™ will serve users well to keep their systems safe from FAKEAV-related infections, as it blocks spammed messages with email reputation technology, prevents user access to malicious sites and domains with Web reputation technology, and detects and consequently deletes malicious files with file reputation technology.

iPhone users can also stay protected from FAKEAV-related threats and other malware via the Smart Surfing for iPhone at no cost at all. Keep in mind that smarter protection is key in dealing with complex malware.

Post from: TrendLabs | Malware Blog - by Trend Micro

Much Ado About FAKEAV

However, the most recent FAKEAV run appears to be only the start of more Haiti-related malware attacks. We recently received Portuguese spam samples purporting to be from the international news site, BBC. Translated to English, the spammed message describes the current situation in Haiti. It also attempts to convince recipients to click the link to the embedded video, which supposedly contains photos taken by an amateur photographer who witnessed the earthquake.

Upon clicking the link, however, users are redirected to a site where they are asked to save an .EXE file detected by Trend Micro as TROJ_BANLOAD.JAE. This Trojan connects to websites to download another malicious file detected as TSPY_BANKER.LMG.

This is a good reminder of how spammers will do anything to make their spammed messages appear legitimate. It is thus important to check for data consistency so as not to fall into their trap. In this case, if the video truly contains photos of the aftermath, then there is no need to download or execute an .EXE file. Users are thus advised to exercise caution when opening messages, particularly those that come from unknown senders.

Trend Micro™ Smart Protection Network™ already protects users from this attack by detecting and blocking the spammed messages, preventing user access to malicious sites, and blocking the download of the malicious files.

Post from: TrendLabs | Malware Blog - by Trend Micro

Haiti Spam Leads to New Malware

The spammed message purports to be from AIM and urges recipients to download and execute the latest AIM version to reactivate their currently inactive accounts.

This becomes a problem if the receivers actually have AIM accounts, as they may be tricked into clicking the link, http://{BLOCKED}update.aol.com.yhff13.com.pl/products/aimController.php?code=826954935720939660939448
039218184173&email=angelan@bc4.so-net.ne.jp. The end result may be the loss of pertinent personal information or, worse, their identities. Instead of getting an actual application update, the link leads to a spoofed AIM website.

Users who land on the phishing page are then prompted to download the malicious file aimupdate_7.1.6.475.exe, which has been detected by Trend Micro as TSPY_ZBOT.JF, which injects threads into certain normal processes. Like its ZBOT predecessors, it also attempts to access a website to update its list of target banks and other financial institutions, which it then sends to a remote site.

Trend Micro™ Smart Protection Network™ protects users from this attack by blocking the spammed messages, preventing user access to malicious sites, and detecting and blocking the download of malicious files.

Post from: TrendLabs | Malware Blog - by Trend Micro

Phishers Target AOL IM Users