TrendLabs | Malware Blog - by Trend Micro » Spam

Job Spam Uses Twitter

Bernadette Irinco (Technical Communications) — Fri, 20 Nov 2009 04:07:43 +0000

TrendLabs researchers were alerted to the discovery of spammed messages that contained Twitter URLs. The spam uses subjects such as N3 Earn Extra Income! 7L, C2 Exrtra Income Daily 4P, and Q0 $$$ Oppurtunity 6O. It informs users about supposed work-from-home opportunities for Google that pay good sums of money. It then entices users to click the Twitter URL to view the details of the bogus ‘opportunities.’

When users click the link, they will land in the sender’s Twitter page where another URL is posted in a tweet along with a message that encourages them to work online. The said URL points to a bogus site about working online and some success stories. This spam attack used Twitter as a technique to lure users into clicking the link. Since Twitter is a trusted source, users may think the email they received is legitimate.

Users are advised to be wary of opening any suspicious-looking emails. Trend Micro protects users via the Trend Micro Smart Protection Network, which detects and blocks this kind of spam. Non-Trend Micro product users can use free tools like eMail ID to stay secure.

Post from: TrendLabs | Malware Blog - by Trend Micro

Job Spam Uses Twitter

Payment Request Spam Contains Malware

Merianne Polintan (Anti-spam Research Engineer) — Wed, 18 Nov 2009 09:26:48 +0000

TrendLabs researchers received spammed messages purporting to have come from various companies such as eBay, J.P. Morgan Chase and Co., and Colgate-Palmolive, among others. The email bore the subject, “Payment request from,” and informs users about a certain recorded payment request.

The spammed message even gave users two options—to either ignore the email if the payment request has been made or to download the attached .ZIP file and install the inspector module to decline the said payment request. If the user does not make any transaction, he/she still needs to download the attachment just to cancel the payment request. The attached .ZIP file is, of course, not an inspector module but an .EXE file (module.exe) detected by Trend Micro as TROJ_AGENTT.WTRA.

Users are advised to be wary before opening any attached files even if they come from known sources. It is also best to verify emails you receive from any company first just to be sure it is legitimate. Trend Micro secures users from this attack via the Trend Micro Smart Protection Network™, which detects and blocks the spammed emails and prevents the download of the malicious file.

Post from: TrendLabs | Malware Blog - by Trend Micro

Payment Request Spam Contains Malware

Bogus “Balance Checker” Tool Carries Malware

Nino Penoliar (Anti-spam Research Engineer) — Sat, 14 Nov 2009 07:30:09 +0000

Trend Micro threat analysts received samples of spammed messages purporting to have come from mobile phone companies, Vodafone and Verizon Wireless. The email messages carry the subject, “Your credit balance is over its limits” and inform users that their credit balance is due. To be able to review the payments, users should employ the balance checker tool attached to the email.

When users open the attached .ZIP file, they will not find a balance checker tool but will instead get a malicious file (balancechecker.exe) detected by Trend Micro as TROJ_ZBOT.MYS. TROJ_ZBOT.MYS steals online banking credentials such as usernames and passwords. This stolen information may be used by cybercriminals for other fraudulent activities. It also disables the Windows Firewall and has rootkit capabilities that make detection and removal difficult.

Users are strongly advised not to open any suspicious-looking email even it comes from a known source. It is also good to verify any email coming from your mobile service provider just to be sure if it is legitimate or not. Trend Micro protects users from this attack via the Trend Micro Smart Protection Network™ that detects and blocks spammed emails and malicious files.

Post from: TrendLabs | Malware Blog - by Trend Micro

Bogus “Balance Checker” Tool Carries Malware

Twitter DM Spam Collects Mobile Numbers

JM Hipolito (Technical Communications) — Fri, 13 Nov 2009 03:49:02 +0000

Cybercriminals are using compromised Twitter accounts to spam out information-gathering websites to unknowing users.

The attack starts with compromised Twitter accounts. The accounts are used to send out Direct Messages to the followers of the users who own the compromised accounts.

The Direct Message—which is basically the Twitter counterpart of a private message—contains a link to what looks like an IQ test website:

An IQ test may seem harmless but the last thing asked for in the test is no longer an answer but the respondent’s mobile number. Though the real motive for this scheme is unclear, we believe that this was set up to gather mobile numbers from unknowing users to become potential targets for SMS spam or other mobile-related attack.

Users are strongly advised to refrain from clicking the links contained in similar Direct Messages that they may encounter even if the person who sent the DM is a known user. On the other hand, those users who think that their accounts may be one of those compromised should change their passwords as soon as possible.

The Trend Micro Smart Protection Network™ protects users from this by blocking all related URLs.

Update as of 08:49 P.M. “Users who do give out their mobile phone numbers may end up being billed at least US$10 a month for text messages,” says KOMO News. Though not every online IQ test will charge you, most are just there to scam unwitting users. Keep in mind that if a test asks for your mobile phone number, it is looking for a way to bill your mobile phone account. If the quiz looks like it came from someone in your Twitter account then a hacker must have hijacked other people’s accounts to make you think you are getting a message from someone you know.

Update as of November 13, 10:52 A.M. This attack do not simply harvest the affected users’ numbers but signed up their mobile for an auto-renewing subscription as described in the terms and conditions.

Post from: TrendLabs | Malware Blog - by Trend Micro

Twitter DM Spam Collects Mobile Numbers

Koobface Abuses Google Reader Pages

Jonell Baltazar (Advanced Threats Researcher) — Mon, 09 Nov 2009 11:56:04 +0000

We are seeing another development from the Koobface botnet, this time abusing the Google-owned service Google Reader to spam malicious URLs in social networking sites such as Facebook, MySpace, and Twitter.

The Koobface gang used controlled Google Reader accounts to host URLs containing an image that resembles a flash movie. These URLs are spammed through the said social networks. When the user clicks the image or the title of the shared content, it leads to the all-too-familiar fake YouTube page that hosts the Koobface downloader component.

Google Reader is a free service offered by Google that allows users to monitor websites for new content. It also allows the users to share content from the websites. Any user online can view these pages as they are shared with the public. Sharing any Google Reader page publicly is easy as anyone can click on the share icon in his or her Reader page and the content will appear on his or her public page.

This ability to share content with the public was abused by cybercriminals to use the Google Reader domain to spam malicious links.

We have already contacted Google about this matter to remove the malicious content. As of now we’ve found 1,300 Google Reader accounts used for this attack. The spam URLs hosted through these accounts are now blocked.

Post from: TrendLabs | Malware Blog - by Trend Micro

Koobface Abuses Google Reader Pages

Are You Being (Facebook) Phished?

Verna Sagum (Fraud Analyst) — Sun, 08 Nov 2009 05:04:13 +0000

Trend Micro security experts received email messages that supposedly came from Facebook. It asks recipients to update their login credentials for security purposes. It then instructs them to click the URL provided in the email message. When the user clicks the URL, it points them to a spoofed Facebook website where they are required to input their password only as their email address has been automatically filled up.

Once the users hit the “Login” button, it will redirect them to another fraudulent page where a link to download a suspicious update tool file is provided. Trend Micro detects this as TROJ_ZBOT.CDX.

As of this writing, the phishing URL as well as the malicious file has been blocked and detected already via the Trend Micro Smart Protection Network.

This is a great example showing just how cunning cybercriminals can be just to steal precious information. They even claimed to offer recipients security, which is really ironic. Not everyone though may be as hard to fool as, say, security experts. So how can you tell if your personal information is being phished? Here are some useful tips:

Check the email’s content. Misspellings and grammatical mistakes are very common in spammed messages.
Do not click embedded links. If you need to update your login credentials, go to the site’s homepage and log in from there.
Check the URL in the message body. A legitimate Facebook link will not continue beyond .com as in the two bogus email messages.
Check the time stamps. Facebook has millions of users worldwide so it really is very unlikely that the site’s administrator will send out email messages to all users within the same day.
Check the sender’s email address. A legitimate Facebook email sender will have a facebook.com and not a facebookmail.com address.

Don’t be just another victim. Keep in mind that cybercriminals will do just about anything to fool those who let their guards down.

Additional text by Det Caraig

Post from: TrendLabs | Malware Blog - by Trend Micro

Are You Being (Facebook) Phished?

Malware Conceals Itself as Boss’s Letter

Maria Alarcon (Anti-spam Research Engineer) — Mon, 02 Nov 2009 13:36:09 +0000

Trend Micro threat analysts found spammed messages that pretended to be a letter coming from the “boss.” The messages bore the subject “get back to my office for more details” and instructed users to extract and read the letter contained in the attached .ZIP file. The attachment, of course, does not contain a letter but an .EXE file (info.exe) detected by Trend Micro as TROJ_CUTWAIL.GT.

Upon execution, TROJ_CUTWAIL.GT creates registry entries to automatically execute at every system startup. It also drops a Trojan dropper detected as TROJ_DROPR.ST. Cutwail is known as the “spam engine” of the notorious botnet, PUSHDO, which spammed around 7.7 billion messages a day in the second quarter.

In the past few days or so, Trend Micro has reported various spam that used malicious attachments (ZIP or RAR) to hide malware. This suggests that old tactics never die and continue to be an effective way of infecting users. We blogged about this in the following posts:

Users are advised to be wary when opening any attached file even if it comes from a person with authority or one’s “boss.” Trend Micro users are protected via the Trend Micro Smart Protection Network, which detects TROJ_CUTWAIL.GT and blocks the spammed email message. Non-Trend Micro products users can use free tools like HouseCall to stay secure from this attack.

Post from: TrendLabs | Malware Blog - by Trend Micro

Malware Conceals Itself as Boss’s Letter

Christmas Spam Spotted

Nino Penoliar (Anti-spam Research Engineer) — Mon, 02 Nov 2009 13:31:55 +0000

With Christmas just right around the corner, spammers are already flooding users’ inboxes with unwanted email. No surprises there. Spammers are known to exploit the holidays to further their malicious causes.

Just recently, Trend Micro threat analysts found another spammed message that claimed to be a “replication specialist” and enticed users to buy replica products like watches, handbags, and jewelry at discounted prices.

The email can bear any of the following subjects:

Better early than late
New models are here
Quantities are low
Reminder
Some supplies are low

Morever, the email also encourages users to place their orders before November 1 because of limited supplies. Clicking the URL in the email message leads users to a fraudulent site that sells expensive imitation products. The email messages used various URLs though these pointed to the same landing page. As early as September, Trend Micro has already alerted users of holiday-themed spam.

As usual, users are advised not to avail of any product from spammers. Trend Micro protects users from this attack through the Smart Protection Network. Non-Trend Micro products users can use free tools like eMail ID to stay secure.

Post from: TrendLabs | Malware Blog - by Trend Micro

Christmas Spam Spotted

Social Engineering Watch: Spam Leads to Canadian Pharmacy Sites

Aljerro Gabon (Anti-spam Research Engineer) — Thu, 29 Oct 2009 10:05:17 +0000

Trend Micro researchers found over 200 email samples that spamvertised male sexual enhancement pills. These bore subjects like “Re: Go wild in bedroom,” “Re: Let your lever straight up,” and “Re: Be her concrete-rod satisfier” and contains a URL that points to all-too-familiar Canadian pharmacy websites.

While spammed messages that lead to Canadian pharma sites are not new, there are notable things in this particular spam run. For one, it employed random messages in the email content to avoid spam filters. The spammers also put “Re:” in the subject to make it appear as though it was a reply of sorts. In addition, the FROM and TO fields bear the same email address. It particularly used dictionary form of spam attack where spammers randomly send spammed messages to a generated list of email addresses. Upon further analysis, the domains used were just recently registered.

As usual, users are advised not to open emails that spamvertise sexual enhancement pills. Trend Micro users are secure from this spam attack with the Smart Protection Network. Non-Trend Micro products users can stay protected from this by using free tools like eMail ID.

Post from: TrendLabs | Malware Blog - by Trend Micro

Social Engineering Watch: Spam Leads to Canadian Pharmacy Sites

Taiwan: Spear Phishers Target Gmail Users

Sarah Calaunan (Fraud Analyst) — Thu, 29 Oct 2009 09:44:20 +0000

Trend Micro threat analysts found several phishing sites registered in China that target specific people or companies. The said email can customize phishing URLs using the names of intended recipients via a technique called “spear phishing.”

Spear phishing has been used by cybercriminals before in attacks that involved specific targets. In the previous post, “So Is It Twitter or Facebook?,” for instance, cybercriminals exploited Twitter’s direct message function to inform users that their pictures were seen on another website, the link to which is embedded in the same message. The link led to a bogus Facebook page from which user credentials are then stolen.

In this attack, the cybercriminals went as far as spoofing the From field to imply that the sender is from the same company the target is employed in. The URL embedded in the email is also customizable, depending on who its intended recipient is. Clicking the link points the user to a bogus Gmail Taiwan login page where the target’s user name has already been entered.

According to TT Tsai, this phishing attack seems to be targeting the Taiwan government as some of the phishing domains we have encountered are hosted in Taiwan, not to mention that the page uses the Chinese language.

Here’s a list of malicious domains users should be wary of:

http://google.com.microsoft-server.tw/google/accounts/ServiceLogin.asp?uid=vq4hasv2o1xn&name=victim
http://google.com.microsoft-server.tw/google/accounts/ServiceLogin.asp?uid=vq4hasv2o1xn&name=victim

TT Tsai, however, added that the cybercriminals are rapidly changing domains and taking down previously used ones to avoid detection and blocking.

As of this writing, all spam and phishing URLs related to this attack are already being blocked by the Trend Micro Smart Protection Network™. Non-users of Trend Micro products can stay protected from this and other similar attacks by using free tools such as eMail ID.

Post from: TrendLabs | Malware Blog - by Trend Micro

Taiwan: Spear Phishers Target Gmail Users

Fake Facebook Password Notification Leads to Malware

Maria Alarcon (Anti-spam Research Engineer) — Wed, 28 Oct 2009 08:02:31 +0000

A new spam campaign that purports to be from Facebook is making rounds today. It bears the subject, “Facebook Password Reset Confirmation,” and informs users that their passwords have been changed for security purposes. It then asks them to open the attached .ZIP file that supposedly contains their new passwords, which in actual fact is a malware detected by Trend Micro as TROJ_BREDLAB.SMF.

Upon execution, TROJ_BREDLAB.SMF connects to a malicious website and downloads a FAKEAV variant detected as TROJ_FAKEAV.BLV.

Users are advised to be wary of bogus notifications even if comes from a known source. Trend Micro product users are protected from this attack via the Smart Protection Network, which detects and blocks this kind of spam. Non-Trend Micro product users can use HouseCall, Trend Micro’s highly popular and capable on-demand scanner for identifying and removing viruses, Trojans, worms, unwanted browser plugins, and other malware.

Post from: TrendLabs | Malware Blog - by Trend Micro

Fake Facebook Password Notification Leads to Malware

FDIC Spam Points to Info Stealer

Ralph Hernandez (Fraud Analyst) — Wed, 28 Oct 2009 06:06:15 +0000

Trend Micro researchers recently found spam emails fashioned to come from Federal Insurance Deposit Corporation (FDIC). The email message informs users that they should visit the “official” FDIC’s website (provided in the email) to check their Deposit Insurance Coverage.

However, clicking the URL leads users to a fake FDIC website where they are ask to download a document file, which in actual fact is an .EXE file detected by Trend Micro as TSPY_ZBOT.AZH.

TSPY_ZBOT.AZH initially downloads a configuration file that contains a list of URLs that it will monitor, which mostly comprises social networking and banking-related websites. Once the user accesses any of the listed websites, it starts logging keystrokes to steal information such as account credentials. This, in effect, compromises the user’s account, making it available for cybercriminals’ future use.

Here’s a list of domains used in this spam wave:

h1erfae.eu
h1erfai.eu
h1erfaj.eu
h1erfaq.eu
h1erfar.eu
h1erfat.eu
h1erfau.eu
h1erfaw.eu
h1erfay.eu
milki1a.co
milki1a.me
milki1e.me
milki1g.me
milki1i.co
milki1l.co
milki1y.me
nyuh1awa.eu
nyuh1awb.eu
nyuh1awc.eu
nyuh1awd.eu
nyuh1awf.eu
nyuh1awg.eu
nyuh1awh.eu
nyuh1awm.eu
nyuh1aws.eu
nyuh1awt.eu
nyuh1awv.eu
nyuh1awx.eu
tt1qwa1.eu
tt1qwa1.me
tt1qwae.eu
tt1qwae.me
tt1qwaq.co.uk
tt1qwaq.eu
tt1qwaq.me.uk
tt1qwar.co.uk
tt1qwar.eu
tt1qwar.me.uk
tt1qwat.co.uk
tt1qwat.eu
tt1qwat.me.uk
yh1qab.eu
yh1qab.me.uk
yh1qak.co.uk
yh1qak.eu
yh1qak.me.uk
yh1qal.eu
yh1qao.eu
yh1qao.me.uk
yh1qaz.me.uk

According to Advanced Threats Researcher Joey Costoya, the brains behind this spam attack are the same cybercriminals responsible for other spam campaigns like the CapitalOne phishing attack and the Outlook update spam.

He explicated that the characteristics of the domains (fast-flux and character patterns), URLs (wildcarded subdomains, long URLs), and binaries (Zeus) used in FDIC spam are somewhat similar to the above-mentioned spam waves.

As we always say, please do not open unsolicited and suspicious-looking emails such as those shown above. Trend Micro customers need not worry about being bothered by this though, as they are protected by the Smart Protection Network. Non-product users, on the other hand, can use HouseCall, Trend Micro’s highly popular and capable on-demand scanner for identifying and removing viruses, Trojans, worms, unwanted browser plugins, and other malware.

Post from: TrendLabs | Malware Blog - by Trend Micro

FDIC Spam Points to Info Stealer

Spoofed Contract Carries Malware

Maydalene Salvador (Anti-spam Research Engineer) — Sat, 24 Oct 2009 12:58:19 +0000

Trend Micro researchers found spammed messages with a .ZIP file attachment that contains a malware. It bears the subject, “Contract of Settlements,” and purports to come from LSM Company. It informs users to open and check the attached file that holds a contract, which in actual fact, is an executable file (contract_1.exe) detected by Trend Micro as TROJ_FAKEALE.JH.

When executed in the system, TROJ_FAKEALE.JH connects to http://{BLOCKED}edrdosubor.com/K1er0Lj5n8H0NM4E8h0u where users get another FAKEAV variant, TROJ_FAKEAV.BQN.

Accordingly, users cannot scan the attached file because it is password protected. However, a password is included in the email to open the said file. This is probably to trick users into thinking that the said file is legitimate.

As usual, users are advised to refrain from opening any suspicious-looking emails. Trend Micro product users are protected from this spam attack via the Smart Protection Network. Non-Trend Micro product users can utilize HouseCall, Trend Micro’s highly popular and capable on-demand scanner for identifying and removing viruses, Trojans, worms, unwanted browser plugins, and other malware.

Post from: TrendLabs | Malware Blog - by Trend Micro

Spoofed Contract Carries Malware

Halloween Job Spam Spooks Users

Gaye Ofilas (Anti-spam Research Engineer) — Thu, 22 Oct 2009 09:54:37 +0000

Holidays are spammers’ favorite times of the year. After all, these give them additional opportunities to lure more victims to their specially crafted scams apart from a theme to focus on. As one of the most celebrated holidays across the globe, it is not surprising that Halloween, which is barely a week away, has been creating a buzz.

Trend Micro threat analysts got wind of Halloween-related spam samples (see the sample on the right). These offered readers promising opportunities to earn while working from home.

Clicking the link redirects the user to a site that is now inactive. However, based on Whois.Net’s domain name records, the URLs were only created in August of this year, most probably just for spamming purposes. It is, after all, not uncommon for spammers to register domains for the minimum time period allowable to further their malicious profiteering activities.

Users are thus warned not to click links to unknown sites no matter how tempting the offer they put on the table may be. If you’re really interested in getting a legitimate job or a means to earn more, go to a trusted job-search site. Do not trust everything you read on email, especially if you do not know who the email came from.

Trend Micro Smart Protection Network™ protects users from spamming attacks by blocking unwanted email and preventing user access to malicious sites. Mac users can enjoy the same benefits by using Trend Micro Smart Surfing for Mac.

Non-users of Trend Micro products can also stay protected from such attacks with free antivirus tools such as eMail ID and Web Protection Add-On.

Post from: TrendLabs | Malware Blog - by Trend Micro

Halloween Job Spam Spooks Users

FAKEAV Uses Conficker Worm as Bait

Robby Dapiosen (Anti-spam Research Engineer) — Wed, 21 Oct 2009 22:20:39 +0000

Very recently, cybercriminals have found another avenue to lure victims into their trap by using Microsoft as bait.

A screen shot of one such campaign is shown in Figure 1 below. The email asks the recipient to download and install the attached .zip file (shown in Figure 2) which is actually a malicious file which purports to scan their computer of possible Conficker worm infection.

Noticeable to these spam mails are the forged headers. The From field is the same as the address of the recipient (Figure 3).

The executable file contained in the attached .zip file is a FAKEAV variant detected as TROJ_FAKEAV.BL. Upon execution, TROJ_FAKEAV.BL displays a splash screen for the fake antivirus Power-Antivirus-2009 as shown in Figure 4. It then displays the following fake scanning window to trick users into thinking that the executed file is a legitimate antivirus application (Figure 5). It then displays the following fake alerts that warns users of infection, as shown in Figure 6.

With the spam message blocked and malicious file detected, Trend Micro users are fully protected from this attack. Non-Trend Micro product users on the other hand are advised to use HouseCall, Trend Micro’s scanner for identifying and removing viruses, Trojans, worms, unwanted browser plugins, and other malware.

Post from: TrendLabs | Malware Blog - by Trend Micro

FAKEAV Uses Conficker Worm as Bait