Oct 30, 3:06 am (UTC-7) | by Trend Micro

We often associate Halloween with pumpkins and costumes, but for cybercriminals it is merely another avenue to exploit, steal, and trick users into giving away their personal identities. Treats are fun, but we all need to be on the lookout for the sneaky ways cybercriminals slither into our computers. Below are TrendLabs' top 7 scariest threats that might be knocking on your door:

  1. Tailor-made ZBOT spam makes its way to employees' mailboxes

    The Zeus botnet is well known for e-banking attacks that target small businesses without a dedicated IT staff and only 1–2 payroll personnel; the most notorious ZBOT attack to date sent tailor-made spam to the employees of several such small companies. The spammed messages were made to look legitimate and harmless when, in fact, they carried Trojan spyware designed to steal information and identities.

  2. Vulnerabilities hit critical mass: Patch me if you can

    Microsoft set a record in December 2008 with 28 patches for vulnerabilities in its OS. In June 2009, the company broke that record by releasing 10 security advisories covering 31 vulnerabilities in its OS and other software. What does this mean for users? It means that unpatched vulnerabilities let cybercriminals exploit their systems. For instance, an unpatched vulnerability in a system's browser can let cybercriminals run arbitrary code if the user happens to visit a malicious website, leaving him or her at the mercy of online predators.

  3. FAKEAV: Surrender hard-earned money for fake security

    We've seen several strains of FAKEAV abound on the Web. Most employ "scareware" tactics, displaying a blue screen or bogus graphical user interfaces (GUIs) to warn users of infection. Some of the most dangerous variants, however, employ "ransomware" tactics. Users who fall victim to FAKEAV scams end up buying useless applications or may even be robbed of critical information on top of their hard-earned money. Sold at an average of US$50 apiece, FAKEAV clearly makes big money for those who push it, which is why we can expect more FAKEAV variants in the future.

  4. Expand your circle of friends but beware of KOOBFACE malware

    This year, we saw the emergence of the KOOBFACE botnet, which specifically targeted users of social networking and micro-blogging sites. Facebook and Twitter, two of the top-ranking social networking/micro-blogging sites today, have millions of users worldwide, making them favorite cybercriminal targets. The popularity of these sites may be unprecedented, but so is the rise in the number of malware families targeting them. Victims of KOOBFACE variants can end up with FAKEAV infections, wrangled into the widespread KOOBFACE botnet, or owners of compromised profiles: take your pick.

  5. More sophisticated attacks = More victims

    Cybercriminals continue to up the stakes as they come up with more sophisticated attacks to lure more victims into their traps. A new variant of the BEBLOH family of information stealers went well beyond logging keystrokes and sending them to a server for later exploitation: it stole user information and used it right away while effectively avoiding detection. The latest BEBLOH variant produces static pages that show remaining account balances and previous transactions to cover its tracks. Victims will not know they have been robbed unless they access the online banking site from an uninfected machine or use a separate facility such as an ATM.

  6. No system is immune from security attacks, certainly not Macs

    The days when Mac users felt safe from today's threat landscape are over. The recent proliferation of Mac attacks reiterates what security researchers have been saying all along: no system is immune from security attacks, certainly not Macs. The number of Mac users continues to increase, and unfortunately so does the number of cybercriminals targeting Mac OS. Attacks on the growing Mac user base are becoming more and more complex, preying on the earlier belief that OS X is malware-free.

  7. Blackhat SEO attacks climb the charts

    Just as cybercriminals strive to push their malware-ridden pages to the top of search results, the number of documented blackhat SEO attacks has climbed as well. As if the usual blackhat SEO techniques were not crafty enough, cybercriminals have learned to use new gadgets, Google Trends and GeoIP tracking, to increase the chances that users will click on links that lead to specially crafted malware-ridden pages. This kind of attack can affect anyone searching for information on the Web. All it takes to get infected is clicking a top-ranking search result.

If you are concerned that your computer may have been affected by a cyber attack, try our free prevention and clean-up tools, available here.



Oct 29, 3:05 am (UTC-7) | by Aljerro Gabon (Anti-spam Research Engineer)

Trend Micro researchers found over 200 email samples that spamvertised male sexual enhancement pills. These bore subjects like "Re: Go wild in bedroom," "Re: Let your lever straight up," and "Re: Be her concrete-rod satisfier" and contain a URL that points to all-too-familiar Canadian pharmacy websites.



While spammed messages that lead to Canadian pharma sites are not new, there are notable things about this particular spam run. For one, it used randomized text in the email body to evade spam filters. The spammers also put "Re:" in the subject to make the message look like a reply of sorts. In addition, the FROM and TO fields bear the same email address. The run also used a dictionary spam attack, in which spammers send messages to a generated list of likely email addresses. Further analysis showed that the domains used had only recently been registered.
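The traits just listed can be turned into a small header-and-link scoring routine. The following is an added example written for this post, not Trend Micro's code; the two messages, the domain registration dates standing in for a WHOIS lookup, and the 30-day threshold are all constructed for illustration.

```python
"""Heuristic detection of the spam traits described above: a faked "Re:" subject,
From and To carrying the same address, and links to freshly registered domains.
Added example, not Trend Micro's code; messages, dates and thresholds are constructed."""
import re
from datetime import date
from email import message_from_string
from email.utils import parseaddr

# Constructed stand-in for a WHOIS lookup: domain -> registration date.
DOMAIN_CREATED = {
    "cheap-pills-promo.test": date(2009, 10, 26),  # constructed "pharma" site
    "example.com": date(1995, 8, 14),              # long-established domain
}
ANALYSIS_DATE = date(2009, 10, 29)   # constructed: the day the run was analysed
NEW_DOMAIN_DAYS = 30                 # younger than this counts as "recently registered"

URL_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)


def spam_indicators(raw_message: str) -> list[str]:
    """Return the names of the traits from the post that a single-part message shows."""
    msg = message_from_string(raw_message)
    hits = []

    # A "Re:" subject on a message that references no earlier message is a fake reply.
    subject = msg.get("Subject", "")
    if subject.lower().startswith("re:") and not (msg.get("In-Reply-To") or msg.get("References")):
        hits.append("fake-reply-subject")

    # From and To holding the same address: the spammer reused the victim's address as sender.
    sender = parseaddr(msg.get("From", ""))[1].lower()
    recipient = parseaddr(msg.get("To", ""))[1].lower()
    if sender and sender == recipient:
        hits.append("from-equals-to")

    # Any linked host whose domain was registered within the last NEW_DOMAIN_DAYS.
    body = msg.get_payload() if not msg.is_multipart() else ""
    for host in URL_HOST.findall(body):
        created = DOMAIN_CREATED.get(host.lower())
        if created and (ANALYSIS_DATE - created).days <= NEW_DOMAIN_DAYS:
            hits.append("newly-registered-link-domain")
            break
    return hits


# Constructed sample resembling the run described in the post (not a real spam sample).
SPAM_SAMPLE = """From: jdoe@example.com
To: jdoe@example.com
Subject: Re: Go wild in bedroom
Date: Thu, 29 Oct 2009 09:00:00 +0000

Lorem ipsum filler text that varies from message to message.
Order here: http://cheap-pills-promo.test/shop
"""

# Constructed legitimate reply for comparison.
HAM_SAMPLE = """From: alice@example.com
To: bob@example.com
Subject: Re: meeting notes
In-Reply-To: <1234@example.com>
Date: Thu, 29 Oct 2009 09:05:00 +0000

Thanks, the notes are at http://example.com/notes
"""

if __name__ == "__main__":
    print("spam:", spam_indicators(SPAM_SAMPLE))  # ['fake-reply-subject', 'from-equals-to', 'newly-registered-link-domain']
    print("ham: ", spam_indicators(HAM_SAMPLE))   # []
```

The randomized body text defeats exact-match filters, which is why the routine keys on structural traits (a "Re:" subject with no In-Reply-To or References header, identical From and To addresses, and link domains registered days earlier) rather than on content.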

As usual, users are advised not to open emails that spamvertise sexual enhancement pills. Trend Micro users are protected from this spam attack by the Smart Protection Network. Users of non-Trend Micro products can stay protected by using free tools like eMail ID.



Oct 29, 2:44 am (UTC-7) | by Sarah Calaunan (Fraud Analyst)

Trend Micro threat analysts found several phishing sites registered in China that target specific people or companies. The emails behind them customize the phishing URL with the name of the intended recipient, a targeted approach known as "spear phishing."

Spear phishing has been used by cybercriminals before in attacks that involved specific targets. In the previous post, "So Is It Twitter or Facebook?," for instance, cybercriminals exploited Twitter's direct message function to tell users that their pictures had been seen on another website, with the link embedded in the same message. The link led to a bogus Facebook page from which user credentials were then stolen.

In this attack, the cybercriminals went as far as spoofing the From field to imply that the sender works at the target's own company. The URL embedded in the email is also customized to its intended recipient. Clicking the link leads the user to a bogus Gmail Taiwan login page where the target's user name has already been filled in.

According to TT Tsai, this phishing attack seems to be targeting the Taiwan government as some of the phishing domains we have encountered are hosted in Taiwan, not to mention that the page uses the Chinese language.


Here’s a list of malicious domains users should be wary of:

  • http://google.com.microsoft-server.tw/google/accounts/ServiceLogin.asp?uid=vq4hasv2o1xn&name=victim

TT Tsai, however, added that the cybercriminals are rapidly changing domains and taking down previously used ones to avoid detection and blocking.
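A defender can catch this kind of lookalike host by asking which part of the hostname the registrant actually controls. The following is an added example, not Trend Micro's code: it resolves the registrable domain with a small stand-in for the Public Suffix List (an assumption; a production check would use the full list), flags a brand name that appears in the host but is not the registrable domain, and surfaces the recipient name carried in the URL's query string.

```python
"""Check whether a login URL really belongs to the brand its hostname displays.
Added example, not Trend Micro's code. The public-suffix table below is a small
stand-in for the real Public Suffix List (an assumption for this example)."""
from urllib.parse import parse_qs, urlsplit

# Assumption: enough public suffixes to resolve the hosts used in this example.
PUBLIC_SUFFIXES = {"com", "net", "org", "tw", "com.tw", "co.uk"}
# Brands whose login pages are commonly imitated (checked in this order).
BRAND_DOMAINS = ("google.com", "facebook.com", "twitter.com")


def registrable_domain(host: str) -> str:
    """Return the part of the host a registrant actually controls,
    e.g. 'microsoft-server.tw' for 'google.com.microsoft-server.tw'."""
    labels = host.lower().strip(".").split(".")
    for i in range(len(labels)):            # longest candidate suffix first
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])


def assess_login_url(url: str) -> dict:
    """Flag a brand name that appears in the host but is not the registrable domain."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reg = registrable_domain(host)
    # "google.com" inside the host while someone else is the registrant: impersonation.
    impersonates = [b for b in BRAND_DOMAINS if b in host and reg != b]
    query = parse_qs(parts.query)
    return {
        "host": host,
        "registrable_domain": reg,
        "impersonates": impersonates,
        # The post notes the target's name arrives in the URL; surface it for triage.
        "personalised_for": query.get("name", [None])[0],
        "suspicious": bool(impersonates),
    }


if __name__ == "__main__":
    # The phishing URL from the post, followed by a genuine Google login URL for contrast.
    for u in ("http://google.com.microsoft-server.tw/google/accounts/ServiceLogin.asp?uid=vq4hasv2o1xn&name=victim",
              "https://accounts.google.com/ServiceLogin"):
        print(assess_login_url(u))
```

The substring test on the host is deliberately broad: any hostname that contains a brand name without being registered under it (a subdomain prefix, a hyphenated variant, a different TLD) is worth a second look, and the registrable domain is what a blocklist entry should actually name, since the attackers rotate the prefixes.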

As of this writing, all spam and phishing URLs related to this attack are already being blocked by the Trend Micro Smart Protection Network™. Non-users of Trend Micro products can stay protected from this and other similar attacks by using free tools such as eMail ID.



Oct 28, 1:02 am (UTC-7) | by Maria Alarcon (Anti-spam Research Engineer)

A new spam campaign that purports to be from Facebook is making the rounds today. It bears the subject "Facebook Password Reset Confirmation" and informs users that their passwords have been changed for security purposes. It then asks them to open the attached .ZIP file that supposedly contains their new password, which is in fact malware detected by Trend Micro as TROJ_BREDLAB.SMF.


Upon execution, TROJ_BREDLAB.SMF connects to a malicious website and downloads a FAKEAV variant detected as TROJ_FAKEAV.BLV.

Users are advised to be wary of bogus notifications even when they appear to come from a known source. Trend Micro product users are protected from this attack via the Smart Protection Network, which detects and blocks this kind of spam. Non-Trend Micro product users can use HouseCall, Trend Micro's highly popular and capable on-demand scanner for identifying and removing viruses, Trojans, worms, unwanted browser plugins, and other malware.



Oct 27, 11:06 pm (UTC-7) | by Ralph Hernandez (Fraud Analyst)

Trend Micro researchers recently found spam emails fashioned to look as if they came from the Federal Deposit Insurance Corporation (FDIC). The email message tells users to visit the "official" FDIC website (linked in the email) to check their Deposit Insurance Coverage.


However, clicking the URL leads users to a fake FDIC website where they are asked to download a document file, which is in fact an .EXE file detected by Trend Micro as TSPY_ZBOT.AZH.

TSPY_ZBOT.AZH first downloads a configuration file containing a list of URLs to monitor, mostly social networking and banking websites. Once the user visits any of the listed websites, it starts logging keystrokes to steal information such as account credentials. This compromises the user's account and leaves it available for the cybercriminals' future use.

Here’s a list of domains used in this spam wave:

  • h1erfae.eu
  • h1erfai.eu
  • h1erfaj.eu
  • h1erfaq.eu
  • h1erfar.eu
  • h1erfat.eu
  • h1erfau.eu
  • h1erfaw.eu
  • h1erfay.eu
  • milki1a.co
  • milki1a.me
  • milki1e.me
  • milki1g.me
  • milki1i.co
  • milki1l.co
  • milki1y.me
  • nyuh1awa.eu
  • nyuh1awb.eu
  • nyuh1awc.eu
  • nyuh1awd.eu
  • nyuh1awf.eu
  • nyuh1awg.eu
  • nyuh1awh.eu
  • nyuh1awm.eu
  • nyuh1aws.eu
  • nyuh1awt.eu
  • nyuh1awv.eu
  • nyuh1awx.eu
  • tt1qwa1.eu
  • tt1qwa1.me
  • tt1qwae.eu
  • tt1qwae.me
  • tt1qwaq.co.uk
  • tt1qwaq.eu
  • tt1qwaq.me.uk
  • tt1qwar.co.uk
  • tt1qwar.eu
  • tt1qwar.me.uk
  • tt1qwat.co.uk
  • tt1qwat.eu
  • tt1qwat.me.uk
  • yh1qab.eu
  • yh1qab.me.uk
  • yh1qak.co.uk
  • yh1qak.eu
  • yh1qak.me.uk
  • yh1qal.eu
  • yh1qao.eu
  • yh1qao.me.uk
  • yh1qaz.me.uk

According to Advanced Threats Researcher Joey Costoya, the brains behind this spam attack are the same cybercriminals responsible for other spam campaigns like the CapitalOne phishing attack and the Outlook update spam.

He explained that the characteristics of the domains (fast-flux and character patterns), URLs (wildcarded subdomains, long URLs), and binaries (Zeus) used in the FDIC spam are similar to those of the above-mentioned spam waves.
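The character patterns Costoya mentions can be extracted mechanically from the list above. The following is an added example, not Trend Micro's code: it groups the domains from the list into families whose names differ only in their final character, then derives one blocking pattern per family that also covers the wildcarded subdomains the post describes. The suffix table is an assumption sized to the domains on this page.

```python
"""Group the FDIC-spam domains listed above into single-character-variant families
and derive a blocking pattern per family. Added example, not Trend Micro's code;
the suffix table is an assumption sized to the domains on this page."""
import re
from collections import defaultdict

# Domains from the post (page data), whitespace-separated.
FDIC_DOMAINS = """
h1erfae.eu h1erfai.eu h1erfaj.eu h1erfaq.eu h1erfar.eu h1erfat.eu h1erfau.eu h1erfaw.eu h1erfay.eu
milki1a.co milki1a.me milki1e.me milki1g.me milki1i.co milki1l.co milki1y.me
nyuh1awa.eu nyuh1awb.eu nyuh1awc.eu nyuh1awd.eu nyuh1awf.eu nyuh1awg.eu nyuh1awh.eu nyuh1awm.eu
nyuh1aws.eu nyuh1awt.eu nyuh1awv.eu nyuh1awx.eu
tt1qwa1.eu tt1qwa1.me tt1qwae.eu tt1qwae.me tt1qwaq.co.uk tt1qwaq.eu tt1qwaq.me.uk tt1qwar.co.uk
tt1qwar.eu tt1qwar.me.uk tt1qwat.co.uk tt1qwat.eu tt1qwat.me.uk
yh1qab.eu yh1qab.me.uk yh1qak.co.uk yh1qak.eu yh1qak.me.uk yh1qal.eu yh1qao.eu yh1qao.me.uk yh1qaz.me.uk
""".split()

# Assumption: the public suffixes seen in the list, longest first so "co.uk" wins over "uk".
SUFFIXES = ("co.uk", "me.uk", "eu", "co", "me")


def split_domain(domain: str) -> tuple[str, str]:
    """Split 'tt1qwaq.co.uk' into ('tt1qwaq', 'co.uk')."""
    for suffix in SUFFIXES:
        if domain.endswith("." + suffix):
            return domain[: -len(suffix) - 1], suffix
    raise ValueError(f"unknown suffix: {domain}")


def domain_families(domains):
    """Bucket domains by their label minus the final character, e.g. 'h1erfa?'."""
    families = defaultdict(lambda: {"members": [], "last_chars": set(), "suffixes": set()})
    for domain in domains:
        label, suffix = split_domain(domain.lower())
        fam = families[label[:-1] + "?"]
        fam["members"].append(domain)
        fam["last_chars"].add(label[-1])
        fam["suffixes"].add(suffix)
    return dict(families)


def family_regex(key: str, suffixes) -> re.Pattern:
    """Pattern matching any one-character sibling of the family, including
    wildcarded subdomains such as 'anything.h1erfaz.eu'."""
    prefix = re.escape(key[:-1])
    alternatives = "|".join(re.escape(s) for s in sorted(suffixes))
    return re.compile(rf"^(?:[a-z0-9-]+\.)*{prefix}[a-z0-9]\.(?:{alternatives})$", re.IGNORECASE)


if __name__ == "__main__":
    for key, fam in sorted(domain_families(FDIC_DOMAINS).items()):
        print(f"{key:10} {len(fam['members']):2} domains, suffixes {sorted(fam['suffixes'])}, "
              f"pattern {family_regex(key, fam['suffixes']).pattern}")
```

Widening from exact names to a family pattern trades precision for coverage: a new sibling such as h1erfaz.eu is caught without a list update, so review the generated patterns against legitimate traffic before deploying them as blocks.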

As we always say, please do not open unsolicited and suspicious-looking emails such as those shown above. Trend Micro customers need not worry about being bothered by this though, as they are protected by the Smart Protection Network. Non-product users, on the other hand, can use HouseCall, Trend Micro’s highly popular and capable on-demand scanner for identifying and removing viruses, Trojans, worms, unwanted browser plugins, and other malware.



© Copyright 2009 Trend Micro Inc. All rights reserved.