Mar 1
6:20 pm (UTC-7)   |    by Jonathan Leopando (Technical Communications)

Phishing, and the identity fraud that follows from it, continue to grow. Unfortunately, it is now easier than ever to carry out these kinds of attacks.

A new tool known as “Super Phisher” (detected by Trend Micro as HKTL_SUPERPHISER) has been released and is already being used by cybercriminals. It creates a phishing page from a legitimate website.


The tool creates all the files necessary for the phishing page: an .HTML file that contains the actual page, and a .PHP file that steals the submitted information and saves the stolen data to a .TXT file. In the screenshot below, note how the HTML page’s code refers to the local .PHP file and not to the legitimate site (in this case, Yahoo!).


A would-be phisher then takes all the files and uploads these to a website under his/her control. This site could be a malicious, compromised, or even a free Web host that the phisher is abusing. It is then up to the phisher to lure users to the site he/she created.


While this tool lets cybercriminals create phishing pages more easily and in less time, and therefore mount attacks quickly whenever an opportunity arises, users can still take steps to protect themselves.

While the pages created by this phishing tool look identical to the legitimate site, they do not contain any code that obfuscates or manipulates the URL shown in the user’s browser. The phishing pages appear completely legitimate, but the URLs they are hosted at do not.

To guard against threats like these, users must always be careful about the sites they enter personal information into. They must check that the site not only looks legitimate but is also located at a legitimate URL. While cybercriminals may attempt to register domains with similar-looking names, careful users should still be able to distinguish between authentic and possibly malicious sites.
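The two checks described above (where is the page hosted, and where does its login form send what you type) can be automated against a saved copy of a page. The following is an added example, not code from the original post or from Trend Micro: it parses a page's HTML, finds every form that carries a password field, resolves the form's action against the page's URL, and flags any form whose page or submission target is not the host the page claims to be. The sample HTML, the `free-host.example` URL and the expected host `login.yahoo.com` are constructed for the example.

```python
"""Audit where a saved login page would send credentials (added example)."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class FormCollector(HTMLParser):
    """Collects <form> elements and the (type, name) of inputs inside each."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {
                "action": attrs.get("action") or "",
                "method": (attrs.get("method") or "get").lower(),
                "inputs": [],
            }
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["inputs"].append(
                ((attrs.get("type") or "text").lower(), attrs.get("name") or "")
            )

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_forms(html, page_url, legitimate_host):
    """Return one finding per password-collecting form.

    A finding is suspicious when the page itself is not served from
    legitimate_host, or when the form's resolved action would post the
    credentials to some other host (for example a local .php file on the
    server hosting a cloned page).
    """
    parser = FormCollector()
    parser.feed(html)
    page_host = (urlparse(page_url).hostname or "").lower()
    legitimate_host = legitimate_host.lower()
    findings = []
    for form in parser.forms:
        if not any(t == "password" for t, _ in form["inputs"]):
            continue
        target = urljoin(page_url, form["action"])  # relative actions resolve here
        target_host = (urlparse(target).hostname or "").lower()
        reasons = []
        if page_host != legitimate_host:
            reasons.append("page served from %s, not %s" % (page_host, legitimate_host))
        if target_host != legitimate_host:
            reasons.append("credentials would be posted to %s" % target)
        findings.append({
            "target": target,
            "target_host": target_host,
            "method": form["method"],
            "suspicious": bool(reasons),
            "reasons": reasons,
        })
    return findings


# Constructed sample: a cloned sign-in page whose form posts to a local PHP file.
SAMPLE_CLONE = """\
<html><head><title>Sign in to Yahoo!</title></head><body>
<form method="post" action="login.php">
  <input type="text" name="login">
  <input type="password" name="passwd">
  <input type="submit" value="Sign In">
</form></body></html>
"""

# Constructed sample: a form that posts back to the expected host.
SAMPLE_LEGIT = """\
<form method="post" action="https://login.yahoo.com/config/login">
  <input type="text" name="login"><input type="password" name="passwd">
</form>
"""

if __name__ == "__main__":
    for label, html, url in (
        ("clone", SAMPLE_CLONE, "http://free-host.example/yahoo/index.html"),
        ("legit", SAMPLE_LEGIT, "https://login.yahoo.com/"),
    ):
        for f in audit_forms(html, url, "login.yahoo.com"):
            print(label, "suspicious" if f["suspicious"] else "ok", f["target"], f["reasons"])
```

Run it on the HTML a browser saved (or that a mail gateway extracted from a link) together with the URL it came from; the `reasons` list tells an analyst which of the two checks failed, which is the same judgement the post asks users to make by reading the address bar.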

Trend Micro™ Smart Protection Network™ detects malware such as HKTL_SUPERPHISER using the file reputation service and protects users from accessing malicious sites via the Web reputation service.

Non-Trend Micro product users can also stay protected from such threats via free tools like Web Protection Add-On, which is designed to block access to possibly malicious websites in real time.



Mar 1
6:19 pm (UTC-7)   |    by Michael Cabel

Google recently announced its latest service, Google Buzz, which is considered the company’s first step into the social-networking scene. Naturally, hordes of Internet users became interested in the new application. But the buzz also drew unwanted attention from cybercriminals, who have already used the service to spread malware detected by Trend Micro as WORM_PROLACO.AA.

The worm terminates the MCAGENT.EXE process if it is found running on users’ systems. It also drops another malicious file, detected as WORM_SPYBOT.MCS, which exhibits backdoor routines and terminates specific processes.

WORM_PROLACO.AA poses an even greater danger to Mozilla Firefox users, as it installs two Firefox extensions (“Firefox extension” and “Firefox Security 2.0”) by creating specific files on affected systems. These extensions check the browser’s address bar for specific strings related to googlesearchserver, search, google.com, yahoo.com, bing.com, ask.com, and aol.com/aol/search?s_it. If one is found, the malware loads a page that triggers the display of ads on search results pages. The worm further spreads by sending email messages to addresses it gathers from affected systems. It also drops copies of itself in peer-to-peer (P2P) shared folders.

Trend Micro product users need not worry, however, as Smart Protection Network™ blocks user access to malicious sites related to the pop-up ads via the Web reputation service and detects and deletes all related malware via the file reputation service.

Non-Trend Micro product users can also stay protected via HouseCall, a free tool that identifies and removes all kinds of viruses, Trojans, worms, unwanted browser plug-ins, and other malware from affected systems.



Feb 28
9:19 pm (UTC-7)   |    by Norman Ingal (Threat Response Engineer)

News of a performing killer whale allegedly killing its trainer made the headlines this week. Dawn Brancheau, an animal trainer at SeaWorld Florida, was attacked by one of the trained killer whales last Wednesday. This sad event, unfortunately, paved the way for cybercriminals to distribute another FAKEAV variant.

Using the usual blackhat search engine optimization (SEO) techniques, sites hosting the FAKEAV variant immediately topped search engine results. Users who try to find news on the incident are led to poisoned results instead. Trend Micro detects the malware as TROJ_FAKEVIME.CJ.


Clicking the malicious search result above redirects users several times until they see the following message:


Clicking the OK button displays the results of a fake scan, listing malware that has supposedly infected the system. Users are then prompted to follow instructions to remove the supposed malicious files. However, instead of removing anything, those instructions download a malicious file, www1.to_stopthevir_onmypc.in (aka TROJ_FAKEVIME.CJ), onto their systems.


This Trojan modifies the affected system’s HOSTS file, preventing users from accessing specific websites. It also adds entries to the Windows HOSTS file that redirect users to other, possibly malicious, sites.
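Both forms of HOSTS tampering described above (mapping a site to the loopback address so it cannot be reached, and mapping it to some other address so the user is silently redirected) can be found by reading the file back. The following is an added example, not code from the original post or from Trend Micro: it parses HOSTS-format text and reports watched hostnames that have been blocked or redirected, plus any other hostname mapped to a non-local address. The list of watched domains, the sample file contents and the 198.51.100.23 redirect address are constructed for the example; a real deployment would read `C:\Windows\System32\drivers\etc\hosts` and maintain its own watch list.

```python
"""Audit a Windows HOSTS file for FAKEAV-style tampering (added example)."""
import ipaddress

# Domains whose mappings are worth alarming on: security vendors, update
# servers and search engines. Constructed for the example; extend as needed.
WATCHED_DOMAINS = (
    "trendmicro.com",
    "windowsupdate.com",
    "microsoft.com",
    "google.com",
    "bing.com",
    "yahoo.com",
)

# Addresses that make a hostname unreachable rather than redirecting it.
LOCAL_ADDRESSES = {"127.0.0.1", "::1", "0.0.0.0"}

# Constructed sample: a default HOSTS file with lines a Trojan might append.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.  (constructed sample)
127.0.0.1       localhost
::1             localhost
# appended by malware (constructed):
127.0.0.1       www.trendmicro.com
198.51.100.23   www.google.com search.yahoo.com
198.51.100.23   www.example.net
"""


def is_watched(host):
    """True if host is one of the watched domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in WATCHED_DOMAINS)


def parse_hosts(text):
    """Yield (line_no, ip, [hostnames]) for every mapping line.

    Comments (after '#') and blank lines are skipped, as are lines whose
    first field is not a valid IPv4/IPv6 address.
    """
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        yield line_no, parts[0], [h.lower() for h in parts[1:]]


def audit_hosts(text):
    """Return findings in file order; each is {line, ip, host, kind}.

    kind is "blocked" (watched host mapped to a local address),
    "redirected" (watched host mapped elsewhere) or "unexpected_mapping"
    (any other host mapped to a non-local address).
    """
    findings = []
    for line_no, ip, hosts in parse_hosts(text):
        local = ip in LOCAL_ADDRESSES
        for host in hosts:
            if host in ("localhost", "localhost.localdomain"):
                continue
            if is_watched(host):
                kind = "blocked" if local else "redirected"
            elif not local:
                kind = "unexpected_mapping"
            else:
                continue  # local mapping of an unwatched host: not reported
            findings.append({"line": line_no, "ip": ip, "host": host, "kind": kind})
    return findings


if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        print("line %(line)d: %(host)s -> %(ip)s (%(kind)s)" % f)
```

Mappings of unwatched hosts to the loopback address are deliberately not reported, because ad-blocking host lists legitimately do exactly that; a watched vendor or update site pointing at loopback, or any host pointing at an outside address the administrator did not add, is the pattern worth investigating.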

TROJ_FAKEVIME.CJ, like its predecessors, also shows spoofed warning messages to convince users to purchase a fake antivirus. To learn more about this, you can check out Trend Micro’s findings in Predictably Unpredictable FAKEAVs.

Using tragedies, calamities, and other newsworthy incidents to propagate FAKEAV variants is no longer new. Trend Micro has blogged about similar events such as the recent plane crash in Austin, Texas.

Trend Micro™ Smart Protection Network™ protects customers from this and similar threats by blocking user access to all related malicious sites via the Web reputation service. It also detects and prevents the download of malicious files such as TROJ_FAKEVIME.CJ via the file reputation service.

Non-Trend Micro product users can also stay protected from such threats via free tools like Web Protection Add-On, which prevents user access to potentially malicious websites.



Feb 24
2:19 am (UTC-7)   |    by Jonathan Leopando (Technical Communications)

Within days of Adobe’s release of out-of-band security updates for both Acrobat and Reader, word now comes from security researcher Aviv Raff of another new vulnerability in an Adobe product.

The flaw was found in Adobe Download Manager (DLM), an application Adobe uses to deliver common applications (e.g., Flash and Reader) to users’ systems. Normally, it cannot be used to download non-Adobe files onto users’ systems. However, according to Raff, a vulnerability in DLM allows third parties to download and install files onto users’ systems, in effect turning it into a malware downloader.

Raff has not released specific details about this vulnerability and has indicated that he will not do so until the problem has been resolved by Adobe. On Tuesday, Adobe released a new security bulletin indicating that it has resolved the issue. Users who used Adobe DLM to download either Flash or Acrobat from February 23, 2010 onwards are safe; everyone else is advised to remove the Adobe Download Manager entry in the Add/Remove Programs applet in the Windows Control Panel.

This is not the first time DLM has proven vulnerable to malicious attacks. In fact, in January of this year, a remote code execution vulnerability in the application was among those Adobe patched.

This was on top of a bug that Raff also discovered earlier, which allowed DLM to be triggered into downloading Adobe or Adobe-approved applications by visiting a specific URL on the company’s site. If an unpatched vulnerability in an Adobe product was present at the time, this bug could allow cybercriminals to install the vulnerable application onto users’ systems and then exploit it to execute malware.

Security Has a Price—Problems with Security Updates

Trend Micro researcher Rajiv Motwani notes that the combined impact of fixing these and other similar holes in a relatively short period of time is becoming problematic for users, particularly enterprises. In theory, Adobe is supposed to release quarterly security updates for its products, but regular discoveries of new flaws have significantly undermined that plan.

Though unscheduled patches pose problems for home users and small businesses, large enterprises face greater risks. System administrators are traditionally loath to use automatic updates on enterprise systems, as these may disrupt important business operations.

The burden of updating systems then falls either on users or on administrators, neither of whom finds this an appealing proposition. It is therefore likely that systems will not be updated, leaving them wide open to exploits. A Trusteer study found that this was exactly the case for Adobe products, revealing that only 7 percent of product users had updated versions of Acrobat applications, while only 19 percent had updated Flash versions.

These concerns are present for every application. However, for Adobe products like Flash and Acrobat, the risks are greater because of the vendor’s success. The same Trusteer study found that more than 90 percent of users run some version of Flash, while 99 percent run Acrobat or Reader applications.

As Motwani notes, these two factors—Adobe’s high market penetration and users’ failure to regularly patch their systems—not only raise the number of systems that can potentially be affected. They also mean that organizations face the added burden of testing each patch for stability and/or performance issues and of rolling it out in a phased manner.

Solutions and Best Practices

Consumers and small businesses will benefit most by applying any Adobe patch as soon as it is released. Both Flash and Acrobat products now include standard auto-update features that can be scheduled to check for updates regularly.

For OfficeScan enterprise users, the Intrusion Detection Firewall (IDF) plug-in helps protect against threats of this nature, providing protection until system administrators deem it acceptable to roll out the relevant patches.



Feb 24
2:04 am (UTC-7)   |    by Jonathan Beltran (Anti-Spam Research Engineer)

TrendLabs Web content security analysts recently received spammed messages (see Figure 1) purporting to come from the Bank of Nevada. At first, the attack looks like any other common phishing attack. However, users who are tricked into clicking the URL embedded in the spammed messages are redirected to a fake Bank of Nevada home page (see Figure 2).


After a second or two, users are redirected again, this time to a malicious adult site.


At present, TrendLabs engineers have identified 29 unique domains related to this phishing attack. Note, however, that the cybercriminals behind it used more than 1,000 URLs and spammed messages.

The Bank of Nevada has acknowledged this phishing attack on its home page (see Figure 5) and has issued its own statement on its site to protect its online banking customers (see Figure 6).


Trend Micro™ Smart Protection Network™ protects product users from this attack by preventing the spammed messages from reaching users’ inboxes via the email reputation service and by blocking access to malicious sites and domains via the Web reputation service.

Non-Trend Micro product users can also stay protected by using eMail ID, which keeps fake messages from reaching their inboxes and helps them quickly find legitimate messages.



© Copyright 2010 Trend Micro Inc. All rights reserved.