Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Mobile Vulnerabilities

  • Zero-Day Alerts

  • Recent Posts

  • Calendar

    May 2012
    S M T W T F S
    « Apr   Jun »
  • Email Subscription

  • About Us

    Archive for May 10th, 2012

    Last month, we have seen cybercriminals use the popularity of apps like Instagram and Angry Birds Space to deliver malware on Android phones. This time, we spotted the same social engineering tactic using Adobe‘s name.

    This webpage is also found to be hosted on Russian domains, similar to the fake Instagram and Angry Birds Space apps that we previously reported. To further entice users into downloading the fake Adobe Flash Player app, the text on the webpage claims that it is fully compatible with any Android OS version:

    When users opt to download and install the said fake app, the site connects to another URL to download malicious .APK file, which Trend Micro detects as ANDROIDOS_BOXER.A. ANDROIDOS_BOXER.A is a premium service abuser, which means it sends messages to premium numbers without the user’s permission, thus leading to unwanted charges. This type of Android malware is just one of the types we were able to identify in our infographic, A Snapshot of Android Threats.

    Upon further investigation, we have seen a bunch of URLs that are hosted on the same IP as this particular website. Based on the naming alone used in these URLs, it appears that Android is a favorite target for cybercriminals behind this scheme.

    Trend Micro protects your Android phones from accessing these malicious sites and from downloading malicious .APK files on your phones via the Mobile Security Personal Edition app. Apart from blocking access to malicious sites, our app scans each app you install to ensure your safety.

    For your reference, Adobe Flash Player from Adobe Systems can be downloaded via the Google Play store.

    Posted in Bad Sites, Malware, Mobile | Comments Off on Malware Masquerades as Flash Player for Android

    In light of the slew of persistent black hole spam runs, we have been tracking and investigating this threat that leads users to the black hole exploit. These attacks typically start with a spammed message containing a link to a compromised website that redirects a user’s browser to a malicious site hosting the said exploit. The payload of this threat is to install ZeuS variants onto user systems in order to steal sensitive information from users.

    Trend Micro Solution for Black Hole Spam Runs

    Focusing on the black hole exploit kits at the infection point when the malware begins to download may not be enough. We focus instead at the start of the attack. Because the email is where the threat starts, detection is needed at the beginning, for the phishing email is sent to lure users into clicking the URL that will ultimately lead to the site that downloads the malware.

    We created a system that uses big data analysis and the power of Trend Micro™ Smart Protection Network™, for a unique view of these attacks as they occur, so solutions can be quickly created. Once the details of the attacks are correlated and mapped out, solutions are released to the cloud to protect customers via Smart Protection Network™.

    Insight into Black Hole Exploit Attacks as the Attacks Occur

    The initial challenge for this threat came from the compromised websites. Owners of these compromised websites need to constantly clean up the sites that get compromised. However, the compromised websites that are still vulnerable may still be used in the next attack.

    In the past weeks, black hole exploit-related activities employed social engineering lures using well-known companies like LinkedIn, US Airways, Facebook, American Express, PayPal, and Careerbuilder. The messages we’re seeing are highly intelligent and well-crafted phishing messages that gain the trust of users. The format and wording of these email messages were made to look exactly the same as the legitimate messages from these companies. This is why these messages are difficult to detect using traditional methods.

    One of the spam runs we investigated used the popular business-related site LinkedIn. At the beginning of this run, we identified more than 300 URLs, which were distributed across more than 100 compromised websites.

    Read the rest of this entry »

    Posted in Botnets, Exploits, Spam | Comments Off on Protecting Customers From Black Hole Exploit Kit Spam Runs


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice