TrendLabs Security Intelligence Blog

    Archive for July 26th, 2012




    We found a spam mail written in Japanese leveraging the Olympics to sell illegal products. We fully expected this event to be used by cybercriminals to profit. It appears that among the first to strike are sellers of B-CAS cards for TVs, which are supposed to allow the users to watch the Olympics without paying.

    These spammed messages, which carry the subject line オリンピック全日程が見放題 (rendered in English as "Free access to all Olympic games"), contain a link leading to websites that sell the illegal B-CAS cards. The message claims that you would normally have to pay more than 400,000 Japanese yen (more than 5,000 US dollars) per year to watch premium channels, whereas the (illegal) B-CAS cards let you watch these channels for free.

    The website of these illegal cards describes these cards as “miracle cards” in Japanese:

    The order form, which asks the user for their name, email address, number of cards to be bought, shipping address, and contact information, does not use HTTPS, which any reputable vendor uses to protect the transaction from interception. Not only is the site selling illegal goods, it is also set up in a manner that would be insecure for any online commerce site.
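The plaintext order form is the kind of thing that can be checked mechanically. The following is an added example (not code from this post or from Trend Micro): it parses a page's HTML, resolves each form's action URL against the page URL, and flags forms that would send personal-data fields over plain HTTP. The page URL, the hostname example-cas.example and the form markup are constructed to mirror the fields described above; the list of "sensitive" field-name fragments is a heuristic assumption.

```python
"""Flag HTML forms that would submit personal data over plain HTTP.

Added example, not code from the post. The page URL and the order form
below are constructed to mirror the fields the post describes (name,
email, quantity, shipping address, contact info); example-cas.example is
not a real site.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Field-name fragments that suggest personal or payment data (assumption:
# a heuristic list; extend it for the forms you audit).
SENSITIVE_FRAGMENTS = ("name", "email", "address", "phone", "tel", "contact",
                       "card", "zip", "postal")

PAGE_URL = "http://www.example-cas.example/order.html"
PAGE_HTML = """
<html><body>
<h1>Miracle card order form</h1>
<form action="/order.php" method="post">
  Name <input name="customer_name">
  E-mail <input name="email">
  Quantity <select name="quantity"><option>1</option></select>
  Address <textarea name="ship_address"></textarea>
  Contact <input name="contact_phone">
  <input type="submit" value="Order">
</form>
<form action="https://search.example/q" method="get">
  <input name="q"><input type="submit" value="Search">
</form>
</body></html>
"""


class FormCollector(HTMLParser):
    """Collect every <form> with its action, method and named fields."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "",
                             "method": (a.get("method") or "get").lower(),
                             "fields": []}
        elif tag in ("input", "textarea", "select") and self._current is not None:
            if a.get("name"):
                self._current["fields"].append(a["name"])

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def audit_forms(page_url, html):
    """Return one finding per form that sends sensitive fields without TLS."""
    parser = FormCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for form in parser.forms:
        # An empty action submits to the page itself; a relative action
        # inherits the page's scheme, which is the usual way http leaks in.
        target = urljoin(page_url, form["action"]) if form["action"] else page_url
        scheme = urlsplit(target).scheme.lower()
        sensitive = [f for f in form["fields"]
                     if any(frag in f.lower() for frag in SENSITIVE_FRAGMENTS)]
        if scheme != "https" and sensitive:
            findings.append({"action": target, "method": form["method"],
                             "fields": sensitive})
    return findings


if __name__ == "__main__":
    for f in audit_forms(PAGE_URL, PAGE_HTML):
        print("plaintext %s to %s exposes %s"
              % (f["method"].upper(), f["action"], ", ".join(f["fields"])))
```

Resolving the action against the page URL matters: a form with a relative action on an http:// page is just as exposed as one with an explicit http:// action, while the same markup served over https:// would pass.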

    Based on its IP address, we have identified the server as being located in Hong Kong. Other landing pages for sites that also sell B-CAS cards are hosted on this same server.

    Here are some of the malicious URLs that we found on the server:

    • http://www.{BLOCKED}.com/
    • http://www.{BLOCKED}as.com/
    • http://www.{BLOCKED}atellite.net/
    • http://www.{BLOCKED}cas.com/
    • http://www.{BLOCKED}cesat.com/
    • http://www.{BLOCKED}dshop.net/
    • http://www.{BLOCKED}ear.com/
    • http://www.{BLOCKED}fect.com/
    • http://www.{BLOCKED}g-cas.com/
    • http://www.{BLOCKED}g-cas.net/
    • http://www.{BLOCKED}inareru.com/
    • http://www.{BLOCKED}lltv.com/
    • http://www.{BLOCKED}money-yes.com/
    • http://www.{BLOCKED}opping.biz/
    • http://www.{BLOCKED}s.com/
    • http://www.{BLOCKED}-satellite.com/
    • http://www.{BLOCKED}tylefree.com/
    • http://www.{BLOCKED}y2012.com/

    Note that the above URLs are all hosted on a single IP. The following diagram shows the relationship between the various sites and this single IP address, as well as the overall infection chain:
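Pivoting from one known-bad hostname to everything else on the same IP is how a single spam link turns into a blocklist like the one above. The following is an added example (not Trend Micro's tooling and not tied to the {BLOCKED} hostnames, which are deliberately not reproduced): it groups passive-DNS style (hostname, IP) observations by IP, lists the hostnames co-hosted with a seed, and emits URL-filter entries for them. The hostnames and IPs are constructed; the IP ranges are RFC 5737 documentation ranges, so nothing here resolves to a real host.

```python
"""Pivot from one known-bad hostname to the sites co-hosted on the same IP.

Added example (not Trend Micro's tooling). The hostnames and IP addresses
below are constructed for illustration: 203.0.113.0/24 and 198.51.100.0/24
are RFC 5737 documentation ranges, so nothing here resolves to a real host.
"""
import socket
from collections import defaultdict

# Constructed passive-DNS style observations: (hostname, resolved IPv4).
SAMPLE_RECORDS = [
    ("www.example-cas.com", "203.0.113.10"),
    ("www.example-satellite.net", "203.0.113.10"),
    ("www.example-dshop.net", "203.0.113.10"),
    ("www.example-y2012.com", "203.0.113.10"),
    ("www.unrelated-shop.example", "203.0.113.77"),
    ("www.other-site.example", "198.51.100.5"),
]


def _norm(host):
    """Lower-case a hostname and drop a trailing dot so lookups match."""
    return host.strip().lower().rstrip(".")


def group_by_ip(records):
    """Return {ip: sorted hostnames} from (hostname, ip) pairs."""
    groups = defaultdict(set)
    for host, ip in records:
        groups[ip].add(_norm(host))
    return {ip: sorted(hosts) for ip, hosts in groups.items()}


def cohosted_with(seed_host, records):
    """Every hostname sharing an IP with seed_host, excluding the seed itself."""
    seed = _norm(seed_host)
    shared = set()
    for hosts in group_by_ip(records).values():
        if seed in hosts:
            shared.update(h for h in hosts if h != seed)
    return sorted(shared)


def dense_ips(records, min_hosts=3):
    """IPs serving at least min_hosts distinct hostnames (bulk-hosting candidates)."""
    return sorted(ip for ip, hosts in group_by_ip(records).items()
                  if len(hosts) >= min_hosts)


def blocklist_urls(seed_host, records):
    """Seed plus its co-hosted hostnames as http:// URLs for a URL filter."""
    hosts = [_norm(seed_host)] + cohosted_with(seed_host, records)
    return ["http://%s/" % h for h in hosts]


def resolve_live(hosts):
    """Build records by live A-record lookup. Only query hosts you are
    allowed to touch; the offline sample above does not call this."""
    out = []
    for h in hosts:
        try:
            out.append((h, socket.gethostbyname(h)))
        except socket.gaierror:
            pass
    return out


if __name__ == "__main__":
    seed = "www.example-cas.com"
    print("bulk-hosting IPs:", dense_ips(SAMPLE_RECORDS))
    for url in blocklist_urls(seed, SAMPLE_RECORDS):
        print(url)
```

Co-hosting alone is weak evidence on shared hosting (a busy IP may serve thousands of unrelated sites), which is why the post also relies on the content of the landing pages; use the co-hosted list as candidates to review, not as an automatic block.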

    The Trend Micro™ Smart Protection Network™ protects users from this threat by preventing the spammed messages from reaching users' inboxes via the Email Reputation Service, and by blocking access to the malicious sites via the Web Reputation Service. We have blocked more than 2,500 attempts by Japanese users to access these sites in the last 30 days.

    We advise users to not purchase anything from these sites, as they could face criminal prosecution for merely buying these devices. Recently, the Kyoto Prefectural Police announced they had arrested both buyers and sellers of illegal B-CAS cards.

    With the Olympics only days away from starting, we expect other threats related to this event soon. Here are some blog entries and Web Attack entries that discuss similar threats:


    For complete information on the latest Olympic-themed threats, including quizzes and safety guides, visit Race to Security, the Trend Micro security guide to major sporting events such as the Olympics.

    Posted in Bad Sites



    Despite the presence of the legitimate Google Play app store, cybercriminals are still hooking users by distributing malicious Android games themselves. Now, they’re taking advantage of a list of best-selling Android games.

    As before, the criminals have created .RU domains for each Android game they’re (supposedly) distributing. Links to these domains will spread via forum or blog posts, as well as email. Here’s a full list of the games that are being used by this new wave of mobile malware:

    If you look closely at the above list, you can see the wide selection of targeted apps. These include newly developed games like Cut the Rope: Experiments and Amazing Alex; Editor’s Choice apps like World of Goo, Shadowgun, Sprinkle, Where’s My Water, Osmos HD, Riptide GP and Angry Birds Space Premium. Many of these are top sellers as well.

    Aside from best-selling games, popular movie franchises like The Amazing Spiderman and The Dark Knight Rises are also being exploited, even though no such games actually exist. Here is the page for the supposed Spiderman game:



    All of the download links on these pages redirect users to a separate site, where the malicious APK files are actually hosted. Some of the sites also include QR codes, but these lead to the same files. (We detect these files as ANDROIDOS_SMSBOXER.B.) This malware family is notorious for abusing premium-rate service numbers, which can result in high phone charges for the user.
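A "game" that only needs to send text messages gives itself away in its manifest. The following is an added example (not Trend Micro's detection logic and not derived from the ANDROIDOS_SMSBOXER.B sample): it triages a decoded AndroidManifest.xml for the permissions and components an SMS-billing Trojan needs. The manifest is constructed; a real APK stores its manifest as binary XML, so decode it first (for instance with apktool) before feeding it in. The high-priority SMS_RECEIVED receiver heuristic is a general trait of SMS-fraud apps (used to swallow carrier confirmation messages) and is an assumption here, not something this post states about the family.

```python
"""Static triage of a decoded AndroidManifest.xml for SMS-fraud indicators.

Added example, not Trend Micro's detection logic and not derived from the
ANDROIDOS_SMSBOXER.B sample. The manifest below is constructed; decode a
real APK's binary-XML manifest (e.g. with apktool) before calling
triage_manifest(). The high-priority SMS_RECEIVED heuristic is a general
assumption about SMS-billing Trojans, not a statement from the post.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = "{%s}name" % ANDROID_NS
PRIORITY = "{%s}priority" % ANDROID_NS
SEND_SMS = "android.permission.SEND_SMS"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"

# Constructed manifest imitating a fake game that only asks for SMS rights.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakegame">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Cut the Rope">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""


def _priority(intent_filter):
    """android:priority may be a resource reference (@integer/...) in real
    manifests; treat anything non-numeric as the default priority 0."""
    try:
        return int(intent_filter.get(PRIORITY, "0"))
    except ValueError:
        return 0


def triage_manifest(xml_text):
    """Return package, permissions, SMS receivers and a list of risk flags."""
    root = ET.fromstring(xml_text)
    perms = sorted(p.get(NAME, "") for p in root.iter("uses-permission"))
    sms_receivers = []
    for rcv in root.iter("receiver"):
        for flt in rcv.iter("intent-filter"):
            actions = {a.get(NAME) for a in flt.iter("action")}
            if SMS_RECEIVED in actions:
                sms_receivers.append((rcv.get(NAME, "?"), _priority(flt)))
    flags = []
    if SEND_SMS in perms:
        flags.append("SEND_SMS: app can text premium-rate numbers and bill the subscriber")
    if any(prio >= 1000 for _, prio in sms_receivers):
        flags.append("high-priority SMS_RECEIVED receiver: can read or abort "
                     "incoming SMS before the messaging app sees them")
    return {"package": root.get("package"), "permissions": perms,
            "sms_receivers": sms_receivers, "flags": flags}


if __name__ == "__main__":
    result = triage_manifest(SAMPLE_MANIFEST)
    print(result["package"], result["permissions"])
    for flag in result["flags"]:
        print(" -", flag)
```

Neither flag is proof of malice on its own (a legitimate messaging app needs both), but a title marketed as a game that asks for SEND_SMS and registers a top-priority SMS receiver is worth pulling aside before it reaches a device.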

    Trend Micro customers are protected: the Smart Protection Network blocks the malicious URLs and detects the files. Trend Micro Mobile Security for Android also detects these malicious apps, preventing their installation on mobile devices.

    As we mentioned earlier, these particular attacks against Russian Android users are not new. Previous attacks have claimed they were websites for Angry Birds Space, Farm Frenzy 3 and Temple Run. (We have compiled a Web Attack entry discussing these threats as well.)

     
    Posted in Bad Sites, Malware, Mobile


     

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice