Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Mobile Vulnerabilities

  • Zero-Day Alerts

  • Recent Posts

  • Calendar

    April 2013
    S M T W T F S
    « Mar   May »
  • Email Subscription

  • About Us

    Archive for April 19th, 2013

    No less than a day or so after we discovered the spam campaign taking advantage of the Boston Marathon bombing, we came upon yet another spam campaign, very similar to the previous one except this time it uses the Texas fertilizer plant explosion as a lure.  The fertilizer plant explosion occurred a mere few days after the tragedy in Boston, with 35 suspected dead and more than 160 people injured.

    What’s disturbing about the discovery of this particular campaign is that not only does it come hot on the heels of the previous one, but the fact that they seem eerily similar to each other. Upon further analysis, we’ve discovered that the malicious URLs that the spammed mails link to have identical structures, right down to the domains. Even their spammed mails are similar to each other.


    Fig 1. The Boston Marathon explosion spammed email


    Fig 2. Texas plant explosion spammed email

    The only thing distinguishing them from each other was the document file name that the URL lead to – i.e. one URL from the Boston spam campaign lead to “boston.html” while the one from Texas lead to “texas.html”. It was as if the cybercriminals chose to capitalize on the latest tragedy by simply switching names.  The malicious URLs, of course, lead to exploit landing pages that could compromise an affected user’s system.

    We’ve also noted certain Twitter accounts spreading links using keywords related to the MIT shooting in Boston. These links redirect users to various websites of dubious reputation (most adware or spam-related). Though we have yet to see these links redirect to any malware-hosting website, users must still be cautious with their social media activities.


    Figure 3. Tweets leading to various dubious sites

    Read the rest of this entry »

    Posted in Spam | Comments Off on Cybercriminals Quickly Take Advantage of Texas Fertilizer Plant Blast, MIT Shooting

    Besides the fake Facebook Profile Viewer ruse, we found another Facebook scam that lures users into downloading a fake Adobe Flash Player plugin. We noticed countless feeds pointing to a Facebook page with more than 90 million “likes”. For some, this huge number of Facebook likes may be enough for them to check the page out. It also means that the page is quite popular and may lead users into thinking that it is legitimate and harmless.

    Figure 1. Spammed Facebook post

    However, we verified that this 91 million Likes is not true at all and is merely a social engineering lure. Once users visit the page, they are instead lead to this site.


    Figure 2. Users are lead to this site that host fake Adobe Flash plugin

    From the looks of it, the page is supposed to host an Adobe Flash Player plugin (detected as TROJ_FAKEADB.US). If user downloads the plugin and is browsing the page via Google Chrome, the page will automatically close and a Chrome extension file is dropped. This extension file is detected as TROJ_EXTADB.US.

    Once installed, the malware will spam the same post using the affected user’s account (even tagging their friends in the message.) Also, TROJ_EXTADB.US was found to send and receive information from certain URLs. We already blocks access to all the URLs related to this threat.

    Read the rest of this entry »

    Posted in Bad Sites, Malware, Social | Comments Off on Fake Page With “90 Million Likes” Leads to Fake Adobe Flash


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice