Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Recent Posts

  • Calendar

    November 2013
    S M T W T F S
    « Oct   Dec »
     12
    3456789
    10111213141516
    17181920212223
    24252627282930
  • Email Subscription

  • About Us
    TrendLabs Security Intelligence Blog(breadcrumbs are unavailable)

    Archive for November 26th, 2013




    For many, the holiday season is a season for shopping and spending. But cybercriminals see it in a different light—they see it as a prime opportunity to steal.

    Take, for example, online shopping. Malicious websites to try and trick online shoppers into giving them their money instead of the legitimate shopping websites. These sites are often made to look exactly like the website they’re mimicking, and feature a login screen that asks the user to enter their personal information. They are interested in any and all kinds of login information – for example, we recently saw phishing sites that stole the Apple IDs of users.

    We have kept track of the number phishing sites created since 2008. We pay particular attention to those that target Christmas shoppers and/or have holiday themes. There are plenty of these, and they persist all year. Unsurprisingly, they rise towards the end of the year, as seen in the graph below:

    Figure 1. Christmas-related / Holiday-themed Phishing Sites

    These sites also peak during big shopping dates, such as Black Friday and Cyber Monday. Online shoppers tend to search for huge discounts on these dates.

    Cybercriminals target specific items that users might be looking for in particular when shopping online, such as gadgets (tablets, smartphones and DSLR cameras) toys, video games/consoles, software, and so on. We examined the most popular items sold and wished for on online shopping sites and compared them with the phishing sites we saw. We found that these were the most targeted items:

    Figure 2. Top 10 Most Targeted Shopping Items

    Spam campaigns also take advantage of the season. We recently found a spam campaign which targeted British users. This campaign promoted cheap flights to destinations in the Canary Islands—popular tourist destinations for Britons. The name of a well-known provider of travel packages was also used.

    Figure 3. Sample Holiday Spam

    The email contains a .ZIP file that claims to contain more available holiday destinations. Opening the archive yields a .PDF file that is actually a malicious executable file. (We detect this file as TROJ_DLOAD.NOM.) Its final payload is  a ZBOT variant, which can steal critical personal information of users from their systems.

    Figure 4. Malicious File In Archive

    Users can avoid these threats by following these tips:

    • Don’t use search engines to find good deals. Web threats lurk in search engine results, and they’re often pushed up to the top of the first page because of Blackhat SEO. Instead, bookmark popular and well-established shopping websites and do your searching from there.
    • If it’s a deal too good to be true, it probably is. Half-off promos and amazing discounts certainly exist (moreso during the holidays) but if it’s from an unfamiliar website or simply just beyond any reasonable sense of scale, then chances are it’ll lead to a web threat.
    • Use online shopping apps instead of using your mobile browser. If you’re a huge online shopper and you use your mobile device to do all your buying, check if your favorite site has an app and use that instead. This allows for a more secure transaction between you, the customer, and the website itself—removing the chance for web threats.
    • Install a security solution. A security solution can easily remove the risk of you accidentally stumbling onto opportunistic web threats when you’re shopping online by blocking malicious websites before you can even get to them. It also detects and removes any suspicious files or malware that may end up in your devices.

    For more information on the threats that plague online shopping as well as how to shop in a safe manner, check out our latest e-guide, How to Safely Shop Online, as well as our latest image gallery, 5 Most Popular Online Shopping Items for Cybercriminals.

    Update as of 10:15 PM PST, November 26.

    As expected, cybercrmininals have started to leverage Black Friday, which usually marks the start holiday shopping season. Similar to the Halloween threats we noted previously, we uncovered several Black Friday-themed spam that lead to survey scam sites. These scams steal information from users by posing as survey questionnaires, asking personally identifiable information (PII) such as email addresses, contact information etc.

    black_friday_sample

    Figures 4-5. Black Friday-related spam

     
    Posted in Bad Sites, Malware, Spam | Comments Off



    Several months ago, we found that several Ice IX servers were hosted in the .co.za (South Africa) top-level domain. Our research revealed that these servers were all tied to a group of individuals located in Nigeria.

    To recap, Ice IX is a popular banking Trojan that was heavily used by these criminals, together with the better-known ZeuS malware. These types of threats are known for stealing the login credentials of users to banks, email addresses, and social networks.

    On some of the servers, there was an infected machine located in Nigeria that the cybercriminals seemed to be using as a proxy to connect to their Ice IX and ZeuS control panels:

    Figure 1. Infected machine used as proxy

    These cybercriminals are also engaged in other online crimes, such as setting up phishing websites for banks and social media, as well as operating classic Nigerian 419 scams. In order to send the spam messages necessary to carry out these attacks, they also hacked into legitimate servers and installed a PHP mailer.

    We identified three individuals as part of the group responsible for these crimes, and they are all located in Lagos, the commercial capital of Nigeria. We believe that they are all part of a larger organization that goes beyond Nigeria. This highlights how African cybercrime is growing and how the region may become a major player in a near future.

    More details about this syndicate may be found in our paper “Ice 419″.

     
    Posted in Malware | Comments Off


     

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice