    TrendLabs Security Intelligence Blog
    Archive for April 24th, 2014




    A few days ago, America Online, or AOL, confirmed that its mail service, AOL Mail, had been hacked: the affected accounts (allegedly only 1% of its entire customer base) were either compromised or spoofed to send spam with links leading to phishing pages. We combed through the Internet to look for samples of the phishing spam being sent, and they popped up readily in our searches.

    Figure 1. AOL Mail spam sample

    Figure 2. Second AOL Mail spam sample

    The spammed messages themselves are simple and to the point: just a sentence or two, written to look like a casual, quickly-written email from one of the recipient’s contacts. The link is presented right after the bait text, typed out in full. When clicked, it leads to fake pages posing as online health magazines or online cooking recipe websites, which then redirect to a landing/phishing page. The phishing page masquerades as a sign-up form that asks for the user’s personal information, such as their phone number and email address.

    Figure 3. Final landing and phishing page

    Using data gathered from the Trend Micro Smart Protection Network, we saw that 94.5% of the users who visited the final landing page came from the United States. Other top countries affected include Japan, Canada, France, and the United Kingdom. Analysis also shows that these phishing pages are hosted in different countries, including Russia, the United States, Hong Kong, and Germany.

    While this may seem to be a relatively minor attack as far as hacking attacks go, with the compromised mail accounts only used to send spam messages leading to phishing websites rather than something more obviously damaging, such as sending malicious files or mining the mailboxes themselves for personal information, the fact that the culprits could easily have done so is enough to make this a serious security incident. There’s also the fact that even if only 1% of AOL Mail’s 24 million total user base was indeed compromised, that’s still 240,000 email accounts under the control of cybercriminals, to do with whatever they want.

    A day after the attack itself was revealed, AOL came out with another announcement, saying that it had modified its DMARC policy to combat the spoofed mail spam. This change instructs receiving mailbox providers to reject bulk mail that claims to come from AOL if it was not sent through an AOL server.

    While this does alleviate the spoofed email spam issue somewhat, it also affects bulk AOL mail that had previously been authorized to be sent through third-party servers, and it does not address the compromised accounts at all. For those, AOL has pointed victims to its Mail Security page, which instructs users on how to secure their hacked accounts and how to recognize scam/spam emails.
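    To make the DMARC change concrete, here is an added example (not code from this post or from AOL) that models how a receiving mailbox provider applies a p=reject policy: a message passes only if SPF or DKIM succeeded for a domain aligned with the From: domain, otherwise the policy's disposition is applied. The DMARC record and the sender domains below are constructed for illustration and are not AOL's actual record.

```python
# Constructed DMARC record illustrating a p=reject policy (not AOL's real record).
CONSTRUCTED_RECORD = "v=DMARC1; p=reject; adkim=r; aspf=r"


def parse_dmarc(record):
    """Split a DMARC TXT record ('tag=value; ...') into a dict of tag -> value."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def org_domain(domain):
    """Crude organizational-domain reduction (last two labels). Real receivers
    consult the Public Suffix List; this is enough for the constructed inputs."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    accepts the same organizational domain. None means that check failed."""
    if auth_domain is None:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_disposition(record, from_domain, spf_pass_domain, dkim_pass_domain):
    """Return 'pass' if either SPF or DKIM passed for an aligned domain,
    otherwise the disposition named by the p= tag (none/quarantine/reject)."""
    tags = parse_dmarc(record)
    spf_ok = aligned(spf_pass_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = aligned(dkim_pass_domain, from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"
    return tags.get("p", "none")


if __name__ == "__main__":
    # Constructed cases: legitimate mail via an AOL server, spoofed spam from a
    # spammer's own server, and a third-party bulk sender using an AOL From: address.
    print(dmarc_disposition(CONSTRUCTED_RECORD, "aol.com", "aol.com", None))
    print(dmarc_disposition(CONSTRUCTED_RECORD, "aol.com", "spammer.example", None))
    print(dmarc_disposition(CONSTRUCTED_RECORD, "aol.com", "bulk-sender.example",
                            "bulk-sender.example"))
```

    The third case is the side effect described above: a bulk sender that was allowed to use AOL From: addresses but signs and sends from its own domain now fails alignment and is rejected just like the spoofed spam.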

    We once again remind users to always be vigilant when it comes to their mail, whichever email service they use. Always think before you click that link. Verify first before doing anything.

    Trend Micro security offerings already detect and block all the spammed mails and phishing URLs related to this attack.

    With additional analysis from Gideon Hernandez, Paul Pajares, and Ruby Santos.

    Posted in Bad Sites, Spam



    Two weeks ago, we talked about how many sites in the top 1 million domains (as judged by Alexa) were vulnerable to the Heartbleed SSL vulnerability. How do things stand today?

    Figure 1. Sites vulnerable to Heartbleed as of April 22

    Globally, the percentage of sites that are vulnerable to Heartbleed has fallen by two-thirds, to just under 10 percent. Only three TLDs we looked at have percentages above the global number: Brazil (.BR), China (.CN), and Russia (.RU).

    The only TLD with a 100% cleanup record was the .gov domain, reserved for the use of US government sites. The Australian (.AU), British (.UK), German (.DE), and Indian (.IN) TLDs also had rates that were significantly lower than the global average.

    Overall, the numbers leave room for optimism when it comes to addressing Heartbleed. Most system administrators have paid attention to the warnings and patched their servers accordingly. The question is now whether the remaining 10% of vulnerable domains will be patched sooner rather than later, or if we will be stuck with a non-trivial portion of the Internet that will be left at risk.

    For users who want to test whether the sites they use are at risk, a Trend Micro Heartbleed detector app may be found in the Google Play store, the Google Chrome store, and on the web.

     For other posts discussing the Heartbleed bug, check our previous entries:

    Posted in Vulnerabilities



    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice