    TrendLabs Security Intelligence Blog

    Archive for May 20th, 2014




    As the 2014 FIFA World Cup Brazil draws near, we are seeing more threats using the event as bait. We recently talked about cybercriminals in Brazil taking advantage of the event to spread malware, but we’ve found that the threats have gone beyond that: we’ve spotted fake FIFA websites selling game tickets.

    One of the sites we found even has different subdomains for different countries, as shown in the diagram below:

    Figure 1. Multiple subdomains of scam site


    On the site meant for visitors from Brazil, would-be fans can buy a ticket for the final game for 8,630.20 reais (just under 3,900 US dollars). This price is almost 4000% higher than the official price on FIFA’s website.

    At a Brazilian complaints site, a user reported that he bought three tickets for the Portugal versus Germany match from this site but had not received any tickets. The victim also claims that the scam site lists no phone number at which it can be contacted. Another complaint on the same site says the only way to reach the scammers is via chat or email.


    Figure 2. Screencap of the complaint

    The domain name was registered on May 27, 2013, with no clear owner, although the registration was made in Spain. The site is hosted on a major cloud service provider, and the Brazilian site accepts payment via a legitimate online payment service with offices in São Paulo, Brazil.

    This scam is an example of how different legitimate services (hosting, domain registration, online payment system) can be used fraudulently to scam victims around the globe.

    We protect our customers by blocking the fraudulent sites we encountered here. We also would like to remind users not to visit scam sites like these, and remember that only FIFA is authorized to sell tickets for the World Cup games.

    The Race to Security hub contains aggregated TrendLabs content on security stories related to major sporting events. We’ll soon be featuring the 2014 FIFA World Cup.

     
    Posted in Bad Sites



    We’ve previously discussed how difficult it is to safely connect to networks when on the go. This is particularly true on vacations and holidays, where the availability of Internet access is one of the most important factors when looking for a place to stay. In fact, many holiday lodges and hotels today have made Wi-Fi access an integral part of their offered amenities. With all the fun and relaxation set before you, it is easy to take secure Internet access for granted.

    The story below took place in exactly such a situation. While I was on vacation, using the provided Internet access, the Facebook app on my smartphone refused to connect. Other apps and websites worked fine, however.

    Trying to access YouTube using the mobile browser resulted in this:

    Figure 1. Fake YouTube alert

    Obviously, the above warning made no sense on an Android device. What would happen if I tried to access Facebook on a PC, then? The same issue occurred – and an off-guard user might not find it suspicious at all:

    Figures 2-3. Fake Facebook alerts

    If the user clicked the OK button on either of the two messages, the following pages would appear:

    Figure 4. Fake Internet Explorer update

    Figure 5. Fake Adobe Flash Player update

    Both pages carry fine print saying that they are not official download pages, but because of their professional look, one could be forgiven for being misled.

    Clicking on any part of either page causes a malicious file, detected as TSPY_FAREIT.VAOV, to be downloaded and run on the affected system. FAREIT malware is typically used to download other threats onto an affected system.

    So, how was this done? A little investigation found that the router’s DNS settings had been modified so that DNS queries went to a malicious server, which answered queries for the facebook.com and youtube.com domains with the addresses of malicious sites:

    Figure 6. DNS replies and settings

    The IP address of the malicious DNS server is known to be involved in distributing fake Adobe Flash updates. The IP addresses involved in this attack are hosted across multiple ISPs located in France, Canada, and the United States.

    The network’s router was a TP-Link TD-W8951ND, an all-in-one device that combines a DSL modem and a wireless router. This router contains a fairly serious vulnerability: an external, unauthenticated user can reach the page from which the router’s firmware is upgraded and backed up, and download the backup file it offers. That file is easily decoded, and the very first line of the decoded file contains the router’s root password. With that password, an attacker can log in to the router and change its DNS settings.

    This particular vulnerability has not received much media attention, although it is very similar to “The Moon” attack that hit Linksys routers earlier this year. It appears to have been disclosed publicly at least twice: once in January and a second time several days later. Attacks that rewrite a router’s DNS settings (often loosely called DNS poisoning, although no cache is poisoned; the resolver itself is replaced) are not new. In fact, they have been around for many years.

    I was able to verify that the settings of the device had been modified by the attackers. Google’s free DNS server at 8.8.8.8 had also been set as the secondary address, which explains why requests for non-targeted websites still worked.

    Figure 7. Router DNS settings

    The list of targeted sites was fairly extensive: more than 600 domains. Besides Facebook and Yahoo, the targets included Ask, Bing, Google, LinkedIn, Pinterest, and SlideShare, all under the .com top-level domain. There were also entries aimed at users visiting local sites under country-specific TLDs, such as:

    Poland:

    • allegro.pl
    • gazeta.pl
    • interia.pl
    • otomoto.pl
    • tablica.pl
    • wp.pl

    Italy:

    • google.it
    • libero.it
    • repubblica.it
    • virgilio.it

    Turkey:

    • google.com.tr
    • hurriyet.com.tr
    • milliyet.com.tr
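    A practical way to check for this kind of hijack is to ask the resolver the router hands out and a resolver you trust the same questions and compare the answers. The script below is an added example, not code from the original post or from Trend Micro: it builds and parses minimal DNS A queries with the standard library only, then looks for two signals, domains whose two answers share no IP address, and the stronger sinkhole pattern in which many unrelated domains all resolve to the same address from the suspect resolver (the attack above pointed 600+ domains at a handful of IPs). The `WATCHED` list, the TEST-NET addresses and the `SAMPLE_RESPONSE` bytes are constructed for illustration; `resolve_a` sends real UDP queries when `main` is run from the command line.

```python
# Added example (not from the original post): compare a suspect resolver's
# answers with a trusted resolver's and flag the "many domains -> one IP"
# pattern produced by a hijacking resolver. Standard library only.
import socket
import struct
import sys
from collections import defaultdict

# Domains named in the post; any list of high-value sites works here (assumption).
WATCHED = ["facebook.com", "youtube.com", "google.com",
           "allegro.pl", "google.it", "hurriyet.com.tr"]


def build_query(name, txid=0x1234):
    """Minimal DNS A query: header (RD set, one question) + QNAME + QTYPE/QCLASS."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)


def _skip_name(msg, off):
    """Advance past a (possibly compressed) domain name that starts at msg[off]."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def parse_a_records(msg):
    """Return the IPv4 addresses found in the answer section of a DNS response."""
    _txid, _flags, qdcount, ancount, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4          # skip QTYPE + QCLASS
    ips = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:           # A record
            ips.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return ips


def resolve_a(name, server, timeout=2.0):
    """Send one UDP query to `server` (port 53) and return the A records it answers with."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        data, _ = sock.recvfrom(512)
    if data[:2] != query[:2]:
        raise ValueError("DNS transaction id mismatch")
    return set(parse_a_records(data))


def find_hijacked(suspect, trusted):
    """suspect/trusted: dict domain -> set of IPs.
    Returns (domains whose two answers share no IP, {ip: [domains]} for IPs that
    absorb two or more mismatched domains, i.e. likely attacker sinkholes)."""
    mismatched = sorted(d for d in suspect
                        if d in trusted and not (suspect[d] & trusted[d]))
    by_ip = defaultdict(set)
    for d in mismatched:
        for ip in suspect[d]:
            by_ip[ip].add(d)
    sinkholes = {ip: sorted(ds) for ip, ds in by_ip.items() if len(ds) >= 2}
    return mismatched, sinkholes


# Constructed sample response (not a real capture): facebook.com -> 192.0.2.10,
# so the parser can be exercised offline.
SAMPLE_RESPONSE = (
    struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    + b"\x08facebook\x03com\x00" + struct.pack(">HH", 1, 1)
    + b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 60, 4) + socket.inet_aton("192.0.2.10")
)


def main(argv):
    """Usage: python dnscheck.py <suspect-resolver-ip> [trusted-resolver-ip]"""
    if len(argv) < 2:
        print(main.__doc__)
        return 2
    suspect_ip = argv[1]
    trusted_ip = argv[2] if len(argv) > 2 else "8.8.8.8"
    suspect = {d: resolve_a(d, suspect_ip) for d in WATCHED}
    trusted = {d: resolve_a(d, trusted_ip) for d in WATCHED}
    mismatched, sinkholes = find_hijacked(suspect, trusted)
    for d in mismatched:
        print(f"MISMATCH {d}: suspect={sorted(suspect[d])} trusted={sorted(trusted[d])}")
    for ip, domains in sinkholes.items():
        print(f"SINKHOLE {ip} answers for {len(domains)} watched domains: {domains}")
    return 1 if mismatched else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

    Run it with the DHCP-supplied resolver as the first argument (the address shown in the router’s DNS settings) and a trusted resolver as the second. A single mismatch is weak evidence on its own, since CDN-backed sites legitimately return different addresses from different vantage points; the sinkhole pattern, where search engines, social networks and local news sites all collapse onto one IP, is the signal worth acting on.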

    How do you avoid becoming a victim of this attack? One suggestion is to explicitly configure public DNS servers, such as Google’s (8.8.8.8 and 8.8.4.4), in the operating system’s network settings rather than accepting the resolver the router hands out via DHCP; this applies to both mobile and non-mobile systems. Note that this only defeats a changed resolver setting on the router; an attacker who controls the router can still intercept port 53 traffic, so it reduces the risk rather than removing it. One can also consider the advice we gave earlier about using open Wi-Fi networks, which includes the use of VPNs.

    What about the likely targets of attacks like these? The most likely targets are homeowners and small businesses that use consumer-grade routers. We highly recommend that such users keep the firmware of their devices up to date. (For this particular router, updated firmware is available for some hardware versions.)

    Two router settings can also help reduce the risk from these attacks: first, port 80 on the WAN side should be forwarded to a non-existent internal IP address, so that the router’s own web interface no longer answers requests arriving from the Internet. In addition, the web management interface of the router should not be accessible from the WAN side of the network at all.

    Update as of May 26, 2014, 02:25 A.M. PDT

    Based on further analysis, we found that TSPY_FAREIT.VAOV downloads BKDR_NECURS.BGSJ, which in turn drops RTKT_NECURS.B. NECURS is known for disabling security features on affected systems: in this case, BKDR_NECURS.BGSJ disables the Windows firewall, and RTKT_NECURS.B disables other security-related services.

    In addition, since the start of 2014 we have seen NECURS malware associated with banking trojans such as ZBOT.

    We detect the malicious files that are part of this attack.

     
    Posted in Hacked Sites, Malware, Vulnerabilities


     

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice