    Author Archive - Abigail Villarin (Fraud Analyst)

    From a security perspective, phishing attempts are pretty much old hat. In most cases, phishing attempts or attacks focus on getting one particular credential, such as those for credit cards or user accounts. We are now seeing cybercriminals attempt to get more credentials by using phishing pages that allow for multiple email logins.

    Multiple Logins Allowed

    We came across some shortened URLs that lead users to phishing pages that mimic popular sites, including Facebook, Google Docs (now known as Google Drive), OneDrive, and several property websites. In order to proceed, users must log in using their email address.

    Figure 1. Log in page featuring different email providers

    The unique feature about these phishing pages is that they include options for several email providers. Users can log in using any of their accounts in Yahoo, Gmail, AOL, and Windows Live. There is even an “other emails” option, in case the user’s preferred email provider is not given. It’s interesting to note that the pages accept any words or even gibberish typed in—a sure sign that the pages are more concerned with collecting data.

    Figure 2. “Other emails” gives users more options to supposedly log in

    After signing in, users may encounter a “loading” or “server error” notification before they are led to the actual site. For example, users who visit the “Google Docs” site are led to a shared document about intentions for prayers.

    Figure 3. Document hosted in Google Docs

    Phishing Steps Up

    This particular phishing scheme shows that cybercriminals are still refining their techniques. In this case, the cybercriminals took the extra steps to make sure the scheme appears as legitimate as possible (e.g., the redirection to legitimate sites, the use of an actual document for Google Docs).

    Users should be wary of clicking shortened URLs, especially if they come from unverified sources. It’s recommended that they simply use bookmarks or type in the site’s URL directly into the address bar to avoid phishing pages. They should also double-check a site’s URL before they give out any user information; it has become all too easy for bad guys to create login pages that are near-identical to legitimate ones.

    Trend Micro blocks all threats related to this incident.

    Posted in Bad Sites: Phishers Cast Wider Net, Now Asking for Multiple Emails

    TrendLabsSM recently spotted a phishing site that specifically targets Public Bank of Malaysia’s clients. Public Bank is one of Malaysia’s leading financial institutions and operates in other parts of Asia as well, including Hong Kong, China, and Cambodia.

    The phishing page mimics Public Bank’s official login page to make users believe that it is the legitimate site.


    Accessing the fake URL leads users to the phishing page, where they are asked to enter their user names and passwords. Upon entering these, they are redirected to another page where they are asked to enter their PACs—unique system-generated six-digit authentication codes. After entering their PACs, the phishing site notifies users that they can now access their accounts. However, these tactics are all just a ruse so that the cybercriminals behind this phishing attack can steal the customers’ online banking credentials.

    In an effort to warn the bank’s clients, TrendLabs’ regional partners in Asia/Pacific have informed the organization’s administrators.

    Trend Micro™ Smart Protection Network™ already protects product users from this particular threat by preventing access to the phishing site via the Web reputation service.

    Posted in Mobile

    TrendLabs recently spotted a new phishing site spoofing CenturyLink’s secure login page from one of its anti-phishing resources.


    CenturyLink, created by the merger of CenturyTel and Embarq on July 1, 2009, is a leading provider of high-quality voice, broadband, and video services through its advanced communication networks to consumers and businesses in 33 states in the United States. It is currently the fourth largest local exchange telephone company in the United States in terms of access lines. It has more than 7 million access lines in service and more than 2 million high-speed Internet connections, as well as its own 100 percent digital network, Centrex, ISDN, and advanced intelligent network.

    Even though CenturyLink’s real secure login page looks very similar to the spoofed one, there are still at least three major differences. First, the URL of the real login page begins with one of the first marks of a secure login page (https), followed by the company name, unlike the spoofed one, http://www.{BLOCKED}, which begins with http, followed by a suspicious-looking domain name before the company’s own name.

    Next, a secure login page always has a padlock icon on the lower-right portion of the page while the fake page only has an exclamation point, indicating that something is wrong.

    Finally, look at the lower-left portion of the spoofed page: though it is marked as “Done,” it clearly contains errors, as evidenced again by the exclamation point.

    Users who unknowingly end up in the malicious site and enter their credentials are at risk of losing critical personal credentials or maybe even their identities, as clicking the Log In button sends the user data to the cybercriminals behind this attack. As of this writing, however, the phishing page is no longer active.

    There are several ways by which you can tell if you are being phished; the three techniques mentioned above are just some of the more noticeable ones, particularly in this attack. There are also several ways by which users can protect themselves from being phished. Awareness, in this regard, is clearly key.

    Trend Micro™ Smart Protection Network™ protects users from this kind of attack by blocking user access to malicious sites and domains.


    Trend Micro threat analysts recently discovered a phishing attack targeting the website of the Capita Group. The said site is dedicated to the use of the company’s shareholders. It aims to reduce the need for paperwork and provides 24-hour access for greater convenience.

    The fake Web portal asks users to enter their surname, shareholder reference number, postal code, telephone number, date of birth, and employer. After entering the said information, the page will redirect them to another login page that requires them to enter their account information—first name, middle name, last name, address, city, country, mother’s maiden name, and email address. Only after filling in the information will the users be redirected to a legitimate page of the Capita website.

    Phishers will indeed do whatever it takes just to prey on unwitting victims. For this reason alone, users must be careful in giving out their credentials online. The phishing website used in this attack is already being blocked by the Trend Micro Smart Protection Network™.


    We have encountered a new phishing scam that targets ClickandBuy. The London-based competitor to eBay offers both billing and payment solutions, so it’s no surprise cybercriminals would be interested in stealing the login information of ClickandBuy users.

    Phishers have created a duplicate of a legitimate German-language ClickandBuy login page on at least one malicious website. The fake site can be seen below:

    Figure 1. Phishing website

    After entering their credentials, users would be redirected to the legitimate ClickandBuy site. Users would then think everything was normal, when nothing could be further from the truth. The phishing website is a very close match to the legitimate site, which is shown below for comparison:

    Figure 2. Legitimate website

    Users are advised to be very careful about where they enter their login credentials to guard against attacks like this. For example, the user’s connection to the phishing site was not encrypted, whereas the connection to the legitimate website was encrypted. (All browsers show this in their user interface, usually using a padlock.)

    The phishing URL in this attack is already blocked by the Trend Micro Smart Protection Network.
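    The URL-level tells described in the CenturyLink post (http instead of https, and the company name appearing only after a suspicious-looking domain) and in the ClickandBuy post (an unencrypted connection to the login page) can be turned into a mechanical check that a mail gateway or browser extension could run before a user reaches a login form. The script below is an added example for this archive and is not code from Trend Micro or from the TrendLabs blog; the brand name and every domain in it are constructed placeholders under the reserved .test top-level domain. It treats https as necessary but not sufficient: a matching, encrypted site passes the check, while any other combination is reported with the specific reason.

```python
from urllib.parse import urlsplit

def check_login_url(url: str, brand: str, legitimate_domain: str) -> list[str]:
    """Return a list of findings for a login URL; an empty list means it passed.

    brand             - the company name users expect to see (constructed here)
    legitimate_domain - the registrable domain the real login page lives on
    """
    findings = []
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    brand = brand.lower()
    legitimate_domain = legitimate_domain.lower()

    # First tell from the post: the real page is served over https.
    if scheme != "https":
        findings.append(f"connection is not encrypted (scheme is {scheme!r}, expected https)")

    # Second tell: the company name must be the registrable domain itself,
    # not something tucked behind an unrelated domain.
    host_is_legitimate = host == legitimate_domain or host.endswith("." + legitimate_domain)
    if not host_is_legitimate:
        findings.append(f"host {host!r} is not {legitimate_domain} or a subdomain of it")
        if brand in parts.path.lower() or brand in parts.query.lower():
            findings.append(f"brand name {brand!r} appears in the path or query rather than the domain")
        elif brand in host:
            findings.append(f"brand name {brand!r} appears inside a host that is not the legitimate domain")

    # Embedded credentials (user@host) are a classic way to make the visible
    # part of a URL look like the real site while the browser connects elsewhere.
    if parts.username is not None:
        findings.append("URL carries embedded credentials (user@), which can disguise the real host")

    return findings

def is_suspicious(url: str, brand: str, legitimate_domain: str) -> bool:
    """Convenience wrapper: True when any finding is raised."""
    return bool(check_login_url(url, brand, legitimate_domain))

if __name__ == "__main__":
    # Constructed sample URLs; none of these domains exist.
    samples = [
        "https://secure.examplebank.test/login",                 # legitimate
        "http://www.not-the-bank.test/examplebank/login",        # CenturyLink-style tell
        "https://examplebank.test.lookalike-host.test/login",    # brand as a subdomain label
        "https://examplebank.test@lookalike-host.test/login",    # embedded credentials
    ]
    for sample in samples:
        result = check_login_url(sample, "examplebank", "examplebank.test")
        verdict = "SUSPICIOUS" if result else "ok"
        print(f"{verdict:11} {sample}")
        for finding in result:
            print(f"             - {finding}")
```

    The check deliberately stops at the URL: it does not follow shortened links, so a user who receives a shortened URL (the first post's scenario) still has to expand it before this heuristic can say anything about the destination.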



    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice