Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Mobile Vulnerabilities

  • Zero-Day Alerts

  • Recent Posts

  • Calendar

    September 2015
    S M T W T F S
    « Aug    
  • Email Subscription

  • About Us

    Author Archive - Adrian Labiano (Anti-spam Research Engineer)

    After a blackhat SEO attack, cybercriminals are again using the terrifying catastrophe of Air France Flight 447 or about China-made C919 Jumbo Jets competing with Airbus and Boeing for malicious intent. This time, spam messages are sent with an attached PowerPoint presentation, which is specially crafted to exploit a vulnerability in Microsoft Powerpoint.

    The spammed emails suggest that there are images in the attached PowerPoint presentation related to both the China-made jumbo jets and the Air France Flight 447, in order to lure the user into opening the specially crafted file.

    Click for larger view Click for larger view

    The reported circulation of photographs showing the cabin of the Air France Flight 447 has been confirmed as being a hoax, while the China-made C919 Jumbo Jets haven’t been completed yet, announced rolling off the production lines in eight years.

    The specially crafted .PPT file is detected by Trend Micro as TROJ_APPTOM.C. It exploits a vulnerability in Microsoft PowerPoint that allows remote code execution. Upon successful exploitation, it drops TROJ_INJECT.AIO which in turn opens a hidden Internet Explorer window and connects to a certain URL, to download additional malicious files.

    Users are strongly advised to apply the patch provided by Microsoft to avoid being victimized by this threat. The Smart Protection Network provides protection from this threat by blocking the spam messages and detecting malicious files.


    After the World Health Organization raised its global alert level on the spreading swine flu virus, Spammers quickly used this event for their spam campaigns. Early this morning, we have seen spam samples using Swine flu worldwide! or Swine flu outbreak! as their email subject. Spammers are using this social engineering technique because having the latest news as the mail’s subject greatly increases the chance that the recipient will open their spammed messages.

    Click for larger view Click for larger view

    The spammed messages content is not about the swine flu virus but a short message that is related to meds spam with a link that directs you to an online store which sells penis enlargement pills.

    Click for larger view

    The messages are already blocked by the Smart Protection Network. Users are advised to ignore simiar messages that may arrive in their inbox and opt to choose more reliable sources about swine flu. The pandemic has reportedly claimed 149 lives in Mexico, which is the epicenter of the outbreak, while more and more cases are being reported from other parts of the globe.

    Posted in Spam | TrackBacks (13) »

    Spammers are really quick on the draw in terms of their schemes. They have already come up with a scam related to the South Africa FIFA World Cup which will be held a year and a half from now.

    The spammed messages arrives as a notification to the recipients, telling them that they won an online sweepstakes program related to the FIFA World Cup. An explanation is also provided as to how they won the contest, which is likely done to build up credibility.

    Figure 1. The spam email is peppered with information that may overwhelm the user and convince them that the message is indeed true

    Ironically, the scam message even tells the recipient that they must keep the given “winning information” confidential until they have received their prize as a precautionary measure to avoid double claiming and unwarranted abuse. This is an obvious example of social engineering method applied by the criminals.

    Figure 2. More misleading information used to buy credibility

    The recipients are told that they won a large amount of money and must contact their “claim agent” to claim their prize. The recipient is then required to present the “claim agent” with personal information such as age, gender, nationality, and their contact details.

    Figure 3. Certain variants of this scam even attempt to namedrop, but somehow also fails to do so, spelling Bill Gates name as “Bill Gate”

    Of course, if users fall for this scam, they will receive no certain amount of cash–but actually be stolen from.

    Such scam email messages are blocked by the Trend Micro Smart Protection Network. Other users are advised to ignore these scam messages.

    Posted in Spam | TrackBacks (2) »

    A new fake PayPal email message is being spammed — this time, it is not the typical PayPal phishing email that everyone is accustomed to. Instead of including links asking for the recipient’s personal information, this spammed message asks users to open a .ZIP attachment.

    The spam reads like so:

    Dear member,
    As part of our security measures, we regularly screen activity in the PayPal system.

    We have reason to believe that you account was accessed by a third party. Because protecting the security of your account is our primary concern, we have limited access to sensitive PayPal account features. We understand that this may be an inconvenience but please understand that this termporary limitation is for your protection. Please review the report that we have attached to this email to see who accessed your account and contact us promptly if anything is unusual.

    Cas ID Number: {case ID number}

    Thank you for your patience as we work together to protect your account.

    PayPal Account Review Department
    PayPal Email ID PP2310

    It informs recipients that their PayPal accounts were hacked, and that some fraudulent activity may have occurred. As part of security measures, “PayPal” is asking users to review the “report” in the .ZIP file and then contact the company if anything unusual is discovered.

    The attachment that arrives with this spam, however, does not contain a report or any similar information.

    Inside the .ZIP archive is a worm that infects the recipient’s computer upon execution.

    Figure 2. Users expecting a document may be surprised to see that file contains an executable.

    Detected by Trend Micro as WORM_POISON.LA, this malicious executable has routines that are related to the (now infamous) peer-to-peer file-sharing application Kazaa.

    Other PayPal-related spam runs include the following:

    The Trend Micro Smart Protection Network already blocks the spammed PayPal message, keeping users’ PCs away from its malicious attachment. It also detects WORM_POISON.LA and provides solutions for its cleanup and removal. Users are strongly advised to refrain from downloading and executing files found in unsolicited email messages.


    In this new tactic, spammers are setting up bogus Live Spaces (also known as MSN Spaces to older members) accounts then hosting an image in the blog section of the page. This new form of spam is being used to promote online casinos and credit cards.

    Below are screenshots of the spammed email:

    Figure 1. Sample spam containing link to bogus Live Spaces account

    Figure 2. Another sample spam containing link to bogus Live Spaces account

    When the user clicks the link inside the mail, it will redirect to the bogus Live Spaces Blog Account where the image endorsing online casinos and credit cards is placed:

    Figure 3. Bogus Live Spaces account linked to in the spam in Figure 1.

    Figure 4. Bogus Live Spaces account linked to in the spam in Figure 2.

    Furthermore, when the image in Figure 4 is clicked it connects the user to the endorsed site (as of this writing the account in Figure 3 leads to a URL that is already down):

    Figure 5. Online gaming spam site

    The usage of Live Spaces accounts in spam runs is yet another tactic employed by spammers to evade spam filters. This improper use of legitimate services has been used in past spam runs, some of which are reported below:

    These spam however, will have no chance of ever getting to users’ inboxes as the Trend Micro Smart Protection Network already blocks this. Other users are advised to delete similar messages that do get to their inboxes. Windows Live Spaces users should be aware of these and similar schemes.

    Posted in Spam | Comments Off on Bogus Windows Live Spaces Accounts Feature Spam


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice