Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Recent Posts

  • Calendar

    April 2014
    S M T W T F S
    « Mar    
     12345
    6789101112
    13141516171819
    20212223242526
    27282930  
  • About Us
    TrendLabs Security Intelligence Blog(breadcrumbs are unavailable)

    Author Archive - Aivee Cortez (Fraud Analyst)




    Treasury Optimizer is an online banking tool offered by Capital One Bank which aims to provide secure access to business accounts on the Web, 24/7. Posed to replace electronic money or more popularly known as eCash, it offers to protect customers’ accounts through security features such as multifactor authentication.

    Unfortunately, their security offerings come short, as we receive bulks of phishing emails that “promote” the Treasury Optimizer. The phishing mail instructs the client to update their account due to a potential security risk that affects all of Capital One Bank products, including the Treasury Optimizer. Here is a screenshot of the said phishing email message:

    The conventional phishing attack aims to capture users’ credentials through fake login pages spammed through email. For this attack however, the phishing link given in the phishing email leads to a page that does not ask for credentials, but tells the user to download a file instead. When the user clicks the link contained in the phishing email, the following spoofed Treasury Optimizer Web page is displayed:

    The page explains that the bank had to fix vulnerability; and in order to fix it, the client MUST download the update. It even displays different download links for different operating systems. It will then download an .EXE file that poses as an installation setup:

    The downloaded file is detected by Trend Micro as TROJ_SMALL.MAT.

    This malware-enhanced phishing attack is neither the typical type of phishing attack, nor is it less dangerous. The scope of a phishing attack is usually limited; one account from a target organization compromised in every successful attack. But this phishing attack installs a malware on the affected user’s system instead, and then uses it to monitor users’ online activities, thus possibly disclosing more information.

    The phishing URLs related to this attack are now blocked by the Smart Protection Network.

     
    Posted in Malware, Mobile | Comments Off


    Aug17
    9:44 am (UTC-7)   |    by

    Oi Fotos, a photo storage Web site in Brazil, has been victimized recently by a phishing-spyware combo.


    Figure 1: Screenshot of the legitimate Oi Fotos Web site

    The bad guys have taken advantage of the mobile service of Oi Fotos. The phishing email contains a notification that the recipient has received photos from a cellular account and offers them an opportunity to view them — and of course, they need to click on the image.

    A rough translation of the displayed text is as follows:

    "You received a Oi Photos from cellular (0xx) **** - 2981. To see the photos, just click on the image below."


    Figure 2: Sample screenshot of the phishing email

    Upon clicking as directed, the recipient is directed to a malicious phishing site, which eventually attempts to install a piece of spyware, a program that monitors and gathers user information (e.g. online banking login credentials) from the victim’s machine.


    Figure 3: Sample screenshot of the pop-up window that prompts users to download a spyware file on their systems

    Trend Micro already detects the file as MAL_BANKER, a heuristics detection name for files that manifest characteristics similar to those of the TSPY_BANCOS and TSPY_BANKER spyware families. These families can steal online banking information.

    The URLS are now blocked by the Trend Micro Smart Protection Network.

     



    These days, it seems that it can happen to almost anyone — Web site compromises are really, really out of control, and virtually anyone can be victimized when proper security measures are not taken.

    Very recently, another government site became a victim of an SQL injection or XSS attack (possibly enabled by the site’s use of an older Web server application version) — the Web site of the Supreme Court of Nepal.

    The
    Figure 1. Screenshot of the legitimate Supreme Court of Nepal Web site, www.supremecourt.gov.np

    After being hacked, this Web site was turned into a host for pornographic video (particularly named porno tv).

    Unfortunately, this site also included (before being cleaned up) 157 other adult links.

    Other than links, the hacked site also displayed a login page that can be used to gather email addresses for possible spam distribution.

    Screenshot
    Figure 2. Screenshot of the Supreme Court of Nepal after being compromised by hackers

    We also observed the injected folder with adult HTML files, as shown below:

    Screenshot
    Figure 3. Screenshot of indexed folders pertaining to the site

    This folder contained the porn files, but did not contain any malware as when we discovered it (it has also been cleaned up now, but we’re keeping an eye on it).

    Trend Micro Smart Protection Network protect users from inappropriate content by classifying this site as Pornography, enabling users or administrators to block access to this category of sites.

    Note that we have already informed the owners of the said site of our findings and that the site, as of this writing, is already clean.

     
    Posted in Bad Sites | Comments Off


    Aug4
    3:59 am (UTC-7)   |    by

    Olympic tickets, anyone? They are available on the Internet of course, but users beware: the bad guys are still working hard to steal from online users as the 2008 Beijing Olympics approaches.

    Trend Micro Senior Advanced Threats Researcher Paul Ferguson discovered a fake Beijing Olympics Web site supposedly selling tickets. The Los Angeles Times reports that Olympics officials have already asked federal courts to shut down certain Web sites that pose as sellers of tickets but are actually stealing credit card numbers and other confidential information.


    Figure 1. Home page of Olympic ticket-selling phishing site

    The TrendLabs Content Security Team tried to verify the phishing site. The Web site hxxp://www.{BLOCKED}gticketing.com asks users to register before buying tickets.


    Figure 2. Users are asked to register for an account.

    Filling out the form is already questionable because some confidential information are required in the registration. We tried to enter bogus delivery address and phone numbers and the site accepted all the information, regardless of the validity of the information we entered. This shows that the supposed ticket sellers don’t intend to deliver the tickets after payment.

    After registering, the user now can sign in to buy tickets.


    Figure 3. Users are asked to sign in using the registered information.

    The site then asks for credit card numbers and CW2 numbers after a user has chosen which ticket to purchase.


    Figure 4. Users are then asked to choose which events to buy tickets to.


    Figure 5. Users are asked to provide payment information.

    There are already hundreds of victims who lost large amounts of money to this site, according to a report by the Los Angeles Times. The said Web site is already blocked by Trend Micro Smart Protection Network.

     
    Posted in Mobile | Comments Off



    Trend Micro senior developer TT Tsai discovered a sequel to the fake Trend Micro iClean tool. Our Web Threat Protection (WTP) add-on is being used as bait to download malware.

    An email message with content seemingly copy-pasted from the WTP page of the Trend Micro Taiwan site advertises a link (Figure 1) where a supposed free download of the WTP add-on is located.

    Note that the real WTP add-on is actually a trial version of Trend Micro’s Web Threat Protection technology so it can really be downloaded for free.

    Screenshot

    Figure 1. Screenshot of email message

    The link redirects to an uncanny imitation of our real WTP download page with the URL hxxp:// {BLOCKED}.update-windows-microsoft.com/products/enterprise/wtp2.htm. This attack takes advantage of a vulnerability in the ActiveX control for the Snapshot Viewer for Microsoft Access that allows remote code execution to download and execute a malicious file detected by Trend Micro as BKDR_AGENT.AVAJ.

    Screenshot

    Figure 2. Screenshot of the supposed download site

    Trend Micro is not the only victim of the domain hxxp:// {BLOCKED}.update-windows-microsoft.com/. Our initial investigation found spoofed login pages of Taiwan’s Yahoo! mail (Figure 3), Gmail (Figure 4), and Hotmail (Figure 5) hosted in the same domain.

    These pages may have been of the usual phishing scheme, crafted and deployed to gather email addresses for spam distribution and for stealing confidential information from the users’ mail accounts.

    Fake

    Figure 3. Fake Yahoo! email login page

    Fake

    Figure 4. Fake Gmail email login page

    Fake

    Figure 5. Fake Hotmail email login page

    The malicious site mentioned above is already blocked in the Trend Micro Smart Protection Network.

    We are still investigating the various malware samples we found stored in these URLs. Please stand by for updates.

    Note also that Trend Micro will NEVER send tools or applications through email.

    Trend Micro cautions users to never open or download attachments from people unknown to them, and to download tools or applications from trusted sites only.

    Update as of 30 July 2008

    Our researchers have found out that the spoofed login pages of Taiwan’s Yahoo! mail, Gmail, and Hotmail take advantage of a vulnerability in Microsoft Data Access (MDAC) function that allows remote code execution. This exploit is used to execute the routines of the spoofed login pages, which is to steal user information. More information on this vulnerability can be found here.

     
    Posted in Bad Sites, Mobile, Spam | Comments Off


     

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice