    TrendLabs Security Intelligence Blog

    Author Archive - Aivee Cortez (Fraud Analyst)



    Jul 21, 11:49 pm (UTC-7)

    Phishers are doing their homework. The conventional approach is to ask users to update their accounts by clicking a link: the phishing email displays a legitimate-looking URL or hyperlink, and clicking it redirects the user to the phishing Web site.

    But the new phishing samples we have discovered contain no URL at all. Instead, they display a legitimate email address and tell the user to reply with their user name and password. The displayed address is meant to convince the user that the recipient of their credentials is legitimate; the message source, however, shows that replies go to an individual mailbox, the phisher's, because the reply address set in the message headers differs from the address shown. Here are screenshots of the no-URL phishing messages:


    Figure 1. Spam sample scaring users into “upgrading” their Earthlink accounts in order to avoid closure.


    Figure 2. Source code of the same spam mail in Figure 1 shows that any reply is actually sent to the phisher's email address. The address in the source code is not the address displayed in the message.

    Another variant of no-URL phishing embeds the actual form to fill in directly in the email body, while hiding the recipient, that is, the phisher's email address, from the user. Here are two other sample messages:


    Figure 3. Spam sample asking the user to verify their email accounts immediately by providing certain required information.


    Figure 4. Source code of the same spam mail in Figure 3 shows that the submitted form data is actually sent to the phisher's email address.

    The phishers seem to have found a way to slip past typical URL scanning (there are no URLs to scan). Trend Micro users, however, are covered by the Smart Protection Network, which blocks messages like these by analyzing the body of the email. Furthermore, this type of phishing attack is already detected by our antispam patterns.
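As an added example (not part of the original post), here is a small Python check for the two variants described above. It parses a message with the standard library, compares the From domain with the reply address in the headers, looks for mailto: forms in HTML bodies that collect a password, and flags a message that asks for credentials but carries no URL for a link scanner to see. The sample messages and all addresses are constructed for the example; none of them are the original mails.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser

URL_RE = re.compile(r"https?://", re.IGNORECASE)
CRED_RE = re.compile(r"\b(password|passwd|user ?name|login)\b", re.IGNORECASE)


def _domain(header_value):
    """Lower-cased domain of an address header ('' when the header is absent)."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()


class _MailtoFormParser(HTMLParser):
    """Collect <form action="mailto:..."> recipients and whether the form has a password field."""

    def __init__(self):
        super().__init__()
        self.forms, self._current = [], None   # forms: list of (recipient, has_password)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and (a.get("action") or "").lower().startswith("mailto:"):
            self._current = [a["action"][7:].split("?")[0].lower(), False]
        elif tag == "input" and self._current and (a.get("type") or "").lower() == "password":
            self._current[1] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current:
            self.forms.append(tuple(self._current))
            self._current = None


def analyze_message(raw):
    """Indicators a filter for URL-free phishing would look at, as a dict."""
    msg = message_from_string(raw, policy=policy.default)
    from_domain, reply_domain = _domain(msg["From"]), _domain(msg["Reply-To"])
    text, forms = "", []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype in ("text/plain", "text/html"):
            body = part.get_content()
            text += body
            if ctype == "text/html":
                parser = _MailtoFormParser()
                parser.feed(body)
                forms.extend(parser.forms)
    return {
        "from_domain": from_domain,
        "reply_to_mismatch": bool(reply_domain) and reply_domain != from_domain,
        "contains_url": bool(URL_RE.search(text)),
        "asks_for_credentials": bool(CRED_RE.search(text)) or any(pw for _, pw in forms),
        "mailto_form_targets": [t for t, _ in forms],
        "mailto_form_mismatch": [t for t, _ in forms if t.rpartition("@")[2] != from_domain],
    }


def is_no_url_phish(report):
    """Credentials requested, no link for a URL scanner to see, and the reply path leaves the sender's domain."""
    return (report["asks_for_credentials"] and not report["contains_url"]
            and (report["reply_to_mismatch"] or bool(report["mailto_form_mismatch"])))


# Constructed samples modelled on the two variants above (fictitious addresses, not the original mails).
SAMPLE_REPLY_TO = """\
From: "Support Desk" <support@example-isp.net>
Reply-To: account.upgrade@example-freemail.invalid
To: victim@example.com
Subject: Upgrade your account to avoid closure
Content-Type: text/plain; charset=us-ascii

Your account will be closed unless you upgrade within 48 hours.
Reply to this message with your user name and password.
"""

SAMPLE_FORM = """\
From: "Mail Administrator" <admin@example-isp.net>
To: victim@example.com
Subject: Verify your email account immediately
Content-Type: text/html; charset=us-ascii

<html><body><p>Verify your account within 24 hours or it will be suspended.</p>
<form action="mailto:verify.desk@example-freemail.invalid?subject=verify" method="post">
Email: <input name="email"> Password: <input type="password" name="pass">
<input type="submit" value="Verify"></form></body></html>
"""

SAMPLE_LEGIT = """\
From: "Newsletter" <news@example-isp.net>
Reply-To: news@example-isp.net
To: victim@example.com
Subject: This month's issue
Content-Type: text/plain; charset=us-ascii

Read this month's issue at https://www.example-isp.net/news/latest
"""
```

The verdict deliberately combines three signals; a Reply-To that differs from From is common in legitimate mail (mailing lists, ticketing systems), so on its own it is a weak indicator, but together with a credential request and the absence of any link it matches exactly the samples shown above.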

     


    Jun 16, 8:53 am (UTC-7)

    From Web sites related to online banking, credit unions, financial departments, and social networking sites, phishers are chucking their rods into relatively new territory: video streaming sites.

    The Trend Micro Content Security team learned about this latest (and very interesting) phishing technique a few days ago. Several phishing domains (see Figure 1) carry scripts that pull in legitimate YouTube video links, so the pages look and behave like the real site.


    Figure 1: Screenshot of a Fake YouTube Video Page

    This nifty social engineering technique means that the user can actually search for and watch videos without realizing they are on a malicious domain. In fact, when the user finally logs in to "YouTube" (still on the malicious domain), the browser redirects to the real YouTube site, so the login appears to succeed. The key risk is that the fake login console resides on the malicious domains, so it is highly likely that whoever is behind these servers is after the users' login information.


    Figure 2: Screenshot of Fake YouTube Login Page

    The motives? To obtain the user names and passwords of YouTube users and use them to gain a high page ranking. While direct monetary gain seems unlikely, a slight stretch of creativity points to phishers selling this "service" to fly-by-night promoters and ad agents, or basically to anyone willing to buy stolen accounts to increase their hits.

    We are still closely inspecting how this technique works and are monitoring domains that use similar techniques. We believe these sites may have been set up in preparation for a spam run containing links that point to them. But we are not waiting for that spam run to show up in our honeypots. The two malicious domains are already blocked by Trend Micro Web Threat Protection technology. As usual, users are advised to visit their regular online haunts through their own clean bookmarks and to refrain from clicking on links in unsolicited email.
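Added example, not code from the original post: a Python check of the property that matters here, whether a page that embeds YouTube content and shows a login form actually sends the password to YouTube's own site. It collects every form with a password field and every script, iframe or embed source, resolves them against the page URL and compares domains. The brand domain list, the .invalid hostname and the page markup are assumptions made for the example, and the domain comparison uses the last two host labels rather than a public suffix list.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


def _site(url):
    """Crude registrable-domain approximation: the last two host labels (no public-suffix list)."""
    host = (urlsplit(url).hostname or "").lower()
    return ".".join(host.split(".")[-2:]) if host else ""


class _PageScan(HTMLParser):
    """Record every form as (action, has_password_field) and every script/iframe/embed src."""

    def __init__(self):
        super().__init__()
        self.forms, self.embeds, self._form = [], [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form = [a.get("action") or "", False]
        elif tag == "input" and self._form and (a.get("type") or "").lower() == "password":
            self._form[1] = True
        elif tag in ("script", "iframe", "embed") and a.get("src"):
            self.embeds.append(a["src"])

    def handle_endtag(self, tag):
        if tag == "form" and self._form:
            self.forms.append(tuple(self._form))
            self._form = None


def assess_login_page(page_url, html, brand_sites):
    """Does a page that shows <brand> content and a login form keep the password on <brand>'s own sites?"""
    scan = _PageScan()
    scan.feed(html)
    page_site = _site(page_url)
    on_brand = page_site in brand_sites
    brand_embeds = [src for src in scan.embeds if _site(urljoin(page_url, src)) in brand_sites]
    pw_targets = [urljoin(page_url, action) for action, has_pw in scan.forms if has_pw]
    leaks = [u for u in pw_targets if _site(u) not in brand_sites]
    return {
        "page_site": page_site,
        "page_on_brand_site": on_brand,
        "password_form_targets": pw_targets,
        "brand_content_embedded": brand_embeds,
        "credentials_leave_brand": bool(leaks),
        # off-brand page whose password form posts somewhere other than the brand: the fake login console
        "fake_login_front": (not on_brand) and bool(leaks),
        # off-brand page that pulls real brand content in: the "watch real videos on our domain" lure
        "proxied_brand_content": (not on_brand) and bool(brand_embeds),
    }


BRAND_SITES = {"youtube.com", "google.com"}   # assumption: the sites where the real login lives

# Constructed page modelled on the screenshots above (fictitious host, not the actual phishing pages).
FAKE_URL = "http://video-tube-login.invalid/watch?v=VIDEO_ID"
FAKE_HTML = """<html><body>
<script src="http://www.youtube.com/player.js"></script>
<embed src="http://www.youtube.com/v/VIDEO_ID">
<form action="/login.php" method="post">
<input name="username"> <input type="password" name="password"> <input type="submit">
</form></body></html>"""

# The same markup served from the real site posts the password to youtube.com itself.
REAL_URL = "https://www.youtube.com/login"
REAL_HTML = FAKE_HTML
```

The check is worth running from a crawler or a mail gateway's URL sandbox rather than in the browser: the whole point of the lure is that the page behaves normally until the password is submitted.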

    To create a bookmark in Internet Explorer on Windows, type the URL of the desired site in the browser's address bar and press Enter. Once the site loads, open the Favorites menu, click Add to Favorites, and press Enter to save the bookmark.

    Updates (as of June 20, 2007, 12:00pm PST)

     • The Content Security Team perceives the following as possible motives of the perpetrators of this attack:
         • The owners of the malicious domains may want to generate traffic to increase their page rank, then sell the domains at a later time
         • Since both domains contain a fake YouTube signup and login page, any entered information may be used for malware-related activities
         • Harvested email addresses may later be used for spam runs or other phishing attacks

     • Trend Micro is already in contact with Google, owner of YouTube, on the situation.

     



    A digital certificate is an electronic credential, roughly the online equivalent of an ID card, that binds a public key to an identity and establishes who you are when doing business or other transactions on the Web. Many banks issue client certificates of this kind for secure online banking.

    Unfortunately, hackers and phishers have easily adapted to this security measure: rather than defeat the certificate, they imitate the process of obtaining one.

    A recent phishing attack built around digital certificates targeted Bank of America. To access the Bank of America Direct login page, a client must have a valid digital certificate installed on their personal computer. The phishing URLs, in rock phish form (many disposable domains and hostnames fronting the same back-end kit), lead the user to a page asking them to create a certificate or to download the digital certificate. In Internet Explorer, the page asks the user to run a Microsoft ActiveX control called "Microsoft Certificate Enrollment Code."

    After running the add-on and filling in the required information, the user is asked to download an .EXE file, sophialite.exe, rather than any certificate.

    This is quite clever. Instead of explicitly displaying a login or confirmation page, which is easily recognized as phishing, they have moved to the creation of digital certificates, a ploy that can actually convince users to take the bait. Note also that these URLs are in rock phish form; as of now we have already seen 93 different domains using this technique. All are blocked by WCS (Trend Micro's Web Classification System for blocking malicious domains and URLs).
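Added example, not part of the original post: how an analyst can recognize the rock phish pattern from a URL feed. The script strips the per-mail tokens (hex blobs, numbers) from each path and counts how many unrelated domains serve the same kit path; one kit path served from many throwaway domains is the rock phish signature, and it is why blocking is done per domain list rather than per URL. The URLs below are constructed with fictitious .invalid hosts and are not the 93 domains mentioned in the post; the domain grouping uses the last two host labels rather than a public suffix list.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Hex blobs and numbers are the parts a kit varies per mail; collapse them so only the kit's path remains.
TOKEN_RE = re.compile(r"[0-9a-f]{6,}|\d+", re.IGNORECASE)


def _site(url):
    """Crude registrable-domain approximation: the last two host labels (no public-suffix list)."""
    host = (urlsplit(url).hostname or "").lower()
    return ".".join(host.split(".")[-2:]) if host else ""


def path_signature(url):
    """Kit signature: the URL path with per-victim tokens replaced by <id>, query string dropped."""
    return TOKEN_RE.sub("<id>", urlsplit(url).path) or "/"


def cluster_by_kit(urls):
    """Map each path signature to the registrable domains, full hosts and URLs that serve it."""
    clusters = defaultdict(lambda: {"domains": set(), "hosts": set(), "urls": []})
    for url in urls:
        c = clusters[path_signature(url)]
        c["domains"].add(_site(url))
        c["hosts"].add((urlsplit(url).hostname or "").lower())
        c["urls"].append(url)
    return dict(clusters)


def rockphish_campaigns(urls, min_domains=3):
    """Signatures served from at least min_domains unrelated domains: one back-end, many throwaway fronts."""
    return sorted(
        (sig, sorted(c["domains"])) for sig, c in cluster_by_kit(urls).items()
        if len(c["domains"]) >= min_domains
    )


# Constructed feed of observed URLs (fictitious .invalid hosts), not the domains from the post.
OBSERVED = [
    "http://1f3a9c.secure-cert-update.invalid/direct/cert/enroll.php?id=17",
    "http://b4e77d.secure-cert-update.invalid/direct/cert/enroll.php?id=94",
    "http://c9a0e1.account-cert-verify.invalid/direct/cert/enroll.php?id=302",
    "http://0d5e21.online-cert-center.invalid/direct/cert/enroll.php?id=8",
    "http://www.example-news.invalid/2008/03/story-12.html",
    "http://www.example-news.invalid/2008/04/story-99.html",
]
```

The news site in the feed shows why the signature must be per domain and not per host: the same path pattern appears twice, but from one domain, so it never reaches the campaign threshold, while the certificate lure appears on four random hostnames across three domains and does.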

     



    The Web site of the Ministry of Finance in Brazil, Ministério da Fazenda, has become the new target of the bad guys. The Trend Micro Content Security Team found a phishing email that purports to be a legitimate message from the ministry.

    It asks recipients to confirm an income tax return that supposedly has not been delivered. The "confirmation" is a hyperlink in the message, which leads to the URL hxxp://www.c3.hu/~vadkert//tagok/formulario.php. However, instead of displaying an ordinary phishing Web site, the link downloads a malicious executable file.

    The file is already detected by Trend Micro as POSSIBLE_BANLD-1, and the malicious URL has been added to the database and is blocked by WCS.
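Added example (not from the original post): a .php link that returns an executable is easy to catch by looking at the bytes rather than the URL. The Python below checks a downloaded body for the MZ stub and the PE signature it points to, and reports the mismatch with the URL extension or the declared Content-Type. The header bytes are a constructed minimal PE header, not a real program, and the hostname is fictitious; only the path shape mirrors the link reported above.

```python
import struct
from urllib.parse import urlsplit

PAGE_EXTENSIONS = {"", ".php", ".html", ".htm", ".asp", ".aspx", ".jsp", ".cgi"}
PAGE_TYPES = {"text/html", "text/plain"}


def looks_like_pe(data):
    """True if data starts with a DOS 'MZ' stub whose e_lfanew field points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def url_extension(url):
    """Extension of the last path segment, lower-cased ('' if none); the query string is ignored."""
    last = urlsplit(url).path.rsplit("/", 1)[-1]
    return "." + last.rsplit(".", 1)[1].lower() if "." in last else ""


def classify_download(url, content_type, data):
    """Flag a response whose bytes are a Windows executable although the URL or declared type says 'page'."""
    declared = (content_type or "").split(";")[0].strip().lower()
    ext, is_pe = url_extension(url), looks_like_pe(data)
    return {
        "url_extension": ext,
        "declared_type": declared,
        "is_pe": is_pe,
        "executable_from_page_url": is_pe and ext in PAGE_EXTENSIONS,
        "executable_declared_as_page": is_pe and declared in PAGE_TYPES,
    }


def _fake_pe():
    """Constructed minimal MZ/PE header (not a real program): e_lfanew at 0x3C points to 'PE\\0\\0' at 0x40."""
    buf = bytearray(0x48)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)
    buf[0x40:0x44] = b"PE\0\0"
    return bytes(buf)


FAKE_PE = _fake_pe()
FAKE_HTML = b"<html><body>Formulario</body></html>"
# Fictitious host; only the path shape follows the reported link.
LINK = "hxxp://www.example-host.invalid/~user/tagok/formulario.php"
```

Checking the PE signature and not just the two MZ bytes matters: plenty of non-executable files happen to start with "MZ", and a dropper that chains a second download (as the update below describes for this site) is caught the same way regardless of what the second URL is called.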

    - Update: March 27, 2008 -

    TrendLabs engineers further analyzed the malicious site and found several other malware files hosted on it, including the following:

    • w.exe – detected as TSPY_AGENT.ALKZ
      (Note: The original file downloaded from the link is already detected as PE_PARITE.A)
    • formulario.exe – detected as TROJ_BANLOAD.CRZ
    • onnas.exe – detected as TSPY_BANCOS.AUE

    The file usersonline.txt, on the other hand, is a non-malicious text file containing IP addresses and ports which, at the time of analysis, were not reachable. Jose Lopez Tello, Trend Micro Virus Coordinator in Latin America, notes that it is not certain whether the IP addresses in the file belong to online users or are just a fake list, but what is interesting is that all of them are located in Brazil.

     


     

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice