Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Mobile Vulnerabilities

  • Zero-Day Alerts

  • Recent Posts

  • Calendar

    September 2015
    S M T W T F S
    « Aug    
  • Email Subscription

  • About Us

    Author Archive - Aljerro Gabon (Anti-spam Research Engineer)

    The misuse of legitimate services continue as after recent reports of cybercriminals exploitng the redirecting service TinyURL to slip past spam filters, legitimate e-card services are now being used.

    We have received email samples that arrive as ecards with the subject header “Regards From Secret Admirer”. The greeting cards were from, the web’s largest collection of free greeting cards. The email claims to be sent by a user under the alias, “Secret Admirer” as read in the email.

    Figure 1. Legitimate email messages from

    The email is indeed a legitimate greeting card. When the user clicks on the link provided in the email, they will be redirected to a legitimate site. However, it is on this website that the spammer puts his message.

    Figure 2. Spam cloaked in an e-card’s clothing

    This seemingly innocent secret admirer turns out to be an advertiser for an adult dating site, which is also legitimate. This said adult website has already addressed the problem by informing redirected users that it has removed from their systems the affiliate responsible for the spamming.

    This threat may not be a massive spamming operation. allows the sending of cards to multiple recipients, but that could only produce extremely limited spammed messages compared to the volume of mails from automated spamming tools. Still, what’s notable here is that spammers were able to mask their operation using legitimate websites, a model that could be used in the future for more damaging cybercriminal threats.

    The spammed messages are already blocked by the Trend Micro Smart Protection Network.

    Posted in Spam | 1 TrackBack »

    This “new” threat could be an extension of the spamming and malware operation we also blogged about last December — the same social engineering technique and fake websites that look similar, and the same uniform payloads.

    New Years-themed e-cards are the bait — the following spammed messages inform recipients that someone has sent them a card which could be viewed using a given URL:

    Figure 1. Sample New Year spam messages
    Clicking on the link would redirect victims to the following page [pictured below], and a malware infection soon follows if you agree to download and execute the file card.exe (not a card, of course, but a malware Trojan):

    Figure 2. The link opens to a somewhat genuine-looking e-card site.

    Figure 3. Clicking on the links prompts the user to download a file.
    The file is malicious and is detected by Trend Micro as TROJ_WALEDAC.AC.

    Various new WADELAC worm variants have also been seen in the wild by Trend Micro researchers, also distributed through the same methods.

    WADELAC variants, interestingly, are being associated with previous Storm activities by security researchers due to some observed similarities between the two. Shadowserver listed several similarities, such as the constant generation of new domains and change in IP addresses. Another is the use of the Storm-classic technique — spamming through email and using timely themes such as the holidays, as well as the file names of the downloaded malware itself (ecard.exe and postcard.exe).

    The Trend Micro Smart Protection Network already blocks the spammed message and detects the malicious files.


    At least that’s what a new spam run tells you.

    Email messages claiming to be from Esmas, the largest television network in Mexico and also the world’s largest producer of Spanish language media, inform users that Joaquín López-Dóriga has died in an automobile accident. López-Dóriga is one of the more popular news anchors in Mexico. Here’s a screenshot of a spammed message:

    Figure 1. Sample email message.

    This same message also informs users that they can download a news video regarding the accident by clicking on the link provided in the message. By clicking on the link, however, users are unknowingly downloading a malicious executable named videoDoriga.exe instead of an actual video:

    Figure 2. Users download an .EXE file instead of a video footage.

    Trend Micro detects the file as TROJ_CHOST.E. Deaths of prominent personalities are a common technique used by spammers to lure users into clicking links in email messages. Shocked perhaps at the unexpected news, users may want to find out more. Since the links promise more details, users are most often tricked into clicking them.

    Incidentally, another celebrity was reported dead by spammers last week, in what was a phishing operation. Other spamming operations related to famous individuals include:

    These spammed email messages are already blocked by the Trend Micro Smart Protection Network. The same technology also detects the Trojan on the desktop level, and provides solutions for its removal. Users are advised to refrain from clicking links in unsolicited messages. News websites remain the best avenues for checking facts.

    Posted in Malware, Spam | Comments Off on Popular Mexican News Anchor Died!

    Spammers are playing police and scaring people into opening malicious files once again.

    A new form of spam email containing a malicious file attachment have been spreading over the Internet with the subject Your internet access is going to get suspended. The spam email claims to come from ICS Monitoring Team telling recipients that they have to stop their illegal downloading of copyrighted material or else their Internet access will be suspended.

    Below is the spam mail’s screenshot:

    The spam email claims that a report of the recipient’s activities for the past six months is in the attached zipped file. Apparently, instead of the said report, the zipped file contains a malicious executable file named user-EA49943X-activities.exe. Below is a screenshot of the said malicious file:

    The malicious file user-EA49943X-activities.exe is currently detected as TROJ_MEREDROP.GJ. It drops two files, both GOLDUN variants. This Trojans are known information stealers that monitor the Internet browsing activities of affected users. In this particular case the cyber-criminals intend to steal credentials related to the online banking site

    This is not the first time malware authors have disguised themselves as the ‘Internet police’. Trend Micro researchers already found spam which also presented users with the same ISP Consorcium spill used in the spam reported here.

    Trend Micro customers are now protected from this attack through the Trend Micro Smart Protection Network. Other users are advised to disregard such email messages upon receiving them.

    Posted in Malware, Spam | Comments Off on Spam Threatens to Suspend Internet Access

    Here we go again — another invoice spam run!

    Apparently, invoice spam has recently gained popularity among spammers.

    We’ve seen invoice spam runs related to UPS, FedEx, and of course, German-language Rechnung spam receipts. Now, this new invoice spam claims to come from Western Union, informing recipients that their credit card-issuing bank has halted the transaction by the demand of the “Federal Criminal Investigation Service”.

    Below is a screenshot of the spam:

    Recipients are instructed to contact Western Union and bring their ID card, credit card and invoice file. The sender (whose name is also bogus) then instructs the recipient that the invoice file is in the attached compressed file, and should be printed out.

    Unfortunately, the compressed attachment does not contain an invoice, but rather a malicious executable file named MTCN08662112.EXE.

    MTCN08662112.exe is detected by Trend Micro as TSPY_ZBOT.WC.

    Spam emails related to this attack are now blocked by the Smart Protection Network.



    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice