    TrendLabs Security Intelligence Blog

    Author Archive - Arman Capili (Technical Communications)




    It is that month of the year when flowers are in full bloom and people celebrate them in festive events. And it seems that same eventful—but darker—tone can be used to describe the month of May for the security industry. Trend Micro has so far documented several mass compromises of Web sites around the world for this month. Yes, you read it right—the world over.

    Here are the highlights of the notable Web site compromises we have seen in the past month:

    May 2 – One Year Later, Italian Job Still Working Overtime

    It’s been a year since the infamous Italian Job attack of 2007. And in an apparent observance of its anniversary, a similar attack was seen compromising about 90 varied Italian Web sites, all hosted in Italy by a single hosting provider—the same one that hosted the thousands in last year’s large-scale.

    TrendLabs discovered two forms of this compromise: one via an injected obfuscated script that redirects to a certain malicious URL, and the other via a readable iFrame and the same obfuscated script.

    May 7 – A Very Convoluted Chinese Gaming-Info-Stealing Campaign

    Web sites numbering approximately 9,000 were compromised via SQL injection with embedded malicious JavaScript redirecting users to two major malicious URLs. Among these Web sites were legitimate medical, educational, government, and entertainment sites from around the world.

    A survey of the site locations includes India, UK, Canada, France, and China. This observation suggests that the attack is the work of an automated Chinese hacktool programmed to search through Web sites for vulnerabilities, creating the same .HTML file that has been used to launch various exploits.

    May 10 – More of The Same: Another Half Million Web Sites Compromised

    Meanwhile, a malicious script was injected into half a million Web sites believed to be using either poorly implemented or older exploitable versions of phpBB. This event involved a ZLOB Trojan, among others, that changes an affected system’s local DNS and Internet browser settings.

    May 19 – Chinese Weekend Compromise

    Also on the same date, Chinese-language Web sites were targeted in an attack that was meant specifically against China, Taiwan, Singapore, and Hong Kong. Google search results at the time of the attack showed 327,000 pages containing the malicious script tag.

    May 19 – Yet More Weekend Compromises Reach Other Shores

    Another string of Web site compromises was discovered the following week, involving at least four (4) Web sites of various affiliations and different countries. These were injected with a malicious JavaScript that redirects to two sites. Both eventually lead to their own series of redirections, and finally the download and execution of malware: a backdoor and Trojan, respectively.

    May 21 – It’s Not Over: Asian Sites Injected with Nasty Code

    Two days later, hundreds of thousands of Web sites were again found compromised and inserted with malicious JavaScript code, some of which are sites from the APAC region. Hackers have apparently conducted another massive SQL injection attack. A Google search for the malicious URL turned up 197,000 results.

    May 22 – Malicious Domains Found in Compromised Japanese Sites

    The next day, several Web sites in Japan — including a popular music download site and a music company site — were found injected with malicious code.

    These are the hard facts, and these developments tell us that there could indeed be a trend: cyber criminals seem to favor this type of attack over other methods. For what it’s worth, our engineers also think that mass compromises are common (or at least not as uncommon as we think); it’s just that they are either found soon enough, or they remain unnoticed and consequently unreported.

    These documented compromises appear not to be distinct incidents unto themselves, but rather one big organized attack that just involved different domains. However, it is also very much possible that there are different groups using the same tool, or a big organized group outsourcing to small-time hackers. Until solid evidence is obtained, these scenarios remain speculation. We are keeping a close watch.

     
    Posted in Bad Sites | Comments Off



    With the Tibet issue still fresh, China is looking to become more and more controversial, this time in cybercrime as the database of a prominent British organization was hacked by Chinese spammers over the weekend, TheRegister reports.

    IT personnel at the Royal Institute of British Architects (RIBA) discovered that the hackers were able to place a Web address in the members’ database, prompting them to take down access to the said database for some time. Although RIBA assured its more than 40,000 members that no information has been stolen, they advised their members to remain cautious of online financial information that they may have used for transactions with RIBA.

    RIBA did not comment on the encryption and other security measures used by their database. The incident has since been reported to the local police although their involvement may not be helpful at all unless there’s a cybercrime division or a similar unit. Furthermore, since the database breach has already been reported, it remains unclear as to why RIBA refused to comment on their encryption measures. This action puts them in a bad light, raising serious questions on their system security.

    Around 1,200 similar organizations have also been targeted in the US and the UK. This figure shows that data breaches are critical issues that have to be dealt with as a matter of utmost priority. Companies cannot afford to be unconcerned about data security while at the same time declaring that nothing has been stolen. Such complacency may eventually prove to be their undoing.

     
    Posted in Bad Sites | Comments Off



    The popularity of online social networking sites has definitely caught the attention of phishers, who now treat them much as they have treated online banking sites: as very lucrative prospects for information theft. Just recently, PerfSpot.com was spoofed with the obvious intent to gather user information from unknowing users of this relatively new social networking site.

    In a recent development, the Trend Micro Content Security Team discovered a Web site with an apparent twist in its phishing technique. Below is a screenshot of the said phishing Web site:

    MSN Phishing site screenshot

    The phishing site does not mimic the legitimate login page of MSN and even explicitly displays the phishing URL as http://{BLOCKED}friender.info. Instead, it disguises itself as an MSN “social networking site,” tricking users into providing their MSN logon information such as email addresses and passwords.

    It should be noted that the official MSN social networking platform is MSN Spaces, which is now officially known as Windows Live Spaces. This phishing site, however, only uses the word MSN minus the logo and related branding material. Nevertheless, its phishing technique remains unique since it entices potential victims to sign up with their MSN accounts, purportedly to gain access to their friends’ photos.

    Social networking sites serve as effective bait for online phishers, considering the steady rise of new social networking users. It can be seen that tens of thousands of new users sign up by the hour, while new social networking sites emerge by the day (see TechCrunch for the latest ones). Developers do not seem to mind that the industry is already crowding up with these sites, with users maintaining multiple online profiles—providing online phishers more reason to set up bait.

     
    Posted in Bad Sites | Comments Off



    Apple Woes

    Apple’s outrageously trendy products and Mac users alike are riding on pretty rough seas of late. Just this Wednesday, April 3, Apple released its third update for the year that patches 11 confirmed vulnerabilities in its QuickTime software, on both Mac and Windows. Nine of these can be used to hijack an unknowing user’s machine through what Apple describes as arbitrary code execution.

    Already, Apple has moved to fix around five flaws in its QuickTime software since January. Counting last Wednesday’s update puts Apple on an annual pace of fixing 40 vulnerabilities in QuickTime, compared to just 34 holes plugged in 2007.

    Mac users are more and more being targeted by security issues, in an outward parallel to the skyrocketing fame of Apple’s products. And that does not come as a surprise at all in an industry where luster can lure the good guys as well as the bad ones. Apple may very well seem to have taken their point, on the heels of a number of setbacks in their product line during the first quarter of 2008.

    The Mac platform went through a second round of scareware last month. The iMunizator was discovered to be a variation of the MacSweeper threat, in an apparent move by rogue security software developers to cash in on the rising number of Mac users.

    Interestingly, around half of the security flaws in last Wednesday’s patch came from 3Com Inc.’s TippingPoint and its Zero Day Initiative program. TippingPoint was a major sponsor of the PWN to OWN challenge during the CanSecWest conference in Vancouver where Apple-hacking aficionado Charlie Miller successfully compromised a MacBook Air.

    While slowly eating up a larger share of the lucrative financial pie, Apple is starting to feel the rising heat on security risks. And more eyes are watching to see how Apple will let off the steam.

     
    Posted in Bad Sites | Comments Off



    …Under My Skin

    Charlie’s Angels, James Bond or Ethan Hunt could not have done it any better. British researcher Matthew Lewis recently unveiled a mechanism that captures fingerprints used for secured access in doors and computer systems. And he did not even have to dodge bullets or wear prosthetics to do it.

    Biometrics, as it is universally known, is the study of methods for distinctively recognizing humans using one or more fundamental physical or behavioral qualities. Perhaps the most popular form of biometrics is fingerprint recognition technology, which is slowly gaining use in laptop computers, smart cards, and employee identification.

    Lewis, who works for Information Risk Management, demonstrated his proof-of-concept device during March’s Black Hat Amsterdam conference. The researcher believes that despite biometrics’ reputation as a suitable replacement for, rather than a mere supplement to, existing security protocols, it will soon serve as a bane for users and companies alike.

    With the device, dubbed a biometric keylogger or biologger, Lewis demonstrated how, by means of a man-in-the-middle laptop, he was able to intercept unencrypted transmissions between a certain access control device and a back-end server. Using a certain algorithm, he was able to reconstruct an image of a fingerprint that can be used to unlock computers or building doors. Furthermore, he was able to issue commands to the access control device, such as adding new users with full administrative privileges, without using a valid fingerprint ID.

    Despite some limitations in his study, Lewis was pretty clear in his message that biometrics is not the immaculate end-all solution that people may perceive it to be. So long as biometric technology and its surrounding infrastructure are vulnerable, the threat of biologging looms on the horizon. The surprising finding that biometric data travels unencrypted should be a worrying item on developers’ to-do lists. True to Isaac Asimov’s words, good Hollywood science fiction is indeed based on real science.

     
    Posted in Bad Sites | Comments Off


     
