Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Recent Posts

  • Calendar

    April 2015
    S M T W T F S
    « Mar    
  • Email Subscription

  • About Us
    TrendLabs Security Intelligence Blog(breadcrumbs are unavailable)

    Author Archive - Christopher Talampas (Fraud Analyst)

    Recently, while chatting with someone on Facebook, one of my friends surprised me when she sent me this:

    Facebook chat messages

    Out of curiosity and suspicion, I visited the link. This eventually led me to the following site, which was hosted at http://{BLOCKED}

    Click for larger view

    Users who input their Facebook credentials here would be surrendering their credentials to phishers. Phishing attacks such as this that use Facebook applications are not entirely new but having it spread via Facebook’s own chat feature makes it a more significant threat. In addition, the user first sees a Facebook URL in the message’s text, further lending credibility to it. The appearance of these messages coming from a user’s friends may lead to more people clicking these links.

    The Facebook application used in this attack has already been removed. The underlying phishing page has also been blocked by the Trend Micro™ Smart Protection Network™.


    I recently came across a round of spammed instant messages that arrived via my Yahoo! Messenger account. These messages were supposedly sent from my cousin’s account, and used the following format and were sent to everyone on her friends list:

    Click for larger view

    The familiar message format told me that I was chatting with a bot that wanted me to click the link in the message. Checking where the link went to led me to the following page:

    Click for larger view

    The IQ test had 11 questions that eventually led to a “results” page that asked me to sign up and enter my mobile phone number to get the quiz results:

    Click for larger view

    One may ask why the site would need a mobile phone number just to send IQ test results. Will they use this information to spam me through my mobile phone? Nor is it clear if the answers to the questions actually matter to the IQ “score” given to the user, if they actually receive one.

    That may well be the case but the cybercriminals have a more direct approach to earn money. The Summary of Terms at the bottom of the page says that by giving the quiz’s creators one’s mobile phone number means signing up for “mobile content subscription.” Of course, this is not free, as the subscription fee ranges from US$9.99–$19.99 a month. This is stated in the site’s terms and conditions, which are located at the bottom of the page:

    Click for larger view

    This gave me enough reason to close the browser tab and leave the website. The URL of the said “IQ test” is now blocked by the Trend Micro Smart Protection Network™.

    Posted in Spam | TrackBacks (8) »

    Trend Micro threat analysts were recently alerted to a phishing attempt targeting random employees of several companies. The email posed as a notification from the company’s “system administrator,” reminding the employee to update his/her system’s software due to a recent server software upgrade. The spammed email contained a URL using several subdomains that resolved to the same IP address.

    Click for larger view


    Click for larger view

    Trend Micro Advanced Threats Researcher Joey Costoya believes the subdomains are tailor-made, depending on the recipent’s email address. This makes the email seem legitimate, even if it is not, tricking unknowing users into clicking the URL.

    As of this writing, the URLs are already inaccessible. Trend Micro analyzed the domains and subdomains used in this attack and found that they are already blacklisted. The domain was registered for only one year.

    Trend Micro Smart Protection Network™ already detects the malicious files as TROJ_ZBOT.AYX and blocks the spammed emails. Non-Trend Micro product users are, on the other hand, advised to use HouseCall, Trend Micro’s highly popular and capable on-demand scanner for identifying and removing viruses, Trojans, worms, unwanted browser plugins, and other malware.


    The Trend Micro Content Security team discovered a phishing attack that used a software company’s website to lure victims into divulging personal information. The compromised site was that of School Website Solutions, which looks like this:

    Figure 1. Clean page.

    Phishers were able to hack the site however. Users who were trying to access School Website Solutions using its legitimate URL saw this page instead

    Figure 2. Phishing page.

    which is no longer related to the software company at all. The phishing site spoofed the login page of Alliance & Leicester, a bank in the UK. Information entered in this page were keylogged and stolen by phishers.

    Trend Micro has already notified School Website Solutions of this threat, and the site administrators were able to swiftly respond and resolve the issue. Security policies and practices that help ensure attacks like this don’t happen include:

    • Religiously checking OS and software vulnerabilities and taking necessary actions when problems arise.
    • Using strong passwords.
    • Disabling unneeded services and deleting unnecessary accounts.
    • Keeping private files private by not placing them under the public directory on the server.
    Posted in Bad Sites | Comments Off

    TrendLabs Content Security has come upon a new phishing attack that leads to the download of malware. However, unlike most instances where phishing baits are usually banks, credit unions or other financial institutions, this time it uses the popular social networking Web site

    The phishing URL may be contained in spammed email messages. Once recipients of said messages click or visit the URL, it displays a spoofed MySpace login page. It also uses a popup window declaring a supposed MySpace profile object error and requires that the user download the new version of a new MySpace profile object.

    Therein lies the trick: When the user clicks the “continue” button, malicious files are not only downloaded but also automatically installed. The said malicious files are detected as TROJ_ZLOB.GUZ and BKDR_IRCBOT.BGY.

    And if the user tries to exit the page, it will not close until the said file is downloaded. To exit, a user needs to terminate the program using Task Manager.

    Trend Micro users, of course, are already safe from this threat, as the phishing URL hxxp://{BLOCKED} is already blocked by Trend Micro’s Web Threat Protection (WTP) technology. For other users, however, it pays to be vigilant.

    Posted in Bad Sites | Comments Off


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice