Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Mobile Vulnerabilities

  • Zero-Day Alerts

  • Recent Posts

  • Calendar

    September 2015
    S M T W T F S
    « Aug    
  • Email Subscription

  • About Us

    Author Archive - Christopher Talampas (Fraud Analyst)

    It’s never too early to get ready for Valentine’s day, it seems, even when it comes to malicious attacks. Recently, I came across a scam in Facebook that leverages the upcoming occasion.

    The said attack begins with a post on affected users’ wall inviting other users to install a Valentine’s theme into their Facebook profile.

    Click for larger viewOnce users click on this post, they are redirected to another page that urges them to install the said theme. Note that this attack only works on either Google Chrome or Mozilla Firefox browsers.

    Read the rest of this entry »


    The latest Facebook scam leverages Breaking Dawn Part 2 and leads to survey pages that steal personal data such as cell phone numbers and email addresses.

    Who wants free tickets to The Twilight Saga: Breaking Dawn Part 2? To most, specifically to cybercriminals, the real question is, “Who wouldn’t?”

    We have encountered several incidents of clickjacking on Facebook, which typically redirect users to a malicious survey that asks for personal information such as email addresses or mobile phone numbers.

    This time around, this attack now targets users (and fans) who may be interested to watch the movie, Twilight Saga: Breaking Dawn Part 2.

    The image below shows how the page looks. The photo features celebrities, Robert Pattinson and Kristen Stewart, two of the movie’s main characters.

    Read the rest of this entry »

    Posted in Bad Sites, Social, Spam | Comments Off on Free ‘Breaking Dawn Part 2′ Tickets Scam Spreads in Facebook

    Recently, while chatting with someone on Facebook, one of my friends surprised me when she sent me this:

    Facebook chat messages

    Out of curiosity and suspicion, I visited the link. This eventually led me to the following site, which was hosted at http://{BLOCKED}

    Click for larger view

    Users who input their Facebook credentials here would be surrendering their credentials to phishers. Phishing attacks such as this that use Facebook applications are not entirely new but having it spread via Facebook’s own chat feature makes it a more significant threat. In addition, the user first sees a Facebook URL in the message’s text, further lending credibility to it. The appearance of these messages coming from a user’s friends may lead to more people clicking these links.

    The Facebook application used in this attack has already been removed. The underlying phishing page has also been blocked by the Trend Micro™ Smart Protection Network™.


    I recently came across a round of spammed instant messages that arrived via my Yahoo! Messenger account. These messages were supposedly sent from my cousin’s account, and used the following format and were sent to everyone on her friends list:

    Click for larger view

    The familiar message format told me that I was chatting with a bot that wanted me to click the link in the message. Checking where the link went to led me to the following page:

    Click for larger view

    The IQ test had 11 questions that eventually led to a “results” page that asked me to sign up and enter my mobile phone number to get the quiz results:

    Click for larger view

    One may ask why the site would need a mobile phone number just to send IQ test results. Will they use this information to spam me through my mobile phone? Nor is it clear if the answers to the questions actually matter to the IQ “score” given to the user, if they actually receive one.

    That may well be the case but the cybercriminals have a more direct approach to earn money. The Summary of Terms at the bottom of the page says that by giving the quiz’s creators one’s mobile phone number means signing up for “mobile content subscription.” Of course, this is not free, as the subscription fee ranges from US$9.99–$19.99 a month. This is stated in the site’s terms and conditions, which are located at the bottom of the page:

    Click for larger view

    This gave me enough reason to close the browser tab and leave the website. The URL of the said “IQ test” is now blocked by the Trend Micro Smart Protection Network™.

    Posted in Spam | TrackBacks (8) »

    Trend Micro threat analysts were recently alerted to a phishing attempt targeting random employees of several companies. The email posed as a notification from the company’s “system administrator,” reminding the employee to update his/her system’s software due to a recent server software upgrade. The spammed email contained a URL using several subdomains that resolved to the same IP address.

    Click for larger view


    Click for larger view

    Trend Micro Advanced Threats Researcher Joey Costoya believes the subdomains are tailor-made, depending on the recipent’s email address. This makes the email seem legitimate, even if it is not, tricking unknowing users into clicking the URL.

    As of this writing, the URLs are already inaccessible. Trend Micro analyzed the domains and subdomains used in this attack and found that they are already blacklisted. The domain was registered for only one year.

    Trend Micro Smart Protection Network™ already detects the malicious files as TROJ_ZBOT.AYX and blocks the spammed emails. Non-Trend Micro product users are, on the other hand, advised to use HouseCall, Trend Micro’s highly popular and capable on-demand scanner for identifying and removing viruses, Trojans, worms, unwanted browser plugins, and other malware.



    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice