Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Recent Posts

  • Calendar

    May 2015
    S M T W T F S
    « Apr    
  • Email Subscription

  • About Us

    Author Archive - Christopher Talampas (Fraud Analyst)

    The latest Facebook scam leverages Breaking Dawn Part 2 and leads to survey pages that steal personal data such as cell phone numbers and email addresses.

    Who wants free tickets to The Twilight Saga: Breaking Dawn Part 2? To most, specifically to cybercriminals, the real question is, “Who wouldn’t?”

    We have encountered several incidents of clickjacking on Facebook, which typically redirect users to a malicious survey that asks for personal information such as email addresses or mobile phone numbers.

    This time around, this attack now targets users (and fans) who may be interested to watch the movie, Twilight Saga: Breaking Dawn Part 2.

    The image below shows how the page looks. The photo features celebrities, Robert Pattinson and Kristen Stewart, two of the movie’s main characters.

    Read the rest of this entry »

    Posted in Bad Sites, Social, Spam | Comments Off on Free ‘Breaking Dawn Part 2′ Tickets Scam Spreads in Facebook

    Recently, while chatting with someone on Facebook, one of my friends surprised me when she sent me this:

    Facebook chat messages

    Out of curiosity and suspicion, I visited the link. This eventually led me to the following site, which was hosted at http://{BLOCKED}

    Click for larger view

    Users who input their Facebook credentials here would be surrendering their credentials to phishers. Phishing attacks such as this that use Facebook applications are not entirely new but having it spread via Facebook’s own chat feature makes it a more significant threat. In addition, the user first sees a Facebook URL in the message’s text, further lending credibility to it. The appearance of these messages coming from a user’s friends may lead to more people clicking these links.

    The Facebook application used in this attack has already been removed. The underlying phishing page has also been blocked by the Trend Micro™ Smart Protection Network™.


    I recently came across a round of spammed instant messages that arrived via my Yahoo! Messenger account. These messages were supposedly sent from my cousin’s account, and used the following format and were sent to everyone on her friends list:

    Click for larger view

    The familiar message format told me that I was chatting with a bot that wanted me to click the link in the message. Checking where the link went to led me to the following page:

    Click for larger view

    The IQ test had 11 questions that eventually led to a “results” page that asked me to sign up and enter my mobile phone number to get the quiz results:

    Click for larger view

    One may ask why the site would need a mobile phone number just to send IQ test results. Will they use this information to spam me through my mobile phone? Nor is it clear if the answers to the questions actually matter to the IQ “score” given to the user, if they actually receive one.

    That may well be the case but the cybercriminals have a more direct approach to earn money. The Summary of Terms at the bottom of the page says that by giving the quiz’s creators one’s mobile phone number means signing up for “mobile content subscription.” Of course, this is not free, as the subscription fee ranges from US$9.99–$19.99 a month. This is stated in the site’s terms and conditions, which are located at the bottom of the page:

    Click for larger view

    This gave me enough reason to close the browser tab and leave the website. The URL of the said “IQ test” is now blocked by the Trend Micro Smart Protection Network™.

    Posted in Spam | TrackBacks (8) »

    Trend Micro threat analysts were recently alerted to a phishing attempt targeting random employees of several companies. The email posed as a notification from the company’s “system administrator,” reminding the employee to update his/her system’s software due to a recent server software upgrade. The spammed email contained a URL using several subdomains that resolved to the same IP address.

    Click for larger view


    Click for larger view

    Trend Micro Advanced Threats Researcher Joey Costoya believes the subdomains are tailor-made, depending on the recipent’s email address. This makes the email seem legitimate, even if it is not, tricking unknowing users into clicking the URL.

    As of this writing, the URLs are already inaccessible. Trend Micro analyzed the domains and subdomains used in this attack and found that they are already blacklisted. The domain was registered for only one year.

    Trend Micro Smart Protection Network™ already detects the malicious files as TROJ_ZBOT.AYX and blocks the spammed emails. Non-Trend Micro product users are, on the other hand, advised to use HouseCall, Trend Micro’s highly popular and capable on-demand scanner for identifying and removing viruses, Trojans, worms, unwanted browser plugins, and other malware.


    The Trend Micro Content Security team discovered a phishing attack that used a software company’s website to lure victims into divulging personal information. The compromised site was that of School Website Solutions, which looks like this:

    Figure 1. Clean page.

    Phishers were able to hack the site however. Users who were trying to access School Website Solutions using its legitimate URL saw this page instead

    Figure 2. Phishing page.

    which is no longer related to the software company at all. The phishing site spoofed the login page of Alliance & Leicester, a bank in the UK. Information entered in this page were keylogged and stolen by phishers.

    Trend Micro has already notified School Website Solutions of this threat, and the site administrators were able to swiftly respond and resolve the issue. Security policies and practices that help ensure attacks like this don’t happen include:

    • Religiously checking OS and software vulnerabilities and taking necessary actions when problems arise.
    • Using strong passwords.
    • Disabling unneeded services and deleting unnecessary accounts.
    • Keeping private files private by not placing them under the public directory on the server.
    Posted in Bad Sites | Comments Off on Phishing School Teaches Lessons on Secure Practices


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice