    Author Archive - Fatima Bancod (Fraud Analyst)

    8:16 am (UTC-7)   |    by

    Trend Micro fraud analysts were recently alerted to the discovery of a new phishing campaign that specifically targets AOL Instant Messenger (AIM) users.

    The spammed message purports to be from AIM and urges recipients to download and execute the latest AIM version to reactivate their currently inactive accounts.

    This becomes a problem if the recipients actually have AIM accounts, as they may be tricked into clicking the link, http://{BLOCKED}. The end result may be the loss of pertinent personal information or, worse, their identities. Instead of delivering an actual application update, the link leads to a spoofed AIM website.

    Users who land on the phishing page are then prompted to download the malicious file aimupdate_7.1.6.475.exe, which Trend Micro detects as TSPY_ZBOT.JF. This spyware injects threads into certain normal processes. Like its ZBOT predecessors, it also attempts to access a website to update its list of target banks and other financial institutions, which it then sends to a remote site.

    Trend Micro™ Smart Protection Network™ protects users from this attack by blocking the spammed messages, preventing user access to malicious sites, and detecting and blocking the download of malicious files.


    3:19 am (UTC-7)   |    by

    It’s about time this technique came in. The Content Security team forecast that phishing with CAPTCHA would be an emerging fraudulent technique.

    CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) used to protect websites against abusive automated software that can register, spam, log in, or even splog. Nowadays, however, that isn’t the case anymore.

    Just like the traditional PayPal phish, the web page http://{BLOCKED} prompts the user to provide feedback on their shopping by asking for their name, e-mail address, and PayPal password, as seen in Figure 1.

    Figure 1: Screenshot of bogus PayPal phishing Feedback page

    A CAPTCHA image is then shown, and the user is required to enter the indicated code for spam prevention. However, after the user’s personal information is entered, this could be used to create bogus mail accounts, among other things.

    The phishing URL is already blocked by Trend Micro’s Smart Protection Network.


    After the Walmart phish comes the KMart survey form phish, which promises to add $150 to the user’s account just for taking the survey. As shown in the verification page, the user has to rate each criterion provided and then supply personal information such as full name, phone number, and email address, as shown in Figure 1.

    Clicking the “Proceed” button leads to a thank-you page with a statement that, for the $150 to be added to the user’s account, the user must enter their card number and card PIN, as shown in Figure 2.

    After the user clicks the “Continue” button, the page proceeds to the legitimate KMart webpage.

    As for the phishing URL, it’s already blocked by the Trend Micro Smart Protection Network.


    1:22 am (UTC-7)   |    by

    The Trend Micro Content Security team recently discovered a Cable Cable Inc. domain hosting a Walmart phishing survey. Cable Cable Inc. is a television, Web, and phone service provider based in Canada. Walmart, of course, is the chain of discount department stores.

    As shown in the following sample phishing page, hosted at http://{BLOCKED}, Walmart customers are required to provide their rating as well as contact information such as their full name, phone number, and email address:

    Figure 1. Screenshot of bogus Walmart phishing survey page.

    After clicking on the “Proceed” button, a user is redirected to the following confirmation page, which asks for additional and more valuable information (for cybercriminals, that is) such as the user’s credit card number, card expiration date, card verification value, and PIN.

    Figure 2. Screenshot of Walmart phishing survey verification page.

    The phishing URL is now already blocked by the Trend Micro Smart Protection Network. Cybercriminals lately seem to be favoring social engineering techniques to trick users into divulging their personal information in exchange for gift certificates or any promised freebies. The economic recession might explain this. Then again, cybercriminals are known for being creative.

    Other similar threats include:

    Users are advised to not participate in surveys that come from unsolicited messages.


    The Trend Micro Content Security Team has discovered a phishing attack that has some unusual targets — customers of at least two popular domain name registrars and Web hosting companies. Both of them were among the world’s largest domain name registrars in the past year, which would probably explain the phishers’ interest.

    Here’s a screenshot of one of the phishing pages:

    Figure 1. Display of the fake login page.

    The pages ask users to log into their accounts by entering their login IDs and passwords. The site, however, is designed to harvest user names and passwords to access legitimate accounts.

    Trend Micro Smart Protection Network already blocks the phishing URL, thus keeping users from even accessing the site.
