    Author Archive - Noriaki Hayashi (Senior Threat Researcher)




    We were alerted in July 2012 about malicious apps that we detect as ANDROIDOS_CONTACTS.E. We investigated the related spam, which arrives on the mobile device. What is noteworthy about this threat is that the spam was distributed not only to smartphones but to feature phones as well.

    This indicates that the spammers may have carried out indiscriminate attacks targeting the email addresses provided by telecommunication carriers.

    In Japan, this carrier email address is popular among mobile users because it can be accessed from both mobile devices and computers. Each telecommunications carrier also provides a service that blocks spam mail. This feature may have led users to become complacent about the security of their carrier email addresses.

    Spammers understand users’ tendency to be too trusting, so they distributed this spam to carrier email addresses to increase their attack’s success.

    So far, we can categorize the URLs in these spam into three types:

    • URLs that directly lead to the download of an Android APK package
    • URLs that lead to a malicious web page disguised as a legitimate app market store
    • Shortened URLs

    Let’s focus on the third type of URL. When users click the shortened URL, they are led to a web page set up by the spammer or their partners. In this scenario, the page may lead either to the download of an APK package or to a web page disguised as a legitimate app store.

    Why do spammers leverage shortened URL services? Users find it difficult to check the complete URL behind a shortened one, which raises the rate of users inadvertently clicking a malicious link. Furthermore, some shortened URL services count user clicks in real time. So if a particular link received fewer clicks, spammers can reuse a different shortened link that received more clicks in their next spam run.

    Now, let’s focus on those URLs that lead users to a spoofed app store. We found the app “Power Charge”, also detected as ANDROIDOS_CONTACTS.E, which supposedly charges the phone using sunlight.





    We found a spam mail written in Japanese leveraging the Olympics to sell illegal products. We fully expected this event to be used by cybercriminals to profit. It appears that among the first to strike are sellers of B-CAS cards for TVs, which are supposed to allow the users to watch the Olympics without paying.

    These spammed messages – which have the subject line オリンピック全日程が見放題 (translated as Free access to all Olympic games in English) – have a link which leads to websites selling the illegal B-CAS card. The message itself says that normally, you have to pay more than 400,000 Japanese yen (more than 5,000 US dollars) per year in order to watch premium channels. Instead, the (illegal) B-CAS cards allow you to watch these channels for free.

    The website of these illegal cards describes them as “miracle cards” in Japanese.

    The order form – which asks the user for their name, email address, number of cards to be bought, shipping address, and contact information – does not use HTTPS, which all reputable vendors use to secure the transaction from possible interception. Not only is the site selling illegal goods, it’s set up in an insecure manner for any online commerce site.

    Based on its IP address, we have identified the server as being located in Hong Kong. Other landing pages for sites also selling B-CAS cards are hosted on this server as well.

    Here are some of the malicious URLs that we found on the server:


    Note that these URLs are all hosted on a single IP address, and the same IP address appears throughout the overall infection chain.

    The Trend Micro™ Smart Protection Network™ protects users from this threat by preventing the spammed messages from even reaching users’ inboxes via the Email Reputation Service. It also blocks access to malicious sites via the Web Reputation Service. We have blocked more than 2,500 attempts from Japanese users to access these sites for the last 30 days.

    We advise users to not purchase anything from these sites, as they could face criminal prosecution for merely buying these devices. Recently, the Kyoto Prefectural Police announced they had arrested both buyers and sellers of illegal B-CAS cards.

    With the Olympics only days away from starting, we expect other threats related to this event soon. Here are some blog entries and Web Attack entries that discuss similar threats:


    For complete information on the latest Olympic-themed threats, including quizzes and safety guides, you can visit Race to Security, the Trend Micro security guide to major sporting events such as the Olympics.




    In the past we’ve reported about one-click billing fraud schemes starting to target smartphone users. The scheme, as its name suggests, tricks a victim into registering and paying for a certain service after being falsely led to a specific website. The past attack we saw involved a website on which target victims were asked to pay a certain amount in order to prevent their information from being sent to an adult site.

    We’ve found a similar scheme, but this time it specifically targets Android users through a malicious app.

    The attack is triggered by a blog site that features videos of gamers playing. The blog, called “Game Dunga”, has changed its domain three times in the past. The previous versions contained many links to game-playing videos (not only adult content). The current one (the third generation), however, contains only links to adult content.

    Trying to view any of the videos triggers a pop-up asking the user to download a malicious app detected as ANDROIDOS_FAKETIMER.A. ANDROIDOS_FAKETIMER.A collects the Android user’s account information through the following methods and sends it to a certain URL as request parameters:

    • getAccounts() method – to acquire the Gmail account information managed by the affected user’s device
    • getDeviceID() method – to acquire the SIM information of the affected device
    • getLine1Number() method – to acquire the mobile number of the affected device

    The information gathered by these methods is sent to the cybercriminals.

    ANDROIDOS_FAKETIMER.A also displays a pop-up window that shows the message “We haven’t received your payment. Therefore, based on our policy, we will have to charge you if you have not paid yet.”

    ANDROIDOS_FAKETIMER.A also displays the information it stole in order to build credibility for itself and better convince the victim to pay the amount.

    Using an app for this one-click billing fraud gives the scheme a level of persistence that was not evident before. In past schemes, the routines were mostly executed through a malicious website, and closing the browser would stop the attack. Here, however, since the routines are carried out by an app installed on the device, the prompts asking the user to pay are shown repeatedly. We studied the code and found that the pop-up is set to appear every 5 minutes.
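    As an added defender-side example (not Trend Micro’s detection logic), the following Python heuristic triages decompiled APK code (smali text) for the combination described above: the three identity lookups, a URL that carries query parameters to receive them, and a repeating timer with a five-minute period. The smali fragments are constructed for the demonstration, not taken from a real sample.

```python
import re

# Indicators mirroring the FAKETIMER behaviour described in the write-up.
# 300000 ms (five minutes) is 0x493e0 in a smali const-wide literal.
INDICATORS = {
    "accounts": re.compile(r"Landroid/accounts/AccountManager;->getAccounts"),
    "device_id": re.compile(r"Landroid/telephony/TelephonyManager;->getDeviceId"),
    "line1": re.compile(r"Landroid/telephony/TelephonyManager;->getLine1Number"),
    "param_url": re.compile(r'const-string [vp]\d+, "https?://[^"]+\?[^"]*'),
    "timer": re.compile(r"Ljava/util/Timer;->schedule|Landroid/app/AlarmManager;->setRepeating"),
    "five_min": re.compile(r"const-wide(?:/\d+)? [vp]\d+, 0x493e0\b"),
}

IDENTITY = {"accounts", "device_id", "line1"}


def triage(smali: str) -> dict:
    """Return the indicators found in one decompiled sample and a verdict."""
    hits = {name for name, rx in INDICATORS.items() if rx.search(smali)}
    identity_hits = hits & IDENTITY
    # Identity data plus a parameterised URL to send it to is the core pattern;
    # the repeating timer and five-minute literal only raise confidence.
    if identity_hits and "param_url" in hits:
        verdict = "suspicious"
    elif identity_hits:
        verdict = "review"
    else:
        verdict = "clean"
    return {"hits": sorted(hits), "identity_count": len(identity_hits), "verdict": verdict}


# Constructed smali fragments (hypothetical, not from a real sample).
SAMPLE_FAKETIMER = """
invoke-virtual {v0}, Landroid/accounts/AccountManager;->getAccounts()[Landroid/accounts/Account;
invoke-virtual {v1}, Landroid/telephony/TelephonyManager;->getDeviceId()Ljava/lang/String;
invoke-virtual {v1}, Landroid/telephony/TelephonyManager;->getLine1Number()Ljava/lang/String;
const-string v2, "http://example.invalid/reg.php?mail="
const-wide/32 v4, 0x493e0
invoke-virtual/range {v3 .. v8}, Ljava/util/Timer;->schedule(Ljava/util/TimerTask;JJ)V
"""

SAMPLE_BENIGN = """
invoke-virtual {v0}, Landroid/content/Context;->getString(I)Ljava/lang/String;
const-string v2, "https://example.invalid/help"
"""

if __name__ == "__main__":
    print(triage(SAMPLE_FAKETIMER))
    print(triage(SAMPLE_BENIGN))
```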

    Should users encounter a similar site, they are advised to leave the site immediately and not click any links to avoid getting victimized. Smart Protection Network already blocks the related URL via our Web Reputation technology and detects the malicious application.

    For more information on other mobile threats, as well as tips on how to keep one’s device safe, please check our Mobile Threat Information Hub.

     



    One-click billing fraud, a scheme known for targeting PC users in Japan, now appears to target smartphone users as well.

    The scheme, as its name suggests, tricks a victim into registering and paying for a certain service after being falsely led to a specific website. Successful attacks have been increasing in Japan since 2004, reaching 903 inquiries to the Information Technology Promotion Agency Japan in November 2009.

    A typical attack involves spam sent to the victim that includes a link to a website hosting free videos. The website lists videos with sensational titles to catch users’ attention. Trying to view any of the videos displays a trailer, which explains why viewing it is free.


    Once the trailer ends, a link that says “view more” is displayed, which users must click to supposedly see the video they originally wanted to view. Instead, users are redirected to a page telling them that they must first register as a member and pay a fee. The window telling users to pay is displayed on the screen continuously unless they pay the said amount.






    Today’s social media sites like Twitter and Facebook can be convenient tools for users to easily get the information they want. Such sites can easily satisfy users’ desire to know more, especially in the wake of life-changing events.

    In the case of the recent disasters in Japan, hashtags related to victims’ safety, rolling blackouts, and public transportation were spontaneously created; they helped provide information at the time and continue to be used effectively.


    However, users should keep in mind that there is a lot of fake information mixed in with facts. There are a lot of cases wherein people simply accepted information as truth, leading to unnecessary anxiety and inadvertently contributing to the spread of lies. To help prevent such cases, we would like to share some tips on how to verify the sources of Tweets.

    The Jackie Chan Hoax

    Just recently, false news about the untimely death of the famous actor made the rounds online. According to the hoax, Jackie Chan died of a heart attack, prompting fans from all over the world to post related Tweets. A bogus copy of the Yahoo!7 News site was used in this attack, redirecting users to the malicious URL http://pastehtml.com/view/{BLOCKED}.html. The website was created using a hosting service known as PasteHTML, which allows users to register sites anonymously.




     

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice