    TrendLabs Security Intelligence Blog

    Author Archive - Noriaki Hayashi (Senior Threat Researcher)

    One-click billing fraud, a scheme known for targeting PC users in Japan, now appears to target smartphone users as well.

    The scheme, as its name suggests, tricks a victim into registering and paying for a certain service after being lured to a specific website. Instances of successful attacks have been increasing in Japan since 2004, and the Information Technology Promotion Agency Japan recorded 903 related inquiries in November 2009.

    A typical attack involves a spam message sent to the victim, which includes a link to a website that hosts free videos. The website lists videos with sensational titles to catch users’ attention. Attempting to view any of the videos displays a trailer, which is why viewing it is free.


    Once the trailer ends, a link that says “view more” is displayed, which users must click to supposedly see the video they originally wanted to view. Instead, users are redirected to a page telling them that they must first register as a member and pay a fee. The window demanding payment remains on the screen continuously until they pay the said amount.


    Today’s social media sites like Twitter and Facebook can be convenient tools for users to easily get the information they want. Such sites can easily satisfy users’ desire to know more, especially in the wake of life-changing events.

    In the case of the recent disasters in Japan, hashtags related to victims’ safety, rolling blackouts, and public transportation, which were created spontaneously, helped provide information at the time and continue to be used effectively.


    However, users should keep in mind that a lot of fake information is mixed in with the facts. There have been many cases in which people simply accepted information as truth, leading to unnecessary anxiety and inadvertently contributing to the spread of lies. To help prevent such cases, we would like to share some tips on how to verify the sources of Tweets.

    The Jackie Chan Hoax

    Just recently, false news about the untimely death of the famous actor made the rounds online. According to the hoax, Jackie Chan died of a heart attack, prompting fans from all over the world to post related Tweets. A bogus Yahoo!7 News site was used in this attack, redirecting users to the malicious URL {BLOCKED}.html. The website was created using a hosting service known as PasteHTML, which allows users to register sites anonymously.



    Earlier today, we found a phishing site that poses as a donation site raising money for the victims of the recent earthquake in Japan. The phishing site http://www.japan{BLOCKED}.com was created using the open-source social networking system Jcow 4.2.1. It is hosted on the IP address 50.61.{BLOCKED}.{BLOCKED}, which is located in the United States. We’ve confirmed that the site is still active as of this writing.


    Aside from hosting a phishing site, the cybercriminals behind this attack also abused the blog function of the website and inserted advertisement-looking posts, possibly to increase the site’s SEO ranking.



    Late last year, we talked about how fake system diagnostic tools were becoming the next step in the evolution of FAKEAV malware. These variants have now started to affect Japanese users as well.

    Fake system diagnostic tools such as this variant, named System Defragmenter, were first discovered in October 2010. These tools change their names very frequently. At present, we are aware of at least 30 different names/aliases that these tools use. Cybercriminals may believe that changing their products’ names makes them much more difficult to detect and remove.

    None of this should be taken to mean that conventional fake antivirus attacks have gone away, however. Last week, a very high-profile attack involving a rogue antivirus detected by Trend Micro as TROJ_FAKEAV.SMTV hit Twitter. Many users fell prey to this when they clicked links that used a URL shortener to lead to this FAKEAV variant’s download.

    Attacks involving fake diagnostic tools are similar to traditional FAKEAV attacks. A fake tool appears to function like a real system diagnostic tool, though its supposed diagnostic functions never work. Once a user’s PC is infected by such a tool, it repeatedly displays fake warnings saying that the system is suffering from hard disk problems.

    Inexperienced users may worry and panic over these problems. They may end up paying for additional “tools” and giving cybercriminals their personal information such as email addresses and credit card numbers. Like FAKEAV, these fake diagnosis tools will cause many problems for users.

    Infection Vectors

    Fake diagnostic tools may arrive via several different infection vectors:

    • Users visit malicious sites and manually download and install malicious files.
    • Users visit malicious sites that are riddled with exploits, which silently install malicious files in the background.

    The tactics cybercriminals use to distribute fake diagnostic tools are broadly similar to those used for FAKEAV malware. Cybercriminals may lead users to their own sites through black hat search engine optimization (SEO) poisoning, or to compromised legitimate sites. Cases where these fake tools are installed without the users’ knowledge may lead them to think the fake tools are actually legitimate programs, allowing the attacks to succeed.

    System Defragmenter is detected as TROJ_FAKEAL.GG. While the sites that distributed it are now inaccessible, similar attacks continue to be launched, albeit using constantly changing names and sites. Understanding how these attacks are conducted will help users avoid becoming their victims.

    Its installer uses the same icon as Windows Update.

    Fourteen minutes after the tool is installed, it displays a fake alert in the user’s notification area.



    Japanese users are the latest target of a new phishing campaign. This attack was carried out via the PlayOnline gaming service instead of via more traditional means like email.

    PlayOnline is a service offered by Square Enix, which is used by several of the company’s games for their online features. However, it has been confirmed that this threat specifically targets users of the popular massively multiplayer online role-playing game (MMORPG) “Final Fantasy XI.”

    The said game gives users the ability to chat with other players using the in-game Tell command. A malicious user, posing as a game administrator, uses this command to send users the following Japanese messages:

    8周年お祝いかつどうはひらき、 www.ffxi{BLOCKED}.com で贈り物の包みを受け取ってください

    ご当選おめでとうございます。あなたはFFXI抽選イベントで当選されました www.ffxi{BLOCKED}.com にご登録し、商品を受け取ってください。

    It should be noted, however, that the above-mentioned messages are grammatically incorrect and thus would not be used by any native Japanese speaker. These messages translate to the following English sentences:

    What is the 8th anniversary celebration and Hiraki, www.ffxi (BLOCKED).com Please accept the gift wrap

    Congratulations on your win. FFXI was elected in the event you draw www.ffxi (BLOCKED).com and sign up, please receive it.

    Accessing the URL embedded in the said messages eventually takes users to a fake PlayOnline login page.

    The phishing page’s contents are written in English, whereas those of the legitimate page are written in Japanese. However, the overall appearance of the phishing page is identical to the legitimate PlayOnline page, as shown below.


    In addition, careful examination of the address bar lets users know that the page is fake. The PlayOnline login page uses an extended validation certificate, which some browsers (including Internet Explorer and Firefox) indicate by changing the color of the address bar to green. Users can also see the name of the organization that runs the said site. In contrast, the phishing page does not use any SSL certificate at all, and this absence helps users determine that the site is not legitimate.

    Other content, including a fake official site for “Final Fantasy XI,” is also present on the same server that hosts the phishing page.


    These phishing pages were hosted by an ISP in the United States and have since been shut down. Similar attacks using the Tell command remain possible, however, and users should be careful moving forward.

    Trend Micro users are protected from this attack via the Trend Micro™ Smart Protection Network™, which blocks the malicious websites used in the attack.



    © Copyright 2013 Trend Micro Inc. All rights reserved.