Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Mobile Vulnerabilities

  • Zero-Day Alerts

  • Recent Posts

  • Calendar

    September 2015
    S M T W T F S
    « Aug    
  • Email Subscription

  • About Us

    Author Archive - Noriaki Hayashi (Senior Threat Researcher)

    Late last year, we talked about how fake system diagnostic tools were becoming the next step in the evolution of FAKEAV malware. These variants started to affect Japanese users as well.

    Fake system diagnostic tools such as this variant named System Defragmenter were first discovered in October 2010. These tools very frequently change their names. At present, we are aware of at least 30 different names/aliases that these tools use. Cybercriminals may believe that changing their products’ names makes detecting and removing these much more difficult.

    None of this should be taken to mean that conventional fake antivirus attacks have gone away, however. Last week, a very high-profile attack involving a rogue antivirus detected by Trend Micro as TROJ_FAKEAV.SMTV hit Twitter. Many users fell prey to this when they clicked links that used the URL shortener to lead to this FAKEAV variant’s download.

    Attacks involving fake diagnostic tools are similar to traditional FAKEAV attacks. A fake tool appears to function like a real system diagnosis tool though its supposed diagnostic functions never work. Once users’ PCs are infected by such a tool, these repeatedly displayed fake warnings saying that the system is suffering from hard disk problems.

    Inexperienced users may worry and panic over these problems. They may end up paying for additional “tools” and giving cybercriminals their personal information such as email addresses and credit card numbers. Like FAKEAV, these fake diagnosis tools will cause many problems for users.

    Infection Vectors

    Fake diagnostic tools may arrive via several different infection vectors:

    • Users visit malicious sites and manually download and install malicious files.
    • Users visit malicious sites that are riddled with exploits, which silently install malicious files in the background.

    The tactics cybercriminals use to distribute fake diagnostic tools are broadly similar to those used for FAKEAV malware. Cybercriminals may lead users to their own sites by using Black Hat Search Engine Optimization (SEO) poisoning or to compromised legitimate sites. Cases where these fake tools are installed without the users’ knowledge may lead them to think the fake tools are actually legitimate programs, allowing the attacks to succeed.

    System Defragmenter is detected as TROJ_FAKEAL.GG. While the sites that distribute it are now inaccessible, similar attacks did not stop from being launched, albeit using constantly changing names and sites. Understanding how these attacks are conducted will help users avoid becoming their victims.

    Its installer uses the same icon as Windows Update.

    Fourteen minutes after the tool is installed, it displays a fake alert in the user’s notification area.

    Read the rest of this entry »


    Japanese users are the latest target of a new phishing campaign. This attack was carried out via the PlayOnline gaming service instead of via more traditional means like email.

    PlayOnline is a service offered by Square Enix, which is used by several of the company’s games for their online features. However, it has been confirmed that this threat specifically targets users of the popular massively multiplayer online role-playing game (MMORPG) “Final Fantasy XI.”

    The said game gives users the ability to chat with other players using the in-game Tell command. A malicious user, posing as a game administrator, sends the following Japanese messages using this command to users:

    8周年お祝いかつどうはひらき、 www.ffxi{BLOCKED}.com で贈り物の包みを受け取ってください

    ご当選おめでとうございます。あなたはFFXI抽選イベントで当選されました www.ffxi{BLOCKED}.com にご登録し、商品を受け取ってください。

    It should be noted, however, that the above-mentioned messages are grammatically incorrect and thus would not be used by any native Japanese speaker. These messages translate to the following English sentences:

    What is the 8th anniversary celebration and Hiraki, www.ffxi (BLOCKED).com Please accept the gift wrap

    Congratulations on your win. FFXI was elected in the event you draw www.ffxi (BLOCKED).com and sign up, please receive it.

    Accessing the URL embedded in the said messages eventually takes users to a fake PlayOnline login page.

    The phishing page’s contents are written in English whereas those of the legitimate page are written in Japanese. However, the overall appearance of the fake phishing page is identical to the legitimate PlayOnline page as shown below.

    Click for larger view Click for larger view

    In addition, careful examination of the address bar lets users know that the page is fake. The PlayOnline login page uses an extended validation certificate, which some browsers (including Internet Explorer and Firefox) show by changing the color of the address bar to green. Users can also see the name of the organization that runs the said site. In contrast, the phishing page does not use any SSL certificate at all, which helps users determine whether a site is legitimate or not.

    The other contents, including a fake official site for “Final Fantasy XI,” is also present on the same server that hosts the phishing page.

    Click for larger view Click for larger view

    These phishing pages are hosted by an ISP in the United States and have since been shut down although similar attacks using the Tell command are still not out of the question and users should be careful moving forward.

    Trend Micro users are protected from this attack via the Trend Micro™ Smart Protection Network™, which blocks the malicious websites used in the attack.

    Posted in Mobile | Comments Off on Phishing Attacks Target Japanese Gamers

    On September 27, Trend Micro researchers found phishing emails and sites pretending to be the Japanese localized site of Yahoo! Auctions. Japanese users, be warned.

    According to researchers, the said phishing mails were delivered to users with a subject title in Japanese, which when translated to English, reads “To Yahoo! Japan site users” and appearing to come from the Yahoo! Japan Support Center.

    This phishing mail pretends to be some type of user ID and password verification where the phisher intends to lead the victimized users to a site where confidential information such as Yahoo! Japan user IDs, passwords, credit card numbers, etc. can then be stolen.

    If the users click a link in the said mail, they are redirected to a webpage entitled, “Update your Yahoo! Japan ID user account,” again in Japanese.

    Figure 1. The fake site entitled “Update your Yahoo! Japan ID user account” in Japanese. The users visiting this phishing site are asked to input their passwords and credit card numbers.

    Trend Micro Web Reputation technology correctly and swiftly analyzed the danger of this site and has categorized it as a phishing site. If Trend Micro users unwittingly connect to this site, they are blocked from access and are thus safely protected.

    Figure 2. This shows that the said phishing site has been blocked by Web Reputation technology. When connecting to a specific website, Trend Micro users automatically query the reputation server to check the rating of this site.

    This phishing site is quite similar to the real Yahoo! Japan site in terms of design and layout. In fact, some of the links are connected to the legitimate Yahoo! Japan site. Therefore, any users who may hover their mouse over random links may tend to believe that the site is legitimate. The IP address, 210.188.{BLOCKED}.{BLOCKED}, further suggests that the site is located in Japan.

    Fortunately, this phishing site is currently inaccessible. (We also confirmed that it was accessible from 16:30 of September 27 to 23:00 on September 28, all in Japan time.)

    It is possible that similar phishing sites can be found to be hosted on different servers. This places Yahoo! Auction fans at greater risk as it expands the threat further. If ever you have updated your ID and password when this phishing site was accessible, once more, you had better check if your update was properly done in the legitimate site.

    We have seen several other cases targeting Japanese users by using phishing mails and websites written in Japanese. Below are some of the typical cases.

    Table 1. Just a sampling of arrests made against cybercriminals. Details can be found at the Metropolitan Police site.

    On September 6, Yahoo! Japan announced support for victimized users on such incidents that their Yahoo IDs were used illegally, etc. Users can even refund the amount lost in valid cases of fraud.

    While this is good news, the most important thing is to protect against being victimized by this kind of attack.

    Yahoo! Japan also has the particular pages devoting to best practices on how users can protect themselves from such auction-related fraud and troubles, at Yahoo! Security Center and Self-defense techniques on the auction sites. Japanese Yahoo! Auctions fans are encouraged to take time to read these reminders.

    Posted in Mobile | Comments Off on Caution Needed: JP Yahoo! Auctions Site Phished


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice