Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
    Author Archive - JM Hipolito (Technical Communications)

    The KOOBFACE gang certainly knows how to bring on the Christmas spirit.

    KOOBFACE has pushed a new campaign with the help of the new component that we saw deployed last month. The said component executes human-like behavior such as joining Facebook groups and posting messages on Facebook friends’ walls. This new campaign, on the other hand, boasts a timely theme.

    The bait is basically the same for this run: posts supposedly published by another user appear to contain a link to a video. Clicking the link leads to the fake YouTube page typical of KOOBFACE attacks, only this time the page is presented as a Christmas-themed video:


    The file downloaded from the page is detected by the Trend Micro Smart Protection Network™ as WORM_KOOBFACE.X.

    This isn’t the first Christmas-themed attack we’ve seen this year, as we’ve reported spam runs using Christmas in their social engineering ploys as early as September. And judging from what has been observed in the past years, this attack will not be the last.

    Thus, as in any season, users are advised to stay aware and exercise caution when online to help stay safe from online threats.


    Cyber Monday is basically the online retailers’ version of Black Friday and is considered the busiest day of the year for online shoppers and sellers alike. The National Retail Federation (NRF) estimates that 96.6 million Americans will shop this Cyber Monday, an 11.5 million increase from 2008’s 85 million, while 87.1% of retailers are going to have a special promotion for the said event.

    With such great numbers of shoppers and promotions expected to flood the Web, it is certain that shoppers and sellers aren’t the only ones who will be busy. Cybercriminals are surely bound to take advantage of this busy day, which is why users should keep their guard up and watch out for the following ploys that are likely to arise:

    1. Tainted shopping search results: Searching for the best deals might bring about some malware-related complications, as search results related to popular sales and sought-after products can be manipulated to lead to malicious websites.
    2. Phishing spree: Phishers will surely anticipate the throngs of online shoppers who will key in their credit card details as they make their purchases, and will deploy phishing attacks in hopes of stealing that information.
    3. Fake receipts used as bait: Just as in-store shoppers are handed a receipt when the transaction takes place, online shoppers are provided receipts through email or other means. Unfortunately, this gives cybercriminals a convenient opening: fake receipts used as bait to lure users into opening files that contain malware.

    Despite the expected increase in online shoppers, the NRF expressed that the shoppers aren’t likely to go on careless shopping sprees due to the still-lingering effects of the recession. The users, the NRF states, are forced to stick to necessities in terms of their purchases.

    We strongly suggest that users extend their cautiousness in choosing their purchases to their online shopping habits as well. The Trend Micro Smart Protection Network can and will protect Trend Micro users from these threats by blocking malicious spam emails and URLs and detecting malicious files.

    Other users are advised to stay protected and keep in mind that everyone is out for a quick and seamless bargain, even cybercriminals.


    Users who are currently planning to go or return to Brazil, especially with the holidays coming up, should watch out for a recent spam run. Spammed messages fashioned to look like an email from a Brazilian airline are offering users tickets to Brazil for just US$1.


    Here is a rough translation of the text in the spam:

    Promotion Voegol the $1.00 is back, buy tickets or return for all of Brazil to only $1.00.
    Visit our online service through the website: and mention code: VG1R
    After that, wait for contact from a clerk, and make the purchase.
    Further promotion visit:

    The spam run seems to take advantage of the promotions currently being offered by the said Brazilian airline. As enticing as the offer is, however, the links in the said email lead nowhere near cheap tickets. The link leads to a URL that downloads TROJ_DLOADR.APX. TROJ_DLOADR.APX then connects to other URLs to download TSPY_BANKER.NGN. TSPY_BANKER variants have been known to take special interest in Brazil. They are known to steal banking information specifically related to Brazilian banks.

    Users are advised to ignore similar spam they receive and instead check out the airline’s website for promos and other offers. On the other hand, Trend Micro users are protected from this attack through the Smart Protection Network.


    Cybercriminals are using compromised Twitter accounts to spam out information-gathering websites to unknowing users.

    The attack starts with compromised Twitter accounts. The accounts are used to send out Direct Messages to the followers of the users who own the compromised accounts.


    The Direct Message—which is basically the Twitter counterpart of a private message—contains a link to what looks like an IQ test website:


    An IQ test may seem harmless, but the last thing asked for in the test is no longer an answer but the respondent’s mobile number. Though the real motive for this scheme is unclear, we believe that this was set up to gather mobile numbers from unknowing users to become potential targets for SMS spam or other mobile-related attacks.

    Users are strongly advised to refrain from clicking the links contained in similar Direct Messages that they may encounter, even if the person who sent the DM is a known user. On the other hand, those users who think that their accounts may be among those compromised should change their passwords as soon as possible.

    The Trend Micro Smart Protection Network™ protects users from this by blocking all related URLs.

    Update as of 08:49 P.M. “Users who do give out their mobile phone numbers may end up being billed at least US$10 a month for text messages,” says KOMO News. Though not every online IQ test will charge you, most are just there to scam unwitting users. Keep in mind that if a test asks for your mobile phone number, it is looking for a way to bill your mobile phone account. If the quiz looks like it came from someone in your Twitter account then a hacker must have hijacked other people’s accounts to make you think you are getting a message from someone you know.

    Update as of November 13, 10:52 A.M. This attack does not simply harvest the affected users’ numbers but also signs up their mobile phones for an auto-renewing subscription, as described in the terms and conditions.


    Anyone who has ever played a video game—whether in an arcade, using a gaming console, or on a PC—knows how a good kill can get one all excited and pumped up. Games that involve killing certain entities give us the thrill of being in such an exhilarating situation, without suffering any serious consequence. A certain Mac OS X game called Lose/Lose has been getting attention for its rather controversial effects.

    The game, created by Zach Gage, somewhat resembles the format of the popular game Space Invaders, wherein the player is represented by a spacecraft and the goal is to kill the aliens placed all over the screen. Gage’s game, however, has a different twist, which has been causing quite a stir.

    The new twist in Lose/Lose is that the aliens in the game—the ones that the player must kill to stay in the game—represent random files in the user’s system. Whenever the user kills an alien, the file the alien represents is deleted. Should the user refuse to kill the aliens, he/she will lose and the game itself will be deleted.

    This interesting consequence of the game is clearly stated on Gage’s website, where the game can be downloaded.


    Gage describes his creation as a means to answer the question: “Why do we assume that because we are given a weapon and awarded for using it, that doing so is right?” Curious intentions or not, however, the game presents high risks and may be very easily abused. A user who may have acquired the file without knowing its effects may end up with a large number of deleted critical files.

    The file has thus been classified as malware and is now detected as OSX_LOSEGAM.A. The game tests the users’ killer instinct: the user is placed in a situation where he/she is handed a weapon and told that his/her survival depends on his/her ability to kill his/her prey. This usage of natural human reactions to trigger certain actions may be a form of research to some, but we see it as this: a social engineering technique.

    Mac users can get protection from this and other threats by using Trend Micro Smart Surfing for Mac.



    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice