    Trendlabs Security Intelligence: Author Archive - Karla Agregado (Fraud Analyst)




    The popular photo-sharing app Instagram is the latest social networking site targeted by the ubiquitous survey scams seen on Facebook and Twitter. This time, we found that these survey scams may also lead users to download Android malware.

    I found the following accounts that wanted to ‘follow’ me on Instagram. This is standard if your Instagram account is set to private. While checking these requests, the security researcher inside me noticed something off with some of the accounts.

    Figure 1. Screenshot of Instagram request

    To validate my suspicions, I checked the pages of these Instagram accounts and noticed that they all posted this “Get Free Followers!” photo. This post reminded me of the Pinterest free items promo survey scam we blogged about in the past.

    Figure 2. Get Free Followers Post on Instagram

    Another thing that I found dubious is that these Instagram followers have repetitive account names like “Tawna Tawna” and “Concetta Concetta”.

    Figure 3. Screenshot of sample spamming account

    Given these suspicious signs, I then checked this “Get Free Followers” picture (which is actually clickable) and was led to this page that supposedly offers the “Get Followers” app. This app is detected by Trend Micro as ANDROIDOS_GCMBOT.A, which can be used to launch malicious webpages or send SMS from the device.

    Figure 4. Page offering ‘Get Free Follower’ app

    Whether users download the said app or not (in my case, I tried to), in the end they are redirected to your run-of-the-mill survey scams. Since Instagram can also be accessed via a PC, we tried to access the malicious website and survey scam using a desktop. Fortunately, this ruse didn’t work.

    Cybercriminals profit from these survey scams via ad-tracking sites, which users are redirected to before the actual survey page. Plus, these bad guys can also use the data gathered from these scams by either peddling it to other cybercriminal groups or using it in their future schemes.

    Facebook, Pinterest, Tumblr, and now Instagram. The people behind these scams are jumping on every popular networking site and potential engineering hooks like the Google Glass contest. To protect yourself against this scam, you must always double-check posts on your social media accounts, even if they come from friends, family members, or known acquaintances. Caution is your best defense. Trend Micro protects users from this threat by blocking the related URLs.

    To know more about how these scammers (or online crooks in general) use and benefit from your data, you can check out our infographic How Cybercriminals Are Getting Better At Stealing Your Money.

    Posted in Mobile |



    In the past few weeks, many WordPress blogs have been under a large-scale brute force attack. These attacks use brute-force techniques to log into WordPress dashboards and plant malicious code onto compromised blogs and websites.

    It’s important to note what these attacks aren’t. They are not compromising WordPress blogs using known vulnerabilities in unpatched versions; if anything, this current attack is less sophisticated than that – it merely tries to log into the default admin account with various passwords. If it is successful in logging in, it adds code for Blackhole Exploit Kit redirection pages to the blog.

    We have been monitoring these attacks, and we can confirm that they are indeed taking place. Because they add distinctive URLs to the blogs they have compromised, we can identify the scale of this attack, as seen by the Smart Protection Network.

    Over a one-day period, we identified more than 1,800 distinct sites that had been compromised by this attack. This represents a significant increase over the typical number of compromised WordPress sites that we encounter over the same period, highlighting the increased activity related to this particular campaign.

     
    Posted in Hacked Sites |



    The truth about the Facebook Profile Viewer is simple: it doesn’t exist.

    You can check every Facebook page or app available, but you can be 100% sure that each one that says “See who viewed your profile!” or “Who’s stalking you?” is just a ruse for Facebook users to reveal their passwords or spread spam. How do they do this? Clickjacking is a surefire way. In a typical clickjacking attack, cybercriminals hide malicious content under the guise of legitimate pages and may use malicious JavaScript to load content from third-party sites, all in a few clicks.

    But what happens if cybercriminals turn to different and newer techniques? Having users type in commands on their keyboard would be a real game changer. Here’s how:

    Ctrl+FB

    A closer look at a comment within a spammed wall post showcases the start of a different strategy for spammers this time around.

    Once you click the link in the comment box, it redirects again to a Facebook login page with Pinterest.

    Once logged in, the site redirects to another malicious URL that claims to be the “Official Facebook Profile Viewer.” Clicking the ‘Get Started’ button redirects to an image with keyboard shortcuts with instructions for users to carry out.

     



    Malicious schemes promising free or discounted items are effective because everyone likes a great offer. More so if the offered item is a much-talked-about product like Windows 8.

    Last year, we unraveled some fake Windows 8 generators, fake Windows 8 antivirus programs, and phishing emails that surfaced right after the platform’s release. Though it’s been months since it was launched, we found out that certain bad guys are continuously using the brand to lure users into their ruse. This time, however, they are offering Windows 8 “activators” amidst news of Microsoft’s limited offer of a discounted Windows 8 upgrade.

    During our research, we found several websites using Windows 8 as a keyword. The first site purportedly offers a free Windows 8 “activator”, which is actually fake (detected by Trend Micro as HKTL_KEYGEN).

    Figure 1. Screenshot of site offering fake Windows 8 activator

    The other site we looked into also offers a free Windows 8 activator, dubbing it the “Windows 8 Activator Loader Extreme Edition 2013”.

     



    The much-anticipated 2012 London Olympics is set to kick off this Friday.

    As the event draws nearer, we expect to see online attacks riding on different Olympics-related activities. Sure enough, we saw this interesting Facebook wall post regarding the said event:

    The site, hosted on the domain liveolympictickets(dot)com, appears to offer tickets for sale. Moreover, the site uses the colors and look and feel of the official site:

    Exploring the site, I found that clicking on the blue tab Olympic Tickets – Buy Tickets for the London 2012 Olympics leads to other pages within the site that mimic normal online transaction pages, such as details about the items to be purchased. In this case, if the user proceeds with the transaction, he/she can choose which games to watch:

    However, towards the end, the user is asked for their personal details:

    After this, the site asks the user to continue with the payment by entering credit card details or choosing another payment method:

    The final page shows that the user’s order has been “confirmed.”

    We checked the official website of the London Olympics, where it was possible to check if the ticket vendor was legitimate. However, the site was not recognized and is therefore unauthorized to sell tickets. The rest of our investigation shows that it is indeed a phishing page set up to capture user information.

    Additionally, we also saw a lot of newly created domains related to this event that included keywords like “2012 london summer games,” “2012 olympic ticket,” “britain olympics 2012,” “olympic 2012 ticket” and other variations thereof.

    We already block all malicious URLs involved via the Web Reputation Service; therefore Trend Micro customers are now protected via Trend Micro Smart Protection Network.

    For complete information on the latest Olympic-themed threats, including quizzes and safety guides, you can visit Race to Security, the Trend Micro security guide to major sporting events such as the Olympics.

     
    Posted in Bad Sites, Olympics, Social Media | Comments Off


     

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice