    Author Archive - Maria Alarcon (Anti-spam Research Engineer)

    February has already begun, which means Valentine’s Day is close at hand. As usual, spammers will ramp up their malicious activities. It is only the first day of the so-called “love month,” but we have already seen at least two spam samples leveraging one of the most-celebrated special occasions, when people flock to websites that advertise gifts they can give to their loved ones.


    These spammed messages contained links that led users to a fake gift card promotion site and a site that advertised and sold replica watches, respectively.


    In today’s threat-laden Internet landscape, every special occasion and/or holiday is not just a time for people to celebrate but also a time for spammers to defraud unwitting users with their devious scams, as evidenced by these previous blog entries:

    Spammed messages come in many forms and with varying payloads: some redirect users to sites that sell anything and everything under the sun, most especially pharmaceutical and replica items; some contain links to malicious or malware-ridden sites; some lead to sites that advertise bogus promotions; and some carry malware as attachments. That is why users should always be wary of opening email messages, particularly those that come from unknown sources.

    Trend Micro™ Smart Protection Network™ protects users from these kinds of threats via its Web reputation service, which blocks access to known malicious sites and domains; its email reputation service, which prevents spammed messages from even reaching your inboxes; and its file reputation service, which detects and deletes all kinds of malicious files.

    Non-Trend Micro product users can also stay protected from these threats by using the eMail ID plug-in, which helps identify legitimate email messages in your inbox. It helps avoid fake messages and the risks associated with them.


    Trend Micro threat analysts found spammed messages that pretended to be a letter coming from the “boss.” The messages bore the subject “get back to my office for more details” and instructed users to extract and read the letter contained in the attached .ZIP file. The attachment, of course, does not contain a letter but an .EXE file (info.exe) detected by Trend Micro as TROJ_CUTWAIL.GT.


    Upon execution, TROJ_CUTWAIL.GT creates registry entries to automatically execute at every system startup. It also drops a Trojan dropper detected as TROJ_DROPR.ST. Cutwail is known as the “spam engine” of the notorious botnet, PUSHDO, which spammed around 7.7 billion messages a day in the second quarter.

    In the past few days, Trend Micro has reported various spam runs that used malicious attachments (ZIP or RAR) to hide malware. This suggests that old tactics never die and continue to be an effective way of infecting users. We blogged about this in the following posts:

    Users are advised to be wary when opening any attached file, even if it comes from a person with authority or one’s “boss.” Trend Micro users are protected via the Trend Micro Smart Protection Network, which detects TROJ_CUTWAIL.GT and blocks the spammed email message. Non-Trend Micro product users can use free tools like HouseCall to stay secure from this attack.
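A defender-side triage check for the ZIP-attachment tactic described in this post, added here as an example (not Trend Micro's code): it builds a constructed ZIP modelled on the “letter from the boss” lure, with an info.exe member alongside a harmless text file and a file whose extension disguises a PE header, and flags members by executable extension, by the PE “MZ” header regardless of name, by nested archives, and by encryption that prevents inspection. The PE-like bytes are placeholders, not a real program.

```python
"""Inspect an email ZIP attachment for executable content (example triage check)."""
import io
import zipfile

# Extensions Windows runs directly on double-click (constructed list, not exhaustive).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}
NESTED_ARCHIVE_EXTENSIONS = {".zip", ".rar", ".7z"}


def inspect_zip_attachment(data: bytes) -> list[dict]:
    """Return one finding per suspicious ZIP member: {"name": ..., "reasons": [...]}.

    Reasons: "executable-extension", "mz-header", "nested-archive", "encrypted-member".
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = []
            lower = info.filename.lower()
            if any(lower.endswith(ext) for ext in EXECUTABLE_EXTENSIONS):
                reasons.append("executable-extension")
            if any(lower.endswith(ext) for ext in NESTED_ARCHIVE_EXTENSIONS):
                reasons.append("nested-archive")
            try:
                # Read only the first two bytes: a PE executable starts with "MZ"
                # whatever its extension says, so a renamed .exe is still caught.
                with zf.open(info) as fh:
                    if fh.read(2) == b"MZ":
                        reasons.append("mz-header")
            except RuntimeError:
                # Password-protected member: content cannot be inspected, which is itself a signal.
                reasons.append("encrypted-member")
            if reasons:
                findings.append({"name": info.filename, "reasons": reasons})
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample modelled on the lure: info.exe next to a decoy, plus a disguised PE."""
    fake_pe = b"MZ" + b"\x00" * 62 + b"PE\x00\x00"  # placeholder header, not a working program
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("info.exe", fake_pe)
        zf.writestr("letter.txt", b"Get back to my office for more details.")
        zf.writestr("letter.pdf", fake_pe)  # executable content hiding behind a document extension
    return buf.getvalue()


if __name__ == "__main__":
    for finding in inspect_zip_attachment(build_sample_zip()):
        print(finding["name"], "->", ", ".join(finding["reasons"]))
```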


    A new spam campaign that purports to be from Facebook is making the rounds today. It bears the subject “Facebook Password Reset Confirmation” and informs users that their passwords have been changed for security purposes. It then asks them to open the attached .ZIP file that supposedly contains their new passwords, which is in fact malware detected by Trend Micro as TROJ_BREDLAB.SMF.


    Upon execution, TROJ_BREDLAB.SMF connects to a malicious website and downloads a FAKEAV variant detected as TROJ_FAKEAV.BLV.

    Users are advised to be wary of bogus notifications even if they come from a known source. Trend Micro product users are protected from this attack via the Smart Protection Network, which detects and blocks this kind of spam. Non-Trend Micro product users can use HouseCall, Trend Micro’s highly popular and capable on-demand scanner for identifying and removing viruses, Trojans, worms, unwanted browser plug-ins, and other malware.


    September signals the onset of the holidays, and as early as this month, spammers are already gearing up for the season as they “spamvertise” their products.

    Just recently, Trend Micro discovered several spammed messages that used “Christmas” as their subject. The spam emails entice users to get the “best gift” for their loved ones by clicking the URL.

    Figure 1. Sample spam

    Figure 2. Sample spam

    Clicking the link takes users to a website that sells replica watches at a discounted price. Although the redirected site does not infect users with malware, it could possibly lead to information theft.

    Figure 3. The website to which users are redirected.

    Cybercriminals often use the holidays as part of the social engineering ploy. Trend Micro recently blogged about these tactics in the following blog posts:

    Trend Micro protects users from this spam attack via the Trend Micro Smart Protection Network. Users are also advised to stay vigilant especially in the upcoming holidays as spam (that may even contain malware) is very rampant.


    Today we have noticed an increase in the amount of dating spam emails containing phrases such as:

    I’m emailing you because I like you

    wanted to let you know about my profile

    you have been invited to join


    The link in the spam points to an adult-dating web page that contains pictures of a woman, as well as a profile in the right-hand corner of the screen with a huge clickable ad that says, “CLICK HERE TO CHAT FOR FREE.”

    Following the link opens a page where the visitor is asked to register by providing an email address and password. Afterward the visitor’s browser opens a new site where he/she is prompted to create a preferred chat handle (username).

    The requests for user information do not end there. The next page asks the user to enter his/her personal details:


    Lastly, credit card information is requested, despite the earlier statement that chatting is free. The site tries to justify this by saying that it is needed to prevent minors from logging in:


    Users tempted to fill in the forms on these pages correctly provide a free service to the cybercriminals, as they reveal their valid email addresses, passwords, and credit card information.

    The simplicity of this technique for extracting user information could indicate one of two things: spammers are running out of new, more intricate ideas, or the technique remains quite effective despite its simplicity. We’re pretty sure it’s the latter.

    Users of the Smart Protection Network need not worry about receiving these spam emails. Other users, however, are advised that the simplest, most effective way of not falling for these kinds of sham advertisements is to not open emails that look suspicious, especially when the sender is unknown.


