Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Mobile Vulnerabilities

  • Zero-Day Alerts

  • Recent Posts

  • Calendar

    August 2015
    S M T W T F S
    « Jul    
  • Email Subscription

  • About Us

    Author Archive - Mary Bagtas (Anti-spam Research Engineer)

    Spammers are clearly becoming more and more creative as they try new ways to bypass our anti-spam filters. Just recently, we received a spammed message disguised as a spam quarantine notification message from a competitor.

    Click for larger view

    To the untrained eye, the email looks quite convincing. However, closer inspection of the message properties reveals that while the email purports to come from a certain security company, the sender’s domain name is

    Click for larger view

    According to the spoofed mail, an email sent to the user has been blocked by the administrator. The user is then instructed to ignore the message if the blocked mail was indeed a spammed message or to click the embedded link to view the message.

    The spammers may be trying to lure users by leveraging people’s natural curiosity. A user who wishes to know the content of the quarantined mail is thus likely to click the link. The said link currently redirects users to an already unavailable website. However, users are still advised to exercise caution when opening email messages and clicking links, even if these appear to be legitimate. It never hurts to be extra careful.

    Trend Micro™ Smart Protection Network™ protects product users from this attack by preventing the spammed messages from reaching users’ inboxes via the email reputation service and by blocking access to malicious sites and domains via the Web reputation service.

    Non-Trend Micro product users can also stay protected from similar bogus email messages by using eMail ID, which uses a two-step verification process to help users quickly find legitimate messages.

    Posted in Spam | TrackBacks (2) »

    As rescue efforts continue in Haiti, the world waits with bated breath for more good news about survivors. Unfortunately, while most people are thinking of ways to help victims, cybercriminals are using the tragedy to further their own malicious causes. Blackhat search engine optimization (SEO) poisoning attacks related to this tragedy have already led to FAKEAV infections.

    However, the most recent FAKEAV run appears to be only the start of more Haiti-related malware attacks. We recently received Portuguese spam samples purporting to be from the international news site, BBC. Translated to English, the spammed message describes the current situation in Haiti. It also attempts to convince recipients to click the link to the embedded video, which supposedly contains photos taken by an amateur photographer who witnessed the earthquake.

    Click for larger view

    Upon clicking the link, however, users are redirected to a site where they are asked to save an .EXE file detected by Trend Micro as TROJ_BANLOAD.JAE. This Trojan connects to websites to download another malicious file detected as TSPY_BANKER.LMG.

    Click for larger view

    This is a good reminder of how spammers will do anything to make their spammed messages appear legitimate. It is thus important to check for data consistency so as not to fall into their trap. In this case, if the video truly contains photos of the aftermath, then there is no need to download or execute an .EXE file. Users are thus advised to exercise caution when opening messages, particularly those that come from unknown senders.

    Trend Micro™ Smart Protection Network™ already protects users from this attack by detecting and blocking the spammed messages, preventing user access to malicious sites, and blocking the download of the malicious files.


    Spammers are clearly putting the holidays to good use, as they have made Christmas just another reason to spread malware.

    Trend Micro threat analysts recently received a spammed message purporting to come from, a legitimate site that users can access to send e-cards to family and friends. The email message even sported the site’s logo (see Figure 1).

    Click for larger view Click for larger view
    Click for larger view Click for larger view

    However, upon further investigation of the spammed message’s header, we noticed that the sender’s IP address (see Figure 3) did not match that of the legitimate site (see Figure 2).

    Click for larger view

    The spammed message urges the user to download and open the .ZIP file attachment (see Figure 4), which is actually an .EXE file detected by Trend Micro as WORM_PROLACO.Z (see Figure 5), in order to view the greeting card.

    In addition, according to, the e-cards sent from the site are stored on servers and so should not be attached to emails. In other words, to view e-cards sent from the site, users do not need to download anything.

    To keep your system malware-free this festive season, do not open unsolicited email messages. Be smart, use an effective security suite.

    Smart Protection Network protects Trend Micro product users by blocking the spammed messages and related malicious files (WORM_PROLACO.Z).


    Thanksgiving kicks off the holiday season in the United States, the top spam-sending country in the world. The holiday season ushers sales and big discounts for users. Unfortunately, however, this also means that spammers will be rushing to offer consumers bogus promos and discounts. Seems even cybercriminals have something to be thankful for, too.

    Trend Micro analysts received Thanksgiving-related spam samples. The spammed messages offered users who log in to their sites US$500 worth of “grocery vouchers.” The sites were hosted on different domains that, upon further analysis, have already been blacklisted though they have only recently been created.

    Click for larger view Click for larger view

    Users who are tricked into clicking any of the URLs in the spammed messages landed on sites where they are asked to give out personal information like email addresses, complete names, addresses, and phone numbers, which, as you may already know, may be used for other malicious activities later on or sold in underground forums.

    Click for larger view Click for larger view

    Though it is true that legitimate companies do promote discounts and other special offers online, not everyone who sends promotional offers has good intentions. In fact, most of them don’t. Going into business is, after all, all about one thing alone—making money. Bear in mind that legitimate online offers only send out information on promotions and special offers to those who subscribe to them.

    Users are strongly advised to be wary of online offers. Here are some useful dos and don’ts that will help you stay safe from spammers and scammers on the Web:

    • Do not open emails that come from senders you do not personally know.
    • Do not click links embedded in emails. To check if these are legitimate, you may use free tools such as Trend Micro’s Online URL Query.
    • Do not rashly give out your personal credentials online. You may end up just being another phishing victim.
    • Do keep in mind that legitimate offers are only sent to subscribers.
    • Do remember, too, that cybercriminals will do anything for money so stay safe online by using a security suite that stops threats before they even reach you.

    Don’t let spammers and scammers spoil the holidays though. There are ways to stay safe online. For more useful tips and tricks, please visit:


    No one is absolutely safe from Influenza H1N1, not even world leaders.

    This is the scenario painted by cybercriminals in their latest spam run. The spammed message informs recipients that the President of Peru, Alan Gabriel Ludwig García Pérez, and other attendees of the delegation of UNASUR (Union of South American Nations) summit have confirmed cases of Swine flu. Furthermore, it states that the presidents of Brazil and Bolivia were also both infected but are now recovering.

    Click for larger view
    Figure 1. Sample spam

    Written in Spanish, the spam attempts to stir recipients’ curiosity by saying that the incident is being kept from the public. It also urges them to click on the malicious link, which purports to contain the audio news pertaining to this incident. Instead of news, however, all victims get is an executable file (Alan.Gripe.Porcina.mp3.exe) detected by Trend Micro as TSPY_BANCOS.AEM. BANCOS variants are known for its info-stealing capabilities.

    Figure 2. Screenshot of the executable file

    In the past, Trend Micro has written about malware attacks that hitchhiked on swine flu in the following blog posts:

    Trend Micro already blocks and detects the malicious URL and file via its Trend Micro Smart Protection Network. Users are advised to be wary in clicking on URLs in messages from unknown senders.



    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice