TrendLabs Malware Blog - Trend Micro
    Author Archive - Mary Ermitano (Anti-spam Research Engineer)

    As usual, the approaching tax season (April 15th is Tax Day in the US) also comes with tax-related online threats. With unemployment rates reaching record highs this year, cybercriminals have yet another opportunity to polish their social engineering techniques.

    Last year, spammed messages supposedly from the Internal Revenue Service (IRS) delivered malware onto systems. The email messages were sternly worded. The intention was to alarm recipients about what these same messages claimed were incomplete tax forms, which could lead to tax avoidance fraud. High-profile institutions, including Fortune 500 companies and US Defense contractors, were prominent targets of this attack.

    This year, cybercriminals offer their recipients ways to save money by supposedly reducing their expenses on tax preparation transactions. The recent email samples no longer purport to come from the IRS, though. They do, however, offer tax relief services for tax help-seekers. And instead of downloading malware, unknowing users are tricked into giving out personal and sensitive information to phishers.

    Figures 1 and 2. The spammed message offering tax relief services, and the form it links to.

    Links in the email message in Figure 1 redirect users to a site (Figure 2) that prompts them to fill out a form. The various bits of personal information keyed in by users in this form are logged and then stolen by phishers. The threat does not end there. Other windows load after users complete the form:

    Figures 3 and 4. Credit-related pages that load after the form is submitted.

    Figures 3 and 4 are supposedly credit-related sites, but like the tax relief page they also steal sensitive and confidential user information. The spammers/phishers behind this threat have thus fashioned the attack to be both timely and seemingly relevant by exploiting the tax season as well as recession-related concerns.


    The IRS recently set up an information page in response to this threat. Users are advised to refrain from clicking links in unwanted and unsolicited email messages. The Trend Micro Smart Protection Network already blocks the spammed messages, keeping the inboxes of Trend Micro users clean.


    The language has changed but the modus operandi remains the same. Spammed messages, this time in Spanish, again use TinyURLs to mask the exact destination of the links they contain. Here’s a sample email message:

    Figure 1. Sample spammed message.

    The message above claims to be from Bancaja, a popular Spanish bank. It tells its recipients that their accounts are temporarily suspended because of possible malicious activities. Users are then told to reactivate their accounts within 24 hours by following the link provided in the message. The exact URL is concealed using TinyURL.

    We previously blogged about similar phishing operations that used this exact technique to trick users into thinking links are legitimate:

    As TinyURLs become more and more popular, phishers are also exploiting the URL shortening service this tool provides. They do this to make phishing URLs less suspicious and less obvious than using the exact URL, which could be long and totally unrelated to the site a spammed message purports to be from.

    The Trend Micro Smart Protection Network already blocks these spammed messages. Ignoring spammed messages keeps systems safe from spam-borne threats. There are also online tools that users could use to verify TinyURLs, like the URL expander offered by Substituting for also allows users to get a preview of the final link.


    “Dating spam” is becoming more rampant recently, which is somewhat expected due to Valentine’s Day being just a couple of weeks away.

    But some of this dating spam is quite unique, and has caught our attention, as the spammed message claims to be coming from Trend Micro:

    Figure 1. Spammers work their charm to attract dateless users.

    Figure 2. Trend Micro email addresses used for the From field.

    The “From” field in the emails was tampered with in order to evade spam filters. Also, a scheme called a dictionary attack is used to send the spam mails:

    Figure 3. Random email addresses used in the dictionary attack.

    A Dictionary Attack is a spammer tactic wherein spam is sent to random addresses from a given domain, hoping that some of it will get through. Unknowing users who respond will have their email addresses validated and added to the spammers’ list, thus causing the users to receive more and more spam mails.

    However, a quite interesting and comical twist happens in this case. Since the “From” addresses are forged, the spammers themselves aren’t getting the replies or even the bounces to the spammed messages they sent. This attack is apparently just a waste of resources for spammers.

    This suits them right for trying to sneak past spam filters through us!

    The Trend Micro Smart Protection Network already blocks the spammed messages, and Web users are always reminded to not trust spammed messages no matter what these messages say.
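As an added illustration of the dictionary attack described above (not detection logic from the original post), a Python routine that reads Postfix-style MTA log lines and flags client IPs that hit many distinct unknown recipients; the log lines are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed, Postfix-style "user unknown" rejects (not real log data).
# One client (203.0.113.5) walks an alphabetical list of guessed local parts,
# which is the signature of a dictionary attack; the partner MX has one typo.
LOG_LINES = """\
Feb  1 09:00:01 mx postfix/smtpd[2231]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 5.1.1 <aaron@example.org>: Recipient address rejected: User unknown; from=<dating@example.net> to=<aaron@example.org>
Feb  1 09:00:02 mx postfix/smtpd[2231]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 5.1.1 <abby@example.org>: Recipient address rejected: User unknown; from=<dating@example.net> to=<abby@example.org>
Feb  1 09:00:02 mx postfix/smtpd[2231]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 5.1.1 <adam@example.org>: Recipient address rejected: User unknown; from=<dating@example.net> to=<adam@example.org>
Feb  1 09:00:03 mx postfix/smtpd[2231]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 5.1.1 <adan@example.org>: Recipient address rejected: User unknown; from=<dating@example.net> to=<adan@example.org>
Feb  1 09:00:09 mx postfix/smtpd[2240]: 7F3A1C: client=mail.partner.example[198.51.100.7]
Feb  1 09:01:00 mx postfix/smtpd[2250]: NOQUEUE: reject: RCPT from mail.partner.example[198.51.100.7]: 550 5.1.1 <jon@example.org>: Recipient address rejected: User unknown; from=<bob@partner.example> to=<jon@example.org>
""".splitlines()

# Matches the client host/IP and the rejected recipient of a 5.1.1 reject.
REJECT_RE = re.compile(
    r"RCPT from (?P<host>[^\s\[]+)\[(?P<ip>[\d.]+)\]: 550 5\.1\.1 <(?P<rcpt>[^>]+)>"
)


def find_dictionary_attack_sources(lines, min_unique=3):
    """Return {client_ip: sorted unique rejected recipients} for clients whose
    unknown-user rejects hit at least `min_unique` distinct addresses.

    A single bounce from a legitimate MX is normal; a client that probes many
    different non-existent local parts is harvesting valid addresses.
    """
    rejects = defaultdict(set)
    for line in lines:
        m = REJECT_RE.search(line)
        if m:
            rejects[m["ip"]].add(m["rcpt"].lower())
    return {ip: sorted(r) for ip, r in rejects.items() if len(r) >= min_unique}


if __name__ == "__main__":
    for ip, recipients in find_dictionary_attack_sources(LOG_LINES).items():
        print(f"{ip}: {len(recipients)} unknown recipients probed, e.g. {recipients[:3]}")
```

Alerting on the source IP rather than on the forged From address is the point: the From field is under the spammer's control, the connecting client is not.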


    Scam messages that purport to be from banks, government institutions, or even from certain individuals circulate the Web. Email messages where recipients are told that they have won a prize or are asked for donations would already be familiar to most Web users. Scammers, however, show no signs of slowing down using this technique.

    The Trend Micro Content Security team received samples of spammed email messages with the same announcement as most scam mails: the recipient has won a huge amount of money in a lottery. Except this time, scammers placed this fraudulent content in the From field and not in the Subject or in the message body itself.

    Figure 1. Sample spammed message.

    The spammers behind this operation are doing this to bypass antispam products. Analyzing the sample email message above in a text editor, we see that the From field literally contains content commonly found in scam messages. Spam filters may already be blocking messages when similar content is detected in Subject fields and in message bodies, but not in From fields.

    Figure 2. The announcement is written in the From field.

    Because it still is able to get the message across, these messages may still lure recipients into contacting the spammers through email addresses and phone numbers which are also given in the same email message. The scamming usually happens here, as in several cases we’ve blogged about:

    The Trend Micro Smart Protection Network already blocks these spammed messages, protecting users from this threat. Non-Trend Micro users are advised to not trust unsolicited email messages. Rewards and cash prizes that seem too good to be true probably are.
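As an added example (not the original post's filter logic), a Python check that parses the From header the way the post describes and flags display names that carry the lottery announcement; the two sample messages are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed samples (not the messages shown in the original post).
SCAM_FROM_MSG = """\
From: "CONGRATULATIONS!!! YOU HAVE WON 1,000,000 USD IN THE INTERNATIONAL LOTTERY" <claims@example.net>
To: recipient@example.org
Subject: Notification

Contact our claims agent at +00 000 000 000 to receive your prize.
"""

CLEAN_MSG = """\
From: "Accounts Payable" <ap@example.org>
To: recipient@example.org
Subject: Invoice 1042

Attached is this month's invoice.
"""

# Wording that belongs in a scam body, not in a sender's display name.
SCAM_PATTERNS = [
    r"\bwon\b", r"\blottery\b", r"\bprize\b", r"\bcongratulations\b",
    r"\b(?:usd|dollars|euros?|pounds)\b", r"\d[\d,]{5,}",
]


def from_field_findings(raw_message: str) -> list:
    """Return the reasons a message's From header looks like a scam announcement.

    The display name and the address are split with parseaddr, so the scam
    wording is inspected even though it sits in a header most filters skip.
    """
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    findings = []
    if len(display_name) > 40:  # genuine display names are short
        findings.append("from_display_name_too_long")
    hits = [p for p in SCAM_PATTERNS if re.search(p, display_name, re.IGNORECASE)]
    if len(hits) >= 2:  # two independent scam terms avoids single-word false positives
        findings.append("from_display_name_scam_wording")
    if display_name and not address:
        findings.append("from_missing_address")
    return findings
```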


    Malicious spammers are really striking while the iron is hot, so to speak.

    Less than a day after spammed messages containing links that claimed to point to news related to the recent Russian-Georgian conflict were found, another spam run bringing malware was found by the Trend Micro Content Security Team.

    Below is an example of the latest spam:

    Figure 1. Spam sample about journalists being shot in Georgia in relation to the recent Russian-Georgian conflict.
    The attached file is a password-protected .ZIP file. Setting a password to enable access to the file prevents the spam filter function of email applications from scanning the attachment for malicious content. In this case, detection was made for the .ZIP file itself to protect the users even before they access the file’s content. The .ZIP file is detected by Trend Micro as WORM_DLOAD.RAR.

    When accessed with the password also contained in the email message (see the bottom of the spam message, where it says "attach password: 123"), the .ZIP file is seen to contain an executable named Joined.exe. This file, on the other hand, is detected as TROJ_DLOADER.UAF:

    Figure 2. When the attachment is opened, the archive reveals that the “photo” promised in the text is actually an executable.
    Upon execution, TROJ_DLOADER.UAF connects to another host, and downloads additional components — specifically, a rogue antivirus (TROJ_FAKEALRT) variant that displays fake warnings of a malware infection. It attempts to trick the victim into buying a fake antivirus program to eliminate the malware which is supposedly affecting the system. This obviously leaves the victim with a piece of software that was never necessary in the first place, and less money.
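As an added example (not Trend Micro's detection), a Python inspection of a password-protected ZIP attachment that needs no password: the central directory is never encrypted, so member names and the per-entry encryption flag are readable, which is what lets an archive with an encrypted executable inside be flagged before anyone opens it. The sample archive is constructed, and its encryption flag is patched into the headers by hand because zipfile cannot write encrypted archives.

```python
import io
import zipfile

ENCRYPTED_FLAG = 0x1  # general-purpose bit 0: entry data is encrypted
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd")


def build_encrypted_looking_zip(name: str) -> bytes:
    """Constructed sample: a ZIP whose headers carry the encryption flag.

    The stored content is junk; that is fine because the inspector below
    never decrypts or extracts anything.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, b"not a real PE file")
    data = bytearray(buf.getvalue())
    # Local file header: flags at offset 6; central directory entry: offset 8.
    for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        pos = data.find(sig)
        while pos != -1:
            data[pos + off] |= ENCRYPTED_FLAG
            pos = data.find(sig, pos + 1)
    return bytes(data)


def inspect_zip_attachment(data: bytes) -> dict:
    """Inspect an archive using only its central directory (always cleartext)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
    encrypted = [zi.filename for zi in infos if zi.flag_bits & ENCRYPTED_FLAG]
    executables = [zi.filename for zi in infos
                   if zi.filename.lower().endswith(EXECUTABLE_SUFFIXES)]
    return {
        "members": [zi.filename for zi in infos],
        "encrypted": encrypted,
        "executables": executables,
        # An encrypted archive that hides an executable is the pattern in this post.
        "suspicious": bool(encrypted) and bool(executables),
    }


if __name__ == "__main__":
    print(inspect_zip_attachment(build_encrypted_looking_zip("Joined.exe")))
```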

    Users are now protected from this attack by the Trend Micro Smart Protection Network.

    The recent Russia-Georgia conflict caused a worldwide stir as Russian troops reportedly invaded certain areas of Georgia, injuring numerous civilians. The invasion was later concluded, with Russia withdrawing its troops from Georgian soil.

    News items in spam such as this are one of the “facades of choice” for malware authors, promising information on recent events to entice users to click on malicious links. Just this month, fake news alerts purporting to be sent by CNN were repeatedly used by spammers and malware authors to distribute their handiwork:

    Users should exercise caution when opening their email.

    Posted in Malware, Spam: Malicious Russian-Georgian Spam Uses .ZIP Password


    © Copyright 2013 Trend Micro Inc. All rights reserved.