    TrendLabs Security Intelligence Blog

    Author Archive - Michael Casayuran (Anti-spam Research Engineer)

    “Get rich fast” scams have been circulating online for several years now. Some examples would be the classic Nigerian or 419 scams, lottery scams, and work-from-home scams. The stories may vary but the underlying premise is the same: get a large sum of money for doing something with little to no effort.

    Scammers have now added a new topic to their roster of lures: the cryptocurrency Bitcoin. The continued rise and fall (and rise and fall and…) of Bitcoins has captured the interest of the media and the public. Certain events in the cybercriminal underground have also played a significant part in boosting the profile of this digital currency.

    The fact that Bitcoin is being recognized as a legitimate form of currency with real-world value has not gone unnoticed by cybercriminals. We have seen different types of Bitcoin-related threats appear over the past years and now, we can add yet another incident to this roster.

    We came across several spammed phishing messages that use Bitcoin as bait. These messages promise recipients that they can earn a large amount of Bitcoins in a short span of time, with one email promising more than US$23,000 in a single day. The emails encourage users to click the embedded link for more information.

    Figure 1. Spammed message about Bitcoin

    The links lead to a site that asks for details like name, address, and credit card information. The registration page appears to have no means of verifying the information; it accepts any data provided in the form fields. This type of behavior is very much typical of phishing sites, which aim to get as many credit card credentials as possible.

    Figure 2. Phishing site

    Scammers often use “get rich quick” schemes because these hold a certain appeal to users. After all, who wouldn’t want to get a large amount of money easily? However, these things are often too good to be true. We encourage users to refrain from opening emails and clicking links from unknown or unverified senders. Users should also do research before sharing personal information—especially those financially related—online with any site or service.

    Trend Micro protects users from all related threats in this incident.


    Rockstar Games’ latest offering for the videogame industry, open-world crime simulator Grand Theft Auto V, came out several months ago for consoles to fanfare and anticipation. Unsurprisingly, people have been waiting for the PC version, despite Rockstar Games being very mum about its release date (or even its existence).

    This uncertainty did not stop cybercriminals from taking advantage of the pre-release publicity. We recently found a spam campaign making the rounds; this one claims that the user has been invited to the GTA V PC beta test.

    Figure 1. Spam message

    The second half of the message consists of links written in Slovak, leading to several sites, one of which is a phishing site. The biggest problem is the attached .ZIP file, which when opened reveals an application named “Your promo code in app”. Its extension may lead people to believe that it is a link to Rockstar; in fact it is a backdoor detected as BKDR_ANDROM.ATG.

    Figure 2. Contents of malicious attachment

    Even though the existence of a PC version of GTA V is an unproven rumor, cybercriminals still managed to make convincing bait out of it.

    We recently covered a similar incident using the non-existent desktop version of the messaging app WhatsApp. Like GTA V, the desktop version of WhatsApp has yet to even be announced, and yet it managed to garner its own share of victims.

    As always, we remind users to always be vigilant and alert when it comes to spammed mails such as these. Make sure to check valid and reputable news organizations/websites first before clicking on anything that seems too good to be true. If possible, seek verification from first-party sources (in this case, Rockstar Games). It saves everyone a lot of wasted time, effort and hassle.

    Additional analysis by Christopher So and Mark Manahan.


    The popular messaging application WhatsApp recently made headlines when it was acquired by Facebook for a staggering $16 billion. Cybercriminals didn’t waste much time to capitalize on this bit of news: barely a week after the official announcement, we saw a spam attack that claims that a desktop version of the popular mobile app is now being tested.

    Figure 1. Screenshot of spammed message

    Our engineers found a spam sample that mentions Facebook’s purchase of WhatsApp and also claims that a version of WhatsApp is now available for users on Windows and Mac PCs. The message provides a download link to this supposed version; the downloaded file is detected as TROJ_BANLOAD.YZV, a family commonly used to download banking malware. (This behavior is the same whether on PCs or mobile devices.)

    That is the case here; TSPY_BANKER.YZV is downloaded onto the system. This BANKER variant retrieves user names and passwords stored in the system, which poses a security risk for online accounts accessed on the affected system. The use of BANKER malware, coupled with a Portuguese message, indicates that the intended targets are users in Brazil. Feedback from the Smart Protection Network indicates that more than 80 percent of users who have accessed the malicious site come from Brazil.

    Although the volume of this spam run is relatively low, it is currently increasing. One of our spam sources reported that samples of this run accounted for up to 3% of all mail seen by that particular source, which indicates a potential spam outbreak.

    We strongly advise users to be careful of this or similar messages; WhatsApp does not currently have a Windows or Mac client, so all messages that claim one exists can be considered scams. Trend Micro protects users from this spam attack via detecting the malicious file and spam, as well as blocking the related web site.

    With additional analysis from Sabrina Sioting.


    We saw samples of email messages disguised as notifications from popular social networking sites, in particular LinkedIn, foursquare, Myspace, and Pinterest. These spam messages contain links that direct users to bogus pharmaceutical or fraud sites. They also use legitimate-looking email addresses to appear credible to recipients. Using famous brands like these is effective in luring users into the scheme, as it gives credence to an otherwise obvious scam.

    Fake foursquare Email Notifications

    We uncovered spammed messages masked as notifications from foursquare, a popular location-based social networking site. The first sample we found pretends to be an email alert, stating that someone has left a message for the recipient. The second message is in the guise of a friend confirmation notification.

    Both messages use the address in the ‘From’ field and bear a legitimate-looking MessageID. Similar to previous spam campaigns that used popular social networking sites, the attackers here also disguised the malicious URLs. If users click these, the URLs direct to an empty web page containing another URL, which ultimately leads to a website selling sex-enhancement drugs.



    The death of Korean leader Kim Jong Il resulted in an outpouring of reactions from many people all over the world. Some people were saddened by the loss, while some were quite jubilant, saying that Kim Jong Il was “a repressive leader”.

    Cybercriminals, on the other hand, only had one reaction to the incident: to take advantage of it.

    Our researchers found spammed messages with email subjects mentioning the death of Kim Jong Il. The messages arrive with a .PDF attachment that has the file name brief_introduction_of_kim-jong-il.pdf.pdf. The said file is of course malicious and is detected as TROJ_PIDIEF.EGQ.

    As part of its routines, TROJ_PIDIEF.EGQ opens a non-malicious PDF file to trick the user into thinking that it is a normal file. The .PDF contains a picture of Kim Jong Il.
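As an added example (not Trend Micro's code, and not a detection used in any of these posts), the following Python snippet shows a defender-side heuristic for triaging mail attachments of the kind described in the GTA V post (an executable inside a .ZIP whose name suggests something harmless) and in this post (a file named with a doubled .pdf.pdf extension). It flags executable types hidden behind a document extension, repeated extensions, and PE content whose file name claims to be a document. The file names and ZIP contents are constructed for the example; the extension lists are an assumption a practitioner would tune to their environment.

```python
import io
import posixpath
import zipfile
from typing import Dict, List

# Assumed lists: types that should never arrive as an unsolicited "document",
# and document types that lures commonly imitate with a double extension.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".lnk"}
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}


def _extensions(name: str) -> List[str]:
    """All extensions of a file name, lowercased: 'a.pdf.exe' -> ['.pdf', '.exe']."""
    base = posixpath.basename(name)
    parts = base.lower().split(".")
    return ["." + p for p in parts[1:]] if len(parts) > 1 else []


def assess_filename(name: str) -> List[str]:
    """Reasons the file name alone looks like a lure (empty list means nothing noted)."""
    reasons: List[str] = []
    exts = _extensions(name)
    if not exts:
        return reasons
    final = exts[-1]
    if final in EXECUTABLE_EXTENSIONS:
        reasons.append(f"executable type {final}")
        # e.g. invoice.pdf.exe: the visible "document" extension hides the real type
        if any(e in DOCUMENT_EXTENSIONS for e in exts[:-1]):
            reasons.append("document extension hides executable")
    elif len(exts) >= 2 and exts[-1] == exts[-2]:
        # e.g. something.pdf.pdf: unusual naming worth a closer look
        reasons.append(f"repeated extension {final}{final}")
    return reasons


def assess_zip(data: bytes) -> Dict[str, List[str]]:
    """Inspect a ZIP attachment held in memory; return {member name: reasons} for suspicious members."""
    findings: Dict[str, List[str]] = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = assess_filename(info.filename)
            exts = _extensions(info.filename)
            # A Windows PE image starts with 'MZ'; flag it when the name does not admit to it.
            head = zf.open(info).read(2)
            if head == b"MZ" and (not exts or exts[-1] not in EXECUTABLE_EXTENSIONS):
                reasons.append("PE header (MZ) in a file whose name does not say so")
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample: one ZIP with a disguised executable, a mislabelled PE, and a harmless file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("promo_code.pdf.exe", b"MZ" + b"\x00" * 62)  # constructed fake PE stub
        zf.writestr("invoice.pdf", b"MZ" + b"\x00" * 62)         # constructed: PE bytes, document name
        zf.writestr("readme.txt", b"constructed harmless text")
    return buf.getvalue()


if __name__ == "__main__":
    print(assess_filename("brief_introduction_of_kim-jong-il.pdf.pdf"))
    for member, why in assess_zip(build_sample_zip()).items():
        print(member, "->", "; ".join(why))
```

The name checks are cheap signals for a mail gateway or a triage script, not a verdict: a doubled extension is unusual rather than proof of malice, while an MZ header under a document name is a much stronger indicator and is worth routing to sandboxing regardless of what the name says.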




    © Copyright 2013 Trend Micro Inc. All rights reserved.