TrendLabs Security Intelligence Blog

Author Archive - Gelo Abendan (Technical Communications)

    IT administrators and the like can expect a long day today, as Microsoft releases its security bulletins for May, which resolve 33 vulnerabilities. Though this is not Microsoft’s biggest release (April 2011’s 17 bulletins addressing 64 vulnerabilities come to mind), it is crucial for users to apply these security updates, which include a fix for the zero-day incident involving the US Department of Labor webpage.

    This roster of updates includes two Critical bulletins addressing Internet Explorer (IE). The first resolves a vulnerability found in IE versions 6 to 10 on all Windows OSs, from Windows XP to Windows 8. It also addresses the vulnerability in IE 10 uncovered during the Pwn2Own contest last March.

    The other Critical IE bulletin deals with a vulnerability limited to IE 8, which made headlines recently because of a related zero-day exploit found on a US Department of Labor webpage. Based on our own investigation, users visiting this compromised site are led through a series of redirections until their systems are infected with a BKDR_POISON variant.

    Even before this month’s release, Trend Micro Deep Security has been protecting users from this vulnerability via rule 1005491 – Microsoft Internet Explorer Use-After-Free Remote Code Execution Vulnerability (CVE-2013-1347).

    The rest of the bulletins were tagged as Important, including one for a security flaw in Windows that may lead to a denial of service (DoS) attack.

    Just like last month, Adobe also released its security bulletins today, which include fixes for Adobe Reader, Acrobat, and Flash Player. The software vendor also issued a “security hotfix” for a ColdFusion vulnerability, which is reportedly being exploited in the wild.

    Users are advised to implement these bulletins as soon as possible to avoid exploits similar to the US DoL incident. For more details about how Trend Micro can protect users, you may refer to this Threat Encyclopedia page.

    Posted in Vulnerabilities



    While users are trooping to the cinemas to watch Iron Man 3, some may scour the Internet for bootleg copies or free movie streaming. Unfortunately, this gives the bad guys an opportunity to serve users with their dubious schemes.

    We conducted a simple Google query and found more than a hundred websites claiming to provide streaming of Iron Man 3. (The movie has already opened in some countries but not in the United States, making these claims more credible at first glance.) These supposed streaming sites are hosted on popular blog providers, with half of them using Tumblr.

    Figure 1. Half of the fake Iron Man 3 sites we found use Tumblr

    Once visited, these sites would ask users to download a video installer file. Based on our analysis, we found that this file was what it said it was – a legitimate video player. This particular video player has been known to display aggressive ads in the past, although we did not see that behavior this time. In addition, the player could be used to download and view pornographic materials.

    However, it’s still possible that these legitimate files would be replaced with malware at a later time. Thus, it won’t be a complete surprise if we find a malware-hosting webpage disguised as an Iron Man 3 streaming or downloading page anytime soon.

    Unsurprisingly, some bad guys have also used Facebook to spread links advertised as free Iron Man 3 movie streams. Users may encounter these as posts in their Facebook feed, together with a link to the said site. But once users click the link, they are redirected through several web pages until they land on yet another survey scam, which also spams their Facebook contacts with the same post. Other similar ruses we documented in the past include the “Facebook Profile Viewer” and the survey scam under the veil of the much talked-about Google Glass competition.
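    Both the Department of Labor chain above and these Facebook lures work by bouncing the visitor through several hops before the payload or survey page appears. The following is an added example of how an analyst can record such a chain hop by hop without rendering any of the pages; it is not code from the original post or from Trend Micro. The `http_fetch` helper is a hypothetical live fetcher built on the standard library, and the hostnames in `FAKE_SITE` are constructed stand-ins so the tracer can be exercised offline.

```python
import urllib.error
import urllib.request
from urllib.parse import urljoin


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following 3xx responses so each hop is observed."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_fetch(url, timeout=10):
    """Fetch one URL without following redirects (hypothetical live helper).

    Returns (status_code, Location header or None). Only headers are
    inspected; the body of a suspect page is never rendered or executed.
    """
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": "redirect-tracer/0.1"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        # With redirects disabled, urllib surfaces 3xx responses as HTTPError.
        return err.code, err.headers.get("Location")


def trace_redirects(start_url, fetch=http_fetch, max_hops=10):
    """Walk a redirect chain and return the ordered hops as (url, status).

    Stops at the first non-3xx response, when a URL repeats (a loop), or
    after max_hops fetches, so a hostile chain cannot keep the tracer busy.
    The final entry is tagged "loop" or "max_hops" when the chain was cut off.
    """
    chain, seen, url = [], set(), start_url
    for _ in range(max_hops):
        if url in seen:
            chain.append((url, "loop"))
            break
        seen.add(url)
        status, location = fetch(url)
        chain.append((url, status))
        if not (300 <= status < 400) or not location:
            break
        url = urljoin(url, location)  # Location may be relative
    else:
        chain.append((url, "max_hops"))
    return chain


# Constructed hop table standing in for a live compromised site; the
# hostnames are invented and only the shape (site -> intermediaries ->
# landing page) mirrors what the post describes.
FAKE_SITE = {
    "http://compromised.example/page": (302, "/r1"),
    "http://compromised.example/r1": (302, "http://ads.example/go?x=1"),
    "http://ads.example/go?x=1": (301, "http://survey.example/win"),
    "http://survey.example/win": (200, None),
}


def fake_fetch(url):
    return FAKE_SITE[url]


def landing_page(start_url, fetch=fake_fetch, max_hops=10):
    """Return the final URL of the chain, or None if it was cut off."""
    chain = trace_redirects(start_url, fetch=fetch, max_hops=max_hops)
    url, status = chain[-1]
    return url if isinstance(status, int) and status < 300 else None


if __name__ == "__main__":
    for hop in trace_redirects("http://compromised.example/page", fetch=fake_fetch):
        print(*hop)
```

    The hop limit and loop check matter in practice: survey-scam chains commonly key their next hop on the referrer or on a cookie, and a tracer with neither guard will happily follow a self-referencing chain forever.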


    Figure 2. Screenshot of page leading to survey scam

    Needless to say, these sites do not lead to the actual Iron Man 3 movie. Some of these sites, however, may ask users to register and ask for their credit card number, which is highly suspicious.

    High-profile summer flicks like Iron Man 3 are typical cybercrime bait because they have proven effective at tricking users into visiting shady websites, including those that host malware or run survey scams. Because of the clever use of social engineering, users may end up falling into the bad guys’ traps. Thus, it is important to be aware of how social engineering works and to be conscious of what you click and share on Facebook and other social media accounts. Trend Micro blocks the sites and domains related to this threat.

    With insights from Fraud analyst Paul Pajares.

    Posted in Social Media



    For this month’s Patch Tuesday, Microsoft released security updates for nine bulletins, including one bulletin covering two Critical issues found in all versions of Internet Explorer on all supported versions of Windows (including Windows 8 and Windows RT).

    These issues received a Critical severity rating, which means IT and security administrators should treat this bulletin as high priority. They affect all versions of Internet Explorer, from IE 6 to 10. If successfully exploited, the first vulnerability could let an attacker execute malware as soon as a user visits a malicious website in Internet Explorer (a drive-by download). The other IE issue may allow a successful attacker to gain the same rights or privileges as the affected user; its impact is reduced if the victim does not have administrator privileges.

    The other Critical bulletin addresses a privately disclosed vulnerability in Windows Remote Desktop. Like the IE bulletin, this issue may allow a remote attacker to execute malicious code on the vulnerable system.

    Besides this month’s roster of security updates, Microsoft issued another major reminder of its plan to end support for Windows XP and Office 2003 on April 8, 2014. We can expect fewer and fewer updates for the platform as this deadline approaches. To avoid problems, Microsoft is encouraging customers still using Windows XP to upgrade to a “more modern platform” such as Windows 7 or 8 as soon as possible.

    Posted in Vulnerabilities



    The Internal Revenue Service (IRS) opened the filing season on January 30, 2013 to help taxpayers prepare for the looming April 15 deadline. April 15, colloquially known as Tax Day, is when individual income tax returns are due to the federal government. True to form, cybercriminals have prepared their own tax-themed scams for taxpayers, and these are not a far cry from the usual attempts.

    Tax-themed attacks usually arrive as spammed messages claiming to be from the IRS or other government entities. To appear more convincing, the messages are crafted to intimidate and scare users into acting immediately, without giving them the chance to verify whether the emails are legitimate. Below are some of the common subject lines seen in tax-themed messages in 2012:

    • Rejected Federal Tax Transfer
    • Rejected Federal Tax Transaction
    • Rejected Federal Tax Payment
    • Federal Tax Payment returned
    • Federal tax transfer canceled
    • Federal tax transfer rejected
    • Federal tax transfer returned
    • Your IRS federal tax transfer is cancelled
    • Your federal tax transaction has been not accepted
    • Your transaction is cancelled
    • IRS report of not accepted tax bank transfer
    • Report of tax transaction decline
    • Report of tax bank transfer decline
    • Income Tax Refund CANCELED
    • Income Tax Refund RETURNED
    • Income Tax Refund TURNED DOWN
    • Income Tax Refund NOT APPROVED

    …and the list goes on. Notice that these messages are made to warn users of their “negligence” in payment. Because of the serious penalties involved, and to avoid any trouble with the law, people naturally try to remedy the situation by clicking the links or opening the attached files, simply because the email told them to.
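    The subject lines above share a small vocabulary: a failure word (rejected, returned, canceled, declined, not accepted, turned down) attached to a tax object (federal tax transfer, income tax refund, tax transaction). The following is an added example of a mail-filter heuristic built on that pattern; it is not code from the original post or from Trend Micro, and the sender addresses and subjects in `SAMPLE_MESSAGES` are constructed for the demonstration. It also handles the one subject on the list that carries no tax word at all (“Your transaction is cancelled”), which only becomes suspicious once the sender claims to be the IRS.

```python
import re
from email.utils import parseaddr

# Failure words used across the 2012 subject lines listed in the post.
FAILURE = re.compile(
    r"\b(?:rejected|returned|cancell?ed|declined?|not\s+accepted|"
    r"not\s+approved|turned\s+down)\b",
    re.I,
)
# Tax objects those words were attached to.
TAX_CONTEXT = re.compile(
    r"\b(?:irs|federal\s+tax|income\s+tax|tax\s+(?:bank\s+)?transfer|"
    r"tax\s+transaction|tax\s+payment|tax\s+refund)\b",
    re.I,
)
IRS_DOMAIN = "irs.gov"


def claims_irs(from_header):
    """True if the display name or local part of the sender invokes the IRS."""
    name, addr = parseaddr(from_header)
    local = addr.split("@", 1)[0]
    return re.search(r"\birs\b", f"{name} {local}", re.I) is not None


def spoofs_irs(from_header):
    """True if the sender invokes the IRS but the address is not under irs.gov."""
    _, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    under_irs = domain == IRS_DOMAIN or domain.endswith("." + IRS_DOMAIN)
    return claims_irs(from_header) and not under_irs


def flag_tax_lure(from_header, subject):
    """Return the reasons (possibly none) a message matches the tax-scare lure.

    A scare word alone is not enough ("Meeting cancelled" must pass), so it
    needs tax context, taken either from the subject or from a sender that
    claims to be the IRS. The spoof check is reported separately so a real
    irs.gov sender is not accused of spoofing.
    """
    reasons = []
    failure = FAILURE.search(subject)
    context = TAX_CONTEXT.search(subject) is not None or claims_irs(from_header)
    if failure and context:
        reasons.append(f"scare subject: '{failure.group(0)}' in tax context")
    if spoofs_irs(from_header):
        reasons.append("sender claims IRS but address is not under irs.gov")
    return reasons


# Constructed sample headers; the addresses and domains are invented.
SAMPLE_MESSAGES = [
    ("IRS <notice@irs-refund-center.example>", "Income Tax Refund CANCELED"),
    ("IRS Tax Department <alerts@irs-notice.example>", "Your transaction is cancelled"),
    ("payroll@employer.example", "Your tax return has been filed"),
    ("calendar@employer.example", "Meeting cancelled"),
]


def triage(messages=SAMPLE_MESSAGES):
    """Map each subject to the reasons it was flagged (empty list if clean)."""
    return {subject: flag_tax_lure(sender, subject) for sender, subject in messages}


if __name__ == "__main__":
    for subject, reasons in triage().items():
        print(subject, "->", reasons or "clean")
```

    The heuristic is deliberately narrow: it looks for the rejected-payment or canceled-refund framing rather than the word “tax”, so routine payroll or accountant mail passes while every subject on the list above is caught.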


    Figure 1. Detected phishing URLs related to the IRS

    Posted in Bad Sites, Spam



    As expected, shady developers are now taking advantage of Candy Crush, one of the hottest gaming apps in both social networks and Android.

    Recently, Candy Crush grabbed the top spot from FarmVille 2 as the most popular gaming app on Facebook. This boost in popularity, however, has its perils. In particular, Candy Crush’s popularity made it the perfect target for dubious developers and cybercriminals who want to lure and profit from fans of the game – similar to what happened with other popular mobile apps and games like Instagram, Bad Piggies, and Temple Run in the past.

    In a development that surprised no one, we discovered fake Candy Crush apps online, proving that cybercriminals are indeed hoping to capitalize on the game’s current trending status. These apps contain code for the Leadbolt and Airpush ad networks; apps containing such code were among the most prevalent we found last year. (We detect these as ANDROIDOS_LEADBLT.HRY and ANDROIDOS_AIRPUSH.HRXV.)

    Figure 1. Screenshot and notification of fake app

    While not inherently malicious, adware can be abused by cybercriminals for their own gain. Adware not only uses aggressive advertising tactics such as persistent notifications, but also collects information about the user, which can amount to a violation of the user’s privacy.


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice