
    Author Archive - Paul Oliveria (Technical Communications)




    Valentine’s Day is here, and once again, we remind users to be careful online during this special occasion, whether or not you have a reason to celebrate it. Several entries in this blog should have already established Valentine’s Day (or love in general) as a favorite topic used by cybercriminals, and this year is no exception. Granted, with today’s more digitally connected lives, other love- and relationship-related issues come to mind—online privacy and reputation management (do you share passwords with your loved ones?) and inappropriate content (sexting), to name a few—but looking at the data gathered through the global sensors of our Smart Protection Network™, the more, shall we say, “old-school” web threats are still getting some traction.

    Below is a 30-day snapshot of hits to malicious sites and detected files with the keyword “valentine” in them:


    Figure 1. Malicious URL hits related to “valentine” from January to Feb. 14


    Figure 2. Malware detections related to “valentine” from January to Feb. 14

    The increasing trend as February 14 approaches is not surprising. Nor is the correlation between file and web reputation; indeed, it seems that the majority of the Valentine-related threats that affected users are Trojans that usually arrive via malicious sites. We can assume here that these users were searching for something Valentine-related, clicked a link, and the Trojan was downloaded automatically.

    But what are these users actually looking for? “My Bloody Valentine” (which refers to pirated copies of both the movie and the music band) aside, several of the URL keywords we’ve seen still reflect the commercial side of Valentine’s Day. These range from coupons, to e-cards, to “last-minute gift ideas.” What is more interesting to note, though, is that some of these keywords reflect the user’s “post-PC” behavior: terms like “free download happy valentine day 2012 love quotes funny sms text” and the several “wallpaper backgrounds” or “animated gifs” were seen, indicating the shift of user behavior towards something more social (posting images and gifs on Facebook or Tumblr) and mobile (sending texts, MMS, etc.).




    In TrendLabs, it has become somewhat of a tradition for our researchers to remind readers of the things cybercriminals do to scare them into falling into their traps. After all, not only do they take advantage of these trick-or-treating festivities to send e-cards or poison search results, the malicious tweets, disturbing Facebook posts, and the scareware that are still plaguing users happen all year round. We even did an infographic last year to sum up these tactics.

    Today, cybercriminal activities, hackers, and malware are just one aspect of our digital lives that we need to be scared of. So we asked ourselves: what are we really afraid of?

    A study* we recently conducted found that while 7 out of 10 users feel that it is their personal responsibility to protect their and their family’s online security, only 4 out of 10 feel they know how to do so. Other fears/concerns that came up touch on relevant issues like privacy and data loss.

    Are these fears rooted in something? It turns out that some of our online activities may be a contributing factor after all. Worried about the information posted on your social networking account? You should be, if you don’t change your privacy settings. And did you know that according to Mashable, 1 out of 4 people in the U.S. do not back up their data at all?

    These interesting findings can be found in our latest infographic. It is interesting to note, too, that our digital “phobias” almost have the same manifestations as real-life ones (athazagoraphobia, anyone?).

    *Based on a Trend Micro survey sent to 1,000 respondents in the United States, United Kingdom, and Australia

     



    Many watched the U.S. presidential debate last week, and while whether Barack Obama or Mitt Romney won the discussion is still up for debate among netizens, one thing is certain: the presidential campaign is on its last stretch towards the November 6th elections. One other thing that’s certain? Scammers exploiting this to the very end.

    Our researchers have been looking into the data gathered through the global sensors of our Smart Protection Network. Below is a snapshot of election-related keywords that got several hits to malicious sites:

    Keywords          # of Hits
    Obama             26,559
    Romney            4,519
    Elections         806
    2012 Elections    358

    Note that these hits are just for the past three months, and we expect them to increase as Election Day draws near. But what stood out for us is the number of hits for both candidates: apparently, when it comes to the number of failed attempts to access a malicious site, Obama gets the users’ vote. And cybercriminals agree: when we checked the number of unique domains blocked since January, there were 4 Obama-related domains for every 1 Romney domain.

    This shouldn’t come as a surprise, given the incumbent President has had at least four years of pop-culture mindshare under his belt compared to Romney. Remember that from right after he won the 2008 elections up to his inauguration, Obama was used in several social engineering baits. Going back to the three-month snapshot, it can be seen that hits for Obama have seen their share of highs and lows, while the increase for Romney was consistent around the period when his candidacy was officially announced in August.


    But looking at the type of threats and who the eventual victims were, both candidates are pretty much neck and neck. While it is quite obvious that most victims are from the United States and Canada, interestingly, the other top countries include those in Asia and Europe.

    The majority of the hits are from disease vector URLs (i.e., those that eventually download malicious files on computers or host phishing sites) and spam-related ones, which is consistent with previous election-related threats.

    Several pieces of malware have also taken advantage of these two candidates, as we’ve seen file names that range from the curious (Drunken Obama.exe, which we detect as ADW_MARKETSCORE), to the somewhat serious (several PDF files like Romney V. Obama Tax Policies.pdf, which we heuristically detect as HEUR_PDFEXP.E). And apart from the malicious mobile apps we’ve seen several weeks ago, based on our feedback, we’ve also seen infections from a relatively old SOHANAD worm, as well as from other AUTORUN malware (those that usually spread via removable drives) with backdoor capabilities, including the following:

    So what do these tell us? This reinforces the fact that the bad guys have all the bases covered when it comes to exploiting popular events. Whoever wins come November 6th, end users will end up losing in one way or another if they’re not careful. So keep yourself informed. Get your news only from trusted sources, and make sure to have an Internet security solution installed on your devices.

    Update as of October 11, 2012 7:30 AM PDT

    We’ve found a spam run using the election as social engineering bait as well. The email is supposedly from CNN and contains news stories about the election:

    However, instead of news articles, the links lead users to a variant of the ZeuS banking Trojan, delivered by the Blackhole exploit kit. We detect this variant as TSPY_ZBOT.NTW; in addition to blocking the malware we also block the malicious sites that were used by the Blackhole exploit kit in this incident.

     



    In January this year, Trend Micro chairman and co-founder Steve Chang was quoted as saying that Android-based devices are less secure than those running on iOS. While his comment caused quite a stir back then, today’s threat landscape seems to agree. Since Steve’s statement, our researchers saw a whopping 1410 percent increase in the number of Trojanized Android apps and actual malware targeting fans of the little green robot.

    Our researchers opine that we have yet to reach a tipping point where malware becomes the biggest security issue for Android-based device users. The fact that these malicious apps are out there to invade one’s privacy, to take control of a device, and to cost users money because of unnecessary billing charges is something that should be taken seriously though. Add to that the fact that these threats heavily rely on user interaction to initiate. Like most information security threats, awareness is the first step toward prevention.

    So in—for lack of a better term—“commemoration” of the discovery of the first Android Trojan, below is an infographic that gives users a snapshot of Android threats—how much these have grown, how these work, and how users can protect themselves.


    For more information on keeping your Android-based mobile devices safe from threats, check out our e-book, “5 Simple Steps to Secure Your Android-Based Smartphones.”

     



    India is emerging as one of the growing unwitting participants in the global threat landscape. As a country, it consistently ends up in top 10 lists of bad actors, whether as a source of spam or malicious URLs or as the country with the most system infections.

    TrendLabs’ recent half-year report supports this, citing that “the country is second to the United States as top spam sender (and top source of botnet activity) and one of the top 20 victims of malicious URLs.” Major malware threats have hit the country as well. Two years after it first became a problem, DOWNAD/Conficker infections are still commonplace in the region. STUXNET was also a major problem in India with a significant number of infections present.

    Like other developing countries, India’s growth means it is becoming part of the global cybercriminal economy. In 2008, it was reported that India hosted the majority of CAPTCHA-breaking contact centers, among others.

    India’s top-level domain (TLD) .IN is also being heavily abused by cybercriminals. While the domain registrars offering .IN domains are quick to act when malicious domains are reported, abuse of the TLD is still a significant problem.

    There are several environmental reasons why India is becoming a significant segment in the world of cybercrime. These include:

    1. Language: English may not be the official language in India but it is considered important for most types of “official” national, political, and commercial communications. The current Internet users in India are also said to prefer consuming their online content in English. Since a large chunk of threats such as spam (now at 83 percent as of Q3) are in English, these users are more likely to succumb to these threats than their non-English-speaking Asian neighbors.
    2. IT infrastructure: There are approximately 160 ISPs in India but the top 6 account for almost 90 percent of all the users. The varying levels of security that the said ISPs are willing to provide their customers may very well be the main factor that causes a certain set of users to be affected by a certain threat and be protected from another. Another reason why the Indian IT environment severely suffers from security issues is piracy. As of 2009, almost two-thirds of all the software in the country was pirated. Pirated software has a twofold effect on security. First of all, cybercriminals frequently use pirated software as bait in their attacks. Second, users of pirated software frequently do not update their applications, leaving themselves open to potential vulnerability exploits. It’s not surprising then that India continues to be plagued by DOWNAD/Conficker. Many systems have not yet been patched to close the security hole that was exploited.
    3. User behavior: User studies of Indian Internet users indicate that the majority are young men. These users go online primarily to look for jobs and, more recently, to visit business and finance websites. These activities can easily be leveraged in social engineering attacks. How Indian users access the Internet is also relevant. Many users do so from Internet cafes and not by using their own systems. The burden of system maintenance is thus passed on to business owners who may not have the knowledge or resources to perform this task. Other user behaviors that increase risks are:
      • 80 percent of users have clicked banner ads at least once. This makes malvertisements a more enticing ploy for cybercriminals.
      • Facebook has surpassed Orkut as the top social media network in India. This means that users are now more exposed to social media threats such as KOOBFACE.
      • 72 percent are willing to exchange personal information in return for “something of value.” This means that social engineering ploys may well be more successful since this is the very tactic that users rely on. Given that personal use of office Internet connection is also commonplace, confidential information from organizations is also put at risk.

    Taken together, all this information indicates that India is emerging not just economically but in the world of cybercrime as well. Several unique aspects of the region also differentiate the threats in it from other regions.

     


     
