Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Recent Posts

  • Calendar

    April 2014
    S M T W T F S
    « Mar    
  • About Us
    TrendLabs Security Intelligence Blog(breadcrumbs are unavailable)

    Author Archive - Paul Pajares (Fraud Analyst)

    We’ve seen “get Twitter followers” scams in the past, but a recent one stood out for a very good reason: it actually delivers what it promises—and then some.

    This scam tries to attract potential victims by using tweets with the phrase “GET MORE F0LL0WERS” and a URL that is apparently from Google. (In this particular case, Google is just used as a redirector to the scammer’s site.) It also uses Twitter’s Discover feature and trending topics to boost its visibility. It also uses tweets that mention random Twitter users.

    Figure 1. Sample tweets promoting the site

    When users click the link in the post, they will be redirected to a “get free followers” site. The site offers two options—a free and a premium service. The free option requires users to authorize a Twitter app named “LAAY PAAY” created by the scammers; this will grant them access to the user’s Twitter account. After the user is returned to the scam site from the app authorization process, the site will show a “processing” page. The user will gain random Twitter followers, including those with private accounts.

    The premium service boasts new followers per minute, no ads, and instant activation. This service costs five euros and can be paid via PayPal.

    Figure 2. Choice between the free or premium service

    What’s the catch? Yes, they get new followers, but these followers are other users who signed up for this service as well. By agreeing to the service, their accounts will also be used to follow other accounts as well.

    In addition, spam tweets will also be sent from the victim’s Twitter account. Even paying five euros will not stop these spam tweets. Note that to get more followers you have to log in repeatedly (otherwise you drop off the “list”), repeating the whole cycle.

    Figure 3. Service confirmation page

    Gaining access to Twitter accounts and sending spam tweets is not the only goal of the scammers here. They also load various advertising-laden affiliate sites in the background, in order to gain pageviews and thus, revenue for the owners of the ads.

    We’ve seen 35 separate domains in this attack, all of which lead to an IP address hosted in the United States. The US also accounts for almost 70% of this site’s visitors, based on Smart Protection Network feedback. Other countries in the top 5 include Turkey, New Zealand, Britain, and the Philippines.

    Users are encouraged to avoid clicking links on social media posts unless the source can be verified. Users should also avoid giving access to their social media accounts unless the sites are established and well-known.  Lastly, they should always remember that “free” services often aren’t. They may ask for something in exchange, be it information or access to accounts.

    Trend Micro blocks all URLs related to this scam. Twitter has suspended some accounts that were involved in this attack, and spammed tweets have also been removed.

    Posted in Social | 1 TrackBack »

    According to news stories, Apple is now the most valuable brand in the world. One party that would agree: cybercriminals, who are now targeting Cupertino in increasing numbers.

    Earlier in the year, the number of identified Apple phishing sites would only be in the hundreds per month, as seen in the chart below:

    Figure 1. Number of identified Apple-related phishing sites

    Some cases of these Apple-related threats just use Apple as social engineering bait. For example, here, the need to “verify” one’s Apple products or services is used to phish email services:

    Figure 2. Phishing site

    As we noted earlier this year, Apple ID itself is now being targeted for theft. For users of all Apple products – whether they be Macs, iOS devices, or just the iTunes store – the Apple ID is a key ingredient in how they use these products. For example, it can be used to control the data stored in your iCloud account, make purchases of both music and apps, and even manage your iOS or Mac device.

    Not only that, users from all over the world are being targeted. For example, this phishing site is in French:

    Figure 3. Apple ID phishing site

    Unsurprisingly, the number of phishing sites seems to spike in months where Apple-related rumors are high as well. For example, the month with the most identified sites – May – was also the month when iOS 7-related rumors were most prevalent, particularly before its June announcement at the Apple Worldwide Developer Conference.

    Similarly, June itself saw many rumors related to what became the iPhone 5c. The same was true for the succeeding months, up until the new generation of iPhones was launched on September 20.

    It would appear that cybercriminals are using Apple-related rumors as a gauge of potential interest from users/victims and increase the number of their attacks as needed.

    This growth in Apple-related threats highlights how Apple users, far from being safe, are continuously targeted by threats today as well. We discuss these problems in more detail in the eguide Why Macs Need Security.

    Posted in Bad Sites | Comments Off

    Summer movies are highly anticipated by the moviegoers, because Hollywood traditionally releases its biggest blockbusters during this season. Fraudsters are relentless in creating fake streaming sites, not just on the screening date of these movies, but also before the release of movies in theaters.

    The next two charts show which movies are most popular with attackers, as well as where these fake sites are hosted.

    Commonly used summer movie titles-01
    Figure 1. Commonly used summer movie titles

    Popular hosts for fake streaming sites-01
    Figure 2. Popular hosts for fake streaming sites

    How do these scams work? Cybercriminals want to lead users to download video players or sign up for streaming sites via affiliate links. Alternately, they may want to lead users to more traditional survey scams.

    Figure 3. Fake streaming sites infection chain

    The attackers use various social media sites like Facebook, Google+, Youtube, LinkedIn, and many others to drive users to the fake streaming pages.  These are hosted on blogging services like Tumblr, WordPress, and Blogger.

    Most pages on these blogs have shortened URLs that lead to the final sites we talked about earlier. Because they used the services of URL shorteners, we were able to view the number of visits per selected movie. It appears that Man of Steel, Fast and the Furious 6 and Iron Man 3 got the highest number of viewers. This data is for a two-month period from late April up to the end of June.

    Read the rest of this entry »

    Posted in Bad Sites | Comments Off

    Phishers appear to have concentrated their fire on a relatively new target: Apple IDs. In recent days, we’ve seen a spike in phishing sites that try to steal Apple IDs.

    Upon looking at the URLS, we noted that there was a consistent pattern to the URLs of these phishing sites. They are under a folder named ~flight. Interestingly, trying to access the folder itself will load the following page:

    Technically, the sites were only compromised, but not hacked (as the original content was not modified). It’s possible, however, that the sites may be hacked or defaced if the site stays compromised.

    As mentioned earlier, the directory contains pages that spoof the Apple ID login page fairly closely:

    We’ve identified a total of 110 compromised sites, all of hosted at the IP address, which is registered to an ISP in the Houston area. Almost all of these sites have not been cleaned.

    The graph above shows the increase in phishing sites targeting Apple IDs. We’ve seen attacks targeting not only American users, but also British and French users. Some versions of this attack ask not only for the user’s Apple ID login credentials, but also their billing address and other personal and credit card information. It will eventually result in a page that states that access has been restored, but of course the information has been stolen. One can see in the sample page below how it asks for credit card information:
    Read the rest of this entry »

    Posted in Spam | Comments Off

    Just a word of caution those who will update their systems with the recent Java zero-day security patch: make sure to get it from a reliable source or else face the possibility of a malware infection.

    Oracle has recently released its fix to the much talked-about Java zero-day (CVE-2012-3174) incident though with lukewarm reception from certain sectors, which include the US Department of Homeland Security. However, we encountered a malware under the veil of a Java update.

    We were alerted to reports of a malware that poses as Java Update 11 created by an unknown publisher. The said fake update in question is javaupdate11.jar (detected as JAVA_DLOADER.NTW), which contains javaupdate11.class that downloads and executes malicious files up1.exe and up2.exe (both detected as BKDR_ANDROM.NTW). Once executed, this backdoor connects to a remote server that enables a possible attacker to take control of the infected system. Users can get this fake update by visiting the malicious website, {BLOCKED}


    Read the rest of this entry »



    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice