    TrendLabs Security Intelligence Blog

    Author Archive - Paul Pajares (Fraud Analyst)




    Phishers appear to have concentrated their fire on a relatively new target: Apple IDs. In recent days, we’ve seen a spike in phishing sites that try to steal Apple ID credentials.

    Looking at the URLs, we noticed a consistent pattern across these phishing sites: the kit is always installed under a directory named ~flight. Interestingly, requesting the directory itself (rather than one of the pages inside it) loads the following page:

    Technically, the sites were compromised rather than hacked in the usual sense: the attackers added their own directory, but the sites’ original content was not modified. If a site stays compromised, however, it may later be hacked outright or defaced.

    As mentioned earlier, the directory contains pages that spoof the Apple ID login page fairly closely:

    We’ve identified a total of 110 compromised sites, all hosted at the IP address 70.86.13.17, which is registered to an ISP in the Houston area. Almost all of these sites have not yet been cleaned.

    The graph above shows the increase in phishing sites targeting Apple IDs. We’ve seen attacks targeting not only American users, but also British and French users. Some versions of this attack ask not only for the user’s Apple ID login credentials, but also for their billing address and other personal and credit card information. The sequence ends with a page stating that access has been restored, but by then the information has already been stolen. The sample page below shows how it asks for credit card information:
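    The two indicators described above (the fixed ~flight path segment and a single shared hosting IP) are exactly what lets an analyst separate this campaign from unrelated phishing URLs. The following script is an added example, not code from the original post: it parses a list of URLs, keeps only those whose path contains a segment that is exactly ~flight, and groups the affected hosts by the IP they resolve to. The URLs, hostnames and the hostname-to-IP map are constructed for the example (the map stands in for DNS lookups made at analysis time), and the addresses are documentation ranges, not the 70.86.13.17 host from the post.

```python
"""Cluster suspected Apple ID phishing URLs by the ~flight path marker and
hosting IP.  Added example; the URLs and IP mapping below are constructed."""
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample: a mix of benign and suspect URLs (hostnames are fictional).
SAMPLE_URLS = [
    "http://example-shop.test/~flight/apple/login.php",
    "http://example-shop.test/index.html",
    "http://another-site.test/~flight/",
    "http://another-site.test/~flight/verify.php?country=fr",
    "https://appleid.apple.com/",
    "http://third-host.test/blog/~flight/signin.html",
    "http://clean-host.test/flight/schedule.html",   # 'flight' without the '~'
]

# Constructed hostname -> IP map (stand-in for DNS lookups done at analysis time).
HOST_IPS = {
    "example-shop.test": "203.0.113.17",
    "another-site.test": "203.0.113.17",
    "third-host.test": "203.0.113.17",
    "clean-host.test": "198.51.100.5",
    "appleid.apple.com": "192.0.2.1",   # placeholder, not Apple's real address
}


def has_flight_marker(url: str) -> bool:
    """True when some path segment is exactly '~flight' (the phishing kit's folder)."""
    path = urlparse(url).path
    return any(seg == "~flight" for seg in path.split("/"))


def cluster_by_ip(urls, host_ips):
    """Group hosts that serve the ~flight kit by the IP address they resolve to."""
    clusters = defaultdict(set)
    for url in urls:
        if not has_flight_marker(url):
            continue
        host = urlparse(url).hostname
        clusters[host_ips.get(host, "unresolved")].add(host)
    return {ip: sorted(hosts) for ip, hosts in clusters.items()}


def report(urls=SAMPLE_URLS, host_ips=HOST_IPS):
    """One line per hosting IP, largest cluster first."""
    clusters = cluster_by_ip(urls, host_ips)
    return [
        f"{ip}: {len(hosts)} compromised host(s): {', '.join(hosts)}"
        for ip, hosts in sorted(clusters.items(), key=lambda kv: -len(kv[1]))
    ]


if __name__ == "__main__":
    print("\n".join(report()))
```

    Matching on a whole path segment rather than on the substring "flight" keeps legitimate pages such as the constructed /flight/schedule.html out of the cluster; in practice the IP grouping is what turns a list of hits into a single takedown request to the hosting provider.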

     
    Posted in Spam



    Just a word of caution to those who will update their systems with the recent Java zero-day security patch: make sure to get it from a reliable source, or else face the possibility of a malware infection.

    Oracle has recently released its fix for the much talked-about Java zero-day (CVE-2012-3174) incident, though to a lukewarm reception from certain sectors, including the US Department of Homeland Security. Meanwhile, we have encountered malware masquerading as that very Java update.

    We were alerted to reports of malware posing as Java Update 11 and created by an unknown publisher, i.e. not carrying Oracle’s signature. The fake update in question is javaupdate11.jar (detected as JAVA_DLOADER.NTW), which contains javaupdate11.class; that class downloads and executes the malicious files up1.exe and up2.exe (both detected as BKDR_ANDROM.NTW). Once executed, this backdoor connects to a remote server, giving an attacker control over the infected system. Users receive the fake update by visiting the malicious website {BLOCKED}currencyreport.com/cybercrime-suspect-arrested/javaupdate11.jar.
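    The "unknown publisher" warning in the paragraph above is the one signal a user gets before running the file: a genuine Oracle update is a signed JAR, and javaupdate11.jar is not. The script below is an added example (not code from the original post) of the triage an analyst can run on a downloaded archive before anything executes: it opens the JAR as a zip, checks whether META-INF carries a signature file (*.SF) together with a signature block (*.RSA, *.DSA or *.EC), and lists the classes inside. The two JARs it inspects are built in memory for the example; the class name javaupdate11.class is taken from the post, the manifest contents and the placeholder signature bytes are constructed. The check establishes only that signature entries are present or absent; verifying the signature itself is jarsigner’s job.

```python
"""Triage a Java archive that claims to be an update: is it signed, and what
classes does it carry?  Added example; the sample JARs are built in memory."""
import io
import zipfile


def inspect_jar(data: bytes) -> dict:
    """Return signing status and class list for a JAR given as bytes.

    A signed JAR carries META-INF/*.SF plus a matching *.RSA/*.DSA/*.EC block;
    a JAR with neither is unsigned, i.e. from an 'unknown publisher'.
    Presence is all that is checked here, not the validity of the signature.
    """
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        names = jar.namelist()
    meta = [n for n in names if n.upper().startswith("META-INF/")]
    sig_files = [n for n in meta if n.upper().endswith(".SF")]
    sig_blocks = [n for n in meta if n.upper().endswith((".RSA", ".DSA", ".EC"))]
    classes = [n for n in names if n.endswith(".class")]
    return {
        "signed": bool(sig_files and sig_blocks),
        "signature_entries": sig_files + sig_blocks,
        "classes": classes,
    }


def looks_like_fake_update(info: dict) -> bool:
    """Unsigned archive whose class names advertise themselves as an 'update'."""
    update_named = [c for c in info["classes"] if "update" in c.lower()]
    return not info["signed"] and bool(update_named)


def build_sample_jar(signed: bool) -> bytes:
    """Construct a minimal JAR in memory (stand-in for a downloaded file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF",
                     "Manifest-Version: 1.0\nMain-Class: javaupdate11\n")
        # Class-file magic only; the real downloader's bytecode is not reproduced.
        jar.writestr("javaupdate11.class", b"\xca\xfe\xba\xbe")
        if signed:
            # Placeholder signature entries: enough for the presence check only.
            jar.writestr("META-INF/PUBLISHER.SF", "Signature-Version: 1.0\n")
            jar.writestr("META-INF/PUBLISHER.RSA", b"\x30\x82")
    return buf.getvalue()


if __name__ == "__main__":
    for signed in (False, True):
        info = inspect_jar(build_sample_jar(signed))
        print(info, "-> fake update?", looks_like_fake_update(info))
```

    On a real file, follow a positive presence check with `jarsigner -verify -verbose -certs file.jar` and confirm that the signer certificate chains to Oracle; an archive that passes this script’s presence check can still be signed by anyone.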

    [Figure: screenshot of the fake Java update site]


     



    Ease is the main reason why users are going online for their purchases, especially during the holiday season. While convenient, online shopping puts users’ login credentials and personally identifiable information (PII) at risk, as cybercriminals can easily craft phishing attacks that lead to data theft.

    Using Trend Micro Smart Protection Network™ and other proprietary tools, we identified the most-spoofed brands for December 2012. Below is a graph of newly created spoofed sites, limited to 50 popular brand names.

    Based on the information we’ve gathered, the e-commerce site PayPal was the most targeted institution, with 18,947 spoofed sites under its belt, followed at a considerable distance by the American bank Wells Fargo. Users who are tricked into visiting spoofed PayPal sites may end up with systems infected by TROJ_QHOST.EQ. So far, the malware has infected systems in Taiwan, Thailand and the United States (US). As the table below shows, the top 10 most-spoofed sites are all either banks or well-known credit card companies.

    Company name / website    Number of phishing websites created
    PayPal                    18,947
    Wells Fargo                2,049
    Visa                       1,661
    Citibank                   1,628
    Bank of America            1,477
    Mastercard                   986
    Chase                        656
    Bancolombia                  369
    Natwest                      324
    Cielo                        310


     
    Posted in Mobile, Spam



    It’s a pig-eat-pig world out there – at least on the mobile app threat front. Right after reports of malicious Bad Piggies extensions on the Google Chrome Web Store circulated, we found that certain developers have also released their own rogue versions of the game.

    On the heels of Bad Piggies’ launch last month, we saw rogue versions of the game on specific web pages hosted on Russian domains. These versions are not affiliated with the game at all. Based on our analysis, these apps are malicious, specifically premium service abusers: they send SMS messages to premium-rate numbers without user consent and leave users with unexpected charges.

    Slicing Through Malicious Bad Piggies Version

    During our research, we used the keyword “Bad Piggies” and encountered 48 Russian domains. Among these sites is piggies-{BLOCKED}d.ru, which appears to be an app download page.

    The site offers the app for several platforms. Instead of the actual Bad Piggies app, users download a malicious .APK file detected as ANDROIDOS_FAKEINST.A. Once installed, it creates a shortcut on the device’s home screen and sends SMS messages to specific numbers. As mentioned, these messages are sent without user consent and may cost users extra for something they never authorized.


     
    Posted in Mobile



    Note:

    Some of the apps discussed in this blog entry were developed with an older adware SDK that did not contain opt-in provisions, particularly regarding the ability to collect information and display ads outside of the original app. The adware SDK has since been updated to make this capability opt-in, in order to comply with Google’s developer policies; apps that use the newer version are no longer considered high-risk.

    More details about this change can be found in our December 2012 Monthly Mobile Review: The Hidden Risk Behind Mobile Ad Networks.

    We uncovered four Android mobile apps on Google Play and certain third-party app stores which, when installed, gain access to specific device information that can be used without users’ consent and may lead to data leakage. One of these apps has already been removed from Google Play but remains available on third-party stores. These apps are crafted to take advantage of the upcoming 2012 US Presidential Election and its two candidates, Mitt Romney and Barack Obama. Users can download these apps for free.

    The first app, called “Obama vs Romney”, is an ANDROIDOS_AIRPUSH variant found to connect to airpush.com, a mobile ad network site. The app’s description page also indicates that it may contain ad notifications. We found that this app has more than 300 downloads from third-party stores and an estimated 500-1,000 downloads from Google Play so far.

    This app was designed as a polling service in which users choose between the two candidates. It is supposed to display the overall result of the poll immediately. During our testing, however, it only showed the message “you probably want to start clicking as soon as possible”. This particular app also displays potentially annoying ads served from airpush.com outside of the app itself.

    It also requests the ACCESS_COARSE_LOCATION permission, among others, which lets it read the device’s approximate (network-based) location; precise GPS position would additionally require ACCESS_FINE_LOCATION.
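    Both the fake Bad Piggies installer described earlier (ANDROIDOS_FAKEINST.A, a premium-SMS abuser) and the election polling apps here (an ad-SDK bundle requesting location and device information) give themselves away in the permissions they request. The script below is an added example, not code from the original posts or from Trend Micro’s tooling: it parses a decoded AndroidManifest.xml, lists the requested permissions, and flags the two patterns the posts describe: SEND_SMS (with RECEIVE_SMS, which lets an abuser swallow the carrier’s confirmation messages) and a location or device-identifier permission combined with INTERNET, i.e. data that can leave the device. The two manifests are constructed to model those apps; their package names, and the INSTALL_SHORTCUT permission standing in for the home-screen shortcut the installer creates, are assumptions. A real APK stores the manifest as binary XML, so decode it first (for example with apktool) before feeding it to this parser.

```python
"""Static triage of a decoded AndroidManifest.xml: list requested permissions
and flag premium-SMS and location/device-ID leakage patterns.  Added example;
both manifests below are constructed, not the real apps' manifests."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed manifest modelled on a premium-SMS abuser posing as a game installer.
FAKE_GAME_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="ru.example.piggies.installer">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="com.android.launcher.permission.INSTALL_SHORTCUT"/>
</manifest>"""

# Constructed manifest modelled on an ad-SDK-bundled polling app.
POLL_APP_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.obamavsromney">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
</manifest>"""


def permissions(manifest_xml: str) -> list:
    """All <uses-permission android:name=...> values, sorted."""
    root = ET.fromstring(manifest_xml)
    return sorted(
        el.get(ANDROID_NS + "name")
        for el in root.iter("uses-permission")
        if el.get(ANDROID_NS + "name")
    )


def triage(manifest_xml: str) -> dict:
    """Flag the permission combinations that matter for the cases in the posts."""
    root = ET.fromstring(manifest_xml)
    perms = set(permissions(manifest_xml))
    short = {p.rsplit(".", 1)[-1] for p in perms}   # strip the 'android.permission.' prefix
    findings = []
    if "SEND_SMS" in short:
        # Sending SMS is the premium-service abuse primitive; RECEIVE_SMS alongside it
        # lets the app intercept carrier confirmations so the victim never sees them.
        findings.append("premium_sms" + ("+intercept" if "RECEIVE_SMS" in short else ""))
    if {"ACCESS_COARSE_LOCATION", "ACCESS_FINE_LOCATION"} & short and "INTERNET" in short:
        # Location plus network egress: the value can leave the device (e.g. to an ad network).
        findings.append("location_exfil_capable")
    if "READ_PHONE_STATE" in short and "INTERNET" in short:
        # READ_PHONE_STATE exposed IMEI and phone number on the Android versions of the time.
        findings.append("device_id_exfil_capable")
    if "INSTALL_SHORTCUT" in short:
        findings.append("creates_home_shortcut")
    return {"package": root.get("package"), "permissions": sorted(perms), "findings": findings}


if __name__ == "__main__":
    for manifest in (FAKE_GAME_MANIFEST, POLL_APP_MANIFEST):
        print(triage(manifest))
```

    Permissions alone do not prove abuse (a messaging app legitimately needs SEND_SMS), so treat the findings as a prioritisation for dynamic analysis: for a premium-SMS suspect, run the app in an emulator and watch for SmsManager.sendTextMessage calls to short codes; for the location case, capture the app’s HTTP traffic and see what the ad SDK reports back.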


     
    Posted in Mobile


     

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice