
    Author Archive - Paul Pajares (Fraud Analyst)

    We were alerted to a scam that is currently found on Facebook. It’s worth noting that this scam uses the mobile messaging app WhatsApp. Users may encounter this scam via Facebook notification requests or contacts’ “Likes”.

    The scam starts like a typical scam: users are redirected to a fake WhatsApp Facebook page that requests users’ permissions. Once the app permission request is granted, it displays other Facebook users, usually the victim’s own contacts, who are supposedly using the WhatsApp app.

    Interestingly, users are led to a user agreement page that appears to target mobile users. The page contains icons of different mobile operating systems to appear legitimate.

    When users agree and give permission to the said app, they are then led to different pages, which vary depending on the victim’s location. Users located in countries such as the United States, Australia, New Zealand, Germany, and Great Britain are led to a fake Starbucks gift card page. Those who are not located in any of these countries are led to a different page containing an image.

    We have previously reported fake Android app pages that spoof popular mobile apps like Instagram, Farm Frenzy, and Angry Birds Space. But this new scam suggests that it won’t be long before we see links to fake Android apps spreading on Facebook.

    Trend Micro protects users from this threat via the Smart Protection Network™, which prevents access to the survey scam sites. With more than 900 million users, Facebook is a natural target for scams such as this one. To learn more about how to protect yourself from these threats, in particular survey scams, you may read our FAQ entry Survey Scams Aimed at Social Networking Netizens.

    Update as of August 23, 2012 10:47 AM, PST

    We also spotted an app in Facebook named Whatsapp Messenger, which can access a user’s friends’ contact information. Upon checking, it leads to another fake app named Temple Run V.2 for Facebook. When the user clicks on play, it automatically sends requests to the affected Facebook user’s friends list, thus spreading the scam. Trend Micro already blocks this threat.

    Coming Soon: The TrendLabs Security Intelligence Blog will be the new Malware Blog


    With the 2012 Olympics officially closed, it’s worth looking back at the types of online scams we saw that tried to exploit the good name of the Olympics for illegal profit.

    We saw two primary lures for Olympic scams: fake streaming sites, and tickets for sale. These two scams accounted for approximately two-thirds of Olympic-related malicious sites that were encountered in the months of July and August. Other scams encountered included fake mobile apps, illegal TV cards, fraudulent goods, and typosquatting sites.

    Fake streaming sites

    • The primary purpose of these fake live streaming sites was, supposedly, to offer discounts for satellite TV for PC scams. In general, the sites let users click on fake video players, but clicking on these links instead redirects them to the said scam via legitimate (but abused) URL shorteners like The scammers use this to generate web analytics for their sites. To promote these, events on Facebook are created that link to these scam sites.
    • The events most targeted by streaming scams were: tennis, basketball, and athletics. The men’s and women’s tennis gold medal matches were particularly singled out for attention.
    • Around two-thirds of the sites created for this purpose used generic keywords like London 2012 Olympics. 17% of the sites were tied in to one match/event, while 8.6% tied to the opening or closing ceremonies. The total number of fake streaming sites was over 300.
    • Some of the most used keywords for fake live streaming sites were:

      Keyword     Percentage
      2012        79%
      Olympics    67%
      live        63%
      London      46%
      stream      43%
      watch       23%


    Posted in Bad Sites | Comments Off on Fake Streaming Sites: Most Used Olympics-Related Scam

    Despite the presence of the legitimate Google Play app store, cybercriminals are still hooking users by distributing malicious Android games themselves. Now, they’re taking advantage of a list of best-selling Android games.

    As before, the criminals have created .RU domains for each Android game they’re (supposedly) distributing. Links to these domains will spread via forum or blog posts, as well as email. Here’s a full list of the games that are being used by this new wave of mobile malware:

    If you look closely at the above list, you can see the wide selection of targeted apps. These include newly developed games like Cut the Rope: Experiments and Amazing Alex; Editor’s Choice apps like World of Goo, Shadowgun, Sprinkle, Where’s My Water, Osmos HD, Riptide GP and Angry Birds Space Premium. Many of these are top sellers as well.

    Aside from best-selling games, some popular movie franchises like The Amazing Spiderman and The Dark Knight Rises are also being exploited, even if the actual games themselves don’t exist. Here’s the page for the supposed Spiderman game:

    All of the download links in these pages redirect users to a separate site, where the malicious APK files are actually hosted. Some of the sites in question also include QR codes, although these lead to the same files. (We detect these files as ANDROIDOS_SMSBOXER.B.) This particular malware family is notorious for abusing premium service numbers, which may result in high phone charges for the user.

    Trend Micro customers are now protected by blocking the malicious URLs and detecting the files via the Smart Protection Network. In particular, Trend Micro Mobile Security for Android also detects these malicious apps, preventing their installation on mobile devices.

    As we mentioned earlier, these particular attacks against Russian Android users are not new. Previous attacks have claimed they were websites for Angry Birds Space, Farm Frenzy 3 and Temple Run. (We have compiled a Web Attack entry discussing these threats as well.)

    Posted in Bad Sites, Malware, Mobile | Comments Off on Malicious Versions of Best-Selling Android Games Spreading In Russia

    The ongoing 2012 UEFA European Championship is the latest sporting event used by cybercriminals to lure users into their malicious schemes. So far, we have uncovered a malicious site with a domain name that copies the official UEFA Euro 2012 site and web pages leading to survey scam pages and ad tracking sites.

    Malicious Domain Hosts Multiple Threats

    While conducting proactive research, we spotted the site {BLOCKED}, which tried to mimic the official site. Upon investigation, we found that this site actually hosts several pieces of malware, one of which is the FAKEAV variant TROJ_FAKEAV.HUU. Once executed in the system, this malware displays a supposed scan result of the infected system. This may prompt users to purchase the bogus antivirus program and activate the said product.


    Posted in Bad Sites, Malware, Social, Spam | Comments Off on Cybercriminals Kick Off UEFA Euro 2012

    The continuing increase in visitors to the Pinterest site may be a primary reason why it’s becoming a hit for cybercriminals’ scams and schemes. In March, we spotted scammers using popular brands to lure users into “pinning” fake posts that led to survey scams. This new wave of survey scams I found came from my search using “pinterest” as a keyword.

    Users who re-pin the posts from the sample above will most likely spread the post.

    In addition, I also spotted posts using URL shorteners such as and When clicked, the shortened URLs/the fake posts lead to any of the following URLs:

    • http://pinterest.{BLOCKED}
    • http://pinterestgift.{BLOCKED}
    • http://pinterests.{BLOCKED}

    Upon clicking the link, users are redirected to a Pinterest-like webpage offering prizes, vouchers, gift cards and others:

    Made to resemble a typical Pinterest webpage, the fake site features a search field, “Add+”, and “About”. However, these are mere images and are not clickable. The clickable links are those that redirect to survey scams such as Body Age Quiz.

    After a user fills out the fields required in the scam page, users are also required to enter their mobile numbers. Users who do provide their numbers will receive a code on their mobile phones and will continue to receive unwanted messages, charges and other scams via text message.

    And Via Email, Too

    Another thing I’ve noticed is that the fake site requires an email address:

    Users entering their email addresses are asked to complete several steps to get the supposed offer. Users receive an email claiming to be from Pinterest. The email urges the user to click on the link found in the message body to confirm the subscription. Clicking on the link redirects the user to a Pinterest-like scam page. Again, all the clickable links lead to the same scam pages.

    Upon closer investigation of these attacks, I noticed that before users are redirected to the fake Pinterest sites, the connection passes through ad-tracking sites. This way, the number of visitors is tracked, determining the supposed earnings of the scammers. Based on our data, the fake Pinterest URLs have been visited since May 2. Fake Pinterest posts hosting scams are likely to spread within Pinterest via users who re-pin the posts. The “offers” in these fake Pinterest posts look enticing, after all. Plus, some users would want to ask the rest of the Pinterest community to verify such offers, like this user.

    Pinterest has since removed some of the fake Pinterest posts. Trend Micro users are also protected from these scams by the web reputation technology in our Smart Protection Network™.

    Posted in Social | Comments Off on Bogus Pinterest Pins Lead to Survey Scams

