Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Recent Posts

  • Calendar

    August 2014
    S M T W T F S
    « Jul    
  • About Us
    TrendLabs Security Intelligence Blog(breadcrumbs are unavailable)

    Author Archive - Paul Pajares (Fraud Analyst)

    With the 2012 Olympics officially closed, it’s worth looking back at the types of online scams we saw that tried to exploit the good name of the Olympics for illegal profit.

    We saw two primary lures for Olympic scams: fake streaming sites, and tickets for sale. These two scams accounted for approximately two-thirds of Olympic-related malicious sites that were encountered in the months of July and August. Other scams encountered included fake mobile apps, illegal TV cards, fraudulent goods, and typosquatting sites.

    Fake streaming sites

    • The primary purpose of these fake live streaming sites was, supposedly, to offer discounts for satellite TV for PC scams. In general, the sites let users click on fake video players, but clicking on these links instead redirects them to the said scam via legitimate (but abused) URL shorteners like The scammers use this to generate web analytics for their sites. To promote these, events on Facebook are created that link to these scam sites.
    • The events most targeted by streaming scams were: tennis, basketball, and athletics. The men’s and women’s tennis gold medal matches were particularly singled out for attention.
    • Around two-thirds of the sites created for this purpose used generic keywords like London 2012 Olympics. 17% of the sites were tied in to one match/event, while 8.6% tied to the opening or closing ceremonies. The total number of fake streaming sites was over 300.
    • Some of the most used keywords for fake live streaming sites were:
      Key Word Percentage
      2012 79%
      Olympics 67%
      live 63%
      London 46%
      stream 43%
      watch 23%

    Read the rest of this entry »

    Posted in Bad Sites | Comments Off

    Despite the presence of the legitimate Google Play app store, cybercriminals are still hooking users by distributing malicious Android games themselves. Now, they’re taking advantage of a list of best-selling Android games.

    As before, the criminals have created .RU domains for each Android game they’re (supposedly) distributing. Links to these domains will spread via forum or blog posts, as well as email. Here’s a full list of the games that are being used by this new wave of mobile malware:

    If you look closely at the above list, you can see the wide selection of targeted apps. These include newly developed games like Cut the Rope: Experiments and Amazing Alex; Editor’s Choice apps like World of Goo, Shadowgun, Sprinkle, Where’s My Water, Osmos HD, Riptide GP and Angry Birds Space Premium. Many of these are top sellers as well.

    Aside from best-selling games, some popular movie franchises like The Amazing Spiderman and The Dark Knight Rises are also being exploited, even if the actual games themselves don’t exist. Here’s the page for the supposed Spiderman game:

    All of the download links in these pages actually redirect users to a separate site, where the malicious APK files are actually hosted. Some of the sites in question also include QR codes, although these lead to the same files. (We detect these files as ANDROIDOS_SMSBOXER.B.) This particular malware family is notorious for abusing premium services numbers, which may result in high phone charges for the user.

    Trend Micro customers are now protected by blocking the malicious URLs and detecting the files via the Smart Protection Network. In particular, Trend Micro Mobile Security for Android also detects these malicious apps, preventing their installation on mobile devices.

    As we mentioned earlier, these particular attacks against Russian Android users are not new. Previous attacks have claimed they were websites for Angry Birds Space, Farm Frenzy 3 and Temple Run. (We have compiled a Web Attack entry discussing these threats as well.)

    Posted in Bad Sites, Malware, Mobile | Comments Off

    The ongoing 2012 UEFA European Championship is the latest sporting event used by cybercriminals to lure users into their malicious schemes. So far, we have uncovered a malicious site with a domain name that copies the official UEFA Euro 2012 site and web pages leading to survey scam pages and ad tracking sites.

    Malicious Domain Hosts Multiple Threats

    While conducting proactive research, we spotted the site {BLOCKED}, which tried to mimic the official site Upon our investigation, this site actually hosts several malware, once of which is the FAKEAV variant TROJ_FAKEAV.HUU. Once executed in the system, this malware displays a supposed scan result of the infected system. This may prompt users to purchase the bogus antivirus program and activate the said product.

    Read the rest of this entry »

    Posted in Bad Sites, Malware, Social, Spam | Comments Off

    The continuing increase in visitors to the Pinterest site may be a primary reason why it’s becoming a hit for cybercriminals’ scams and schemes. In March, we spotted scammers using popular brands to lure users into “pinning” fake posts that led to surveys scams. This new wave of survey scams I found came from my search using “pinterest” as keyword.

    Users who re-pin the posts from the sample above will most likely spread the post.

    In addition, I also spotted posts using URL shorteners such as and When clicked, the shortened URLs/the fake posts lead to any of the following URLs:

    • http://pinterest.{BLOCKED}
    • http://pinterestgift.{BLOCKED}
    • http://pinterests.{BLOCKED}

    Upon clicking the link, users are redirected to a Pinterest-like webpage offering prizes, vouchers, gift cards and others:

    Made to resemble like a typical Pinterest webpage, the fake site features a search field, add+, an about. However, these are mere images and are not clickable. The clickable links are those that redirect to survey scams such as Body Age Quiz.

    After a user fills out the fields required in the scam page, users are also required to enter their mobile numbers. Users who do provide their numbers will receive a code on their mobile phones and will continue to receive unwanted messages, charges and other scams via text message.

    And Via Email, Too

    Another thing I’ve noticed is that the fake site requires an email address:

    Users entering their email addresses are brought to complete several steps to get the supposed offer. Users receive an email claiming to be from Pinterest. The email urges the user to click on the link found in the message body to confirm the subscription. Clicking on the link redirects the user to a Pinterest-like scam page. Again, all the clickable links lead to the same scam pages.

    Upon closer investigation of these attacks, I noticed that before users are redirected to the fake Pinterest sites, the connection passes through ad-tracking sites. This way, the number of visitors are tracked, determining the supposed earnings of the scammers. Based on our data, the fake Pinterest URLs are being visited since May 2. Fake Pinterest posts hosting scams are likely to spread within Pinterest via users who re-pin the posts. The “offers” in these fake Pinterest posts look enticing after all. Plus, some users would want to ask the rest of the Pinterest community to verify such offers, like this user.

    Pinterest has since removed some of the fake Pinterest posts. Trend Micro users are also protected from these scams by the web reputation technology in our Smart Protection Network™.

    Posted in Social | Comments Off

    We’ve recently found a server that hosts a great number of sites that are used to launch mobile malware, targeting Android OS and Symbian (specifically the J2ME platform).

    The server, located in Germany, is managed by a hosting provider known as a haven for cyber criminals.

    We found a total of 1,351 websites hosted on the said server and categorize the sites into five segments based on the type of guise they use for the distributed malware:

    • Android Market apps
    • Opera Mini/ Phone Optimizer apps
    • Pornographic apps (sites were unavailable during time of checking)
    • App storage sites
    • Others (sites that were inaccessible during time of checking)

    As for the unavailable sites, it seems that the attacker is still setting them up, or has permanently taken them down. The domains listed under App storage sites, which hosts Apps featured in the other domains, are inaccessible. However, the hosted Apps were still up thus making them available for download through the Android Market App and the Opera Mini/Photo Optimizer App sites.

    The sites under Android Market apps displayed a website very much similar to the legitimate one. They feature popular applications like WhatsApp, Facebook, Facebook Messenger, Barcode Scanner, Skype, Google Maps, Gmail, YouTube, and others. The files downloaded from such sites are now detected as ANDROIDOS_FAKENOTIFY.A.

    On the other hand, the sites that feature download links for Opera Mini and Phone Optimizer lead to J2ME_SMSSEND.E - a malware that can run on devices that support MIDlets.

    Read the rest of this entry »



    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice