We’ve recently found a server that hosts a great number of sites that are used to launch mobile malware, targeting Android OS and Symbian (specifically the J2ME platform).

The server, located in Germany, is managed by a hosting provider known as a haven for cyber criminals.

We found a total of 1,351 websites hosted on the said server and categorize the sites into five segments based on the type of guise they use for the distributed malware:

• Android Market apps
• Opera Mini/ Phone Optimizer apps
• Pornographic apps (sites were unavailable during time of checking)
• App storage sites
• Others (sites that were inaccessible during time of checking)

As for the unavailable sites, it seems that the attacker is still setting them up, or has permanently taken them down. The domains listed under App storage sites, which hosts Apps featured in the other domains, are inaccessible. However, the hosted Apps were still up thus making them available for download through the Android Market App and the Opera Mini/Photo Optimizer App sites.

The sites under Android Market apps displayed a website very much similar to the legitimate one. They feature popular applications like WhatsApp, Facebook, Facebook Messenger, Barcode Scanner, Skype, Google Maps, Gmail, YouTube, and others. The files downloaded from such sites are now detected as ANDROIDOS_FAKENOTIFY.A.

On the other hand, the sites that feature download links for Opera Mini and Phone Optimizer lead to J2ME_SMSSEND.E - a malware that can run on devices that support MIDlets.

Read the rest of this entry »

Looking for cheaper iPhone 4S this holiday season? Be wary, because cybercriminals can trick you into giving out your online financial credentials. We’ve recently found a phishing attack that specifically targets users who are out to purchase an iPhone 4S through eBay.

The attack involves domains that display replicated eBay posts for iPhone 4S units. The screenshots below show a sample of the fake page, and the original eBay post from which the content was copied.

There are some differences between the two pages. For example, the real post uses US dollar as its currency, while the fake post uses Euro. The price in the fake one is also dramatically cheaper. You’ll also notice that the post the cybercriminals chose to replicate is one by a seller with a good reputation, to gain the trust of potential victims.

The fake eBay pages are hosted on domains that are followed by /www.ebay.ie/ in order to trick users into thinking that it is the real eBay domain. All the links in the fake page will lead to the legitimate one, except for the “Buy It Now“. Clicking “Buy It Now” leads to a fake login page that asks users to enter personal information.

Read the rest of this entry »

We were recently alerted to the reports of an attack leveraging a vulnerability in TimThumb — a PHP script for cropping, zooming, and resizing Web images (.JPG,.PNG, .GIF) and used as an add-on script on WordPress. The said vulnerability enables cybercriminals to perform local file insertion. When successfully exploited, it inserts a PHP script, which may be used for other data hacks.

The vulnerability was first discovered last August and has affected at least over 1.2 million websites.

Based on our analysis, exploiting the said vulnerability allows an attacker to insert a file into the target site’s Web servers. In the attacks we’ve seen, affected websites were injected with PHP scripts hosted in sites that have strings such as flickr.com, picasa.com, wordpress.com, and img.youtube.com.

Note that the URLs used to host the PHP scripts are not related to Flickr, Picasa, WordPress, or YouTube. The exploit includes those strings to bypass TimThumb’s validation process. It turns out that TimThumb looks for media hosting sites strings before allowing the upload to go through.

Read the rest of this entry »

Web Reputation Services (WRS) encountered spammed malicious shortened URLs on Twitter that appear to contain a .JPEG file from a Facebook domain. The said .JPEG file is, in fact, not a picture file but an executable file already detected by Trend Micro as WORM_KOLAB.SMQX. Searching for the image file using Twitter‘s search function reveals an updated list of users who Tweeted the same malicious link.

Clicking the links redirect to a shortened Twitter URL (http://t.co). Most of these Twitter users are from Indonesia. To lure users to click the URL, cybercriminals incorporated Facebook.com into the link where the malicious file is hosted. Upon clicking the said link, the unwitting user is led to facebook.com.{BLOCKED}e-505.tk . It contains the downloadable file http://{BLOCKED}f.by /images/news/Photo-G05971.jpeg.exe, which is included in the frame set of facebook.com.{BLOCKED}e-505.tk. Since September 2 2011, approximately 600 Tweets using the same link have been posted.

When users post a Tweet, it is followed by the malicious link, http://www.facebook.com.{BLOCKED}e-505.tk/Photo-G05971.jpeg, with the text “hahaha!!!” It is also used in the re-Tweet and reply feature of Twitter.

Read the rest of this entry »

We recently analyzed a Facebook spam that supposedly came from media organization, British Broadcasting Corporation (BBC). This reminded us of how cybercriminals used social networking site, LinkedIn, early last month.

The attack starts with a wall post with the subject, BREAKING: Lady Gaga Found Dead in Hotel Room, and a link to the legitimate site, www.bbc.co.uk, as well as a description that says, “This is the most awful day in the US history.”

This lured users with a video that was supposedly hosted on BBC’s site. Clicking the link in this wall post, however, actually redirected users to a malicious site.

Read the rest of this entry »