    Author Archive - Paul Pajares (Fraud Analyst)

    We were recently alerted to the reports of an attack leveraging a vulnerability in TimThumb — a PHP script for cropping, zooming, and resizing Web images (.JPG,.PNG, .GIF) and used as an add-on script on WordPress. The said vulnerability enables cybercriminals to perform local file insertion. When successfully exploited, it inserts a PHP script, which may be used for other data hacks.

    The vulnerability was first discovered last August and has affected over 1.2 million websites.

    Based on our analysis, exploiting the said vulnerability allows an attacker to insert a file into the target site’s Web servers. In the attacks we’ve seen, affected websites were injected with PHP scripts hosted in sites that have strings such as,,, and

    Note that the URLs used to host the PHP scripts are not related to Flickr, Picasa, WordPress, or YouTube. The exploit includes those strings to bypass TimThumb’s validation process: TimThumb looks for media-hosting site strings in the URL before allowing the upload to go through.
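    An added illustration of the validation weakness described above (not TimThumb’s own code and not from the original post, written in Python rather than TimThumb’s PHP): a substring check for media-hosting names, beside a hostname-based check that rejects the same inputs. The allowlist and sample URLs are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed allowlist mirroring the media-hosting names the post mentions;
# this is an assumption for the example, not TimThumb's real list.
ALLOWED_HOSTS = {"flickr.com", "picasa.com", "wordpress.com", "youtube.com"}


def weak_is_allowed(url: str) -> bool:
    """Substring check of the kind the post describes: a URL passes if it
    merely contains an allowed name anywhere (path, query, or user-info)."""
    return any(name in url for name in ALLOWED_HOSTS)


def strict_is_allowed(url: str) -> bool:
    """Hardened check: parse the URL and compare the actual hostname (or a
    subdomain of an allowed host) against the allowlist; reject all else."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return False
    return any(host == name or host.endswith("." + name) for name in ALLOWED_HOSTS)


# Constructed sample URLs: one legitimate image, and several ways an allowed
# name can appear in a URL whose real host is attacker-controlled.
SAMPLES = {
    "http://farm1.flickr.com/photo.jpg": True,
    "http://attacker.example/flickr.com/shell.php": False,  # name only in the path
    "http://flickr.com.attacker.example/x.php": False,      # name as a subdomain label
    "http://flickr.com@attacker.example/x.php": False,      # name in the user-info part
    "http://attacker.example/?youtube.com": False,          # name only in the query
}


def compare(samples=SAMPLES):
    """Return {url: (weak_result, strict_result, should_allow)} so the two
    checks can be compared against the intended decision for each URL."""
    return {u: (weak_is_allowed(u), strict_is_allowed(u), ok) for u, ok in samples.items()}
```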



    Web Reputation Services (WRS) encountered spammed malicious shortened URLs on Twitter that appear to contain a .JPEG file from a Facebook domain. The said .JPEG file is, in fact, not a picture file but an executable file already detected by Trend Micro as WORM_KOLAB.SMQX. Searching for the image file using Twitter’s search function reveals an updated list of users who Tweeted the same malicious link.

    Clicking the links redirects to a shortened Twitter URL ( Most of these Twitter users are from Indonesia. To lure users into clicking the URL, cybercriminals incorporated into the link where the malicious file is hosted. Upon clicking the said link, the unwitting user is led to{BLOCKED} . It contains the downloadable file http://{BLOCKED} /images/news/Photo-G05971.jpeg.exe, which is included in the frame set of{BLOCKED} Since September 2, 2011, approximately 600 Tweets using the same link have been posted.


    When users post a Tweet, it is followed by the malicious link,{BLOCKED}, with the text “hahaha!!!” It is also used in the re-Tweet and reply feature of Twitter.



    We recently analyzed a Facebook spam that supposedly came from the media organization British Broadcasting Corporation (BBC). This reminded us of how cybercriminals used the social networking site LinkedIn early last month.

    The attack starts with a wall post with the subject, BREAKING: Lady Gaga Found Dead in Hotel Room, and a link to the legitimate site,, as well as a description that says, “This is the most awful day in the US history.”

    This lured users with a video that was supposedly hosted on BBC’s site. Clicking the link in this wall post, however, actually redirected users to a malicious site.



    We were recently able to analyze a certain attack that compromised numerous e-commerce websites in order to steal credit card information from potential customers.

    The affected websites were found using osCommerce, an open source e-commerce solution that allows users to easily manage their online shops.

    Based on our analysis, more than 90,000 pages were compromised. The attackers inserted an iframe that leads to certain URLs in each of these sites, triggering several redirections. The redirections finally lead to an exploit kit that abuses the following vulnerabilities in an attempt to download a malicious file onto systems:

    Successful exploitation of the above-mentioned vulnerabilities triggers a connection to another URL in order to download a final payload that we now detect as TROJ_JORIK.BRU. This malware searches for Internet caches, cookies, and histories in order to steal login credentials and other data used for specific websites, usually banks and other financial institutions. TROJ_JORIK.BRU then forwards the stolen information to specific websites.

    Customers as the Biggest Target

    This attack greatly affects not only the site owners whose businesses get disrupted by a compromise. Even worse, it attacks their potential customers who get their credit card information stolen just for visiting a supposedly trusted site. As Trend Micro threat response engineer Karl Dominguez observes, “This attack is quite efficient. It specifically targets users who visit e-commerce sites since they are the ones most likely to have gone shopping online before and are more likely to have their credit card information stored in their systems.”

    The attacker also seemed to use the “get it and go” approach, as he immediately deleted the malicious file after execution. “This is not like ZeuS attacks wherein the malware hides in the system for continuous monitoring. The malware just executes, takes the information that it wants to steal, then deletes itself. This may be done to prevent detection by the victims,” Dominguez explains.



    Everyone’s talking about the upcoming iCloud, Apple’s newest cloud service offering. From Steve Jobs’ announcement earlier this month at the annual “Worldwide Developers Conference (WWDC)” to the recent Apple trademark lawsuit, iCloud is easily one of today’s fast-rising topics. In the course of our research, we discovered several cybercriminal attempts to peddle FAKEAV malware by taking advantage of the “iCloud” keyword.

    Cybercriminals typically use search engine optimization (SEO) poisoning techniques to push malicious URLs that lead to pages hosting FAKEAV malware up the search engine results pages. These blackhat SEO techniques use Google as the referrer to trigger the malicious file download. In this case, the downloaded file, named SecurityScanner.exe, is detected by Trend Micro as TROJ_FAKEAV.HKZ.


    Using the keyword “icloud mymobi” results in a possibly malicious URL. MyMobi appears to be a compromised news site containing gadget information. We previously blocked the site because of malicious activities, but since the site appears to have been cleaned, it is now unblocked. In the image above, the domain has been infected with files with the extension .php3 and riddled with “icloud” as a keyword. In this instance, hackers insert topics containing keywords to gain high page rankings in Google search results as phishing bait, specifically for the rogue antivirus software Windows Antispyware for 2012.


    These URLs are not accessible when typed directly into the address bar; they only show up in Google searches. This is because the URL needs to be referred by Google in order to become accessible. From there, users are redirected to a FAKEAV URL with as top-level domain (TLD). The script for downloading the file is similar to the ones usually used by typical FAKEAV malware.




    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice