
    Author Archive - Paul Pajares (Fraud Analyst)




    We were recently able to analyze a certain attack that compromised numerous e-commerce websites in order to steal credit card information from potential customers.

    The affected websites were found using osCommerce, an open source e-commerce solution that allows users to easily manage their online shops.

    Based on our analysis, more than 90,000 pages were compromised. The attackers inserted into each of these sites an iframe that leads to certain URLs, triggering several redirections. The redirections finally lead to an exploit kit that abuses the following vulnerabilities in an attempt to download a malicious file onto visitors' systems:
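The injected iframes described above are the artifact a site owner can hunt for when cleaning up. The following scanner is an added example and is not Trend Micro's tooling or anything from the osCommerce project: it parses saved HTML pages and flags iframes that are hidden by style, sized near zero, or that load content from a host other than the shop's own. The sample pages, the shop host `shop.example` and the attacker host `attacker.invalid` are constructed placeholders, not indicators from the post.

```python
"""Scan saved HTML pages for injected, hidden iframes.

Added example (not Trend Micro's or osCommerce's code).  The sample pages
and the host names below are constructed placeholders.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# CSS fragments attackers commonly use to keep an injected frame invisible.
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


class IframeCollector(HTMLParser):
    """Collect the attribute dictionary of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _dimension(value):
    """Parse a width/height attribute ('0', '1px', '100%') into an int, or None."""
    m = re.match(r"\s*(\d+)", value or "")
    return int(m.group(1)) if m else None


def suspicious_iframes(html, site_host):
    """Return [(reasons, src), ...] for iframes that look injected.

    An iframe is reported when it is hidden via inline style, is one pixel
    or smaller in either dimension, or points at a host other than site_host.
    """
    collector = IframeCollector()
    collector.feed(html)
    findings = []
    for frame in collector.iframes:
        src = frame.get("src", "")
        reasons = []
        if HIDDEN_STYLE.search(frame.get("style", "")):
            reasons.append("hidden-by-style")
        width, height = _dimension(frame.get("width")), _dimension(frame.get("height"))
        if (width is not None and width <= 1) or (height is not None and height <= 1):
            reasons.append("near-zero-size")
        host = urlparse(src).hostname
        if host and host != site_host:
            reasons.append("off-site-src")
        if reasons:
            findings.append((tuple(reasons), src))
    return findings


def scan_pages(pages, site_host):
    """Scan a {path: html} mapping; return {path: findings} for pages with hits."""
    report = {}
    for path, html in pages.items():
        hits = suspicious_iframes(html, site_host)
        if hits:
            report[path] = hits
    return report


# Constructed sample input: one clean catalog page and one with an injected frame.
SHOP_HOST = "shop.example"

CLEAN_PAGE = """<html><body><h1>Catalog</h1>
<iframe src="https://shop.example/checkout" width="600" height="400"></iframe>
</body></html>"""

INJECTED_PAGE = """<html><body><h1>Catalog</h1>
<iframe src="http://attacker.invalid/in.php" width="1" height="1"
 style="visibility:hidden"></iframe>
</body></html>"""

if __name__ == "__main__":
    pages = {"/index.php": CLEAN_PAGE, "/product.php": INJECTED_PAGE}
    for path, hits in scan_pages(pages, SHOP_HOST).items():
        for reasons, src in hits:
            print(f"{path}: {src} [{', '.join(reasons)}]")
```

Run it over a directory of pages pulled from the web root (or from a crawl of the live site, since server-side injection may only be visible in rendered output). A frame that is both off-site and hidden is the strongest signal; a large, visible off-site frame may be a legitimate payment widget and needs a human look.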

    Successful exploitation of the above-mentioned vulnerabilities triggers a connection to another URL in order to download a final payload that we now detect as TROJ_JORIK.BRU. This malware searches Internet caches, cookies, and browsing histories for login credentials and other data used for specific websites, usually banks and other financial institutions. TROJ_JORIK.BRU then forwards the stolen information to specific websites.

    Customers as the Biggest Target

    This attack greatly affects not only the site owners, whose businesses are disrupted by a compromise. Even worse, it attacks their potential customers, who get their credit card information stolen just for visiting a supposedly trusted site. As Trend Micro threat response engineer Karl Dominguez observes, “This attack is quite efficient. It specifically targets users who visit e-commerce sites since they are the ones most likely to have gone shopping online before and are more likely to have their credit card information stored in their systems.”

    The attacker also seemed to use the “get it and go” approach, as he immediately deleted the malicious file after execution. “This is not like ZeuS attacks wherein the malware hides in the system for continuous monitoring. The malware just executes, takes the information that it wants to steal, then deletes itself. This may be done to prevent detection by the victims,” Dominguez explains.




    Everyone’s talking about the upcoming iCloud, Apple’s newest cloud service offering. From Steve Jobs’ announcement earlier this month at the annual “Worldwide Developers Conference (WWDC)” to the recent Apple trademark lawsuit, iCloud is easily one of today’s fast-rising topics. In the course of our research, we discovered several cybercriminal attempts to peddle FAKEAV malware by taking advantage of the “iCloud” keyword.

    Cybercriminals typically use search engine optimization (SEO) poisoning techniques to push malicious URLs that lead to pages hosting FAKEAV malware up the search engine results pages. These blackhat SEO pages require Google as the HTTP referrer before they run the malicious file download. In this case, the downloaded file, named SecurityScanner.exe, is detected by Trend Micro as TROJ_FAKEAV.HKZ.


    Searching for the keyword “icloud mymobi” returns a possibly malicious URL. MyMobi appears to be a compromised news site carrying gadget information. We previously blocked the site because of malicious activity, but since the site appears to have since been cleaned, it is now unblocked. In the screenshot, the domain mymobi.com has been infected with files carrying the extension .php3 and stuffed with the keyword “icloud”. In this instance, the attackers insert topics containing popular keywords to gain high rankings in Google search results and use them as bait, specifically for the rogue antivirus software Windows Antispyware for 2012.


    These URLs are not accessible by typing them into the address bar; they only work when reached from Google search results. We can say this because the request needs to carry Google as its referrer before the page becomes accessible. From there, the pages redirect users to a FAKEAV URL on a co.cc domain. The script for downloading the file is similar to the ones typically used by FAKEAV malware.
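The referrer gating described above is easy to confirm from an analysis host: request the same URL once without a Referer header and once with a Google referrer, and compare what comes back. The checker below is an added example, not a Trend Micro tool; `urllib_fetch` does the real double fetch, and `simulated_fetch` is a constructed stand-in that mimics the behaviour the post describes (404 for direct visits, redirect to a FAKEAV landing page for Google-referred visits) so the check can run offline. The URLs `poisoned.invalid` and `fakeav-landing.invalid` are placeholders.

```python
"""Detect referrer-gated (cloaked) pages by fetching with and without a
search-engine Referer header.

Added example (not Trend Micro's code).  simulated_fetch and the .invalid
URLs are constructed for the offline demonstration.
"""
import urllib.error
import urllib.request

GOOGLE_REFERRER = "https://www.google.com/"


def urllib_fetch(url, referrer=None, timeout=10):
    """Fetch url once and return (status, final_url, body_prefix).

    Redirects are followed, so final_url reveals where a referrer-gated page
    sends the visitor; the body is truncated to keep the comparison cheap.
    """
    req = urllib.request.Request(url, headers={"User-Agent": "Mozilla/5.0"})
    if referrer:
        req.add_header("Referer", referrer)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.geturl(), resp.read(4096).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, url, ""


def simulated_fetch(url, referrer=None, timeout=10):
    """Constructed stand-in for a poisoned .php3 page (not a real server):
    404 to direct visits, redirect to a FAKEAV landing page when the
    visitor arrives from Google."""
    if referrer and referrer.startswith("https://www.google."):
        return (200, "http://fakeav-landing.invalid/scan.php",
                "<script>/* SecurityScanner.exe downloader */</script>")
    return 404, url, "Not Found"


def simulated_clean_fetch(url, referrer=None, timeout=10):
    """Constructed stand-in for an ordinary page that ignores the referrer."""
    return 200, url, "<html>news article</html>"


def referrer_gate_check(url, fetch=urllib_fetch, referrer=GOOGLE_REFERRER):
    """Fetch url twice and report whether the referrer changed the outcome.

    Status code and final URL are compared rather than the body, so ordinary
    dynamic content (ads, timestamps) does not produce a false positive.
    """
    direct = fetch(url)
    referred = fetch(url, referrer)
    cloaked = direct[0] != referred[0] or direct[1] != referred[1]
    return {"direct": direct, "referred": referred, "cloaked": cloaked}


if __name__ == "__main__":
    # Offline demonstration against the constructed stand-ins.
    for name, fetch in (("poisoned", simulated_fetch), ("clean", simulated_clean_fetch)):
        result = referrer_gate_check("http://poisoned.invalid/icloud.php3", fetch=fetch)
        print(f"{name}: cloaked={result['cloaked']} "
              f"direct={result['direct'][:2]} referred={result['referred'][:2]}")
```

For a live check, call `referrer_gate_check(url)` with the default `urllib_fetch` from an isolated analysis host, since the referred request deliberately lands on the attacker's page. A result where the direct fetch is a 404 and the referred fetch ends on a different host is the pattern in this post.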




    We have seen several kinds of Facebook spam runs in the past, each of which used a different feature of the social networking site to spread. We have seen wall posts, events, and chat messages sending out links that lead to malicious scripts.

    This time, we saw a spam run that uses not only one but all of the above-mentioned Facebook features.

    In this attack, users receive a spam message that asks them to click a URL if they want to see how they will look in 20 years. They then land on a site that asks them to follow certain steps, the first of which is to paste a particular snippet of code into their browser address bar.




    Facebook has expanded its range of service offerings, making the site so much more than a place where users can interact with one another. It has been said several times that Facebook is bound to replace email as a means of communication, as it provides a more convenient way for users to send messages.

    This convenience, however, was also leveraged by cybercriminals in a recent spam run wherein users were urged to download an application called Facebook Messenger. This would supposedly make it easier for them to access messages sent to their Facebook accounts.

    The attack starts with spammed messages that look like a Facebook notification. The email alerts users that a message has been sent to their Facebook account and tells them to click a link to view it. Clicking the link, however, displays a download page for an application called Facebook Messenger.


    The downloaded file, named FacebookMessengerSetup.exe, is malicious and detected as BKDR_QUEJOB.EVL. BKDR_QUEJOB.EVL opens TCP port 1098 to listen for commands sent by a remote attacker. The commands may include updating the malicious file, downloading and executing other malicious files, and starting certain processes. It also queries the system for information such as installed antivirus products and OS version, then sends the gathered data to a certain SMTP server.




    For some time now we’ve been reporting threats targeting Facebook users, most of which result in users unknowingly spreading spammy links to their networks. We’ve seen different social engineering lures used, such as stalker tracker tools, news involving celebrities, and even footage of the recent Japan tragedy.

    These threats usually involve links accompanied by inviting text posted on affected users’ walls. Other users who get tricked into clicking the links unknowingly execute a script, which leads to the very same spammy content being posted from their accounts.

    Recently, however, we saw a different version of this scheme, which leverages a commonly used Facebook feature: Events.

    Instead of posting the spam links in users’ walls where it can easily get lost in the news feed, cybercriminals now use the Events feature to really grab their targets’ attention.

    In this scheme, spammers create an event that will be enticing to many users. For example, we saw one event in a post that said “How to Find Out Who’s Viewing Your Profile.”


    In the post’s More Info field, the spammer puts instructions that invited users must follow to be able to “view” or to “enjoy the service” the post promises, in this case the ability to find out who viewed their profiles. Most of the instructions are ways to promote the event, with the last step being to click a certain shortened link.


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice