TrendLabs Security Intelligence Blog
    Author Archive - Ralph Hernandez (Fraud Analyst)




    Trend Micro fraud analysts recently came across spammed messages targeting customers of Fifth Third Bank. The messages urged recipients to log in through a temporary link, http://www.53.com.{BLOCKED}.com.pl/wpserver/cmportal/cblogin.php?session=667882698791972326077742654898739&email=p2t2all@tacobell.com, in order to download and install a digital certificate that would supposedly reinforce the bank’s security. Note how the hostname is built: it begins with the bank’s real domain name, 53.com, but those are only leading labels; the domain actually registered is the .com.pl one that follows, so the link goes nowhere near the bank. The query string also carries a session token and the recipient’s own email address. Clicking the link led to a phishing page that prompts for the user name and password, the usual way of tricking users into handing over their credentials, which are then used for further fraud or sold in underground forums.

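The hostname trick described above, checked the way an analyst would check a link, as an added example (this is not code from the original post). It uses a tiny hand-picked stand-in for the Public Suffix List, a one-entry brand list, and the constructed hostname www.53.com.phish-example.com.pl in place of the {BLOCKED} one from the spam; those three things are assumptions, while the query string is the one quoted in the post.

```python
"""Look-alike hostname check for a phishing link (added example).

Assumptions: PUBLIC_SUFFIXES is a tiny stand-in for the Public Suffix
List, BRAND_DOMAINS is a hand-picked brand list, and the hostname
www.53.com.phish-example.com.pl is a constructed stand-in for the
{BLOCKED} one in the spam.
"""
from urllib.parse import urlsplit, parse_qs

# Assumption: a hand-picked subset of the Public Suffix List. Multi-label
# suffixes must be present, otherwise "x.com.pl" would be cut at "pl".
PUBLIC_SUFFIXES = {"com", "pl", "com.pl", "co.uk", "me.uk", "eu", "me", "co"}

# Assumption: brand domains the check protects (53.com is the bank's
# real domain, which is why the spam put it first in the hostname).
BRAND_DOMAINS = {"53.com"}


def registrable_domain(host: str) -> str:
    """Registrable domain = one label above the longest matching suffix."""
    labels = host.lower().rstrip(".").split(".")
    for n in range(len(labels) - 1, 0, -1):      # longest suffix first
        if ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return ".".join(labels[-2:])                  # unknown TLD: last two


def _contains_run(seq, sub):
    """True if list `sub` occurs as a contiguous run inside list `seq`."""
    return any(seq[i:i + len(sub)] == sub
               for i in range(len(seq) - len(sub) + 1))


def analyse_link(url: str) -> dict:
    """Split a link into what an analyst looks at: the registrable domain,
    any brand name smuggled into the leading labels, and what the query
    string reveals about the recipient."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reg = registrable_domain(host)
    labels = host.split(".")
    # Labels that sit in front of the registrable domain are the
    # attacker's to choose; a brand domain there is the prefix spoof.
    prefix = labels[:len(labels) - len(reg.split("."))]
    spoofed = sorted(b for b in BRAND_DOMAINS
                     if b != reg and _contains_run(prefix, b.split(".")))
    qs = parse_qs(parts.query)
    return {
        "host": host,
        "registrable_domain": reg,
        "brand_legit": reg in BRAND_DOMAINS,
        "spoofed_brand": spoofed,
        "session_token": qs.get("session", [None])[0],
        "tagged_email": qs.get("email", [None])[0],
    }


if __name__ == "__main__":
    # Constructed stand-in for the spam link (query string as in the post).
    spam = ("http://www.53.com.phish-example.com.pl/wpserver/cmportal/"
            "cblogin.php?session=667882698791972326077742654898739"
            "&email=p2t2all@tacobell.com")
    for u in (spam, "https://www.53.com/"):
        print(analyse_link(u))
```

The check deliberately works on the registrable domain rather than on "does the hostname contain 53.com": the real site www.53.com passes, while anything that puts 53.com in front of another registrable domain is flagged. The suffix table is the weak point; in production, load the full Public Suffix List, or "x.com.pl" style hosts will be split at the wrong label.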

    After signing in, users see a prompt to download the promised certificate, certificate.exe. The file is actually malware that Trend Micro detects as TSPY_ZBOT.SMAP, a ZeuS variant that steals credentials via keylogging. The stolen data, mostly banking-related, is sent to a couple of URLs via HTTP POST. It also stops firewall-related processes to mask its activity.


    Trend Micro™ Smart Protection Network™ already protects users from this attack by detecting and blocking the spammed messages, access to the malicious sites, and the download of the malicious file.

    As an additional precaution, users are advised to be wary of clicking links in suspicious-looking messages, particularly those from unknown senders.




    Trend Micro researchers recently found spam emails crafted to appear to come from the Federal Deposit Insurance Corporation (FDIC). The message tells users to visit the “official” FDIC website (a link provided in the email) to check their deposit insurance coverage.

    Clicking the URL, however, leads to a fake FDIC website where users are asked to download a document, which is in fact an .EXE file detected by Trend Micro as TSPY_ZBOT.AZH.

    TSPY_ZBOT.AZH first downloads a configuration file containing the list of URLs it will monitor, mostly social networking and banking websites. Once the user visits any of the listed sites, it starts logging keystrokes to capture account credentials, compromising the account for the cybercriminals’ later use.

    Here is the list of domains used in this spam wave. Note the structure: they fall into five families whose names differ only in the final character before the TLD, the “character patterns” referred to below:

    • h1erfae.eu
    • h1erfai.eu
    • h1erfaj.eu
    • h1erfaq.eu
    • h1erfar.eu
    • h1erfat.eu
    • h1erfau.eu
    • h1erfaw.eu
    • h1erfay.eu
    • milki1a.co
    • milki1a.me
    • milki1e.me
    • milki1g.me
    • milki1i.co
    • milki1l.co
    • milki1y.me
    • nyuh1awa.eu
    • nyuh1awb.eu
    • nyuh1awc.eu
    • nyuh1awd.eu
    • nyuh1awf.eu
    • nyuh1awg.eu
    • nyuh1awh.eu
    • nyuh1awm.eu
    • nyuh1aws.eu
    • nyuh1awt.eu
    • nyuh1awv.eu
    • nyuh1awx.eu
    • tt1qwa1.eu
    • tt1qwa1.me
    • tt1qwae.eu
    • tt1qwae.me
    • tt1qwaq.co.uk
    • tt1qwaq.eu
    • tt1qwaq.me.uk
    • tt1qwar.co.uk
    • tt1qwar.eu
    • tt1qwar.me.uk
    • tt1qwat.co.uk
    • tt1qwat.eu
    • tt1qwat.me.uk
    • yh1qab.eu
    • yh1qab.me.uk
    • yh1qak.co.uk
    • yh1qak.eu
    • yh1qak.me.uk
    • yh1qal.eu
    • yh1qao.eu
    • yh1qao.me.uk
    • yh1qaz.me.uk

    According to Advanced Threats Researcher Joey Costoya, the people behind this spam attack are the same cybercriminals responsible for other campaigns such as the CapitalOne phishing attack and the Outlook update spam.

    He explained that the characteristics of the domains (fast-flux hosting and recurring character patterns), the URLs (wildcarded subdomains, long URLs) and the binaries (ZeuS) used in the FDIC spam are similar to those of the spam waves mentioned above.

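An added example (not part of the original post) that clusters the domain list above into the families the “character patterns” remark refers to and turns each family into an anchored block pattern. The domain list is the one printed above; the clustering rule (each family differs only in the last character of the label before the public suffix) is an observation about this particular list, and the small suffix table is an assumption. With widen=True the patterns also cover siblings that have not been seen yet, which goes beyond what the post lists.

```python
"""Cluster the FDIC-spam domains into families and emit block patterns
(added example). The domain list is the one from the post; the suffix
table is an assumption, as is the rule that a family differs only in
the last character of the label before the public suffix."""
import re
from collections import defaultdict

DOMAINS = """
h1erfae.eu h1erfai.eu h1erfaj.eu h1erfaq.eu h1erfar.eu h1erfat.eu
h1erfau.eu h1erfaw.eu h1erfay.eu
milki1a.co milki1a.me milki1e.me milki1g.me milki1i.co milki1l.co milki1y.me
nyuh1awa.eu nyuh1awb.eu nyuh1awc.eu nyuh1awd.eu nyuh1awf.eu nyuh1awg.eu
nyuh1awh.eu nyuh1awm.eu nyuh1aws.eu nyuh1awt.eu nyuh1awv.eu nyuh1awx.eu
tt1qwa1.eu tt1qwa1.me tt1qwae.eu tt1qwae.me tt1qwaq.co.uk tt1qwaq.eu
tt1qwaq.me.uk tt1qwar.co.uk tt1qwar.eu tt1qwar.me.uk tt1qwat.co.uk
tt1qwat.eu tt1qwat.me.uk
yh1qab.eu yh1qab.me.uk yh1qak.co.uk yh1qak.eu yh1qak.me.uk yh1qal.eu
yh1qao.eu yh1qao.me.uk yh1qaz.me.uk
""".split()

# Assumption: only the public suffixes that occur in the list above.
PUBLIC_SUFFIXES = {"co.uk", "me.uk", "eu", "me", "co"}


def split_suffix(domain):
    """Return (label before the suffix, suffix), two-label suffixes first."""
    labels = domain.lower().split(".")
    for n in (2, 1):
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return labels[-(n + 1)], ".".join(labels[-n:])
    raise ValueError("unknown public suffix: " + domain)


def cluster(domains):
    """Group domains by stem (the label minus its last character)."""
    fam = defaultdict(lambda: {"chars": set(), "suffixes": set(), "members": []})
    for d in domains:
        label, suffix = split_suffix(d)
        f = fam[label[:-1]]
        f["chars"].add(label[-1])
        f["suffixes"].add(suffix)
        f["members"].append(d)
    return dict(fam)


def family_patterns(domains, widen=False):
    """One anchored regex per family. widen=True accepts any final
    character, catching siblings not yet observed, at the cost of more
    false positives on an unrelated domain that happens to share the stem."""
    pats = {}
    for stem, f in cluster(domains).items():
        if widen:
            cls = "[a-z0-9]"
        else:
            cls = "[" + "".join(re.escape(c) for c in sorted(f["chars"])) + "]"
        sfx = "|".join(re.escape(s) for s in sorted(f["suffixes"]))
        pats[stem] = "^" + re.escape(stem) + cls + r"\.(" + sfx + ")$"
    return pats


def matcher(domains, widen=False):
    """Return a predicate telling whether a host belongs to any family."""
    compiled = [re.compile(p) for p in family_patterns(domains, widen).values()]
    return lambda host: any(p.match(host.lower()) for p in compiled)


if __name__ == "__main__":
    for stem, pat in family_patterns(DOMAINS).items():
        print(stem + ": " + pat)
```

Five families come out (h1erfa, milki1, nyuh1aw, tt1qwa, yh1qa). The strict patterns are safe to push to a blocklist as-is; the widened ones trade precision for coverage of the next registration in the series, which is what a fast-flux operator registering domains in bulk tends to produce.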
    As we always say, do not open unsolicited and suspicious-looking emails such as those shown above. Trend Micro customers are protected by the Smart Protection Network. Non-product users can use HouseCall, Trend Micro’s on-demand scanner, to identify and remove viruses, Trojans, worms, unwanted browser plugins and other malware.

    Posted in Malware, Spam



    A phishing email that uses a novel-sounding concept can sound alarming enough to get unsuspecting users to click the links and land themselves in danger.

    The Trend Micro Content Security team recently came across a Bank of America phishing site that tells users their online account was recently “logged on from an unregistered computer using a foreign IP without an International Access Code (IAC).” Here’s a screenshot:


    Figure 1. Newly discovered page warning the user of a possible intruder attempt at accessing his/her accounts.

    When the verification link is clicked, the page opens a new window containing the phishing page. Users who have fallen for the breach alert will be only too willing to enter their credentials into the login page, which is, of course, entirely fake. Here is a screenshot of the phishing page:


    Figure 2. The verification link in Figure 1 leads to this Bank of America phishing page.

    A familiar but still effective technique lends false credibility to this attack: address bar spoofing to hide the real phishing URL. As the screenshot below shows, checking the Properties of the phishing page (right-click anywhere on the page, then click Properties) reveals that the real URL differs from the one shown in the address bar. The Properties dialog reports the URL the browser actually loaded, which page content cannot alter; the address the window appears to display is under the attacker’s control.


    Figure 3. The URL of the phishing page in Figure 2 is fake. Here we see the real phishing URL in the page’s Properties section.

    Users are reminded that a bank does not ask customers to “verify” their account by entering credentials on a page reached through an unsolicited alert. Although we have yet to see specific spam messages pointing to the site in Figure 1, an attack leveraging these made-up sites will not be long in coming. Trend Micro Smart Protection Network already blocks this phishing Web site.




    Trend Micro Content Security recently came across an all-in-one attack involving a fake postcard, a phishing site and, of course, malware.

    A fake postcard launcher was found posing as Gusanito, one of the most popular Mexican greeting card services.

    After users click the link, the browser is sent to a Web site that prompts them to enter their email address.

    The users then receive an email message with a link to a fake Hotmail login page at the phishing site hxxp://{BLOCKED}/essonicman/f4k3z/1/iniciosecion.php?

    Upon entering their account information, the user is redirected to a fake postcard site, hxxp://{BLOCKED}/essonicman/f4k3z/1/Wippo-Amistad-Magica.exe, which serves the malicious file Wippo-Amistad-Magica.exe, detected by Trend Micro as TROJ_QHOST.HQ. This Trojan overwrites entries in the HOSTS file of the victim PC so that requests for certain Web sites, such as www.banamex.com and www.bancomer.com, are redirected. Because the resolver consults the HOSTS file before querying DNS, the redirection works no matter which DNS servers the victim uses, and it persists until the file is cleaned.

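A HOSTS file audit of the kind this Trojan calls for, as an added example (not code from the original post). The sample file content is constructed to look like a file a QHOST-style Trojan has edited; the watchlist names are the two from the post, while the 192.0.2.x and 10.x addresses and the .test names are assumptions.

```python
"""HOSTS file audit for hijacked banking names (added example).
SAMPLE_HOSTS is constructed to look like a file edited by a QHOST-style
Trojan; the watchlist is taken from the post, and the addresses are
RFC 5737 documentation / RFC 1918 private ranges (assumptions)."""
import ipaddress
import os

# Names from the post that the Trojan redirected.
WATCHLIST = {"www.banamex.com", "www.bancomer.com"}

# Names a stock hosts file legitimately maps to loopback.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
               "ip6-localhost", "ip6-loopback"}

# Constructed sample: stock entries plus lines appended by the Trojan.
SAMPLE_HOSTS = """\
# stock entries
127.0.0.1       localhost
::1             localhost
192.0.2.10      www.banamex.com
192.0.2.10      www.bancomer.com   # appended by the Trojan
127.0.0.1       updates.example-av.test
10.0.0.5        intranet.corp.test
"""


def parse_hosts(text):
    """Yield (line_no, ip, name) for every mapping; comments and
    malformed lines are skipped, multiple names per line are expanded."""
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        for name in parts[1:]:
            yield no, ip, name.lower()


def audit_hosts(text, watchlist=WATCHLIST):
    """Return (line_no, name, ip, verdict) for suspicious entries.

    HIJACK : watched name sent to a real address (credential theft)
    BLOCKED: watched name sent to loopback/0.0.0.0 (site made unreachable)
    REVIEW : any other name sent to a real address
    Loopback mappings of other names are ignored here: ad-blocking hosts
    files use them legitimately, so they need a separate policy."""
    findings = []
    for no, ip, name in parse_hosts(text):
        sinkhole = ip.is_loopback or ip.is_unspecified
        if name in watchlist:
            findings.append((no, name, str(ip), "BLOCKED" if sinkhole else "HIJACK"))
        elif not sinkhole and name not in LOCAL_NAMES:
            findings.append((no, name, str(ip), "REVIEW"))
    return findings


def default_hosts_path():
    """Location of the live hosts file on Windows or Unix-like systems."""
    if os.name == "nt":
        root = os.environ.get("SystemRoot", r"C:\Windows")
        return os.path.join(root, "System32", "drivers", "etc", "hosts")
    return "/etc/hosts"


if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        print("line %d: %-28s -> %-12s %s" % f)
```

To run it against a live machine, read default_hosts_path() and pass the text to audit_hosts() with the bank domains your users actually visit as the watchlist. Any HIJACK line means traffic for that bank name has been leaving the box to an address the attacker chose, regardless of DNS, since the file was modified.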
    Trend Micro Web Threat Protection (WTP) already blocks all the malicious URLs.

    Posted in Mobile



    Trend Micro uncovered another phishing Web site that attempts to steal confidential credit card information.

    Below is a screenshot of the Web site:

    Phishing Web site screenshot

    The URL spoofs the Royal Bank of Canada’s official Web site by manipulating the domain string: it uses a variation on the real domain name (“banking” instead of “bank”) to make users believe they are on the bank’s own site.

    The look-alike URL only masks the actual phishing URL: the page is a shell whose frame loads its content from another source, and it is that frame source URL that collects account-related information, such as credit card numbers and account passwords, from affected users.

    What is interesting about this attack is that when the first frame source URL is blocked, a second one is used; the next time the phishing site is visited, it already loads a different frame source URL. This is a deliberate approach to circumventing URL blocking, and a reminder that the look-alike landing domain needs blocking as well as whatever frame source is current.

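The frame-shell structure described above, pulled apart the way an analyst would when deciding what to block, as an added example (not code from the original post). The page URL and HTML are constructed to match the structure the post describes; the examplebank/examplebanking names and the 198.51.100.7 address are assumptions, not the real sites.

```python
"""Frame-source extraction for a look-alike phishing page (added example).
SAMPLE_PAGE_URL / SAMPLE_HTML are constructed to match the structure the
post describes; the examplebank/examplebanking names and the 198.51.100.7
address (RFC 5737) are assumptions, not the real sites."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed look-alike: "banking" where the real brand has "bank".
SAMPLE_PAGE_URL = "http://www.examplebanking.test/online/"
SAMPLE_HTML = """<html><head><title>Online Banking Sign In</title></head>
<frameset rows="100%">
  <frame src="http://198.51.100.7/~drop/login.php" name="main">
  <noframes><iframe src="/local/help.html"></iframe></noframes>
</frameset></html>"""


class FrameCollector(HTMLParser):
    """Collect the src attribute of every frame and iframe element."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag in ("frame", "iframe"):
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src)


def frame_sources(page_url, html):
    """Absolute URLs of all frames, resolved against the page URL."""
    p = FrameCollector()
    p.feed(html)
    return [urljoin(page_url, s) for s in p.sources]


def offhost_frames(page_url, html):
    """Frames whose content comes from a host other than the page's own.
    On a phishing shell this is the URL that actually takes the data."""
    page_host = (urlsplit(page_url).hostname or "").lower()
    return [u for u in frame_sources(page_url, html)
            if (urlsplit(u).hostname or "").lower() != page_host]


def lookalike(host, brand_label, brand_domain):
    """True if host is not under brand_domain but one of its labels
    embeds the brand's label (examplebanking vs examplebank)."""
    h = host.lower()
    if h == brand_domain or h.endswith("." + brand_domain):
        return False
    return any(brand_label in label for label in h.split("."))


def blocklist_for(page_url, html):
    """Hosts to block: the landing host itself plus every off-host frame.
    Blocking only the frame source is not enough once the operator
    starts swapping it, so the landing host is always included."""
    hosts = {(urlsplit(page_url).hostname or "").lower()}
    hosts.update((urlsplit(u).hostname or "").lower()
                 for u in offhost_frames(page_url, html))
    return sorted(hosts)


if __name__ == "__main__":
    print(offhost_frames(SAMPLE_PAGE_URL, SAMPLE_HTML))
    print(blocklist_for(SAMPLE_PAGE_URL, SAMPLE_HTML))
    print(lookalike("www.examplebanking.test", "examplebank", "examplebank.test"))
```

Run against a captured copy of the landing page, the off-host frame is the collector to block immediately, and blocklist_for() adds the landing host so a swapped-in second frame source does not simply revive the attack. The lookalike() check is the generalisation of the “banking” versus “bank” trick: a brand label embedded in a longer label of a domain the brand does not own.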
    Furthermore, the domain used by this phishing Web site was registered for just one year. On its own a short registration is not proof of anything, since plenty of legitimate sites renew annually, but it fits a throwaway domain better than a bank that intends to operate for the long term.

    As of this writing, Trend Micro customers are protected from this phishing attack, with the said frame sources already blocked by our products, preventing them from redirecting unknowing users to other phishing Web sites.

    Posted in Mobile

    © Copyright 2013 Trend Micro Inc. All rights reserved.