
    Author Archive - Rik Ferguson

    Watch a CNN segment where Rik Ferguson briefly talks about this attack

    I just received a Facebook message from a friend; it was a pretty standard one that is beginning to look familiar to a lot of us I am sure.

    Figure 1. Fake Facebook message

    What surprised me, though, was the page that the link led to. On the face of it, it is a very familiar-looking spoofed version of YouTube, complete with bogus comments from “viewers”.

    Figure 2. Fake YouTube website

    Take a second look, though: the link had taken me to a site supposedly hosting a video posted by the same person I had received the Facebook message from. In fact, not only was the malicious landing page displaying his name, it had also pulled the photo from his Facebook profile. A very neat little piece of social engineering.

    Clicking the Install button redirects to a download site for the file setup.exe, which is the new Koobface variant detected as WORM_KOOBFACE.AZ. It is hosted on an IP address in another part of the world, and in the last hour we’ve seen more than 300 unique IP addresses hosting setup.exe, and we’re expecting more. All IP addresses seen hosting the malicious file are now detected as HTML_KOOBFACE.BA.

    Analysis by our engineers reveals that WORM_KOOBFACE.AZ propagates through other social networking sites as well. It first searches for cookies created by the following sites:


    The worm connects to each respective site using the login credentials stored in the gathered cookies. It then searches for the infected user’s friends, who are sent messages containing a link from which a copy of the worm is downloaded. It also sends information to, and receives information from, several servers by connecting to them from the infected machine, which allows hackers to execute commands on the affected machine.

    Users of the Trend Micro Smart Protection Network are protected from this threat, as the URL is blocked and the malicious file is detected. Other users are advised to ignore such messages and to refrain from clicking links in unsolicited messages, even out of curiosity.


    In a second attack, extremely reminiscent of the one that took place this weekend, Facebook users have once again been victimized by cybercriminals. Reports started surfacing this afternoon of yet another rogue Facebook application posting notifications to user profiles that said: (Name on my friend’s list) has just reported you to Facebook for violating our Terms of Service. – This is your official warning! – [Click here to find out why you were reported!] – Request Facebook look at what has happened and rule immediately.

    Figure 1. Facebook notification

    The link in the notification led to an application named “f a c e b o o k – – closing down!!!” which, once installed, would proceed to spam all of the affected user’s friends with the same message. It may also harvest personal information along the way.

    In the short time the account was active, it had enough impact that a Facebook group for victims was created:

    Figure 2. Facebook group

    Surely these two events in a single week mean that it’s about time Facebook reviewed its application hosting policy. Rogue applications with such dubious intent must be prevented from propagating freely within the site. Users are advised to exercise extreme caution when surfing. It’s always good to research first and to ask, as one Facebook user did on Yahoo! Answers:

    Figure 3. Posted question on Yahoo! Answers


    UK Justice Secretary Jack Straw had his web-based email account compromised last Thursday. Jack Straw, former Home Secretary, used a Hotmail account as his sole public email address.

    Figure 1. Jack Straw’s contact information from

    In a variation of a theme currently being used on social networking sites, 419 scammers used the compromised account to send hundreds of email messages to Jack Straw’s constituents and to others in his address book and inbox. The bogus message, purporting to be from Mr. Straw, claimed that he had lost his wallet while in Nigeria promoting a charity called “Empowering Youth to Fight Racism” and asked the recipient if they could help him out by sending $3,000 so he could fly home.

    “It was an issue for constituents, not the government. We are checking all that and I am assured there’s no evidence that confidentiality of constituents was affected,” the MP told the Telegraph newspaper in the UK.

    Aside from the fact that constituent confidentiality was clearly breached, in that their email addresses were all available to, and used by, the hacker, and that any emails in the Hotmail inbox or filed away in online folders would clearly have been visible, it surprises me that he was using Hotmail in the first place. The service is routinely abused by e-criminals for this kind of email scam. Of course, as a past Home Secretary who set up the High Tech Crime Unit, he would have been expected to know better. But the real issue here is: why isn’t the UK Government adopting the same strict guidance given by the US Government: don’t use anything other than a government email address for parliamentary business?

    These accounts are not under the control, security protocols, or jurisdiction of any government IT program; they will not be backed up or indexed by government, and they almost certainly will not be subject to any Freedom of Information request made against government data. In addition, shouldn’t privileged communication between a Member of Parliament and constituents be routinely encrypted, especially given that Identity-Based Encryption services now offer the opportunity to send encrypted email to anyone, with no need for any kind of pre-enrolment or key management?



    Over the weekend, an application of extremely dubious intent was released on Facebook. Called “The Error Check System”, this application appears to be non-destructive, but it spread very quickly and very widely and could in the process have collected thousands, even hundreds of thousands, of personal details.

    The application sent out notifications to Facebook users stating that one of their friends “has faced some errors when checking your profile” and prompted them to click a link to “View the Errors Message.”

    Figure 1. Fake notifications.

    Exploiting users’ fears, uncertainties, and doubts, and of course their trust in their friends, ensured the fast spread of this application during the time it was available on Facebook.

    Facebook applications need to ask the user’s permission first to access the personal information in their profile. A normal Facebook application installer screen looks like this:

    Figure 2. Facebook application installer.

    The “Errors Message” application redesigned the standard content of this screen to appear like the image below, making no mention of seeking permission to access the user’s information and friends list:

    Figure 3. “Errors Message” installer.

    Once the rogue application is “Activated”, or rather installed, and has access to all profile information, the user sees the following screen:

    Figure 4. Note the poor grammar (again).

    The application finally helpfully suggests that the user might want to check friends’ profiles for errors, so in essence, the propagation continues:

    Figure 5. Friends of an affected user may be future victims.

    An interesting side note to this whole affair is what happened on Google search during the time this application was spreading on Facebook. The search term “Error Check System” returned results that were actually pointing to malware and rogue AV applications.

    It appears, then, that the purpose of this Facebook application, other than to steal profile information, is to drive people to Google, where dangerous links are ready and waiting. This seems like another case of Search Engine Optimization (SEO) poisoning.

    Google searches for the string “gmail down” (after a Gmail outage) yielded top results that led to malware earlier this week. This series of attacks again shows that cybercriminals are intent on exploiting the trust users place in search engines and the results they return.

    Note: All images in this blog post come from and were used with permission.



    At about 11pm GMT last night, 24th Feb, I heard people complaining that they were being sent unsolicited instant messages from their friends over a number of networks including Facebook, Google Chat, and AOL Instant Messenger.

    The messages weren’t sent by their friends, but rather by cybercriminals who were using compromised accounts in order to phish for login details and more accounts to compromise. The instant messages looked like this:

    Figure 1. Sample instant message.

    The link was created using the TinyURL service, which shortens complex or difficult-to-remember URLs. Just recently, however, this service was used by cybercriminals to hide the real destinations of their links in spammed messages. Now, TinyURLs are being used in IM-based phishing.

    The obfuscated URL pointed to a phishing site aimed at harvesting login credentials for Google Chat, Facebook, MySpace, MSN, Yahoo, AIM, and ICQ accounts.
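One way to find out where a shortened link actually leads before anyone clicks it, as an added example that is not from the original post: follow the redirect chain with HEAD-style requests only, record every hop, and flag chains that pass through a shortener and land on some other host. The fetcher and the redirect table below are constructed stand-ins for live HTTP responses, and the hostnames are placeholders.

```python
from urllib.parse import urljoin, urlparse

REDIRECT_CODES = {301, 302, 303, 307, 308}

def expand_short_url(url, fetch_head, max_hops=10):
    """Follow Location headers by hand, one HEAD-style request per hop,
    never fetching the final page body. Returns (final_url, hops, reason)
    with reason one of 'ok', 'loop' or 'too_many_hops'."""
    hops, seen, current = [url], {url}, url
    for _ in range(max_hops):
        status, headers = fetch_head(current)
        location = headers.get("Location")
        if status not in REDIRECT_CODES or not location:
            return current, hops, "ok"          # landed on a non-redirect
        nxt = urljoin(current, location)        # Location may be relative
        hops.append(nxt)
        if nxt in seen:
            return nxt, hops, "loop"            # redirect cycle, stop here
        seen.add(nxt)
        current = nxt
    return current, hops, "too_many_hops"

def crosses_shortener(hops, shorteners=("tinyurl.com",)):
    """True when the chain passes through a known shortener and ends on
    some other host, i.e. the visible link hid its real destination."""
    hosts = [urlparse(h).hostname or "" for h in hops]
    return any(h in shorteners for h in hosts[:-1]) and hosts[-1] not in shorteners

# Constructed redirect table standing in for live HTTP responses; the
# hostnames are placeholders, not indicators from the original post.
FAKE_RESPONSES = {
    "http://tinyurl.com/example1": (301, {"Location": "http://login-check.example/im"}),
    "http://login-check.example/im": (302, {"Location": "/verify"}),
    "http://login-check.example/verify": (200, {}),
    "http://tinyurl.com/loop": (301, {"Location": "http://tinyurl.com/loop2"}),
    "http://tinyurl.com/loop2": (302, {"Location": "http://tinyurl.com/loop"}),
}

def fake_fetch_head(url):
    """Stand-in for a real HEAD request (e.g. urllib with redirects disabled)."""
    return FAKE_RESPONSES.get(url, (404, {}))

if __name__ == "__main__":
    for start in ("http://tinyurl.com/example1", "http://tinyurl.com/loop"):
        final, hops, reason = expand_short_url(start, fake_fetch_head)
        print(reason, "->", " => ".join(hops), "| hidden:", crosses_shortener(hops))
```

Swapping `fake_fetch_head` for a function that issues a real HEAD request with automatic redirects disabled turns this into a link-checking step for a mail or IM gateway.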

    Figure 2. Phishing page.

    The compromised accounts would then be used to further IM spamming attacks to harvest yet more accounts, which could then be used for more sinister endeavours.

    We advise anybody who feels concerned that they may have exposed their login credentials to change account passwords as soon as possible. We previously explained password policy in this Trend Micro blog post.



    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice