    Author Archive - Ryan Flores (Senior Threat Researcher)

    Today, personal communication is greatly enabled and enhanced by various messaging apps that provide text messaging, voice calls, photo sharing, and even video chat. These apps are often found in smartphones—devices that have all the features of a desktop computer, plus Wi-Fi, cellular, GPS, and data connectivity.

    Cybercriminals have taken advantage of the convergence of the power of the smartphone and the features of chat apps to lure victims into compromising situations and blackmail them. Our latest paper, Sextortion in the Far East, talks at length about the latest developments concerning online blackmail.

    Sextortion, Old and New

    Sextortion is a form of online blackmail involving persuading a victim into performing sexual acts that are secretly recorded. The attacker then forces the victim to give in to the attacker’s demands by threatening to release the previously recorded acts publicly.

    Previous sextortion incidents had demands that were sexual in nature. Perpetrators would use chat programs to record their victims’ activities and ask for more sexual material as “hush money.” Should victims comply, attackers would often demand more from the victim.

    Our researchers have found that certain gangs in East Asia have improved on the sextortion modus operandi, creating a far more damaging effect on the victims. The new modus operandi involves Android malware that steals the victims’ contact lists and sends them to the attackers. Attackers are then able to contact the victims’ families and friends directly—making for a more intimidating threat.

    Figure 1. Comparison of old sextortion scheme to the new one

    The techniques aren’t the only things that have changed in the modus operandi. Cybercriminals are now asking for money as payment in lieu of sexual favors. Monetization might seem like a more attractive motive for cybercrooks looking to make bank with this type of blackmail.

    Using Data Stealers

    The Android data stealer’s primary purpose is to retrieve and send victims’ contact lists to the cybercriminals, allowing them to make more effective threats.

    Our investigation revealed the use of four Android data stealer families for sextortion. The malware families were classified according to package name. Differences in code and functionality were seen from variant to variant, which suggests ongoing malware development.

    The four variants all contained aggressive techniques. For example, they can intercept and log the victims’ incoming text messages. They can also monitor changes in the infected device’s SMS inbox and prevent victims from receiving new text messages unless they pay up. They can also prevent victims from receiving calls.
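The capabilities listed above (contact-list theft, SMS interception, inbox monitoring, call blocking) each show up as requested permissions and registered receivers in an app’s manifest, which is where a first-pass triage usually starts. The following is an added example, not Trend Micro code and not derived from the samples in the paper: it parses a manifest and scores how many of the described capabilities the requested permissions enable. The permission-to-capability mapping, the receiver-priority threshold and both manifests are assumptions constructed for the demonstration; the post names the behaviours but not the permissions the samples requested.

```python
"""Heuristic manifest triage for the data-stealer capabilities described above.

Added example (not Trend Micro code). The permission-to-capability mapping and the
receiver-priority threshold are assumptions of this example; the post names the
behaviours (contact theft, SMS interception, inbox monitoring, call blocking)
but not the Android permissions the samples requested.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
PRIORITY_ATTR = f"{{{ANDROID_NS}}}priority"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"

# Capability -> permissions that together make it possible (heuristic assumption).
CAPABILITIES = {
    "contact_exfiltration": {"android.permission.READ_CONTACTS", "android.permission.INTERNET"},
    "sms_interception": {"android.permission.RECEIVE_SMS"},
    "sms_inbox_monitoring": {"android.permission.READ_SMS"},
    "call_interference": {"android.permission.READ_PHONE_STATE"},
}
# An SMS receiver registered at or above this priority is worth a look (assumed threshold).
HIGH_PRIORITY = 1000

# Constructed manifests for the demonstration; neither is a real sample.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.chatclone">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application>
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.flashlight">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application/>
</manifest>"""


def parse_manifest(xml_text):
    """Return (requested permissions, SMS_RECEIVED receivers with their priority)."""
    root = ET.fromstring(xml_text)
    permissions = {el.get(NAME_ATTR) for el in root.iter("uses-permission")}
    sms_receivers = []
    for receiver in root.iter("receiver"):
        for intent_filter in receiver.iter("intent-filter"):
            actions = {a.get(NAME_ATTR) for a in intent_filter.iter("action")}
            if SMS_RECEIVED in actions:
                sms_receivers.append({
                    "receiver": receiver.get(NAME_ATTR),
                    "priority": int(intent_filter.get(PRIORITY_ATTR, "0")),
                })
    return permissions, sms_receivers


def assess_manifest(xml_text):
    """Score a manifest by how many of the described capabilities its permissions enable."""
    permissions, sms_receivers = parse_manifest(xml_text)
    found = {cap for cap, needed in CAPABILITIES.items() if needed <= permissions}
    if any(r["priority"] >= HIGH_PRIORITY for r in sms_receivers):
        found.add("high_priority_sms_receiver")
    # Contact theft plus SMS interception is the combination the post singles out;
    # a legitimate messaging app can request both, so this is a review flag, not a verdict.
    verdict = "review" if {"contact_exfiltration", "sms_interception"} <= found else "low"
    return {
        "permissions": sorted(permissions),
        "capabilities": sorted(found),
        "score": len(found),
        "verdict": verdict,
    }


if __name__ == "__main__":
    for label, manifest in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        result = assess_manifest(manifest)
        print(f"{label}: score={result['score']} verdict={result['verdict']} "
              f"capabilities={result['capabilities']}")
```

The score is deliberately a review flag rather than a detection: a genuine messaging client requests contacts and SMS permissions too, so the value of the check is in surfacing the full combination (contacts, SMS receive and read, phone state, and a maximum-priority SMS receiver) for an analyst to look at, not in deciding on its own.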

    Sextortion in the Far East and Beyond

    In-depth investigation of various sextortion scams led us to developers in China tasked with creating malicious apps and sites in Chinese and Korean. But the incidents weren’t limited to these countries. Our investigation also led us to Japan, where we found victims and bank accounts associated with sextortion scams.

    While our investigation focused on the East Asian region, sextortion cases have also been spotted in other parts of the world. There have been reports in Canada, the UK, and the US.

    The sextortion schemes we uncovered are complex operations that involve people across cultures and nations working together to effectively run a very lucrative business. These once again prove that cybercriminals are not just becoming more technologically advanced— creating stealthier mobile data stealers, using complex stolen data drop zone infrastructures, and outsmarting banks to better evade detection—they are also improving their social engineering tactics, specifically targeting those who would be most vulnerable because of their culture.

    For an in-depth look at our investigations in sextortion, you may read our paper, Sextortion in the Far East.

    Posted in Malware, Mobile

    ZeuS/ZBOT has been one of the most talked about malware families for several years, and with good reason. It has continued to evolve, is very successful in hijacking online banking credentials, and has added a variety of features designed to counter the various solutions that are supposed to mitigate it. It is estimated that ZBOT has enabled cybercriminals to steal more than US$100 million since its inception.

    Zeus was designed to automate most of the information-stealing behavior, and was specifically built to steal online banking credentials. However, we are seeing a type of under-the-radar online fraud carried out by simple, off-the-shelf keyloggers like Predator Pain and Limitless that are being used to perform corporate email fraud.

    The scale of this fraud is significant – the Commercial Crime Bureau of the Hong Kong Police Force estimates this kind of fraud has netted attackers up to US$75 million in the first half of this year, from Hong Kong alone. Consider: this means that cybercriminals in a single city, within six months, equaled all the losses from ZBOT up to the present.

    Unlike Zeus, Predator Pain and Limitless are relatively simple keyloggers. They indiscriminately steal web credentials and mail client credentials, as well as capturing keystrokes and screen captures. The output is human readable, which is good if you are managing a few infected machines only, but the design doesn’t scale well when there are a lot of infected machines and logs involved.

    This simplicity belies the cunning of the operators behind these keyloggers. Experienced in 419 scams, the operators have the time and determination to target corporations, capture webmail accounts, monitor ongoing business transactions, and, when the time is right, hijack the transaction to redirect payments to accounts they control.

    The tools these fraudsters use are not advanced. Combined with clever targeting, patience, and cunning, these simple keyloggers have netted the cybercriminals large sums of money. This highlights that cybercrime activities depend not only on the sophistication of the tools used, but on how well organized the entire scheme is. A sophisticated, well-designed scam can net its operators significant sums of money, as seen here.

    Our paper titled Predator Pain and Limitless: When Cybercrime Turns into Cyberspying discusses our findings about these tools, as well as what we know about the attacks that are being carried out with them.

    The following graphs show the distribution of the victims that we observed, both by country and by industry:

    Figure 1. Predator Pain/Limitless Victims by Country

    Note that the country distribution graph is biased towards Malaysia because one of the actors involved targets South East Asian countries, with a bias towards Malaysia.

    Figure 2. Predator Pain/Limitless Victims by Industry


    Posted in Malware, Targeted Attacks | Comments Off on Predator Pain and Limitless: Behind the Fraud

    Targeted attacks that are part of APT campaigns commonly use exploit documents in their social engineering ploy. These exploit documents serve as unassuming carriers of the attacker’s payload malware into the target’s computer. Since exploit documents are one of the first arrival vectors of APT malware, a little knowledge of the most exploited software and vulnerabilities will go a long way in removing low-hanging security holes within one’s organization.

    Taking data from exploit documents gathered last April, we can see that the most exploited MS Office software is MS Word.

    The big reason for this is that two of the most reliable exploits used by attackers targeted CVE-2010-3333 and CVE-2012-0158, which are MS Word vulnerabilities.

    Coming in third among the most commonly exploited vulnerabilities is CVE-2009-3129, which is an MS Excel software bug. This graph fits in perfectly with the first one, as Excel is the second most exploited Office software.

    For the past two years, exploit documents have extensively used CVE-2010-3333 to install malware. However, just last April, it was quickly surpassed by CVE-2012-0158. Its rise as the exploit of choice for attackers is well documented by Trend Micro researchers in two blog entries found here and here.

    From these graphs, we can easily deduce that:

    • Reliable exploits have long lifespans. Attackers would rather use old, reliable exploits such as CVE-2010-3333 that are proven to work instead of experimenting with new but unreliable exploits.
    • A lot of organizations do not update their software. The wide use of a two-year-old vulnerability shows that patch levels in many industries are not kept current.
    • Rapid adoption and use of a new reliable exploit. Within a span of two weeks, CVE-2012-0158 went from zero to actually surpassing CVE-2010-3333 as the preferred exploit of attackers. This shows that the time window for patching critical vulnerabilities is small, which requires due diligence and discipline in patch management by organizations.
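The three deductions above come from two simple analyses of exploit-document telemetry: a ranking of documents by CVE (rolled up to the Office application each CVE affects) and a time-series view that shows when a newly adopted exploit overtakes the incumbent. The following is an added example, not Trend Micro code and not the post’s data: it implements both analyses over constructed daily counts shaped to resemble the April 2012 picture the post describes, so that the “days to overtake” figure can be read directly as the patch window defenders had.

```python
"""Exploit-document telemetry analysis: ranking by CVE and product, and detecting
when a newly adopted exploit overtakes the incumbent.

Added example (not Trend Micro code). DAILY_COUNTS is constructed data shaped to
resemble the April 2012 picture the post describes; it is not the post's telemetry.
"""
from collections import Counter
from datetime import date, timedelta

# CVE -> affected product, as the post classifies them.
CVE_PRODUCT = {
    "CVE-2010-3333": "MS Word",
    "CVE-2012-0158": "MS Word",
    "CVE-2009-3129": "MS Excel",
}

START = date(2012, 4, 1)
# Constructed daily counts of exploit documents seen, index 0 = START (20 days).
DAILY_COUNTS = {
    "CVE-2010-3333": [12, 11, 13, 12, 10, 12, 11, 12, 10, 11, 12, 11, 10, 12, 11, 10, 11, 12, 10, 11],
    "CVE-2012-0158": [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 2, 4, 5, 8, 10, 13, 15, 18, 20],
    "CVE-2009-3129": [4, 3, 5, 4, 3, 4, 5, 3, 4, 4, 3, 5, 4, 3, 4, 4, 5, 3, 4, 4],
}


def day(index, start=START):
    """Calendar date for a position in the daily series."""
    return start + timedelta(days=index)


def totals_by_cve(counts=DAILY_COUNTS):
    return {cve: sum(series) for cve, series in counts.items()}


def totals_by_product(counts=DAILY_COUNTS, products=CVE_PRODUCT):
    """Roll CVE totals up to the exploited Office application."""
    per_product = Counter()
    for cve, series in counts.items():
        per_product[products.get(cve, "unknown")] += sum(series)
    return dict(per_product)


def ranking(counts=DAILY_COUNTS):
    """CVEs ordered from most to least observed."""
    totals = totals_by_cve(counts)
    return sorted(totals, key=totals.get, reverse=True)


def first_seen(cve, counts=DAILY_COUNTS, start=START):
    """First day the exploit appears in the telemetry, or None if it never does."""
    for i, n in enumerate(counts[cve]):
        if n > 0:
            return day(i, start)
    return None


def first_crossover(challenger, incumbent, counts=DAILY_COUNTS, start=START):
    """First day the challenger's daily count strictly exceeds the incumbent's."""
    for i, (c, inc) in enumerate(zip(counts[challenger], counts[incumbent])):
        if c > inc:
            return day(i, start)
    return None


def days_to_overtake(challenger, incumbent, counts=DAILY_COUNTS, start=START):
    """Days from the challenger's first appearance to the day it overtook the incumbent.

    This is the practical patch window: a fix not deployed within it is already
    competing with attackers' preferred exploit.
    """
    seen = first_seen(challenger, counts, start)
    crossed = first_crossover(challenger, incumbent, counts, start)
    if seen is None or crossed is None:
        return None
    return (crossed - seen).days


if __name__ == "__main__":
    print("ranking:", ranking())
    print("by product:", totals_by_product())
    print("CVE-2012-0158 first seen:", first_seen("CVE-2012-0158"))
    print("overtook CVE-2010-3333 on:", first_crossover("CVE-2012-0158", "CVE-2010-3333"))
    print("days to overtake:", days_to_overtake("CVE-2012-0158", "CVE-2010-3333"))
```

On the constructed data the ranking reproduces the post’s order (CVE-2010-3333, then CVE-2012-0158, then CVE-2009-3129), Word dominates the per-product roll-up, and the newer exploit overtakes the incumbent six days after its first appearance. The same functions run unchanged on real counts keyed by CVE, which is how a team would turn the observation in the third bullet into a measured number for its own patch-management targets.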

    Trend Micro Deep Security protects users from this threat, specifically via the following rules:

    • 1004973 – MSCOMCTL.OCX RCE Vulnerability For Rich Text File (CVE-2012-0158)
    • 1004977 – Restrict Microsoft Windows Common ListView And TreeView ActiveX Controls
    • 1004978 – MSCOMCTL.OCX RCE Vulnerability For Office Binary File (CVE-2012-0158)

    Posted in Exploits, Targeted Attacks, Vulnerabilities | Comments Off on Snapshot of Exploit Documents for April 2012

    The recent tragedy that affected Japan is not the first incident that cybercriminals have leveraged. Cybercriminals established early on just how low they would go to steal money from users—Hurricane Katrina in 2005, Hurricane Gustav in 2008, the Chinese Sichuan earthquake in 2008, and recently the Haiti earthquake in 2010 were all used one way or another as social engineering bait.

    From a technical perspective, it is disheartening how closely cybercriminals monitored the entire incident just to take advantage of not only the event itself but also the ones that happened afterward. Let’s trace the events, along with the threats we found leveraging them.

    Information Demand Met with Attacks

    The earthquake happened on March 11, 2011 and, almost immediately, most of the world was aware of the incident and constantly sought out more information on Japan’s status.

    The sudden and fast increasing demand for information on the earthquake was met with blackhat SEO attacks wherein cybercriminals rigged search results for strings related to the incident and led users to malicious sites.

    Unsurprisingly, social networks were also filled with inquiries, footage, bits of information on the tragic event, and, of course, posts set up to look like footage and information but actually led to malicious sites and files.

    A few hours later, the tsunami that was triggered by the earthquake hit the coasts of Aomori, Iwate, Miyagi, and Fukushima, causing more damage to the affected areas. Many people in Japan who had managed to reach safer ground by the time the tsunami struck were able to take videos showing how the waves destroyed the infrastructure located near the coastline.

    The cybercriminals again quickly took action to leverage the event and deployed attacks on social networks such as Facebook. Posts that posed as footage of the tsunami were seen all over the network and led to other malicious pages.



    This blog post is based on my talk last November 17 at the Information Security Summit 2010 in Hong Kong.

    Cloud computing is one of the biggest trends in the computing world today. However, security concerns about the cloud make up one of the major reasons why companies are hesitant to migrate their operations to the cloud. Let’s discuss an important puzzle in cloud computing, that is, the problem of authentication.

    Many authentication schemes are done via the traditional user name-password combination. Problems with relying on these are well-known but, as companies move to the cloud, these become even more important.

    Cybercriminals have known the importance of user credentials for a long time now and have worked hard to develop techniques to steal them. The top two online banking Trojan families in recent history—ZeuS and SpyEye—both employ a wide range of techniques to steal user credentials. One of the most ingenious of these is the use of screenshots to counter the on-screen keyboard safety measures online banks use as an anti-keylogging mechanism.

    Saying that ZeuS and SpyEye are scary would be an understatement. Corporations should worry about two particular things—first, any website can be targeted, including those that provide confidential services in the cloud and second, even login pages protected by SSL are not safe.

    To make matters worse, account-stealing Trojans account for the majority of malware types Trend Micro has discovered so far, as documented in our first half report. We can only see this trend continuing in the foreseeable future.

    Aside from malware, however, employees themselves are also part of the problem. They may unwittingly give out critical information on social networking and social media sites. Answering quizzes that virally spread on social networks may reveal information that an attacker may find useful when answering security questions on password-recovery features or when impersonating legitimate personnel.

    One of the appeals of cloud computing is that users can access services in the cloud from anywhere in the world, even when out of the office. This, however, presents new risks for corporations that use cloud services. Users may be tempted to use insecure access points such as free Wi-Fi.




    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice