    TrendLabs Security Intelligence Blog

    Author Archive - Ryan Flores (Senior Threat Researcher)





    In this YouTube video, Trend Micro CTO Raimund Genes discusses how an attacker can use information from social networks such as LinkedIn and Facebook to hack into a corporate network.

    The picture Raimund paints shows how attackers can get publicly available email addresses on social networks and send a customized targeted email to the person containing a malicious URL, which points to an exploit that triggers the download of a Trojan.

    Some people may scoff at this scenario and say, “Too many things need to happen for me to get infected.” If you are part of this group, you probably have a point. The email first needs to get past spam filters and must be convincing enough for the target to click on the link. Should the target click on it, the exploit scripts need to get past antivirus detection, and for the attack to be guaranteed to succeed, the exploit would have to be a zero-day. Otherwise, the attacker can only hope that the target has not applied the latest patches yet.

    Too many things need to happen in order for the attack to succeed, right?

    Then again, an attacker can take the long route in, as with the Twitter hack last year wherein a hacker going by the pseudonym Hacker Croll was able to infiltrate Twitter’s corporate network.

    Case in Point: Twitter Hack Attack

    Hacker Croll started out by building a profile of Twitter employees from publicly available information using search engines. From there, he was able to gather employee names with their associated email addresses, business positions, and bits and pieces of personal information. Hacker Croll then tried to get access to a Twitter employee’s Gmail account using Gmail’s password recovery feature, which sends a user’s password to a secondary email account.

    Hacker Croll got lucky: the targeted employee’s secondary email was an inactive Hotmail account. Hotmail removes inactive accounts, so Hacker Croll simply registered the abandoned address to himself, asked Gmail’s password recovery to send the password to the Hotmail account he now owned, and bingo! He gained access to that Twitter employee’s mailbox.

    From there, Hacker Croll was able to gather more information about other Twitter employees. He was able to access other Web services the original target subscribed to (because the target reused the same password for most of them), and he was able to break into other Twitter employees’ accounts by exploiting the secret question feature common to Gmail and other Web-based email services. By then Hacker Croll had a detailed profile of his targets, so answering a secret question like “What’s the name of your pet?” was trivial.

    By the time Hacker Croll finished, he was in possession of confidential company information, iTunes accounts, credit card information, and control of Twitter domains in GoDaddy, all because of publicly available personal information.

    Revealing Too Much Can Be Harmful

    The moral of the story? Listen to what our CTO is saying, “Please don’t reveal too much information on social networking sites.” And if I may add, please don’t use the same password for most of your online accounts.

    Trend Micro may be able to protect you from malicious email, websites, and malware using our Smart Protection Network™, but we cannot protect you if attackers use information that you yourself made available.

    *Detailed account of the Twitter attack documented by TechCrunch.

     



    Over the weekend, news reports of “hacked” iTunes accounts used to purchase worthless apps surfaced.

    Since there was neither evidence nor any report of an iTunes App Store data leak, it is most likely that individual iTunes user credentials were stolen via phishing attacks.


    What’s interesting about this incident is that it doesn’t involve any malicious app. Instead, it caused a sudden rise in the ratings of ordinary, unpopular apps in Apple’s App Store, because stolen iTunes accounts were used to purchase them.

    This matters because cybercrime groups have now found a working business model for monetizing phished user accounts in Apple’s App Store. They circumvented Apple’s “strict” app review process by submitting nonmalicious apps (it doesn’t matter if the app is worthless), then used phished iTunes accounts to buy the worthless apps and pocket the proceeds.

    It is an interesting business model: by targeting user accounts, the cybercriminals attacked the weakest link in the system (the user), using Apple’s App Store only as the platform and the worthless apps only as the means to cash in on phished accounts.

    May this incident serve as a glaring reminder of the importance of our online accounts, especially when our credit and/or debit cards are tied to them.

     



    Twitter is becoming a common medium to spread spam, malware, and all kinds of badness. Just a few weeks ago, we wrote about FIFA and the Gaza attacks being used as social engineering leverage by Trojan creators and there are no signs of them stopping anytime soon.

    Over the past two weeks, several Twitter accounts were created for the sole purpose of Tweeting Poison Ivy or Bifrost download links. Both Poison Ivy and Bifrost are backdoors, malicious programs that allow an unauthorized user access to an infected machine. Interestingly, these backdoor programs are uploaded to either freewebtown.com or leadhoster.com, both of which are free Web hosting sites.


    For some of our readers, these things aren’t new, but what caught my eye are these Tweets written in Arabic:


    Cybercrime groups, it seems, are broadening the scope of their social engineering by employing localization techniques. Quite clever, huh?

    Lastly, these rogue Twitter accounts either have very few or no followers and following, which means the only way for potential victims to see the backdoor URL is to do a Twitter search with the appropriate keywords. Hmmm… blackhat SEO Twitter style anyone?

     



    Malicious JavaScript code used to be contained in a single .JS or .HTML file, which made malicious JavaScript analysis and detection pretty straightforward.

    However, in the past few days, a couple of distinct Web compromises caught my attention because the code involved used the multipart malicious JavaScript technique. In this technique, the malicious JavaScript is divided into multiple parts spread across different files.

    In the example below, you can see the .HTML file linking to ap.js while the embedded JavaScript calls the function ac2().

    [Screenshot: the .HTML file linking to ap.js, with embedded JavaScript calling ac2()]

    The function ac2(), however, is not in the JavaScript embedded in the current .HTML file but is in the linked .JS file ap.js as shown below.

    [Screenshot: the linked ap.js file defining ac2()]

    This technique is noteworthy because malicious JavaScript code can be divided into several parts, each nonmalicious in nature, and the code reveals its true nature only when its parts are correctly pieced together.

    For security researchers and analysts, this means that analyzing .HTML and .JS files should not be limited to the actual files but should be done in the context of the website where the .HTML and .JS files were used.
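One way to do the in-context analysis described above, as an added example that is not TrendLabs' code: the HTML page and ap.js below are constructed to mirror the layout in the post (an inline call to ac2() whose body lives in the linked ap.js), and the helper names and regex-based heuristics are assumptions, not any product's logic.

```python
import re

# Constructed sample site mirroring the layout in the post: the page's inline
# script only *calls* ac2(); the function body lives in the linked file ap.js.
SITE = {
    "index.html": """<html><body>
<script src="ap.js"></script>
<script>var p = "c2"; ac2(p);</script>
</body></html>""",
    "ap.js": "function ac2(x){ return x; }  // stands in for the real payload",
}

SRC_RE = re.compile(r'<script[^>]*\bsrc=["\']([^"\']+)["\']', re.I)
INLINE_RE = re.compile(r'<script(?![^>]*\bsrc=)[^>]*>(.*?)</script>', re.I | re.S)
CALL_RE = re.compile(r'\b([A-Za-z_$][\w$]*)\s*\(')
DEF_RE = re.compile(r'\bfunction\s+([A-Za-z_$][\w$]*)\s*\(')
# JavaScript keywords and common globals that look like calls but are not user functions.
SKIP = {"function", "if", "for", "while", "switch", "catch", "return", "eval", "alert"}

def script_parts(html, site):
    """Split one page into its inline script and the linked files it pulls in."""
    inline = "\n".join(m.group(1) for m in INLINE_RE.finditer(html))
    linked = {src: site.get(src, "") for src in SRC_RE.findall(html)}
    return inline, linked

def unresolved_calls(inline, linked):
    """Map each function called inline but not defined inline to the linked
    files that define it (an empty list means it is defined nowhere on the page)."""
    inline_defs = set(DEF_RE.findall(inline))
    result = {}
    for name in sorted(set(CALL_RE.findall(inline)) - inline_defs - SKIP):
        result[name] = [src for src, code in linked.items()
                        if name in DEF_RE.findall(code)]
    return result

def analyze(page, site):
    """Return the cross-file call map and the pieced-together script an analyst
    must actually read, instead of the .HTML or .JS file in isolation."""
    inline, linked = script_parts(site[page], site)
    combined = "\n".join(linked.values()) + "\n" + inline
    return unresolved_calls(inline, linked), combined

if __name__ == "__main__":
    calls, combined = analyze("index.html", SITE)
    for name, files in calls.items():
        print(f"{name}() called inline, defined in: {files or 'nowhere on page'}")
    print("--- combined view ---")
    print(combined)
```

Analyzing index.html on its own leaves ac2() unresolved; only after the linked file is fetched does the combined view show what the call actually does.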

    The multipart malicious JavaScript technique is not brand new; we have seen it in malicious websites involved in exploiting the OCW ActiveX vulnerability. What is interesting to note, however, is that the use of the multipart technique seems to be increasing, as evidenced by the JavaScript code found in relation to two distinct Web compromises. This can only mean the bad guys are realizing the potential of this technique to make analysis and detection a little bit more difficult.

    Fortunately, Trend Micro™ Smart Protection Network™ detects the malicious JavaScript mentioned as Expl_ShellCodeSM. The malicious URLs hosting the said scripts are also blocked.

    Hat tip to advanced threats researcher Lion Gu for initially bringing the malicious scripts to my attention.

     



    While conducting blackhat search engine optimization (SEO) investigations, I stumbled upon an SEO attempt hosted in the popular document-sharing site Scribd.


    The document that contains the SEO strings and links was actually a .PDF file that had been uploaded to Scribd.


    Further investigation revealed that the user account that uploaded this SEO .PDF file has been very actively uploading .PDF files designed for blackhat SEO attacks. As of this writing, 3,003 such .PDF files have been uploaded to Scribd since the creation of the account 26 days ago.


    Clicking any of the links leads to a site that has been specifically designed to host or link to ads. The site itself is not malicious, as it neither instigates drive-by downloads nor causes automatic redirections, but a link that leads to a spammy Viagra site and outright malicious FAKEAV links reveal its true nature in the end.


    This SEO trail reveals two alarming blackhat SEO trends—the use of document formats apart from HTML to create SEO pages and the use of document-sharing sites, particularly Scribd, to host non-HTML blackhat SEO attacks.

    Trend Micro product users need not worry, however, as Smart Protection Network™ protects them from blackhat SEO-related attacks.

     


     

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice