    Author Archive - Ryan Flores (Threat Research Manager)

    This blog post is based on my talk last November 17 at the Information Security Summit 2010 in Hong Kong.

    Cloud computing is one of the biggest trends in the computing world today. However, security concerns about the cloud make up one of the major reasons why companies are hesitant to migrate their operations to the cloud. Let’s discuss an important puzzle in cloud computing, that is, the problem of authentication.

    Many authentication schemes still rely on the traditional user name and password combination. The problems with relying on these are well known, but as companies move to the cloud, those problems become even more important.

    Cybercriminals have known the importance of user credentials for a long time now and have worked hard to develop techniques to steal them. The top two online banking Trojan families in recent history—ZeuS and SpyEye—both employ a wide range of techniques to steal user credentials. One of the most ingenious of these is the use of screenshots to counter the on-screen keyboards that online banks use as an anti-keylogging measure.

    Saying that ZeuS and SpyEye are scary would be an understatement. Corporations should worry about two particular things—first, any website can be targeted, including those that provide confidential services in the cloud and second, even login pages protected by SSL are not safe.

    To make matters worse, credential-stealing Trojans make up the majority of the malware types Trend Micro has discovered so far, as documented in our first half report. We can only see this trend continuing in the foreseeable future.

    Aside from malware, however, employees themselves are also part of the problem. They may unwittingly give out critical information on social networking and social media sites. Answering quizzes that virally spread on social networks may reveal information that an attacker may find useful when answering security questions on password-recovery features or when impersonating legitimate personnel.

    One of the appeals of cloud computing is that users can access services in the cloud from anywhere in the world, even when out of the office. This, however, presents new risks for corporations that use cloud services. Users may be tempted to use unsecure access points such as free Wi-Fi.



    The U.S. midterm elections may have come and gone but cybercriminals have yet to cease related attacks on users eager for news on the turnout. As the Republicans take center stage, so do blackhat search engine optimization (SEO)-poisoned results.

    Case in point, searching for updates on the U.S. midterm election results led to a poisoned link. This, of course, then led to the all-too-common FAKEAV warning prompt and fake scanning page.


    What was interesting about this attack, however, is the fact that in addition to relying on keyword density and backlinks to increase a malicious page’s ranking, the cybercriminals also counted on related images to lead unwitting users into their trap. This was most probably done to trick search engines into increasing the doorway page’s ranking.


    Elections and other noteworthy sociopolitical events have been known to be typical malware propagation vectors as seen in these posts:

    Even scarier, however, is the fact that cybercriminals will stop at nothing to infect users’ systems. This attack just goes to show that they are getting better at what they do, keeping up with what vendors and service providers (i.e., search engines) are doing to mitigate threats. With the holidays in tow and craftier tricks up cybercriminals’ sleeves, we are urging users to stay vigilant and cautious in their online dealings. As in years past, it should not come as a big surprise should poisoned links crop up every time you search for great gifts and travel destinations, so beware.

    Find out how blackhat SEO poisoning became one of cybercriminals’ favorite malware proliferation tools in the new Trend Micro research paper, “How SEO Became Big.”


    You know that something has become mainstream when people have a lot to say about it. Just like any activity, online gaming has had its share of caveats. For instance, a man from Hawaii sued an online game publisher, for allegedly causing him to lose 20,000 hours of his life. You see, the majority of online gamers are full-time employees and so lose a lot of their time just to succeed in the online games they play.

    Apart from such risks, online gamers also face other threats. Yes, you read that right. There exists a comprehensive cybercrime ecosystem that specifically targets online gamers. Though this may not be as common as targeting online bank users, the cybercriminals’ end goal remains the same—to make money at someone else’s expense.

    If you’re interested to know how all of this adds up, read Lion Gu’s research paper on the dark side of online gaming, something you probably should be aware of now that online gaming has become mainstream.



    In this YouTube video, Trend Micro CTO Raimund Genes discusses how an attacker can use information from social networks such as LinkedIn and Facebook to hack into a corporate network.

    The picture Raimund paints shows how attackers can get publicly available email addresses on social networks and send a customized targeted email to the person containing a malicious URL, which points to an exploit that triggers the download of a Trojan.

    Some people may scoff at this scenario and say, “Too many things need to happen for me to get infected.” If you are part of this group, you probably have a point. The email needs to pass through spam filters first and needs to be convincing enough for the target to click on the link. Should the target click on it, the exploit scripts need to get through antivirus detection. To do so, the exploit should be a zero-day to become 100 percent successful. Otherwise, the attacker can just keep hoping that the target has not applied the latest patches yet.

    Too many things need to happen in order for the attack to succeed, right?

    Then again, an attacker can take the long route in, as with the Twitter hack last year wherein a hacker going by the pseudonym Hacker Croll was able to infiltrate Twitter’s corporate network.

    Case in Point: Twitter Hack Attack

    Hacker Croll started out by building a profile of Twitter employees from publicly available information using search engines. From there, he was able to gather employee names with their associated email addresses, business positions, and bits and pieces of personal information. Hacker Croll then tried to get access to a Twitter employee’s Gmail account using Gmail’s password recovery feature, which sends a user’s password to a secondary email account.

    Hacker Croll got lucky, as the targeted employee’s secondary email was an inactive Hotmail account. Hotmail removes inactive accounts so Hacker Croll just registered the inactive account to himself, asked Gmail’s password recovery to send the password to the Hotmail account he then owned, and bingo! He gained access to that Twitter employee’s mailbox.

    From there, Hacker Croll was able to gather more information about other Twitter employees. He was able to access other Web services the original target subscribes to (because the target reuses passwords most of the time) and he was able to hack into other Twitter employees’ accounts by exploiting the secret question feature common to Gmail and other Web-based email services. This gave Hacker Croll a detailed profile of his targets so answering a secret question like, “What’s the name of your pet?” was trivial.

    By the time Hacker Croll finished, he was in possession of confidential company information, iTunes accounts, credit card information, and control of Twitter domains in GoDaddy, all because of publicly available personal information.

    Revealing Too Much Can Be Harmful

    The moral of the story? Listen to what our CTO is saying, “Please don’t reveal too much information on social networking sites.” And if I may add, please don’t use the same password for most of your online accounts.

    Trend Micro may be able to protect you from malicious email, websites, and malware using our Smart Protection Network™ but we cannot protect you if the hackers will use information that you yourself made available.

    *Detailed account of the Twitter attack documented by TechCrunch.


    Over the weekend, news reports of “hacked” iTunes accounts used to purchase worthless apps surfaced.

    And since there was neither evidence nor any report of an iTunes App Store data leak, it is most likely that individual iTunes user credentials were stolen via phishing attacks.


    What’s interesting about this incident is it doesn’t involve any malicious app. Instead, it led to the sudden rise in rating of common, unpopular apps in Apple’s App Store because stolen iTunes accounts were used to purchase them.

    This is interesting because cybercrime groups have now found a working business model in monetizing phished user accounts in Apple’s App Store. They’ve circumvented Apple’s “strict” app review process by submitting nonmalicious apps (doesn’t matter if the app is worthless) then used phished iTunes accounts to buy (and make money from) the worthless apps.

    This is an interesting business model. By targeting user accounts, cybercriminals attacked the weakest link in the system (the user), using Apple’s App Store only as a platform and the worthless apps only as a means to cash in on phished accounts.

    May this incident serve as a glaring reminder on the importance of our online accounts, especially if our credit and/or debit cards are tied to them.

    Posted in Bad Sites | Comments Off on Cybercriminals Make Money Out of App Store


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice