Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Mobile Vulnerabilities

  • Zero-Day Alerts

  • Recent Posts

  • Calendar

    August 2015
    S M T W T F S
    « Jul    
  • Email Subscription

  • About Us

    Author Archive - Sarah Calaunan (Fraud Analyst)

    Trend Micro’s Web Reputation Services (WRS) Operations Team recently received a phishing email claiming to be from Blogger (see Figure 1), a free blog publishing tool from Google.

    Click for larger view

    The spammed message instructed users to update their Blogger accounts by clicking the embedded link, which leads them to a fake login page. At first glance, the site’s URL seems legitimate enough. It began with the same domain name as the real Blogger login page. Upon closer examination, however, TrendLabs engineers found that the fake site was not really hosted on the same URL as the real one. It was, instead, hosted on a remote site, thus convincing them that this was indeed a fake login page or a phishing site (compare Figures 2 and 3).

    Click for larger view Click for larger view

    Users basically use blogs as ongoing chronicles of information about anything and everything they are interested in. Some use blogs to promote their businesses or to show what their companies can do. Some use theirs as personal online diaries where they can save their thoughts and feelings in. Whatever use blogs may serve to users, however, signing in to and updating their account records on the bogus login page, will certainly allow phishers to take advantage of them. This kind of attack can lead to not only data theft but also identity theft. This is the reason why we always urge users to be wary of suspicious-looking email messages and sites. Always check the URLs of the sites you are being led to. It never hurts to be paranoid once in a while if it means not falling prey to cybercriminals’ ever-evolving social-engineering tactics.

    Trend Micro™ Smart Protection Network™ protects product users from this kind of attack by preventing the spammed messages from even reaching their inboxes via the email reputation service and by blocking access to malicious sites and domains via the Web reputation service.

    Non-Trend Micro product users can stay protected as well by using free tools such as eMail ID, a browser plug-in that helps identify legitimate email messages in your inboxes. It helps users avoid opening and acting on phishing messages attempting to spoof real companies.


    Trend Micro threat analysts found several phishing sites registered in China that target specific people or companies. The said email can customize phishing URLs using the names of intended recipients via a technique called “spear phishing.”

    Spear phishing has been used by cybercriminals before in attacks that involved specific targets. In the previous post, “So Is It Twitter or Facebook?,” for instance, cybercriminals exploited Twitter’s direct message function to inform users that their pictures were seen on another website, the link to which is embedded in the same message. The link led to a bogus Facebook page from which user credentials are then stolen.

    In this attack, the cybercriminals went as far as spoofing the From field to imply that the sender is from the same company the target is employed in. The URL embedded in the email is also customizable, depending on who its intended recipient is. Clicking the link points the user to a bogus Gmail Taiwan login page where the target’s user name has already been entered.

    According to TT Tsai, this phishing attack seems to be targeting the Taiwan government as some of the phishing domains we have encountered are hosted in Taiwan, not to mention that the page uses the Chinese language.

    Click for larger view Click for larger view

    Here’s a list of malicious domains users should be wary of:


    TT Tsai, however, added that the cybercriminals are rapidly changing domains and taking down previously used ones to avoid detection and blocking.

    As of this writing, all spam and phishing URLs related to this attack are already being blocked by the Trend Micro Smart Protection Network™. Non-users of Trend Micro products can stay protected from this and other similar attacks by using free tools such as eMail ID.


    Seems like since micro-blogging, social networking, and banking sites are the ones commonly targeted by phishers nowadays, one attack pulled itself away from the trend and went for a more direct approach: email accounts.

    We’ve recently found a phishing email that informs users to re-configure their Microsoft Outlook through an online procedure. Users are instructed to click on the link to setup, leading them to a phishing website.

    Click for larger view Click for larger view

    Unlike micro-blogging, social networking, or even banking accounts, a user name and password is not enough to take full control of an email account. Mail server information is also necessary, which explains the need for them in the phishing page. Getting hold of such information would gain the phisher total access the affected user’s account, be able to read their emails, possibly steal critical information, or use it to spam other users. Furthermore, using such a widely used email client such as Microsoft Outlook places a large number of end users at risk of getting their email account compromised.

    The Trend Micro Smart Protection Network blocks both the phishing email and URL.


    Formerly known as Ecount, Citi Prepaid Services is a prepaid solution for companies who aim for a customizable solution for payroll, sales incentives, benefit payments, etc. Recently we have encountered a phishing email, informing Citi Prepaid Services customers/clients that their account information needs to be updated due to inactive membership, purported causing fraud and report spoofing due to the account’s inactivity.

    Below is a screenshot of the
    phishing email:
    In the email users are instructed to click on the
    embedded link which, in fact, leads to the phishing website:
    Click Click

    Once customers/clients entered their account credentials believing that this is real, phishers can now take hold of the information and may use it however they wish.

    Citi Prepaid Services actually offers Zero Liability Protection which protects users from this very attack. It means that users are not to be held responsible for any fraudulent activity regarding their account. But since the Zero Liability Protection is a feature limited to Citi Prepaid Service, victims of a similar attack on a different service may not be as lucky, and end up losing their hard-earned money.

    The phishing URL is now blocked by the Trend Micro Smart Protection Network.


    11:45 pm (UTC-7)   |    by

    The Trend Micro Content Security Team discovered fake websites that purport to be login pages of DHL, a company that offers air express transportation of goods between countries. Here’s a sample screenshot of a bogus page:

    Figure 1. Sample phishing page.

    The fraud site asks for users’ email addresses (which are ordinarily used for logging in) their passwords, and also their DHL account numbers. Unknowing users might think that their packages are secure and are being transported to their respective destinations, when in fact only their credentials are being delivered to the phishers behind this threat.

    Express transportation companies like DHL are notable targets of cybercriminals these days. We blogged about previous attacks on UPS and FedEx, two of the more known known global parcel delivery companies. Western Union, a financial services and communications company, also was a cybercriminal target.

    There’s a difference between the earlier set of threats and the current one though. The earlier attacks’ aim was to install malware on PCs by tricking users into believing they are downloading receipts. The objective of the DHL phishing gang, meanwhile, is to steal account and login credentials, which we think could be used for other malicious purposes like using a hacked account for illegal shipments.

    The URL where the site is hosted is now blocked by the Trend Micro Smart Protection Network. Users are still advised to either type in the URL to the website they are accessing, or use their own bookmarks in getting there.



    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice