Trend Micro threat analysts come across a huge number of phishing cases that feature nearly identical domain names every day. In a Web reputation manual verification exercise, analysts found that three of the most popular phishing targets to date were Chase, the Internal Revenue Service (IRS), and, just recently, Web hosting sites.

To launch such an attack, cybercriminals use the phishing URL format cpanel.{attacked_company}.{phishingdomain}/scripts/cpanel-ftp-confirmation.php.

In this kind of attack, the phishing URL loads a page where users are asked to enter the following information:

• FTP hostname/address
• FTP login
• Password

Once the users enter the required information, they will receive a confirmation message. They will then be redirected to the legitimate Web hosting site to fool them into thinking that they have not just been phished. Little do they know that their sites have been compromised and may be used by cybercriminals to further their own malicious causes. And worse, if they use the same login credentials (username and password) for other sites (e.g., banking and email), they may have just fallen prey to identity theft.

Phishers who use this technique usually target .uk (United Kingdom) domains .be (Belgium) domains.

Trend Micro users are protected from this threat via the Smart Protection Network, which detects and consequently blocks user access to all related phishing URLs.

Trend Micro security experts received email messages that supposedly came from Facebook. It asks recipients to update their login credentials for security purposes. It then instructs them to click the URL provided in the email message. When the user clicks the URL, it points them to a spoofed Facebook website where they are required to input their password only as their email address has been automatically filled up.

 
Once the users hit the “Login” button, it will redirect them to another fraudulent page where a link to download a suspicious update tool file is provided. Trend Micro detects this as TROJ_ZBOT.CDX.

As of this writing, the phishing URL as well as the malicious file has been blocked and detected already via the Trend Micro Smart Protection Network.

This is a great example showing just how cunning cybercriminals can be just to steal precious information. They even claimed to offer recipients security, which is really ironic. Not everyone though may be as hard to fool as, say, security experts. So how can you tell if your personal information is being phished? Here are some useful tips:

• Check the email’s content. Misspellings and grammatical mistakes are very common in spammed messages.
• Do not click embedded links. If you need to update your login credentials, go to the site’s homepage and log in from there.
• Check the URL in the message body. A legitimate Facebook link will not continue beyond .com as in the two bogus email messages.
• Check the time stamps. Facebook has millions of users worldwide so it really is very unlikely that the site’s administrator will send out email messages to all users within the same day.
• Check the sender’s email address. A legitimate Facebook email sender will have a facebook.com and not a facebookmail.com address.

Don’t be just another victim. Keep in mind that cybercriminals will do just about anything to fool those who let their guards down.

Additional text by Det Caraig

We have recently discovered a version, of online fraud that takes the guise of a legitimate-lookng news website. At first glance, the content of the purported news page appears real but after conducting further analysis, one will realize that the news page is actually a spammy site.

What’s supposed to be a news article is actually an writeup that explains how Google can supposedly provide online users the opportunity to earn easy money. To make it more convincing, the page also claims to have several positive responses from anonymous online users. Clicking any of the links from the spam website shown above leads to a phishing page.

The page contains a spoofed countdown timer that hopes to make the user panic and quickly fill up the form. Clicking the See If I Qualify button then directs the user to another page containing an affirmation of the user’s qualifications, which will then require him/her to fill up another form with his/her credit card information.

Related phishing schemes have also been found using the same technique but with different keywords other than Google Cash Club. Below are some of the keywords used:

• Make Money with Google
• Google Money Monster
• Google Home Income
• Easy Google Profit
• Google’s Business Kit

Inquiries on the legitimacy of the service have been posted on Google’s support forum, and we agree with what most of the users have posted: Google Cash Club is a scam.

The phishing URL is already blocked by the Trend Micro Smart Protection Network.

The Trend Micro Content Security team has discovered a phishing attack targeting users of the German-owned file-hosting website, RapidShare.

Aside from their free hosting service, the website also offers a benefit for premium members who opt to pay a certain fee through PayPal, or by means of RapidShare authorized resellers. This nuance was not lost on unscrupulous phishers, who recently began to  to aim for compromising user credentials through a spoofed RapidShare login page.

Figure 1. RapidShare phishing page

In the spoofed web page, phishers attempt to confuse their victims just enough to entice them to enter their login name and password.

In acquiring a victim’s RapidShare credentials, phishers will then be able to enjoy the same privileges as a premium RapidShare user — faster downloads, and downloading multiple files at the same time. Money really isn’t the only driving force for cyber criminals to steal credentials these days — they also attempt to leverage any means to further their crimes.

Premium users of RapidShare, who are also Trend Micro customers, are safe from possible information theft in terms of this attack — the Trend Micro Smart Protection Network already blocks the phishing page.

The Trend Micro Content Security Team discovered two phishing URLs just within hours of each other that use legitimate credit unions to trick unknowing users into giving out confidential information.

Here’s a screenshot of a page that spoofs the O Bee Credit Union:

Figure 1. Sample phishing page.

The page is hosted in the URL http://{BLOCKED}e.com/tmpimages/www.obee.com/, which loads a survey. Credentials such as O Bee access IDs, passwords, email addresses, card numbers, and PIN numbers are stolen when these are entered in the survey boxes.

The Quimper Community Federal Credit Union was also attacked by phishers.

Figure 2. Sample phishing page.

The URL http://www.{BLOCKED}w.net/cu/910331605/ loads a spoofed login site that instructs users to enter personal credentials such as account number and password.

Figure 3. Fake login page.

Clicking on the login button directs users to a spoofed confirmation page about filling the form. This page also asks users for account details such as full names, debit card numbers, and PIN numbers.

The Trend Micro Smart Protection Network already blocks these URLs and protects users from the phishing pages.