
    A spammed message supposedly from Newegg, a popular online computer hardware/software seller, has been found in the wild. It informs users that their online purchase has been charged to their Visa card. It also contains two clickable links that point to the same malicious page, an example of which is http://{BLOCKED}. Clicking the link leads to a series of redirections that ultimately land users on a FAKEAV-hosting site where TROJ_FAKEAV.FNZ may be downloaded.

    In addition to the FAKEAV download, the binary on the landing page constantly changes, so users may also end up with TROJ_HILOTI.FNZ and ADWARE_ZANGO infections.


    Upon further investigation, we discovered that the email is not the only malware vector the cybercriminals behind the attack are employing. They also leveraged compromised Blogspot pages to host the same spam. We believe that the cybercriminals are abusing Blogspot’s email-to-post feature: the secret email addresses set up by the blog owners may have somehow been harvested and then used as spam recipients, in effect auto-posting the spam to the Blogspot pages. The followers of compromised Blogspot pages can thus potentially be infected, too, since the malicious spam is hosted on a known source.


    Threats analyst Edgardo Diaz adds that one of the download binary connections leads to {BLOCKED}.{BLOCKED}.117.21, which has its own status page. Further analysis of the IP address and the compromised Blogspot pages revealed that some of the compromised pages’ URLs point to domains hosted on the same IP address.

    Users are advised to be wary of clicking any link, even if it is posted on a trusted source. Furthermore, changing one’s secret Mail2Blogger email address once it is found to have been used in a spam run will definitely help, as the attacker can otherwise easily reuse this address to instigate another spam run.

    Trend Micro product users need not worry, however, as they are already protected from this attack via the Smart Protection Network™, which prevents the spammed messages from even reaching users’ inboxes, blocks access to all malicious URLs, and detects all related malware.

    Additional analysis and screenshots provided by threats analysts Patrick Estavillo and Edgardo Diaz.

    Update as of August 25, 2010, 10:30 p.m. (UTC)

    After further investigation, we’ve found that other kinds of spam were also posted on affected Blogspot pages. Spam related to UPS, Amazon, and LinkedIn, as well as run-of-the-mill résumé and eCard spam messages, were found posted on the said blogs. Affected Blogspot users are advised to change their Mail2Blogger email address as soon as possible.


    • MB

      We received this email with an attachment that also contained a script. That script redirected to a page on {BLOCKED}

      Comment edited to remove possibly malicious site.
