
    Ease is the main reason why users are going online for their purchases, especially during the holiday season. While convenient, online shopping poses risks to users’ login credentials and personally identifiable information (PII), as cybercriminals can easily craft phishing attacks that lead to data theft.

    Using Trend Micro Smart Protection Network™ and other proprietary tools, we identified the brands for which the most phishing sites were created in December 2012. Below is a graph of the spoofed sites created, limited to 50 popular brand names.

    Based on the information we’ve gathered, the e-commerce site PayPal was the most targeted institution, with 18,947 spoofed sites, followed closely by the American bank Wells Fargo. Users who are tricked into visiting spoofed PayPal sites may have their systems infected by TROJ_QHOST.EQ. So far, the malware has infected systems in Taiwan, Thailand and the United States (US). As you can see below, the top 10 most spoofed sites are all either banks or well-known credit card companies.

    Company name/websites    Number of created phishing websites
    PayPal                   18947
    Wells Fargo              2049
    Visa                     1661
    Citibank                 1628
    Bank of America          1477
    Mastercard               986
    Chase                    656
    Bancolombia              369
    Natwest                  324
    Cielo                    310

    Citibank is also one of the most spoofed institutions, possibly bolstered by Blackhole Exploit Kit (BHEK) campaigns. BHEK is known to use popular companies like Citibank to lure users into opening the spam message and clicking the malicious URL it contains.

    Certain BHEK campaigns spoofing Citibank lead users to download WORM_CRIDEX.CTS, a malware known to steal sensitive data like online banking credentials. Using the Smart Protection Network, we determined that the malware has infected 277 systems, a staggering 88% of which were located in the United States.

    In addition, this December alone we spotted four BHEK campaigns against Citibank. In the last campaign, we observed that users' systems were infected with TROJ_CDOWN.A, SWF_BLACOLE.BBB, JAVA_DLOADR.XM and WORM_CRIDEX.EZ. The .JAR file detected as JAVA_DLOADR.XM got 3,095 hits, which mostly affected users in the US and Japan.

    On the other hand, among online shopping, auction and deal-of-the-day sites, the brands with the most created phishing sites are Taobao, eBay, Amazon, and Alibaba. Taobao, a website based in China, ranked first among e-commerce sites with the most spoofed/phishing pages.

    Company name/websites    Number of created phishing websites
    Taobao                   1691
    eBay                     504
    Amazon.com               251
    Alibaba                  150
    Littlewoods              39

    During our research, we also found the following attacks affecting users from around the globe, as well as mobile users.

    • We saw an increase in an attack disguised as the Danish e-payment company Nets Group. This threat usually arrives via email, urging users to confirm an update or activate their account.
    • There is also an ongoing spoofed Mastercard phishing campaign that targets Japanese users. Among the 986 spoofed Mastercard sites, 717 of these (72%) were designed for JP users. For December, these 717 sites generated 2,029 hits, usually from users located in Japan.

    • Certain bad guys created 902 spoofed sites of Remax, a multinational real estate company.
    • On the other side of the world, Brazil is still hounded by spoofed websites hosting Trojans, usually TROJ_BANLOAD variants, which are known to download TSPY_BANKER variants. This attack arrives as emails that spoof banks like Bradesco and Banco do Brasil. The emails also contain shortened URLs, usually created with shorteners like bit.ly, that lead to these sites. Users located in Colombia were also targeted by a BANKER malware detected by Trend Micro as TSPY_BANKER.TGF. This malware uses an MS Excel icon and purports to be a free gift card to trick users into executing the malicious .EXE file.
    • Mobile users, unfortunately, are not exempt from this swath of online threats. Below is an example of a spoofed PayPal for Mobile site that users should be wary of. Because mobile users will typically not see the whole URL, they may readily think that they have visited the legitimate website.

    • We also spotted a spammed message that has an attachment that targets Chase bank. Trend Micro detects the attached file as TROJ_DLOADER.YZX. When executed, this malware downloads a plethora of other malware such as TSPY_ZBOT.MDN, TSPY_ZBOT.LOA, and TROJ_FAKE.BMC.

    If there’s one thing that these trends have taught us, it is that we should remain vigilant against phishing attacks, especially during the holidays and other special occasions. For tips on how to safeguard your device while shopping online during festive events, read our e-guides, Online Shopping Made Easy and Enjoy a Hassle-Free Mobile Shopping Spree! and our infographic on online shopping tips.

    To differentiate a spoofed, phishing email from a legitimate one, be on the lookout for the following signs:

    • Spoofed email messages usually contain a generic greeting and are not addressed to the recipient
    • Legitimate email notifications do not contain glaring grammatical errors, typos and formatting gaffes
    • Spoofed email has an “alarmist” tone, usually urging users to click a link or divulge personal information
    • For BHEK-related messages, some may look identical to the legitimate vendor email. Thus, users should read the email thoroughly. Better yet, verify the legitimacy of the email.

    Users are strongly advised to avoid opening any attachments or clicking any URLs, even if these come from seemingly known sources. Make a habit of copying the shortcut link and double-checking its legitimacy. Read the message body thoroughly to avoid fraudulent schemes. Always keep your systems up to date with the latest security updates released by software vendors.

    Mobile users should download only legitimate retail-related apps, and should look for HTTPS and the lock icon in the address bar before giving credentials away.
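
The link checks advised above (double-check a copied link, treat shortened URLs with care, look for HTTPS, and read the whole hostname rather than the part a mobile browser shows) can be expressed as a small script. This is an added example, not Trend Micro code; the brand allow-list, the naive registrable-domain rule and the sample links are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumed allow-list: brand keyword -> domains treated as legitimate (illustrative).
BRAND_DOMAINS = {
    "paypal": {"paypal.com"},
    "citibank": {"citibank.com", "citi.com"},
    "wellsfargo": {"wellsfargo.com"},
    "mastercard": {"mastercard.com"},
}
SHORTENERS = {"bit.ly"}  # the shortener named in the post


def registrable_domain(host):
    """Naive last-two-labels approximation; use a Public Suffix List in production."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_link(url):
    """Return reasons the link deserves a closer look (empty list = none found)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    findings = []
    if not host:
        return ["no hostname"]
    if parts.scheme != "https":
        findings.append("not HTTPS")
    domain = registrable_domain(host)
    if domain in SHORTENERS:
        findings.append("shortened URL: destination hidden")
    # Brand keyword in host or path while the site is not on the brand's own domain.
    haystack = (host + parts.path).lower().replace("-", "")
    for brand, legit in BRAND_DOMAINS.items():
        if brand in haystack and domain not in legit:
            findings.append(f"mentions {brand} but is served from {domain}")
    return findings


# Constructed sample links (example.* hosts are placeholders, not observed indicators).
SAMPLES = [
    "https://www.paypal.com/signin",
    "http://paypal.com.account-update.example.net/login",
    "https://bit.ly/abc123",
    "https://m.example.org/wells-fargo/verify",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(link, "->", check_link(link) or "no findings")
```

An empty result only means none of these three heuristics fired; it does not establish that a link is legitimate.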

    Trend Micro proactively blocks phishing sites and detects spammed messages via Smart Protection Network.

    With additional inputs from Email reputation services group








     

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice