    A few hours ago we discovered a spam run in Brazil that uses a trendmicro address in its From field:

    Figure 1. Sample of Brazilian spam first seen evening of May 22 by our honeypots.

    Our support team in the Latin American region has observed some 6,000 samples of this spam since it was first identified. According to one of our analysts in the region, the rate now appears to be tapering off to approximately 15 samples a minute.

    When translated it reads as follows (grammar lapses intact):

    Subject: you may loose all your information as well as your e-mail

    Our servers have detected a security failure in your email account. for more security without the loose of data or vulnerabilities on your email box we remind you to active your mailbox

    or you will loose all your information as well as your email

    to activate your mailbox is very easy

    1 click on the link below
    2 you will see a window with the button execute press execute
    3 after that click on the button open and you will be redirected to your activated mailbox
    4 write your complete email – full name – city – state – zip.

    [link] Activate your email mailbox

    remember that you have only from 12 to 24 hour To activate your mailbox
    otherwise our system will block your E-mail account.

    to obtain more information you can get in touch with our services team through our E-mail
    [email address]

    This “security failure,” ironically, is what happens when the recipient falls for the ruse and clicks on the link to “activate” his/her email inbox.

    The link actually leads to an executable, Protecao.exe, hosted at hxxp://{BLOCKED} (the URL is defanged; hxxp stands for http). Protecao.exe is detected as TROJ_BANLOAD.FAF. Its main purpose is to connect to another URL on the same domain and download a file named plugin-security.exe. (It also contacts a further URL that is inaccessible as of this writing.)

    This 3MB file, plugin-security.exe, is Trojan spyware detected by our patterns as TSPY_BANKER.OIZ; it steals bank account information. Note that clicking the link in the spam brings up a dialog asking whether to Open, Run or Save the file. Once the user accepts the file, the downloader fetches the spyware without any further prompt.

    We advise Latin American users to be especially wary of this attack. Users are often more inclined to trust a message written in their native language, and that is exactly what makes this piece of targeted social engineering effective; as always, threatening mail of this kind should be deleted immediately. Note that Trend Micro will NEVER send email such as this.

    Legitimate communications typically carry the appropriate headings, company logos, and proper language. Another tell-tale sign that this email is not legitimate is that its link points directly to an executable.
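    The tell-tale signs listed above can be checked mechanically. The script below is an added example, not part of the original post or of any Trend Micro product: it parses a message, flags links whose path ends in an executable extension, flags links whose host does not belong to the domain claimed in the From header, and looks for the deadline and account-blocking language the spam uses. Both sample messages are constructed for the example; the host name activate-mailbox.example and the benign ticket message are placeholders, not the real infrastructure.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample modelled on the spam quoted above. The sender address
# imitates a trendmicro.com mailbox, the body links straight to an .exe and
# sets a 12-24 hour deadline. The host name is a placeholder, not the real one.
SPAM_EML = """\
From: Trend Micro Support <support@trendmicro.com>
To: victim@example.net
Subject: you may loose all your information as well as your e-mail
Content-Type: text/plain; charset=utf-8

Our servers have detected a security failure in your email account.
1 click on the link below
http://activate-mailbox.example/Protecao.exe
remember that you have only from 12 to 24 hour To activate your mailbox
otherwise our system will block your E-mail account.
"""

# Constructed benign control: the link stays on the sender's own domain and
# points at a web page rather than a binary.
BENIGN_EML = """\
From: Support <support@example.com>
To: customer@example.net
Subject: Your ticket has been updated
Content-Type: text/plain; charset=utf-8

Hello, ticket 1234 has a new reply: https://support.example.com/tickets/1234
"""

EXECUTABLE_SUFFIXES = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".msi", ".jar")
PRESSURE_PATTERNS = (
    r"\b\d+\s*(?:to\s*\d+\s*)?hours?\b",   # "12 to 24 hour"
    r"\bblock\b",                            # "will block your E-mail account"
    r"\blo+se all\b",                        # "loose all your information"
)
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def sender_domain(msg):
    """Domain of the From header, e.g. 'trendmicro.com'. Trivially forged."""
    raw = msg["From"] or ""
    m = re.search(r"<([^>]+)>", raw)
    addr = m.group(1) if m else raw.strip()
    return addr.rpartition("@")[2].lower()


def analyse(raw_eml):
    """Return the tell-tale signs found in one RFC 5322 message."""
    msg = email.message_from_string(raw_eml, policy=policy.default)
    domain = sender_domain(msg)
    part = msg.get_body(preferencelist=("plain", "html"))
    text = (msg["Subject"] or "") + "\n" + (part.get_content() if part else "")
    report = {"from_domain": domain, "executable_links": [],
              "off_domain_links": [], "pressure_phrases": []}
    for url in URL_RE.findall(text):
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        # Sign 1: the link downloads a binary directly.
        if parsed.path.lower().endswith(EXECUTABLE_SUFFIXES):
            report["executable_links"].append(url)
        # Sign 2: the link leaves the domain the From header claims.
        if host != domain and not host.endswith("." + domain):
            report["off_domain_links"].append(url)
    # Sign 3: deadline / account-blocking pressure language.
    lowered = text.lower()
    for pat in PRESSURE_PATTERNS:
        found = re.search(pat, lowered)
        if found:
            report["pressure_phrases"].append(found.group(0))
    report["suspicious"] = bool(report["executable_links"]) or (
        bool(report["off_domain_links"]) and bool(report["pressure_phrases"]))
    return report


if __name__ == "__main__":
    for name, sample in (("spam", SPAM_EML), ("benign", BENIGN_EML)):
        print(name, analyse(sample))
```

    The From header alone proves nothing, which is the whole point of this spam run: the sender domain is only used here as the baseline the links are compared against. In a mail gateway the same logic would sit behind SPF/DKIM results, and the executable-link check is the one worth acting on by itself, since no legitimate account notice links straight to a binary.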

    Trend Micro users need not worry: our Web Threat Protection technology cuts off the infection by detecting the attack-related files and blocking the malicious URLs, and our antispam definitions already filter this threat.

    What should you do if you are a customer and in the future receive an unexpected or suspicious email that appears to come from Trend Micro? The best course is to contact your local support representative or account manager to verify its legitimacy.

    Thanks to Threats Analyst Jose Lopez Tello for alerting us to this attack.

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice