    Archive for April, 2013

    Bitcoin is still in the news, even if it’s not exactly for the right reasons. From its peak value of $263.798 per bitcoin on April 10, it has since fallen to just over $100. That actually represents a recovery from its post-peak low value of just over $50. Clearly, the market for Bitcoins is… volatile.

    For those not in the know, Bitcoin is a new digital currency which is generated, or “mined”, by software solving computationally difficult problems. Cybercriminals have latched onto Bitcoin as well, as it represents another way to earn money (Bitcoins are exchangeable for real-world currencies like US dollars via various exchanges.)

    Since 2011, we have found various malware threats that try to use victim machines as Bitcoin miners, or steal users’ Bitcoins. One even tried to pass itself off as a Trend Micro component. Just this past week, malware exploiting the Boston Marathon bombing to spread turned out to be stealing Bitcoin wallets as well. Bitcoin exchanges have also been hit with frequent denial-of-service attacks, with the largest exchange (Mt. Gox) suffering from three DDoS attacks in April alone.

    For criminals, using infected systems as miners makes perfect sense, as using infected machines offloads the costs associated with Bitcoin mining, which can be significant. They would no longer need to purchase expensive graphics cards and/or application-specific integrated circuit (ASIC) chips. (Either one is necessary to mine Bitcoins with any reasonable expectation of profit.)



    No less than a day or so after we discovered the spam campaign taking advantage of the Boston Marathon bombing, we came upon yet another spam campaign, very similar to the previous one except this time it uses the Texas fertilizer plant explosion as a lure.  The fertilizer plant explosion occurred a mere few days after the tragedy in Boston, with 35 suspected dead and more than 160 people injured.

    What’s disturbing about the discovery of this particular campaign is not only that it comes hot on the heels of the previous one, but that the two seem eerily similar to each other. Upon further analysis, we’ve discovered that the malicious URLs that the spammed mails link to have identical structures, right down to the domains. Even their spammed mails are similar to each other.


    Fig 1. The Boston Marathon explosion spammed email


    Fig 2. Texas plant explosion spammed email

    The only thing distinguishing them from each other was the document file name that the URL led to, i.e. one URL from the Boston spam campaign led to “boston.html” while the one from Texas led to “texas.html”. It was as if the cybercriminals chose to capitalize on the latest tragedy by simply switching names. The malicious URLs, of course, lead to exploit landing pages that could compromise an affected user’s system.

    We’ve also noted certain Twitter accounts spreading links using keywords related to the MIT shooting in Boston. These links redirect users to various websites of dubious reputation (mostly adware or spam-related). Though we have yet to see these links redirect to any malware-hosting website, users must still be cautious with their social media activities.


    Figure 3. Tweets leading to various dubious sites


    Posted in Spam | Comments Off on Cybercriminals Quickly Take Advantage of Texas Fertilizer Plant Blast, MIT Shooting

    Besides the fake Facebook Profile Viewer ruse, we found another Facebook scam that lures users into downloading a fake Adobe Flash Player plugin. We noticed countless feeds pointing to a Facebook page with more than 90 million “likes”. For some, this huge number of Facebook likes may be enough for them to check the page out. It also means that the page is quite popular and may lead users into thinking that it is legitimate and harmless.

    Figure 1. Spammed Facebook post

    However, we verified that this figure of 91 million Likes is not true at all and is merely a social engineering lure. Once users visit the page, they are instead led to this site.


    Figure 2. Users are led to this site, which hosts a fake Adobe Flash plugin

    From the looks of it, the page is supposed to host an Adobe Flash Player plugin (detected as TROJ_FAKEADB.US). If a user downloads the plugin and is browsing the page via Google Chrome, the page will automatically close and a Chrome extension file is dropped. This extension file is detected as TROJ_EXTADB.US.

    Once installed, the malware will spam the same post using the affected user’s account (even tagging their friends in the message). Also, TROJ_EXTADB.US was found to send and receive information from certain URLs. We already block access to all the URLs related to this threat.


    Posted in Bad Sites, Malware, Social | Comments Off on Fake Page With “90 Million Likes” Leads to Fake Adobe Flash

    Facebook Home is now available for (some) Android devices, aside from its launch device, the HTC First. It is easy to understand this direction that Facebook has chosen to take. There are many users who would find something like Facebook Home useful and would like it: people who use their mobile devices primarily to connect with their Friends and share likes, updates, photos, and other such social activities.

    However, people are becoming genuinely concerned about how much of our data is ending up in the hands of Internet companies. Facebook Home doesn’t collect new types of information that existing apps don’t already collect, as their officials went to some length to explain. The concern, though, is that they said nothing about the quantity of data that will be gathered. This in and of itself is of great value to Facebook; increasing the amount of data to correlate can only “improve” what Facebook knows about its users.

    What we would suggest is for people to be genuinely mindful and thoughtful about what they do share online. Do you really have to share that photo? Do you really want to send this status update out into the public, where future friends, partners, and employers will be able to find it down the road? A good way to moderate the sharing of information is through privacy scanners (which we offer for free in Google Play, and which are a built-in feature in Trend Micro™ Titanium™ Security), but of course the users’ mindset would play a crucial part.

    One more thing to consider is how companies will treat our data if it’s no longer in use. Google recently released the Inactive Account Manager, which lets Google know what to do with your data if you’re no longer accessing Google. While the advertised use is for someone’s death, it could easily be used for less morbid uses. In this case, if you want Google to forget about you, just stay away for at least three months. Google deserves kudos for steps like these, and other companies would be well encouraged to follow suit.

    In the end, users should remember one thing: nothing ever goes away on the Internet.


    Posted in Mobile, Social | Comments Off on Being Mindful About What You Share

    Within a short time period of less than 24 hours, cybercriminals have already taken advantage of Monday’s explosion at the Boston Marathon as a newsworthy item. My colleague Mary Ermitano-Aquino noted a spam outbreak of more than 9,000 Blackhole Exploit Kit (clarification below) spammed messages, all related to the said tragedy that killed at least three people and injured many more. Some of the spammed messages used the subjects “2 Explosions at Boston Marathon,” “Aftermath to explosion at Boston Marathon,” “Boston Explosion Caught on Video,” and “Video of Explosion at the Boston Marathon 2013” to name a few. Below is a spam sample she found:

    Figure 1. Sample spam email related to the Boston marathon blast


    The spammed message only contains the URL http://{BLOCKED}/boston.html, but once you click it, it displays a web page with an embedded video, supposedly from YouTube. At this point, users who click the link may have already downloaded malware unknowingly, in what is known as a drive-by download attack. Here’s a screenshot of the web page with the embedded video:

    Figure 2. Malicious web page with the embedded video




