Cybercriminals intending to take your data find various ways through social engineering. For example, in our investigation of what seemed to be a run-of-the mill spam run leading to a pharma site, we’ve uncovered the same points we have raised in our eguide, How Social Engineering Works.

The spam run starts as an email notification bearing the familiar Facebook blue lines, and the message itself wants the recipient to confirm their account. Such practice is nothing out of the ordinary, as most membership-based sites (even non-social networking ones) send users an email to confirm their membership. The problem in this case, however, is that the email address to which the message was sent to is not affiliated to any Facebook account.

Further checking on the spam message, it turns out that clicking on the link leads to a fake pharma site:

While this kind of spam run is certainly not new, further analysis has revealed that this run has the potential to lead to more “evil” kinds of payload.

Spam runs such as this one are versatile, and can lead to anything – from survey scams to the popular blackhole exploit kit, and can be changed from one to the other very quickly. So the fact that it loads a relatively “harmless” pharma site today, does not guarantee that it will do the same tomorrow.

Our investigation shows that this spam run is indeed a versatile one. The links in the spammed messages can be redirected to any number of sites, and these sites can lead to differenet kinds of threats such as malware, phishing attacks, and others.

In order to address this, the Trend Micro Smart Protection Network correlates billions of data that is used to actively identify and block spam, malicious URL, and detect and delete malware. This ensures layers of protections for Trend Micro product users against threats such as this one.

This month’s Microsoft Patch Tuesday release is the lightest month in the past year. Not only did Microsoft release just two bulletins, but also both bulletins are rated Important. The last time Microsoft released bulletins as few as two was in May 2011.

In focus this month are two cross-site scripting vulnerabilities found in Visual Studio Team Foundation Server and System Center Configuration Manager 2003 and System Center Configuration Manager 2007. All are used in businesses mainly to facilitate collaboration and consumerization, respectively. And businesses stand to lose when vulnerable products used in a large scale are not patched immediately. Attackers have been using cross-site scripting vulnerabilities in their arsenal, one of the reasons attacks were successful and widespread in 2011.

Trend Micro Deep Security users are protected from cross-site scripting attacks with the rule 1000552 – Generic Cross Site Scripting(XSS) Prevention, which shipped in 2007. The bulletins are further discussed in this Threat Encyclopedia page.

Coming Soon: The TrendLabs Security Intelligence Blog will be the new Malware Blog

This month, Microsoft issues nine bulletins that addresses a total of 15 vulnerabilities. Of the five bulletins rated Critical, three point to vulnerabilities found in core components in Windows.

Remote Desktop Protocol (RDP) and Internet Explorer version 6 to 9, both of which were updated in June, are again included in the critical-rated vulnerability list. A Windows print spooler vulnerability and Windows networking components vulnerabilities, rated Critical, are also patched this month. Another update to a Windows Common Controls file (MSCOMCTL.OCX) has been issued. Note that this file exists in a host of Microsoft applications – some of them are MS Visual FoxPro, MS Office, MS SQL Server. Back in April and May this year, another vulnerability (CVE-2012-0158) in MSCOMCTL.OCX was actively exploited by attackers. Some of the exploits were seen in targeted attacks.

Trend Micro Deep Security and OfficeScan with Intrusion Defense Firewall (IDF) plugin users are actively protected from exploits targeting these vulnerabilities via the rules that shipped out today. More information on the specific rule protection and the vulnerabilities are found in this Threat Encyclopedia page.

Coming Soon: The TrendLabs Security Intelligence Blog will be the new Malware Blog

Microsoft released nine bulletins yesterday, including a patch for MS Security Advisory (2719615), which Microsoft put out on the same day of last month’s bulletin release. Although we have not seen an increase in attacks utilizing the said vulnerability, we found several exploit codes and wrote detailed analyses on these.

Trend Micro Deep Security and OfficeScan with Intrusion Defense Firewall (IDF) plugin users have been protected since the advisory was put out. The rule 1005061 – Microsoft XML Core Services Remote Code Execution Vulnerability (CVE-2012-1889) actively protects from attacks attempting to exploit the Microsoft XML Core Services vulnerability.

In other vulnerability news, we are also shipping out the rule 1004968 – Microsoft .NET Framework Tilde Character Denial of Service Vulnerability that protects against possible attacks that may use the yet-to-be-patched Microsoft IIS tilde character vulnerability. The vulnerability may result in a denial of service (DoS) if successfully exploited.

More information on the bulletins and the corresponding Deep Security/IDF rules are found in this Threat Encyclopedia page.

As we mentioned last week, this month’s Patch Tuesday includes the release of what Microsoft calls as an updater feature for Windows Vista and 7. This updater flags and automatically checks untrusted certificates from time to time. The checking relies on a list of untrusted certificates that Microsoft updates. Trend Micro Deep Security users, on the other hand, must apply the rule 1005040 – Detected Unauthorized Digital Certificate to protect from components of FLAME malware, which were known to use Microsoft certificates.

Of the seven bulletins released this month, three are rated Critical while the rest are rated Important. The Critical-rates bulletins are updates for Remote Desktop Protocol, versions 6 to 9 of Internet Explorer, and several versions of Microsoft .NET Framework. Vulnerabilities mentioned in the said Microsoft products/components allow remote code execution when successfully exploited. Users should immediately apply patches, whenever possible, for these vulnerabilities.

As guidance for Trend Micro Deep Security users, a complete list of rules and information on the bulletins are found in this Threat Encyclopedia page.