Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Recent Posts

  • Calendar

    March 2015
    S M T W T F S
    « Feb    
  • Email Subscription

  • About Us
    TrendLabs Security Intelligence Blog(breadcrumbs are unavailable)

    Author Archive - Feike Hacquebord (Senior Threat Researcher)

    In our recently released report, Operation Pawn Storm, we talked about an operation that involved three attack scenarios. For this post, we will talk about the third scenario: phishing emails that redirect victims to fake Outlook Web Access login pages.

    What’s most notable about this is that it is simple, effective, and can be easily replicated. Through one line of simple Javascript code, the millions of Outlook Web Access (OWA) users are placed at risk of becoming a victim of a clever but simple phishing attack. No exploits and vulnerabilities are used here. A feature of JavaScript, the preview pane of Microsoft’s OWA and two typo-squatted domains are used. We have seen this kind of phishing attack being used against US defense companies like Academi (formerly known as Blackwater), SAIC and the OSCE.

    How it works

    To target defense company Academi, the attacker registered two typosquatted domain names:

    1. tolonevvs[dot]com (real news domain: (news site about Afghanistan))
    2. academl[dot]com (real company domain:

    A link to the typosquatted domains are then sent to Academi through spear-phishing emails — to a very limited number of employees who might actually expect to receive email notifications from

    When the target opens the email through the preview pane of Microsoft Outlook Web Access and clicks on the typosquatted domain, a new tab will be opened which loads the original news site. From the target’s perspective, their browser will look like this:


    Figure 1. The real news site opened in a new tab after clicking the typosquatted domain (Click to enlarge)

    This may seem harmless, but there is more to this than just an opened tab to a news site. The typosquatted domain actually contained a mildly obfuscated JavaScript code:


    Figure 2. JavaScript code in the typosquatted domain,

    This JavaScript is not malicious because it simply sets the windows open property to point to a URL:

    window.opener.location = “hxxps://mail[dot] academl[dot]com/owa/auth/logon.aspx?replaceCurrent=1&”

    What this means is that the legitimate URL of the original OWA session in the first tab of the browser gets changed to the URL of the fake OWA server set up by the attacker, which in this case is mail[dot]academl[dot]com. When the victim is done with reading the news and he returns to his OWA session, he will see this:


    Figure 3. Phishing site opened in the original OWA tab

    At this point, the target is likely to believe that while reading the news on the legitimate website, the OWA server logged him out. The truth, however, is that if the target enters his/her credentials again, his/her information will then be captured by the attacker.

    For the complete details on the attacks we saw using this technique, please check out our paper, Operation Pawn Storm.

    Not Limited to Operation Pawn Storm or OWA

    Although we did see this technique used in a certain operation, basically any company having an OWA web server is at risk becoming a victim of this kind of phish attack. Even two factor authentication might not prevent a one-time complete download of the mailbox of the victim. The only safe way to prevent this kind of attack is to turn off the preview pane in OWA.

    Users of other web mail services than OWA are also are at risk. For example, we verified that Gmail users who read their e-mail in Safari, and Yahoo e-mail users who read their e-mail in Safari or Firefox could become victims of a similar phishing trick. Users are strongly recommended to be very careful when entering their information into login pages, and to make sure that they are logging into the correct site and not a typosquatted one.


    An iPad with a retina display, a blue iPhone and a Beats by Dr. Dre headphone set, please.

    This may read like a Christmas wish list of a spoiled child, but there’s more: a red dot aimpoint for a rifle, six high-end hard drives from Intel, a GPS rescue device for sailors. These are uncommon requests for Santa Claus to receive, even from adults. This list is real though, and part of a much longer wish list of money launderers who instruct mules to ship expensive goods to Russia.

    We’ve been following a group of cybercriminals who launder stolen money in a couple of ways.  Typically, a money mule receives a wire transfer from a compromised account. Then, he is instructed to send the money overseas, using a legitimate money transfer system like Western Union. The other method they use tricks Internet users into believing they are going to work for a legitimate company that ships expensive goods like iPhones out of the US. In reality, these users will start to work for cybercriminals.


    Figure 1. Typical reshipping fraud site

    They are asked to receive expensive equipment at their US home address and then ship these goods to a second address, which is also in the US. From there, the goods are repackaged and sent to an address in Russia by a second mule. Initially, the mules are requested to pay the costs of the shipments themselves. After 10 successful shipments, they supposedly can reimburse expenses and are promised an extra bonus on top of their base salary. We think these reimbursements and salary payments never happen.

    Internal documentation of the money launderers suggests that their employees are indeed not treated very well. First, they are described as “drops” and second, they cannot expect to keep their job longer than 20 days. An internal note says: “the optimal time to work with a drop is 20 days.  An order made close to or after 20 days is not likely to succeed.” After 20 days the drops get dropped themselves.

    This cynical way of using throw-away workers extends to Russia. All steps for dealing with the drops in the West are clearly written in Russian documentation, which we were able to download. This documentation could be for a cybercriminal who cannot memorize a thing, but we think they are meant as a guideline for temporary Russian-speaking personnel that constantly get renewed, just like their unfortunate colleagues in the US. Also, somebody has to be on the receiving end of the parcels that are sent to Russia and the Ukraine. It is likely these workers are temporary and get replaced when the money launderers think they pose a risk to their operations.

    The internal documentation of the money launderers clearly explains in Russian how to instruct drops in the West. A new drop should first complete a test order. If that doesn’t happen within 5 days, the drop is considered “dead”. All goods that get ordered should be worth more than $300. Internet users who realize they got hired as drops for illegal purposes are clearly marked as “not trustworthy” or “not willing to work”: no parcels should be sent to them.

    In table 1 we summarized the items that were shipped by a couple of hundreds of mules. In total, shipped items are worth about $500,000 and as far as we can tell, all parcels were either sent to a suburb of Moscow or to Kiev, Ukraine.


    Table 1. Money Launderers’ list of popular items

    The money launderers seem to take special orders too. Some months ago, they shipped hundreds of aimpoints for close range combat. These aimpoints are the more expensive red dot models for which export restrictions apply. More recently, numerous GPS units are being shipped to Russia. For these units there are export restrictions as well. Because of the export restrictions, the aimpoints and GPS units could be sold at a premium outside the US by the money launderers.

    These launderers have an extensive network of reverse proxies where they host their mule recruitment sites. Trend Micro’s Smart Protection Network blocks these sites, so that customers won’t become a victim of reshipping fraud.

    Posted in Bad Sites | Comments Off

    Four men were arrested a week ago in the Netherlands for spreading the so-called TorRAT malware. This malware only targeted Dutch speaking users and utilized the Tor for is command and control (C&C) servers. Its primary goal was financial theft from online banking accounts. Our Threat Encyclopedia entry for TROJ_INJECT.LMV provides a more in-depth description of the malware. Users fell victim to this threat by clicking fake invoices in specially crafted spammed messages. These invoices did not have the usual grammar and spelling errors like the ones in typical spam runs sent by fellow con men who are not native speakers.

    Leave No Trace

    The Dutch threat actors were careful in hiding their tracks. As mentioned earlier, they used Tor hidden C&C servers. They had a account for e-mail communications and they used underground crypting services to evade detection from antivirus software. The digital currency Bitcoin was used to launder their stolen money and make payments to fellow cybercriminals.

    These made investigation into the identity of the actors difficult; however, the Dutch National High Tech Crime Unit (NHTCU) was able to arrest them. We don’t know exactly what fatal errors the gang made, but we know that just a couple of mistakes on their end can reveal their true identities.

    Masked and (Not So) Anonymous

    We have been following the gang for some time and we were able to draw a few useful conclusions. The first obvious one was that we were really dealing with a native Dutch speaker. Looking at one of the 300+ malware binaries the gang has spread, we believe they made use of an Armenian crypting service called “SamArt”. Crypting malware makes detection by antivirus companies more difficult, but when you want to hide your identity, contact with a third-party tool puts you at risk. In addition, during the fall of 2012, some of the C&C servers were not hosted on Tor hidden services, but in a Turkish data center.

    More importantly, the gang faced a classic problem, which their pre-Internet fellow thieves have also faced: stealing money is the easy part. Getting stolen money in your pocket as your own is the difficult part. It is relatively straightforward to manipulate bank transactions on an infected computer. But you need mules for laundering stolen money. The Dutch gang allegedly laundered money through bitcoin transactions and even set up their own bitcoin exchange service, FBTC Exchange that went dark after the arrests.

    Buying a service from a crypting service, using, and recruiting and abusing money mules puts cybercriminals at risk of getting caught. A single error can lead to the unraveling of the whole cybercrime operation. Tor offers a high degree of anonymity, but Tor tools are not immune to data leaks.

    Additionally, at some point the bad actor has to appear from behind the Tor curtain to put stolen assets to actual use. This means that the cybercriminals hiding behind Tor are not untraceable per se. This was proven by the recent arrest of the operator of Silk Road, an underground marketplace for illegal drugs. The Silk Road owner used Tor, but was caught by the FBI by a thorough investigation of bits of evidence left on the Internet.

    The Mevade botnet, responsible for a sudden increase of Tor users in August 2013, was traced back by us to be the work of a Ukrainian/Israeli adware company. And now, the Dutch NHTCU has tracked down a gang who abused Tor for stealing money from Dutch Internet users. We congratulate our friends at NHTCU with this great and impressive result.

    Posted in Malware | Comments Off

    Since August 19, 2013, there has been remarkable growth in the number of Tor users, which caused much speculation. Was August 19 the starting date to run en masse from the NSA’s PRISM project? Were European internet users downloading the latest American cable TV series via Tor only, thus overcoming blockades of sites like the Pirate Bay by European ISPs? Neither was very likely, so some thought a botnet abusing the Tor network to hide its command and control server must be the reason of the sudden increase of Tor users.

    Yesterday, Fox-IT published evidence for this plausible explanation. The Mevade malware family downloaded a Tor component, possibly as a backup mechanism for its C&C communications. (We will release a second blog post describing in more detail the behavior of the Mevade variants we have encountered.)

    Feedback provided by the Smart Protection Network shows that the Mevade malware was, indeed, downloading a Tor module in the last weeks of August and early September. Tor can be used by bad actors to hide their C&C servers, and taking down a Tor hidden service is virtually impossible.

    The actors themselves, however, have been a bit less careful about hiding their identities. They operate from Kharkov, Ukraine and Israel and have been active since at least 2010. One of the main actors is known as “Scorpion”. Another actor uses the nickname “Dekadent”. Together, they are part of a well organized and probably well financed cybercrime gang.

    We strongly associate these actors with installations of adware and hijacking search results. Therefore, we suspect that one of the ways the Mevade botnet is monetized is by installing adware and toolbars onto affected systems. In fact, we have seen Mevade downloading adware. Adware and toolbars might seem less harmful than e.g. data stealing malware, but the reality is that there is a lot of money to be made in fraudulent advertising.

    We would also like to point out that Mevade also has a backdoor component and communicates over SSH to remote hosts. Therefore, the risk for data theft is still very high.

    Posted in Bad Sites, Malware | Comments Off

    Hacktivism and crime is a toxic combination for the health of the Internet. This was shown once again in the recent DDOS attack against that peaked at 300 Gbit/s. Spamhaus is a non-profit anti-spam organization that helps to filter spam for millions of Internet users. When Spamhaus goes down a lot of inboxes will be flooded with spam.

    The DDOS attack was allegedly orchestrated by a Dutch webhosting company called Cyberbunker and CB3Rob. This webhosting company has roots in the hacker scene and has hosted Wikileaks and the Pirate Bay in the past. Cyberbunker claims to have a datacenter in a former NATO bunker in the Netherlands. It is not clear whether that is still true today, and what exact role Cyberbunker had in the DDOS attack against Spamhaus. The owner of Cyberbunker/CB3Rob does act as the spokesman of an attack that tries to blast a company away from the Internet as if that is a normal job. Here is where so called hacktivism on the Internet has derailed totally. The boundary between crime and hacktivism has been blurred. A reality check for Cyberbunker is in order.

    Spamhaus claims that Cyberbunker/CB3rob is among the worst webhosting companies in the world. We do see problems ourselves too, but we wouldn’t rate CB3Rob as the worst webhosting company. However, CB3Rob claims that it will host anything except things related to child abuse and terrorism. This may be inspired by an idealistic view that anybody should have an uncensored access to the Internet and inspired cybercriminals as well. This is where hacktivism meets crime – a toxic combination.

    A good illustration that crime corrupts hacktivsm is that the network of Cyberbunker has been used in a BGP hijack of an IP address of a DNS server of Spamhaus ( The DNS servers of Spamhaus are a vital part of its antispam protection. The hijack was an attempt to inject lots of false positives into the spam reputation system of Spamhaus. Though this hijack did not cause a lot of damage as most networks did not accept the hostile BGP announcement, the intention was clear: someone using Cyberbunker/CB3Rob’s network tried to sabotage the spam reputation system of Spamhaus. It does not resemble hacktivism, but rather resembles crime.

    Read the rest of this entry »



    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice