I wrote a blog entry last week about fraudulent websites that scam users into purchasing tickets to the much-anticipated FIFA World Cup in Brazil. Just recently I found another threat that used the FIFA World Cup as a social engineering hook, this time it involves a banking Trojan.

Banking Trojans are popular in the Latin American region so this threat seems rather timely considering the World Cup fever. Customers of an online ticketing website received an email that supposedly offered an opportunity for participating in a raffle. However, what’s surprising about this email is that it contains the recipient’s personal information—the same data that the recipient entered when they registered. See the email screenshot below:

Figure 1. The email content claims that the recipient is eligible for a raffle entry for World Cup tickets that will be activated by clicking on a link.

The link embedded in the email leads to a file download at a legitimate file-sharing service called Pastelink.me. Cybercriminals took advantage of the site’s database leak to spread banking Trojans. The downloaded file is detected as TROJ_BANLOAD.SM5, a banking Trojan in CPL format.

The ticket site has published a notification on their website about these spammed messages. The message in the screenshot below translates to “Important Announcement. Alert: Fake E-Mail disguised as World Cup. There are fake e-mails circulating that offer World Cup tickets and are disguised as originating from (name of site). This promotion doesn’t exist.”

Figure 2. Site notification

How did spammers get a hold of the registered users’ data?

Notice that the spammed message contained accurate user data, which included their full names, addresses, birth dates, gender and email address. How was this possible?

In response to a customer complaint, the ticketing site said the user data used in the spammed message did NOT come from their systems. The screenshot below is from a user complaints website, which clarifies this to their registered users. The screenshot below translates to: “Dear customers, the promotion offering World Cup tickets are fake and the data used in the spam did not come from our systems. The case is already handled by the authorities.”

Figure 3. Customer notification

Who’s to blame?

If the leaked data did not come from the site, then who’s to blame? The answer to this remains unknown as there is no legal obligation in Brazil that mandates companies to notify the public about possible or confirmed data breaches. In the event of a possible data breach, it is only recommended for companies to notify individuals when it comes to consumer data (in which the website’s registered users are considered consumers). Additionally, there no existing laws in Brazil that deal specifically with data transfer.

While much of the developed countries (such as in the case of the European Union) seem to be acting quickly to protect users’ personal data, incidents such as these highlight the importance for privacy laws in countries like Brazil. Just last April, the government in Brazil passed a law that can protect user privacy. With less than 2 weeks away, the upcoming 2014 FIFA World Cup is constantly generating a lot of buzz from both avid sports fans and cybercriminals looking to make a quick buck so we can expect more attacks in the coming weeks.

Trend Micro protects costumers by blocking the download URL of associated files, command-and-control (C&C) servers, file hashes and e-mail origin IPs.

The Race to Security hub contains aggregated TrendLabs content on security stories related to major sporting events. We’ll soon be featuring the 2014 FIFA World Cup.

Update as of 6:20 AM, June 4, 2014

The hashes involved in this attack are:

• a20336caf34540b17fa183bc270bd970a5f0d0a8
• 15049a31611d6d45c443f40cd1f2afc4c1883e25
• 56514a897da0c6901da295fe7f8dad290cf3b4dd
• 4958174fba26b72073473102611f423619f231bc
• 35cc21cad064da44f4036da7567302abd1f31b0e
• 532956b88a6b6c300de2cd413ae41199aa143d07

As the 2014 FIFA World Cup Brazil draws near, we are seeing more threats using the event as bait. We recently talked about cybercriminals in Brazil taking advantage of the event to spread malware, but we’ve found that the threats have gone beyond that: we’ve spotted fake FIFA websites selling game tickets.

One of the sites we found even have different subdomains for different countries, as shown in the diagram below:

Figure 1. Multiple subdomains of scam site

(Click above image to enlarge)

For the site meant for visitors from Brazil, would-be fans can buy a ticket for the final Game for  8,630.20 reais (or just under 3,900 US dollars). This price is almost 4000% higher than the official price on FIFA’s website.

At a Brazilian complaints site, a user reported that he bought three tickets for the Portugal versus Germany match from this site, but hadn’t received any tickets yet. The victim also claims that this scam site left no phone number to be contacted. Another complaint on the same site says the only way for the scammers to be contacted is via chat or email.

Figure 2. Screencap of the complaint

The domain name was registered last May 27, 2013, with no clear owner. However, it was registered in Spain. As for its hosting, it is hosted on a major cloud service provider. The Brazilian site accepts payment via a legitimate online payment service with offices in São Paulo, Brazil.

This scam is an example of how different legitimate services (hosting, domain registration, online payment system) can be used fraudulently to scam victims around the globe.

We protect our customers by blocking the fraudulent sites we encountered here. We also would like to remind users not to visit scam sites like these, and remember that only FIFA is authorized to sell tickets for the World Cup games.

The Race to Security hub contains aggregated TrendLabs content on security stories related to major sporting events. We’ll soon be featuring the 2014 FIFA World Cup.

Last month, we published a blog post describing how Control Panel malware was being distributed via malicious attachments to Brazilian users. We have continued to look into these threats, and we have now released a research paper titled CPL Malware: Malicious Control Panel Items covering the structural aspects of CPL files and how criminals are using it to spread malware mainly in Brazil.

Currently, this particular threat is being commonly used to spread banking malware in Brazil. Typically, these users are sent financial-themed mails that contain a link to a malicious compressed file. When the contents of this file are uncompressed, the user sees several the malicious .CPL file(s).

Figure 1. Typical CPL Malware Behavior

In terms of analysis, looking at a CPL file is essentially identical to a DLL file. However, unlike the latter, it is automatically run when double-clicked. This makes it similar to EXE files; however uneducated users may be more likely to try to execute CPL files if they do not know any better. Most CPL malware from Brazil were written in Delphi, which is a popular programming language in the country.

In Brazil, CPL files are used for banking malware almost as frequently as EXE files, with both file types combining for almost 90% of the banking malware seen in Brazil from March to November 2013. For the past two years (2012 and 2013), we have detected approximately a quarter million CPL malware in the country. It is currently a significant problem for Brazilian users and organizations.

Google Code is Google’s official open source site meant for developers to host their program’s source code and related files, mostly in text format. However, using our sourcing system in Brazil, we were able to capture a malware written in Java that downloads BANKER malware from a recently created project called “flashplayerwindows”. Of course, this bogus project has nothing to do with Adobe.

The said file (detected as JAVA_DLOAD.AFJ) is a compiled file that downloads and execute the “AdobeFlashPlayer.exe”, which we have verified to be malicious (detected as TSPY_BANKER.VIX, renamed from TROJ_BANLOAD.JFK). Once executed, this Trojan connects to Google Code to download other files. The people behind this threat may have uploaded these files to the said Google Code page, which notably include BANKER variants. These malware are notorious for stealing banking and email account information. Typically, they perform their data stealing routine by using phishing sites spoofing banking sites to lure users into disclosing information. Once they gather these data, they can use these to initiate unauthorized transactions such as money transfers.

Previously, BANKER malware were seen hosted on compromised Brazilian government sites, which affected users from Brazil, the United States, and Angola. Another fraud project containing malware was also discovered, which goes to show that similar threats might still be out there.

Besides the danger of the BANKER malware, this use of a well-known site like Google Code provides a good cover-up for cybercriminals. The malware being hosted in an official Google website means that downloading the malware will be encrypted with valid SSL certificates, which can bypass traditional security technologies. Because Google is a legitimate and reputable domain, traditional reputable services may not prevent the downloading.

If this threat seems familiar, it’s because this abuse of open-source project sites has been done before. Last June, we blogged about GAMARUE variants being hosted on SourceForge, which like Google Code, is popular among developers and users alike.

This incident shows that as we have predicted for 2013, legitimate cloud providers like Google Code are likely to come under attack this year. With services like Google Code are likely to increase traction among users, we can expect that similar cases will appear (and increase) in the coming days. Trend Micro protects users from this by detecting and deleting these BANKER variants.

As of this writing, the said files are no longer available on Google Code.