Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Mobile Vulnerabilities

  • Zero-Day Alerts

  • Recent Posts

  • Calendar

    September 2015
    S M T W T F S
    « Aug    
  • Email Subscription

  • About Us

    Author Archive - Noriaki Hayashi (Senior Threat Researcher)

    We found a spam mail written in Japanese leveraging the Olympics to sell illegal products. We fully expected this event to be used by cybercriminals to profit. It appears that among the first to strike are sellers of B-CAS cards for TVs, which are supposed to allow the users to watch the Olympics without paying.

    These spammed messages – which have the subject line オリンピック全日程が見放題 (translated as Free access to all Olympic games in English) – have a link which leads to websites selling the illegal B-CAS card. The message itself says that normally, you have to pay more than 400,000 Japanese yen (more than 5,000 US dollars) per year in order to watch premium channels. Instead, the (illegal) B-CAS cards allow you to watch these channels for free.

    The website of these illegal cards describes these cards as “miracle cards” in Japanese:

    The order form – which asks the user for their name, email address, number of cards to be bought, shipping address, and contact information – does not use HTTPS, which all reputable vendors use to secure the transaction from possible interception. Not only is the site selling illegal goods, it’s set up in an insecure manner for any online commerce site.

    We have identified the server as being located in Hong Kong because of its IP address. Other landing pages for sites also selling B-CAS cards are located on this server as well.

    Here are some of the malicious URLs that we found on the server:

    • http://www.{BLOCKED}.com/
    • http://www.{BLOCKED}
    • http://www.{BLOCKED}
    • http://www.{BLOCKED}
    • http://www.{BLOCKED}
    • http://www.{BLOCKED}
    • http://www.{BLOCKED}
    • http://www.{BLOCKED}
    • http://www.{BLOCKED}
    • http://www.{BLOCKED}
    • http://www.{BLOCKED}
    • http://www.{BLOCKED}
    • http://www.{BLOCKED}
    • http://www.{BLOCKED}
    • http://www.{BLOCKED}
    • http://www.{BLOCKED}
    • http://www.{BLOCKED}
    • http://www.{BLOCKED}

    Note that the above URLs are all hosted on a single IP. The following diagram shows the relationship between the various sites and this single IP address, as well as the overall infection chain:

    The Trend Micro™ Smart Protection Network™ protects users from this threat by preventing the spammed messages from even reaching users’ inboxes via the Email Reputation Service. It also blocks access to malicious sites via the Web Reputation Service. We have blocked more than 2,500 attempts from Japanese users to access these sites for the last 30 days.

    We advise users to not purchase anything from these sites, as they could face criminal prosecution for merely buying these devices. Recently, the Kyoto Prefectural Police announced they had arrested both buyers and sellers of illegal B-CAS cards.

    With the Olympics only days away from starting, we expect other threats related to this event soon. Here are some blog entries and Web Attack entries that discuss similar threats:

    Web Attack Entries

    Malware Blog entries

    For complete information on the latest Olympic-themed threats—including quizzes and safety guides, you can visit Race to Security, the Trend Micro security guide to major sporting events such as the Olympics, by clicking the banner below:

    Related posts:

    Posted in Bad Sites | Comments Off on Illegal TV Cards Allowing Free Olympic Viewing Sold Online

    In the past we’ve reported about one-click billing fraud schemes starting to target smartphone users. The scheme, as its name suggests, tricks a victim into registering and paying for a certain service after being falsely led to a specific website. The past attack we saw involved a website wherein target victims were asked to pay for a certain amount in order to prevent their information from being sent to an adult site.

    We’ve found a similar scheme, but this time it specifically targets Android users through a malicious app.

    The attack is triggered by a blog site that features videos showing gamers playing. The said blog, called “Game Dunga”, has changed its domain three times in the past. In the previous versions, there were a lot of links leading to the game-playing videos (not only adult content). The current one, however, (the third generation) includes links leading to only adult contents.

    Trying to view any of the videos triggers a pop-up asking the user to download a malicious app detected as ANDROIDOS_FAKETIMER.A. ANDROIDOS_FAKETIMER.A gets the Android user account information, and sends them as to a certain URL as parameters for the following methods:

    • getAccounts() method – to acquire Gmail account information managed by the affected users’ devices.
    • getDeviceID() method – to acquire the SIM information of the affected devices
    • getLine1Number() method – to acquire the mobile number of the affected devices.

    The information gathered by these methods is sent to the cybercriminals.

    ANDROIDOS_FAKETIMER.A also displays a pop-up window that shows the message “We haven’t received your payment. Therefore, based on our policy, we will have to charge you if you have not paid yet.”

    ANDROIDOS_FAKETIMER.A also displays the information it stole in order to build credibility for it self, and better convince the victim to pay the amount.

    App usage for this one-click billing fraud gives the scheme a level of persistence that was not evident before. In past schemes, the routines were mostly executed through a malicious website, and closing the browser would stop the attack. For this, however, since the one responsible for the routines is an app installed in the device, the prompts asking for the user to pay are shown repeatedly. We studied the code and found that the pop-up is set to show every 5 minutes.

    Should users encounter a similar site, they are advised to leave the site immediately and not click any links to avoid getting victimized. Smart Protection Network already blocks the related URL via our Web Reputation technology and detects the malicious application.

    For more information on other mobile threats, as well as tips on how to keep one’s device safe, please check our Mobile Threat Information Hub.


    One-click billing fraud, a scheme known for targeting PC users in Japan, now appears to target smartphone users as well.

    The scheme, as its name suggests, tricks a victim into registering and paying for a certain service after being falsely led to a specific website. Instances of successful attacks have been increasing in Japan since 2004, which already amounts to 903 inquiries to the Information Technology Promotion Agency Japan in November 2009.

    A typical attack involves a spam sent to the victim, which includes a link to a website that hosts free videos. The website lists videos with sensational titles to catch users’ attention. Trying to view any of the video displays a trailer, which explains why viewing it is free.

    Click for larger view

    Once the trailer ends, a link that says “view more” is displayed, which the users must click to supposedly see the video they originally wanted to view. Instead, users are redirected to a page that they should register first to in order to become a member and are told to pay a fee. The window that informs users to pay will continuously be displayed on the screen unless they pay the said amount.

    Click for larger view

    Read the rest of this entry »

    Posted in Mobile | 1 TrackBack »

    Today’s social media sites like Twitter and Facebook can be convenient tools for users to easily get the information they want. Such sites can easily satisfy users’ desire to know more, especially in the wake of life-changing events.

    In the case of the recent disasters in Japan, hash tags related to victims’ safety, rolling blackouts, and public transportation, which were spontaneously created helped provide information at the time and continue to be effectively utilized.

    Click for larger view

    However, users should keep in mind that there is a lot of fake information mixed in with facts. There are a lot of cases wherein people simply accepted information as truth, leading to unnecessary anxiety and inadvertently contributing to the spread of lies. To help prevent such cases, we would like to share some tips on how to verify the sources of Tweets.

    The Jackie Chan Hoax

    Just recently, false news about the untimely death of the famous actor made the rounds online. According to the hoax, Jackie Chan died of a heart attack, prompting fans from all over the world to post related Tweets. A bogus news site Yahoo!7 News was used in this attack, effectively redirecting users to the malicious URL{BLOCKED}.html. The website was created using a hosting service known as PasteHTML, which allows users to anonymously register sites.

    Read the rest of this entry »


    Earlier today, we found a phishing site that poses as a donation site to raise money for the victims of the recent earthquake in Japan. The phishing site http://www.japan{BLOCKED}.com is created by using an open-source social networking system Jcow 4.2.1. It is hosted on the IP address 50.61.{BLOCKED}.{BLOCKED}, which is located in the United States. We’ve confirmed that the site is still active as of this writing.

    Click for larger view Click for larger view

    Aside from hosting a phishing site, the cybercriminals behind this attack also abused the blog function of the website and inserted advertisement-looking posts, possibly to increase the site’s SEO ranking.

    Click for larger view

    Read the rest of this entry »



    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice