Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Mobile Vulnerabilities

  • Zero-Day Alerts

  • Recent Posts

  • Calendar

    September 2015
    S M T W T F S
    « Aug    
  • Email Subscription

  • About Us

    Author Archive - Karla Agregado (Fraud Analyst)

    In continuing our research on scams that offer free followers to Instagram users, we found out that similar services for other social networks are also available online.

    Among those that we found is this particular Russian site that comes off as a one-stop-shop for those looking to purchase followers, likes, retweets, and other activities for social networks like Twitter, Google+, Facebook, and Instagram.

    Figure 1. Scam site selling followers for different social networks

    The required payment would depend on the number of followers, retweets, or likes preferred. The payment process requires the customer to transact via payment sites like and (for mobile users).

    Figure 2. Payment options for buying followers, retweets, or likes

    In the end, as with the other cases we’ve reported, no followers, retweets, or likes is provided to the customer, only the risk of information and money theft.

    This comes as an easy way for cybercriminals to make money, since influence in social media depends greatly on the number of followers an entity has. This type of scheme works, as many users are being lured by the idea of acquiring a huge number of followers in a very short amount of time, and with almost no effort at all.

    That said, it is important to note to those who are interested in employing such services that doing so leads to more harm than good. This scheme has been consistent in terms of duping users, regardless of whether they offer Instagram followers for free, or for a paid amount. With this, we recommend users to not employ such schemes. These services either just scam their customers by not delivering their promised service, or actually deliver, but do so through dubious means (usage of malicious scripts or botnets).

    The site reported above is already blocked by the Trend Micro Smart Protection Network to protect users from being victimized.

    Posted in Bad Sites, Social | Comments Off on From Fame to Shame: Busting the “Free Followers” Myth in Social Media

    Another scam site is offering to increase a user’s Instagram followers. Unlike previous attacks, however, these sites require payment – with the amount depending on the number of followers you prefer.

    Figure 1. Pricelist for Instagram followers

    Despite the site’s liberal use of the Instagram logo, it has nothing to do with the service. It has a reservation form that asks for user’s name, e-mail address, telephone number, and payment information. Even if you try to fill-up the form using a dummy account it will accept the any information that the user inputs. It even has information about the site itself, as well as a FAQ page.

    Figure 2. About page

    Figure 3. FAQ page

    In the end, however, not only does the user not get the promised followers, he has handed over his personal information to scammers. This particular site has a .RU domain name, was only registered earlier this year, and is also hosted in Russia; in fact it is one of many malicious Instagram-related domains on the .RU country top-level domain. These sites are already blocked in order to protect Trend Micro customers from these threats.

    Instagram’s recent introduction of video means that more users may be looking at using the already-popular service. Users should keep in mind that all offers of added followers – whether it be free or paid – are likely scams that will steal the user’s information, money, or both.

    Posted in Bad Sites, Social | Comments Off on Scam Sites Now Selling Instagram Followers

    The popular photosharing app Instagram is the latest social networking site targeted by the ubiquitous survey scams seen on Facebook and Twitter. This time, we found that these survey scams may also lead users to download an Android malware.

    I found the following accounts who wanted to ‘follow’ me on Instagram. This is the standard if your Instagram account is set to private. While checking these requests, the security researcher inside me noticed something off with some of the accounts.


    Figure 1. Screenshot of Instagram request

    To validate my suspicions, I checked the page of these Instagram accounts and noticed that they all posted this “Get Free Followers!” photo. This post reminded me of the Pinterest free items promo survey scam we blogged in the past.


    Figure 2. Get Free Followers Post on Instagram

    Another thing that I found dubious is that these Instagram followers have repetitive account names like “Tawna Tawna” and “Concetta Concetta”.


    Figure 3. Screenshot of sample spamming account

    Given these suspicious signs, I then checked this “Get Free Followers” picture (which is actually clickable) and was lead to this page that supposedly offers the “Get Followers” app. This app is detected by Trend Micro as ANDROIDOS_GCMBOT.A, which can be used to launch malicious webpages or send SMS from the device.


    Figure 4. Page offering ‘Get Free Follower’ app

    Whether users download the said app or not (in my case, I tried to), in the end they are redirected to your run-of-the-mill survey scams. Since Instagram can also be accessed via a PC, we tried to access the malicious website and survey scam using a desktop. Fortunately, this ruse didn’t work.

    Cybercriminals profit from these survey scams via ad-tracking sites, which users are redirected to before the actual survey page. Plus, these bad guys can also use the data gathered from these scams by either peddling them to other cybercriminal groups or using them in their future schemes.

    Facebook, Pinterest, Tumblr, and now Instagram. The people behind these scams are jumping on every popular networking sites and potential engineering hooks like the Google Glass contest. To protect yourself against this scam, you must always double-check posts on your social media accounts, even if they come from friends, family members, or known acquaintance. Caution is your best defense. Trend Micro protects users from this threat by blocking the related URLs.

    To know more about how these scammers (or online crooks in general) use and benefit from your data, you can check out our infographic How Cybercriminals Are Getting Better At Stealing Your Money.

    We’re trying to make the Security Intelligence Blog better. Please take this survey to tell us how.

    Posted in Mobile | Comments Off on Get Free Followers! on Instagram? Get Free Malware, Survey Scams Instead

    In the past few weeks, many WordPress blogs have been under a large-scale brute force attack. These attacks use brute-force techniques to log into WordPress dashboards and plant malicious code onto compromised blogs and websites.

    It’s important to note what these attacks aren’t. They are not compromising WordPress blogs using known vulnerabilities in unpatched versions; if anything this current attack is less sophisticated than that – it merely tries to log into the default admin account with various passwords. If it is successful in logging in, it adds code for Blackhole Exploit Kit redirection pages to the blog.

    We have been monitoring these attacks, and we can confirm that they are indeed taking place. Because they add distinctive URLs to the blogs they have compromised, we can identify the scale of this attack, as seen by the Smart Protection Network.

    Over a one-day period, we identified more than 1,800 distinct sites that had been compromised by this attack. This represents a significant increase over the typical number of compromised WordPress sites that we encounter over the same period, highlighting the increased activity related to this particular campaign.

    Read the rest of this entry »

    Posted in Bad Sites | Comments Off on Brute-Force WordPress Attacks Affect Thousands of Sites

    The truth about the Facebook Profile Viewer is simple: it doesn’t exist.

    You can check every Facebook page or app available, but you can be 100% sure that each one that says “See who viewed your profile!” or “Who’s stalking you?” is just a ruse for Facebook users to reveal their passwords or spread spam. How do they do this? Clickjacking is a surefire way. In a typical clickjacking attack, cybercriminals hide malicious content under the guise of legitimate pages and may use malicious JavaScript to load content from third-party sites, all in a few clicks.

    But what happens if cybercriminals turn to different and newer techniques? Having users type in commands on their keyboard would be a real game changer. Here’s how:


    A closer look at a comment within a spammed wall post showcases the start of a different strategy for spammers this time around.


    Once you click the link on the comment box, it will redirect again to Facebook Log in Page with Pinterest.


    Once logged in, the site redirects to another malicious URL that claims to be “Official Facebook Profile Viewer.” Clicking the ‘Get Started’ button redirects to image with keyboard shortcuts with instructions for users to carry out.

    Read the rest of this entry »

    Posted in Social | 1 TrackBack »


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice