    Author Archive - Maela Angeles (Fraud Analyst)

    The long-awaited London Olympics 2012 has officially opened. Apart from the fraudulent website that claims to sell tickets and another website that sells illegal cards to Japanese users, we also spotted several fake live streaming sites leveraging this sporting event. Some of these are the following:


    When users searched for the keywords “watch london olympics opening ceremony live,” “watch london olympics online,” and “watch london olympics 2012 live,” these websites appeared among the top search results as a result of blackhat search engine optimization (BHSEO).

    Upon analysis, some of these sites redirected to fake live broadcasts of London Olympics 2012 and contained a link for buying cheap albeit bogus tickets. The said URL has been previously discussed in this blog entry.

    Other fake live streaming sites redirect to another site requiring an email address. As such, cybercriminals can harvest email addresses, which may be used for their spamming activities.

    We were also alerted to reports of malicious websites disguised as the Google Play store. The webpage content is written in Russian and includes a search box. When users search for London Olympics-related applications, a rogue application named London2012-Official game appears. The site also contains a QR code and a download button. Once unsuspecting users click the download button, they are redirected to a web hosting site that serves a variant of the ANDROIDOS_SMSBOXER malware family. This malware is notorious for sending messages to premium numbers without the user’s consent.


    In the same bogus Google Play store, we also saw another rogue application (called The Dark Knight Rises mobile game) leveraging the movie, The Dark Knight Rises.

    Users are strongly advised to download apps related to the London Olympics only from the official Google Play store and to watch live streaming on legitimate sites only.

    Trend Micro™ Smart Protection Network™ protects users from these threats by blocking all the related URLs and detecting the malicious file.

    For more information on threats leveraging sporting events like the Olympics, visit Race to Security.

    Additional text provided by Fraud Analyst Paul Pajares.

    Hat tip to Jovi Umawing for first writing about the malicious Olympics-related app in Google Play store.


    Not long after we found sites offering rogue versions of Instagram and Angry Birds Space, another malicious site hosted in Russia was found peddling fake versions of Farm Frenzy 3. The perpetrators behind this fake app are hoping that users who are not discriminating enough will download their malicious version, which Trend Micro detects as ANDROIDOS_FAKE.DQ.

    If users try to play the said app, the malware displays the image below:

    Clicking the first button on the image triggers an SMS message to be sent to the premium numbers listed below:

    • 8883
    • 8887
    • 6151
    • 1
    • 2855
    • 9151
    • 9685
    • 9684

    In turn, affected users incur unnecessary charges for the said message. Unfortunately, paying fees for unauthorized messages is only half the problem for users. Choosing the said button also changes the display on the screen (see below), wherein choosing the top button may lead users to a malicious website.

    This incident is just one of several cases of Android malware we’ve seen spoofing popular apps. Aside from the previously mentioned bogus Instagram and Angry Birds Space, we recently uncovered malware that masquerades as an Adobe Flash Player app for Android OS.

    Trend Micro protects your Android OS phones via the Mobile Security Personal Edition app, which prevents access to these malicious sites and blocks the download of malicious .APK files onto mobile devices.

    To learn more about how to better protect yourself from these rogue apps and other threats targeting Android OS, you may read our comprehensive e-guide “5 Simple Steps to Secure Your Android-Based Smartphones”.


    TrendLabs℠ recently encountered a phishing email specifically targeting Standard Chartered Bank clients. The spammed message instructs recipients to log in to their online accounts and to visit the Secure Messages section to read a specific message. The email body includes an embedded link which, when clicked, leads to a phishing page.


    The use of bogus login pages has become a typical attack vector that phishers continue to use. Similar phishing attacks via spammed messages have been documented here in the Malware Blog:

    While this is an old trick, clients who visit the page may still unwittingly hand their bank credentials to cybercriminals. Users are thus advised to exercise caution at all times when opening email messages and clicking embedded links. Standard Chartered Bank likewise reminds its clients to be wary of online threats, including phishing attacks.

    Trend Micro™ Smart Protection Network™ already protects product users from this particular threat by preventing the spammed message from even reaching their inboxes via the email reputation service and by blocking access to the phishing site via the Web reputation service.

    Non-Trend Micro product users can also stay protected from malicious URLs by using free tools like Web Protection Add-On, a lightweight add-on solution designed to proactively protect computers against Web threats.


