    Author Archive - Marco Dela Vega (Threats Researcher)

    Wouldn’t it be cool if you had immediate access to your favorite music and bands? What if these are readily available on your favorite social networking site?

    Unfortunately, spammers also find this cool. We recently noted messages and wall posts circulating on Facebook that promote a supposed new music player feature. Below is a screenshot of what these spammed messages typically look like.


    Posted in Spam

    Recently, my colleague Ryan Flores wrote about the sudden spike in demand for information that was triggered by the Japan earthquake and how it was met by cybercriminals with blackhat SEO attacks. The spike was evident as well in terms of search engine stats from Google and malicious URL traffic blocked by the Trend Micro™ Smart Protection Network™.

    After the blackhat SEO attacks that leveraged the recent earthquake in Japan, we went back and continued investigating the infection chains related to those attacks, and found some interesting trends.

    Monitoring the daily infection chain starting from search engine results pages, we found that each infection chain and its infrastructure did not remain static. Below is a screenshot for one instance of such an infection chain:


    We observed that cybercriminals used different malicious registered sites that changed as often as every 10 minutes. These malicious registered sites were embedded in doorway pages and rotated so frequently that different users may be redirected to different chains on every visit. The technique is used to evade traditional URL blocking of malicious sites.
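
    The rotation described above shows up in crawl data when the same doorway page is fetched repeatedly and its redirect target is recorded each time. The following is an added example, not code from the original post; the log format, the hostnames, the one-hour window and the three-host threshold are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed crawl log: (fetch time, doorway URL, URL it redirected to).
OBSERVATIONS = [
    ("2000-01-01T09:00", "http://doorway-a.example/news.html", "http://land1.example/scan/"),
    ("2000-01-01T09:10", "http://doorway-a.example/news.html", "http://land2.example/scan/"),
    ("2000-01-01T09:20", "http://doorway-a.example/news.html", "http://land3.example/scan/"),
    ("2000-01-01T09:30", "http://doorway-a.example/news.html", "http://land4.example/scan/"),
    ("2000-01-01T09:00", "http://blog-b.example/post", "http://cdn.blog-b.example/post"),
    ("2000-01-01T09:30", "http://blog-b.example/post", "http://cdn.blog-b.example/post"),
]


def visits_by_doorway(observations):
    """Group (time, landing host) pairs per doorway URL, oldest first."""
    grouped = defaultdict(list)
    for ts, doorway, landing in observations:
        host = urlsplit(landing).hostname or ""
        grouped[doorway].append((datetime.fromisoformat(ts), host))
    for visits in grouped.values():
        visits.sort()
    return grouped


def rotating_doorways(observations, window=timedelta(hours=1), min_hosts=3):
    """Return doorways seen redirecting to >= min_hosts hosts within one window."""
    flagged = {}
    for doorway, visits in visits_by_doorway(observations).items():
        for i, (start, _) in enumerate(visits):
            hosts = {h for t, h in visits[i:] if t - start <= window}
            if len(hosts) >= min_hosts:
                flagged[doorway] = sorted({h for _, h in visits})
                break
    return flagged


def first_sighting_block_rate(observations, doorway):
    """Share of later redirects caught by blocking only the first landing host."""
    visits = visits_by_doorway(observations)[doorway]
    later = [h for _, h in visits[1:]]
    if not later:
        return None
    return sum(h == visits[0][1] for h in later) / len(later)


if __name__ == "__main__":
    for doorway, hosts in rotating_doorways(OBSERVATIONS).items():
        print(doorway, hosts, first_sighting_block_rate(OBSERVATIONS, doorway))
```

    A block rate of 0.0 for the flagged doorway shows why blocking only the first landing host seen is ineffective here, and why the stable doorway page is the better thing to track.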



    For the last two decades, the RSA Conference has enabled some of the best minds in the security industry to gather and engage in valuable discussions. For engineers like me, however, one goes to security conferences to watch and soak up the industry talk and see real, compelling security issues as they are inspected from all sides. Here, new technologies and technology applications are dissected, connections are made, and secret stories are revealed.

    Is antivirus really, truly dead?

    Considering some truths already well-known to security practitioners, it may appear quite strange to see a panel entitled, “The Death of Signature-Based AV: How to Stop Today and Tomorrow’s Malware.” We already know that the malware volume is exponentially growing and that just as technology has evolved, the number of threats and the means by which they are delivered have also changed over the years. So, one-to-one signatures are no longer effective overall.

    The panel’s title perhaps expresses a final poke at the issue because we do know that the question about whether antivirus is dead has been summed up time and again by several security experts, including our very own Eva Chen in 2008, with a strong “yes.” Or maybe a qualified yes. After all, signature-based antivirus will continue to be a necessary but insufficient element of security measures. However, insofar as using it as the singular strategy to combat malware in the foreseeable future, its heyday is very much over.

    The panel comprised executives from some of today’s top security companies (Raimund Genes, Nikolay Grebennikov, George Kurtz, and Stephen Trilling) so anything that was to come out of the discussion would more or less carry some weight. True enough, all of the panelists were in agreement that a silver bullet solution for threats no longer exists. As Trend Micro CTO Raimund Genes said, signature-based technology is only good for system cleanup and in identifying the specific system modifications made in order to restore the system to its original state. Effective threat prevention today requires a more proactive combination of approaches that take various infection vectors into consideration.

    Enter: The cloud, etc.

    Similar thinking was evident in the overall theme of the tracks for this year’s conference. With cloud computing, virtualization and their various models and implementations, and the consumerization of mobile devices as the industry’s current major “new frontiers,” security experts and users alike need to keep up and take full responsibility for what data is transmitted, as well as when, where, how, and even why. Consider the entry to the cloud as an opportunity to challenge existing notions about security and to build security from the ground up instead of bolting it on as an afterthought.

    The discussion ended with the host asking the panelists if they think that after five years they will still be talking about the same topic. All agreed that malware will still be discussed. However, talks will focus more on malware that uses different technologies and attack vectors.

    As Arthur Coviello said in his keynote speech, we are only as good as the last attack we have withstood. Cloud computing works and it will continue to work as it becomes further integrated into the industry. It is no longer a question of whether the cloud can be trusted to do its job or not. The real challenge is protecting the cloud so it can do its job securely and can enable an effective ecosystem of trust.


    Facebook Security is the official Facebook page that the site uses to provide user-friendly security information that is particularly relevant to its users. However, it is now being used in phishing attacks.

    Spammed messages purportedly from Facebook Security are being sent to Facebook users. According to the message, the user’s account has been found to be suspicious and has been blocked. Facebook Security’s account was either accessed from an unknown location or was abused. The message then asks the user to verify and unblock the account by going to a site that turned out to be a phishing page.

    Another way users are targeted is via fake Facebook Security profiles. Many profiles appear to have been registered under the name “Facebook Security” with diacritic marks inserted.

    As in this case, be careful about opening messages and websites, even if they supposedly come from official sources such as Facebook Security. One can see that the messages and websites contained several glaring errors in grammar and punctuation, a common issue for phishing attacks in general, and something that should warn users that the site they’re visiting is not legitimate.


    Holidays, gifts, decorations, vacation packages… These are just some of the words that come to mind when we hear the word “Christmas.” These are also the words that we are most likely to use as search strings to find the best gifts, travel destinations, and holiday ideas on the Web. And because cybercriminals want to be wherever users are likely to be, search string combinations with these words are also what malicious users will poison. Just like legitimate businesses that hope to cater to every user’s need, cybercriminals will try to trick users into falling for their malicious ploys.

    This early, we already found bad links turning up in searches for holiday-/Christmas-related sites:

    • Christmas albums
    • Christmas decoration
    • Christmas e-cards
    • Christmas gadgets
    • Christmas package
    • Christmas travel
    • Holiday recipes

    The list above comprises just a small sample, however. Cybercriminals can easily add or remove search strings every minute in a bid to set up traps for early Christmas shoppers, bargain hunters, and well-wishing users.

    Poisoning search results in time for one of the most-celebrated holidays worldwide is certainly not a first and should already be expected. Like any other big event or holiday, Christmas is just another means for cybercriminals to spam and scam users into parting with their hard-earned cash or, worse, with their precious credentials.


    Instead of gift and travel bargains and ideas, of course, the sites we found either led to fake Adobe Flash Player updates or the now-infamous FAKEAV scan pages. Other users, on the other hand, may end up in spamdexing sites designed to increase the traffic to and the ranking of malicious sites.


    Though they say that Christmas is the season to be merry, it is also a time to be more wary. Users should be very careful of the sites they visit. Here are some best practices to follow on your online forays:

    1. If you have a fairly good idea what online e-commerce site you want to visit to do your shopping, directly type in its URL in the browser’s address bar to avoid stumbling upon bad links in search engines.
    2. Do not click suspicious-looking URLs even if these appear as top search engine results. Consider a link suspicious if any of its components (e.g., <protocol>://<domain>/<folder>/<file>?<parameter>) is made up of random characters.
    3. Read the overview of the search result (the set of text that appears right after the page title in bold). The search result can also be considered suspicious if the overview does not provide a sensible brief description of the site. A sure sign of blackhat-SEO-related sites is the presence of randomly stuffed keywords in the overview.
    4. Install a good URL-filtering program such as Web Protection Add-On that can be integrated into browsers.
    5. Keep in mind that the best things in life are hardly ever free. In fact, too many sites that advertise free stuff usually just give you free malware so beware!

    Find out what lurks behind spamdexing and doorway pages in the research paper, “The Dark Side of Trusting Web Searches: From Blackhat SEO to System Infection.”



    © Copyright 2013 Trend Micro Inc. All rights reserved.