Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Mobile Vulnerabilities

  • Zero-Day Alerts

  • Recent Posts

  • Calendar

    September 2015
    S M T W T F S
    « Aug    
  • Email Subscription

  • About Us

    Author Archive - Gelo Abendan (Technical Communications)

    While users are trooping to the cinemas to watch Iron Man 3, some may scour the Internet for bootleg copies or free movie streaming. Unfortunately, this gives the bad guys an opportunity to serve users with their dubious schemes.

    We conducted a simple Google query and found more than a hundred websites claiming that they provide movie streaming of Iron Man 3. (The movie has already opened in some countries but not the United States, making these claims more credible at first glance.) These supposed streaming sites use popular blog providers, with half of these sites using Tumblr.

    Figure 1. Half of the fake Iron Man 3 sites we found use Tumblr

    Once visited, these sites would ask users to download a video installer file. Based on our analysis, we found that this file was what it said it was – a legitimate video player. This particular video player has been known to display aggressive ads in the past, although we did not see that behavior this time. In addition, the player could be used to download and view pornographic materials.

    However, it’s still possible that these legitimate files would be replaced with malware at a later time. Thus, it won’t be a complete surprise if we find a malware-hosting webpage disguised as an Iron Man 3 streaming or downloading page anytime soon.

    Unsurprisingly, some bad guys have also used Facebook to spread links advertised as providers of free Iron Man 3 movie streaming. Users may encounter these as feeds on their Facebook page, together with a link to the said site. But once users click the link, they are redirected to several web pages until lead to another survey scam, not to mention spamming their Facebook contact with the same post. Other similar ruses we documented in the past include the “Facebook Profile Viewer” and the survey scam under the veil of the much talked-about Google Glass competition.


    Figure 2. Screenshot of page leading to survey scam

    Needless to say, these sites do not lead to the actual Iron Man 3 movie. Some of these sites, however, may ask users to register and ask for their credit card number, which is highly suspicious.

    High-profile summer flicks like Iron Man 3 are typical cybercrime baits because they have been effective in tricking users into visiting shady websites, including those the host malware and dabble in survey scams. Because of the clever use of social engineering tactics, users may end up falling into the bad guys’ traps. Thus, it is important to be aware of how social engineering works and be conscious with what you click and share on your Facebook and other social media accounts. Trend Micro blocks the related sites and domains related to this threat.

    We’re trying to make the Security Intelligence Blog better. Please take this survey to tell us how.

    With insights from Fraud analyst Paul Pajares.

    Posted in Social | Comments Off on Fake Iron Man 3 Streaming Sites Sprout on Social Media

    Patch-Tuesday_grayFor this month’s patch Tuesday, Microsoft released security updated to resolve nine bulletins, including a bulletin for two critical issues found in all versions of Internet Explorer on all supported versions of Windows (which includes Windows 8 and Windows RT).

    These issues received a critical severity rating, which means IT or security administrators should consider this bulletin high-priority. These issues affect all versions of Internet Explorer, from IE 6 to 10. If successfully exploited, these vulnerabilities could permit a possible attacker to execute a malware once user visits certain malicious website via Internet Explorer (or what we call drive-by downloads or attacks). The other IE issue may allow a successful attacker to gain the same rights or privileges that an affected user has. Fortunately, this may have less impact if victim has no administrator privileges.

    The other critical bulletin addresses a privately disclosed vulnerability in Windows Remote Desktop. Like the IE bulletin, this issue may allow a remote malicious user to execute malicious code onto the vulnerable system.

    Besides this month’s roster of security updates, Microsoft announced another major reminder, specifically its plan to stop supporting Windows XP and Office 2003 by April 8, 2014. Thus, we might be seeing less and less of updates for the platform until this deadline. To prevent any possible problems, Microsoft is encouraging its customers, who are still using Windows XP, to upgrade to a “more modern platform” such as Windows 7 and 8 the soonest possible.

    Read the rest of this entry »

    Posted in Vulnerabilities | Comments Off on April 2013 Patch Tuesday Includes Fix for Critical IE Issues

    The Internal Revenue Service (IRS) opened up the filing season on January 30, 2013 to help taxpayers prepare for the looming April 15 tax deadline. April 15 or colloquially known as Tax Day is when individual income tax returns are due to the federal government. Typical of cybercriminals, they have also prepared their own tax-related scams for taxpayers with scams that aren’t a far cry from the usual attempts.

    Tax-themed attacks usually arrive in the form of spammed messages claiming to be from the IRS or other government-related entities. In order to appear a little more convincing, the messages are crafted in order to intimidate and scare users into to acting on it immediately, without having the chance to verify whether the these emails are legitimate. Below are some of the common trends in tax-themed messages seen in 2012:

    • Rejected Federal Tax Transfer
    • Rejected Federal Tax Transaction
    • Rejected Federal Tax Payment
    • Federal Tax Payment returned
    • Federal tax transfer canceled
    • Federal tax transfer rejected
    • Federal tax transfer returned
    • Your IRS federal tax transfer is cancelled
    • Your federal tax transaction has been not accepted
    • Your transaction is cancelled
    • IRS report of not accepted tax bank transfer
    • Report of tax transaction decline
    • Report of tax bank transfer decline
    • Income Tax Refund CANCELED
    • Income Tax Refund RETURNED
    • Income Tax Refund TURNED DOWN
    • Income Tax Refund NOT APPROVED

    …And the list goes on. Notice that these messages are made to warn users of their “negligence” in terms of payment. Due to the serious penalty involved and to avoid any kind of scuffle with the law, people would naturally try to remedy the situation by clicking the links or downloading attached files, only because the email instructed them to.


    Figure 1. Detected phishing URLs related to the IRS

    Read the rest of this entry »

    Posted in Bad Sites, Spam | Comments Off on Cybercriminals Threaten Tax Day Once Again


    Some of the apps discussed in this blog entry were developed with an older adware SDK that did not contain opt-in provisions, particularly regarding the ability to collect information and display ads outside of the original app. The adware SDK has since been updated to this capability to comply with Google’s developer policies; apps that use this newer version are no longer considered high-risk.

    More details about this change can be found in our December 2012 Monthly Mobile Review: The Hidden Risk Behind Mobile Ad Networks.

    As expected, shady developers are now taking advantage of Candy Crush, one of the hottest gaming apps in both social networks and Android.

    Recently, Candy Crush grabbed the top spot from FarmVille 2 as the most popular gaming app on Facebook. This boost in popularity, however, has its perils. In particular, Candy Crush’s popularity made it the perfect target for dubious developers and cybercriminals who want to lure and profit from fans of the game – similar to what happened with other popular mobile apps and games like Instagram, Bad Piggies, and Temple Run in the past.

    In a development that surprised no one, we discovered fake Candy Crush apps online, proving that cybercriminals are indeed hoping to capitalize on the game’s current trending status. These apps contain code for the Leadbolt and Airpush ad networks; apps containing said code were some of the most prevalent found last year. (We detect these as  ANDROIDOS_LEADBLT.HRY and ANDROIDOS_AIRPUSH.HRXV.)

    Figure 1. Screenshot and notification of fake app

    While not inherently malicious, adware can be abused by cybercriminals for their own gains. Adware not only uses aggressive advertising tactics such as persistent notifications, but also collects information about the user. This could be construed as a violation of the user’s privacy.

    Read the rest of this entry »


    Patch-Tuesday_grayAfter releasing 12 security bulletins resolving a whopping 57 security flaws last month, this month’s Patch Tuesday is relatively light.

    For March, Microsoft unveils seven bulletins, in which four are rated Critical and three Important. Three of the bulletins deemed Critical may allow remote code execution, resulting to attackers installing malware onto unpatched systems. The other critical bulletin may permit possible aggressors to gain admin rights, basically giving them control over vulnerable machines.

    The first of these Critical bulletins addresses flaws found on Internet Explorer versions 6 to 10 for all versions of Windows, including Windows 8. In particular, Microsoft noted CVE-2013-2888 as its exploit code is said to be publicly available, giving possible attackers enough information to create working exploits in the near future.

    The other critical bulletins concern Microsoft Silverlight, Office and Server Software. Two bulletins tagged as Important, both for Microsoft Office, may lead to unwanted exposure of important and personal data. The last Important bulletin addressing vulnerability in Windows may lead to elevation of privileges.

    However, this month’s roster of bulletins does not address the IE 10 vulnerabilities found during the Pwn2Own hacking contest last week, in which researchers were able to pawn MS Surface Pro by way of these IE flaws. More importantly, abusing these zero-day vulnerabilities enabled them to fully compromise Windows 8 with sandbox bypass.

    Read the rest of this entry »

    Posted in Vulnerabilities | Comments Off on Microsoft Unveils 7 Bulletins for March 2013 Patch Tuesday


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice