Sometime near the start of the year, we noticed that the old malware family TSPY_USTEAL resurfaced. This information stealing malware now includes new routines including malicious packers, obfuscation, and bundling ransomware.

TSPY_USTEAL variants were seen in the wild as early as 2009, and is known to steal sensitive information like machine details and passwords stored in browsers. It can act as a dropper, dropping plugins or binaries in its resource section. The stolen information is stored in an encrypted .bin file, which is uploaded to a C&C server via FTP. This was part of the behavior of the previous variants, and continues on in newer variants.

A newer variant that we detect as TSPY_USTEAL.USRJ, drops ransomware—detected as TROJ_RANSOM.SMAR—on affected systems. These ransomware files are created by a new toolkit builder that gives the attacker full control over the ransomware’s behavior, from the types of files it will encrypt to the ransom note to be displayed.

We detect this toolkit as TROJ_TOOLKIT.WRN. Below are the features translated from Russian to English. Included are the file types to be encrypted, the ransom note, the appended extension to encrypted file, and the name of the dropped copy of the encoder.

Figure 1. Translated ransomware toolkit
(Click image above to enlarge)

The ransomware, TROJ_RANSOM.SMAR, drops a copy of itself in the user’s machine. It then encrypts certain files with the same icon and extension name. For example, it can add the extension .EnCiPhErEd on selected extension names like .LNK, .ZIP, etc., as marker. Next, it drops an image file containing the ransom details.

Figure 2. Ransom note

When encrypted files are accessed, it shows the ransom note along with the contact details to retrieve the password. The retrieval method may either be through a text message or an email. Next, it displays a message asking for the password. If password given is correct, it decrypts and restores the encrypted files to its original form. Consequently, the ransomware file deletes itself. On the other hand, if the password is incorrect and the number of attempts has reached the pre-set limit, it displays the error message shown below. It then searches for files to encrypt (besides the already-encrypted files) and deletes itself afterward.

Figure 3. Error message

This particular combination of threats is worrisome because it steals your credentials and information while the ransomware extorts additional money from the victim by encrypting their files. It’s highly probable that the malware author wanted to wring a fortune out of the victim, extorting any leftover funds from the same victim with the use of ransomware.

Feedback from the Trend Micro Smart Protection Network shows that there was a spike mid-April for TROJ_RANSOM.SMAR, with the United States as the affected country . Trend Micro protects users from all threats releated to this attack.

With additional analysis from Adremel Redondo and Nazario Tolentino II

We’ve seen “get Twitter followers” scams in the past, but a recent one stood out for a very good reason: it actually delivers what it promises—and then some.

This scam tries to attract potential victims by using tweets with the phrase “GET MORE F0LL0WERS” and a URL that is apparently from Google. (In this particular case, Google is just used as a redirector to the scammer’s site.) It also uses Twitter’s Discover feature and trending topics to boost its visibility. It also uses tweets that mention random Twitter users.

Figure 1. Sample tweets promoting the site

When users click the link in the post, they will be redirected to a “get free followers” site. The site offers two options—a free and a premium service. The free option requires users to authorize a Twitter app named “LAAY PAAY” created by the scammers; this will grant them access to the user’s Twitter account. After the user is returned to the scam site from the app authorization process, the site will show a “processing” page. The user will gain random Twitter followers, including those with private accounts.

The premium service boasts new followers per minute, no ads, and instant activation. This service costs five euros and can be paid via PayPal.

Figure 2. Choice between the free or premium service

What’s the catch? Yes, they get new followers, but these followers are other users who signed up for this service as well. By agreeing to the service, their accounts will also be used to follow other accounts as well.

In addition, spam tweets will also be sent from the victim’s Twitter account. Even paying five euros will not stop these spam tweets. Note that to get more followers you have to log in repeatedly (otherwise you drop off the “list”), repeating the whole cycle.

Figure 3. Service confirmation page

Gaining access to Twitter accounts and sending spam tweets is not the only goal of the scammers here. They also load various advertising-laden affiliate sites in the background, in order to gain pageviews and thus, revenue for the owners of the ads.

We’ve seen 35 separate domains in this attack, all of which lead to an IP address hosted in the United States. The US also accounts for almost 70% of this site’s visitors, based on Smart Protection Network feedback. Other countries in the top 5 include Turkey, New Zealand, Britain, and the Philippines.

Users are encouraged to avoid clicking links on social media posts unless the source can be verified. Users should also avoid giving access to their social media accounts unless the sites are established and well-known.  Lastly, they should always remember that “free” services often aren’t. They may ask for something in exchange, be it information or access to accounts.

Trend Micro blocks all URLs related to this scam. Twitter has suspended some accounts that were involved in this attack, and spammed tweets have also been removed.

According to news stories, Apple is now the most valuable brand in the world. One party that would agree: cybercriminals, who are now targeting Cupertino in increasing numbers.

Earlier in the year, the number of identified Apple phishing sites would only be in the hundreds per month, as seen in the chart below:

Figure 1. Number of identified Apple-related phishing sites

Some cases of these Apple-related threats just use Apple as social engineering bait. For example, here, the need to “verify” one’s Apple products or services is used to phish email services:

Figure 2. Phishing site

As we noted earlier this year, Apple ID itself is now being targeted for theft. For users of all Apple products – whether they be Macs, iOS devices, or just the iTunes store – the Apple ID is a key ingredient in how they use these products. For example, it can be used to control the data stored in your iCloud account, make purchases of both music and apps, and even manage your iOS or Mac device.

Not only that, users from all over the world are being targeted. For example, this phishing site is in French:

Figure 3. Apple ID phishing site

Unsurprisingly, the number of phishing sites seems to spike in months where Apple-related rumors are high as well. For example, the month with the most identified sites – May – was also the month when iOS 7-related rumors were most prevalent, particularly before its June announcement at the Apple Worldwide Developer Conference.

Similarly, June itself saw many rumors related to what became the iPhone 5c. The same was true for the succeeding months, up until the new generation of iPhones was launched on September 20.

It would appear that cybercriminals are using Apple-related rumors as a gauge of potential interest from users/victims and increase the number of their attacks as needed.

This growth in Apple-related threats highlights how Apple users, far from being safe, are continuously targeted by threats today as well. We discuss these problems in more detail in the eguide Why Macs Need Security.

Summer movies are highly anticipated by the moviegoers, because Hollywood traditionally releases its biggest blockbusters during this season. Fraudsters are relentless in creating fake streaming sites, not just on the screening date of these movies, but also before the release of movies in theaters.

The next two charts show which movies are most popular with attackers, as well as where these fake sites are hosted.

Figure 1. Commonly used summer movie titles

Figure 2. Popular hosts for fake streaming sites

How do these scams work? Cybercriminals want to lead users to download video players or sign up for streaming sites via affiliate links. Alternately, they may want to lead users to more traditional survey scams.

Figure 3. Fake streaming sites infection chain

The attackers use various social media sites like Facebook, Google+, Youtube, LinkedIn, and many others to drive users to the fake streaming pages.  These are hosted on blogging services like Tumblr, WordPress, and Blogger.

Most pages on these blogs have shortened URLs that lead to the final sites we talked about earlier. Because they used the services of URL shorteners, we were able to view the number of visits per selected movie. It appears that Man of Steel, Fast and the Furious 6 and Iron Man 3 got the highest number of viewers. This data is for a two-month period from late April up to the end of June.

Read the rest of this entry »

Phishers appear to have concentrated their fire on a relatively new target: Apple IDs. In recent days, we’ve seen a spike in phishing sites that try to steal Apple IDs.

Upon looking at the URLS, we noted that there was a consistent pattern to the URLs of these phishing sites. They are under a folder named ~flight. Interestingly, trying to access the folder itself will load the following page:

Technically, the sites were only compromised, but not hacked (as the original content was not modified). It’s possible, however, that the sites may be hacked or defaced if the site stays compromised.

As mentioned earlier, the directory contains pages that spoof the Apple ID login page fairly closely:

We’ve identified a total of 110 compromised sites, all of hosted at the IP address 70.86.13.17, which is registered to an ISP in the Houston area. Almost all of these sites have not been cleaned.

The graph above shows the increase in phishing sites targeting Apple IDs. We’ve seen attacks targeting not only American users, but also British and French users. Some versions of this attack ask not only for the user’s Apple ID login credentials, but also their billing address and other personal and credit card information. It will eventually result in a page that states that access has been restored, but of course the information has been stolen. One can see in the sample page below how it asks for credit card information:
Read the rest of this entry »