Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Recent Posts

  • Calendar

    April 2014
    S M T W T F S
    « Mar    
  • About Us
    TrendLabs Security Intelligence Blog(breadcrumbs are unavailable)

    Author Archive - Paul Pajares (Fraud Analyst)

    Despite the presence of the legitimate Google Play app store, cybercriminals are still hooking users by distributing malicious Android games themselves. Now, they’re taking advantage of a list of best-selling Android games.

    As before, the criminals have created .RU domains for each Android game they’re (supposedly) distributing. Links to these domains will spread via forum or blog posts, as well as email. Here’s a full list of the games that are being used by this new wave of mobile malware:

    If you look closely at the above list, you can see the wide selection of targeted apps. These include newly developed games like Cut the Rope: Experiments and Amazing Alex; Editor’s Choice apps like World of Goo, Shadowgun, Sprinkle, Where’s My Water, Osmos HD, Riptide GP and Angry Birds Space Premium. Many of these are top sellers as well.

    Aside from best-selling games, some popular movie franchises like The Amazing Spiderman and The Dark Knight Rises are also being exploited, even if the actual games themselves don’t exist. Here’s the page for the supposed Spiderman game:

    All of the download links in these pages actually redirect users to a separate site, where the malicious APK files are actually hosted. Some of the sites in question also include QR codes, although these lead to the same files. (We detect these files as ANDROIDOS_SMSBOXER.B.) This particular malware family is notorious for abusing premium services numbers, which may result in high phone charges for the user.

    Trend Micro customers are now protected by blocking the malicious URLs and detecting the files via the Smart Protection Network. In particular, Trend Micro Mobile Security for Android also detects these malicious apps, preventing their installation on mobile devices.

    As we mentioned earlier, these particular attacks against Russian Android users are not new. Previous attacks have claimed they were websites for Angry Birds Space, Farm Frenzy 3 and Temple Run. (We have compiled a Web Attack entry discussing these threats as well.)

    Posted in Bad Sites, Malware, Mobile | Comments Off

    The ongoing 2012 UEFA European Championship is the latest sporting event used by cybercriminals to lure users into their malicious schemes. So far, we have uncovered a malicious site with a domain name that copies the official UEFA Euro 2012 site and web pages leading to survey scam pages and ad tracking sites.

    Malicious Domain Hosts Multiple Threats

    While conducting proactive research, we spotted the site {BLOCKED}, which tried to mimic the official site Upon our investigation, this site actually hosts several malware, once of which is the FAKEAV variant TROJ_FAKEAV.HUU. Once executed in the system, this malware displays a supposed scan result of the infected system. This may prompt users to purchase the bogus antivirus program and activate the said product.

    Read the rest of this entry »

    Posted in Bad Sites, Malware, Social, Spam | Comments Off

    The continuing increase in visitors to the Pinterest site may be a primary reason why it’s becoming a hit for cybercriminals’ scams and schemes. In March, we spotted scammers using popular brands to lure users into “pinning” fake posts that led to surveys scams. This new wave of survey scams I found came from my search using “pinterest” as keyword.

    Users who re-pin the posts from the sample above will most likely spread the post.

    In addition, I also spotted posts using URL shorteners such as and When clicked, the shortened URLs/the fake posts lead to any of the following URLs:

    • http://pinterest.{BLOCKED}
    • http://pinterestgift.{BLOCKED}
    • http://pinterests.{BLOCKED}

    Upon clicking the link, users are redirected to a Pinterest-like webpage offering prizes, vouchers, gift cards and others:

    Made to resemble like a typical Pinterest webpage, the fake site features a search field, add+, an about. However, these are mere images and are not clickable. The clickable links are those that redirect to survey scams such as Body Age Quiz.

    After a user fills out the fields required in the scam page, users are also required to enter their mobile numbers. Users who do provide their numbers will receive a code on their mobile phones and will continue to receive unwanted messages, charges and other scams via text message.

    And Via Email, Too

    Another thing I’ve noticed is that the fake site requires an email address:

    Users entering their email addresses are brought to complete several steps to get the supposed offer. Users receive an email claiming to be from Pinterest. The email urges the user to click on the link found in the message body to confirm the subscription. Clicking on the link redirects the user to a Pinterest-like scam page. Again, all the clickable links lead to the same scam pages.

    Upon closer investigation of these attacks, I noticed that before users are redirected to the fake Pinterest sites, the connection passes through ad-tracking sites. This way, the number of visitors are tracked, determining the supposed earnings of the scammers. Based on our data, the fake Pinterest URLs are being visited since May 2. Fake Pinterest posts hosting scams are likely to spread within Pinterest via users who re-pin the posts. The “offers” in these fake Pinterest posts look enticing after all. Plus, some users would want to ask the rest of the Pinterest community to verify such offers, like this user.

    Pinterest has since removed some of the fake Pinterest posts. Trend Micro users are also protected from these scams by the web reputation technology in our Smart Protection Network™.

    Posted in Social | Comments Off

    We’ve recently found a server that hosts a great number of sites that are used to launch mobile malware, targeting Android OS and Symbian (specifically the J2ME platform).

    The server, located in Germany, is managed by a hosting provider known as a haven for cyber criminals.

    We found a total of 1,351 websites hosted on the said server and categorize the sites into five segments based on the type of guise they use for the distributed malware:

    • Android Market apps
    • Opera Mini/ Phone Optimizer apps
    • Pornographic apps (sites were unavailable during time of checking)
    • App storage sites
    • Others (sites that were inaccessible during time of checking)

    As for the unavailable sites, it seems that the attacker is still setting them up, or has permanently taken them down. The domains listed under App storage sites, which hosts Apps featured in the other domains, are inaccessible. However, the hosted Apps were still up thus making them available for download through the Android Market App and the Opera Mini/Photo Optimizer App sites.

    The sites under Android Market apps displayed a website very much similar to the legitimate one. They feature popular applications like WhatsApp, Facebook, Facebook Messenger, Barcode Scanner, Skype, Google Maps, Gmail, YouTube, and others. The files downloaded from such sites are now detected as ANDROIDOS_FAKENOTIFY.A.

    On the other hand, the sites that feature download links for Opera Mini and Phone Optimizer lead to J2ME_SMSSEND.E - a malware that can run on devices that support MIDlets.

    Read the rest of this entry »


    Looking for cheaper iPhone 4S this holiday season? Be wary, because cybercriminals can trick you into giving out your online financial credentials. We’ve recently found a phishing attack that specifically targets users who are out to purchase an iPhone 4S through eBay.

    The attack involves domains that display replicated eBay posts for iPhone 4S units. The screenshots below show a sample of the fake page, and the original eBay post from which the content was copied.

    Click for larger view Click for larger view

    There are some differences between the two pages. For example, the real post uses US dollar as its currency, while the fake post uses Euro. The price in the fake one is also dramatically cheaper. You’ll also notice that the post the cybercriminals chose to replicate is one by a seller with a good reputation, to gain the trust of potential victims.

    The fake eBay pages are hosted on domains that are followed by / in order to trick users into thinking that it is the real eBay domain. All the links in the fake page will lead to the legitimate one, except for the “Buy It Now“. Clicking “Buy It Now” leads to a fake login page that asks users to enter personal information.

    Read the rest of this entry »



    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice