The ongoing 2012 UEFA European Championship is the latest sporting event used by cybercriminals to lure users into their malicious schemes. So far, we have uncovered a malicious site with a domain name that copies the official UEFA Euro 2012 site and web pages leading to survey scam pages and ad tracking sites.
Malicious Domain Hosts Multiple Threats
While conducting proactive research, we spotted the site {BLOCKED}uro2012.com, which tried to mimic the official site http://www.uefa.com/uefaeuro/. Upon our investigation, this site actually hosts several malware, once of which is the FAKEAV variant TROJ_FAKEAV.HUU. Once executed in the system, this malware displays a supposed scan result of the infected system. This may prompt users to purchase the bogus antivirus program and activate the said product.
The FAKEAV “activation page” is actually a phishing page designed to trick users into giving out sensitive information. TROJ_FAKEAV.HUU was also found to disable web browsers (Internet Explorer, Mozilla Firefox, and Google Chrome).
This domain also hosts the file TROJ_DLOADR.BGV, which connects to three different URLs to download the ZBOT variant TSPY_ZBOT.JMO. ZBOT variants are notorious information stealers that target users online banking login credentials. To know more about the ZBOT/ZeuS variants, you may refer to Trend Micro research paper Zeus: A Persistent Criminal Enterprise.
Blackhat SEO Continues Its Streak
Cybercriminals also used the fight between Portugal and Czech Republic last June 21 as its social engineering ploy for Blackhat Search Engine Optimization (BHSEO).
When users searched the keywords “Watch Portugal vs Czech Republic Live”, the malicious site appears as one of the top search results. When clicked, users are redirected to a “video offer” page instead of a live video streaming of the game. If users choose the offer, it will unknowingly access affiliate sites that track user’s location and IP address. In doing so, scammers can earn money by using these details as page visits to their advertisements.
Another similar attack took advantage of the recent Italy vs. England fight. The site {BLOCKED} glandvsitalylivestreameuro2012online.com redirects users to http://www.{BLOCKED}og.com/2012/06/england-vs-italy-live-stream/, which supposedly offers a live video streaming of the event. In reality, the page will only lead users to a survey scam page, which eventually leads to affiliate and ad tracking sites.
UEFA 2012 Web Extension, Facebook Clicjacking
We also encountered a bogus Google Chrome extension hosted on Chrome Web Store. Based on our analysis, once users add the said extension to the browser and is launched, it redirects to the malicious site http://www.{BLOCKED}linetv.biz/livesports.php that also leads to affiliate/ad tracking sites.
Unfortunately, Facebook users were not spared from this threat as we’ve noticed several wall posts that purportedly lead to a video streaming page for the event. However, like the rogue web extension, the page too leads to affiliate sites that enable scammers to earn money from users’ visits.
Euro 2012 Spam Leads to Fake Pharmacy Site
Rik Ferguson also spotted spammed messages that use Euro 2012 team scores, as seen below:
Users who received email similar to the one above are warned not to click on the link as it leads to fake Canadian pharmacy sites peddling fake drugs.
Trend Micro Protects Users From These Threats
Trend Micro users are already protected from these threats via Smart Protection Network™, which blocks these malicious URLs and detects the related malware, as well as blocking the spammed messages. Using sporting events such as the UEFA Euro 2012 as bait to malicious sites is a popular social engineering technique, thus users should visit and bookmark reliable websites for their latest UEFA fix. To know more about web threats that target sports fans, you may read our FAQ entry Sports as Bait: Cybercriminals Play to Win.
Update as of 12:26 AM June 28 2012, PST Time
TROJ_DLOADR.BGV has been renamed to TSPY_ZBOT.BGV, which connects to specific URLs to download files.
