
Cybercriminals Kick Off UEFA Euro 2012

  • Posted on: June 25, 2012 at 9:55 am
  • Posted in: Bad Sites, Malware, Social, Spam
  • Author: Paul Pajares (Fraud Analyst)

The ongoing 2012 UEFA European Championship is the latest sporting event used by cybercriminals to lure users into their malicious schemes. So far, we have uncovered a malicious site with a domain name that copies the official UEFA Euro 2012 site and web pages leading to survey scam pages and ad tracking sites.

Malicious Domain Hosts Multiple Threats

While conducting proactive research, we spotted the site {BLOCKED}uro2012.com, which tried to mimic the official site http://www.uefa.com/uefaeuro/. Our investigation found that this site actually hosts several pieces of malware, one of which is the FAKEAV variant TROJ_FAKEAV.HUU. Once executed on the system, this malware displays a supposed scan result for the infected system. This may prompt users to purchase the bogus antivirus program and activate the product.

The FAKEAV “activation page” is actually a phishing page designed to trick users into giving out sensitive information. TROJ_FAKEAV.HUU was also found to disable web browsers (Internet Explorer, Mozilla Firefox, and Google Chrome).

This domain also hosts the file TROJ_DLOADR.BGV, which connects to three different URLs to download the ZBOT variant TSPY_ZBOT.JMO. ZBOT variants are notorious information stealers that target users' online banking login credentials. To know more about the ZBOT/ZeuS variants, you may refer to the Trend Micro research paper Zeus: A Persistent Criminal Enterprise.

Blackhat SEO Continues Its Streak

Cybercriminals also used the match between Portugal and Czech Republic on June 21 as a social engineering ploy for blackhat search engine optimization (BHSEO).

When users searched for the keywords “Watch Portugal vs Czech Republic Live”, the malicious site appeared as one of the top search results. When they clicked it, users were redirected to a “video offer” page instead of a live video stream of the game. Users who choose the offer unknowingly access affiliate sites that track their location and IP address. Scammers earn money by counting these details as page visits to their advertisements.

A similar attack took advantage of the recent Italy vs. England match. The site {BLOCKED}glandvsitalylivestreameuro2012online.com redirects users to http://www.{BLOCKED}og.com/2012/06/england-vs-italy-live-stream/, which supposedly offers a live video stream of the event. In reality, the page only leads users to a survey scam page, which eventually leads to affiliate and ad tracking sites.
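The hostnames described in the two sections above share a naming pattern: event or brand terms, a team-vs-team fixture and streaming words on a domain that is not uefa.com. The following added example (not code from the original post or from Trend Micro) scores hostnames in web proxy logs for that pattern; the log format, the `.example` hostnames, the term lists and the threshold are constructed assumptions.

```python
from urllib.parse import urlsplit

OFFICIAL = {"uefa.com"}                    # official site named in the post
EVENT_TERMS = ("euro2012", "uefa")
LURE_TERMS = ("live", "stream", "watch", "online")
TEAMS = ("portugal", "czech", "italy", "england")  # fixtures named in the post
THRESHOLD = 2                              # assumed cut-off for analyst review

# Constructed proxy log lines: timestamp, client, method, URL.
SAMPLE_LOG = """\
2012-06-24T18:40:02Z 10.0.0.5 GET http://www.uefa.com/uefaeuro/
2012-06-24T18:41:10Z 10.0.0.7 GET http://englandvsitalylivestreameuro2012online.example/
2012-06-24T18:41:55Z 10.0.0.7 GET http://uefa.com.example/setup.exe
2012-06-24T18:43:31Z 10.0.0.9 GET http://news.example.org/sport/euro2012-preview
""".splitlines()

def score_hostname(host):
    """Score a hostname for event-themed lure naming; returns (score, reasons)."""
    labels = host.lower().rstrip(".").split(".")
    # Assumption: registrable domain = last two labels (no public-suffix list).
    if ".".join(labels[-2:]) in OFFICIAL:
        return 0, []
    # Drop the TLD and separators so "uefa-euro2012" and "uefaeuro2012" match alike.
    name = "".join(labels[:-1]).replace("-", "")
    score, reasons = 0, []
    if any(t in name for t in EVENT_TERMS):
        score += 2
        reasons.append("event/brand term on a non-official domain")
    if sum(t in name for t in TEAMS) >= 2 and "vs" in name:
        score += 2
        reasons.append("team-vs-team fixture in hostname")
    if any(t in name for t in LURE_TERMS):
        score += 1
        reasons.append("streaming lure term")
    return score, reasons

def triage(lines):
    """Return [(host, score, reasons)] for log entries at or above THRESHOLD."""
    flagged = []
    for line in lines:
        fields = line.split()
        host = urlsplit(fields[3]).hostname if len(fields) >= 4 else None
        if not host:
            continue
        score, reasons = score_hostname(host)
        if score >= THRESHOLD:
            flagged.append((host, score, reasons))
    return flagged

if __name__ == "__main__":
    for host, score, reasons in triage(SAMPLE_LOG):
        print(score, host, "; ".join(reasons))
```

Only the hostname is scored, so a legitimate news article with the event name in its path is not flagged, while a host that merely embeds the official domain as a leading label is.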


UEFA 2012 Web Extension, Facebook Clickjacking

We also encountered a bogus Google Chrome extension hosted on the Chrome Web Store. Based on our analysis, once users add the extension to the browser and launch it, it redirects them to the malicious site http://www.{BLOCKED}linetv.biz/livesports.php, which also leads to affiliate/ad tracking sites.

Unfortunately, Facebook users were not spared from this threat as we’ve noticed several wall posts that purportedly lead to a video streaming page for the event. However, like the rogue web extension, the page too leads to affiliate sites that enable scammers to earn money from users’ visits.

Euro 2012 Spam Leads to Fake Pharmacy Site

Rik Ferguson also spotted spammed messages that use Euro 2012 team scores, as seen below:

Users who received email similar to the one above are warned not to click on the link as it leads to fake Canadian pharmacy sites peddling fake drugs.

Trend Micro Protects Users From These Threats

Trend Micro users are already protected from these threats via Smart Protection Network™, which blocks these malicious URLs and detects the related malware, as well as blocking the spammed messages. Using sporting events such as the UEFA Euro 2012 as bait to malicious sites is a popular social engineering technique, thus users should visit and bookmark reliable websites for their latest UEFA fix. To know more about web threats that target sports fans, you may read our FAQ entry Sports as Bait: Cybercriminals Play to Win.


Update as of 12:26 AM PST, June 28, 2012

TROJ_DLOADR.BGV has been renamed to TSPY_ZBOT.BGV, which connects to specific URLs to download files.
