Saturday, October 4, 2008

[Lockergnome] Computer Security ~ October 4, 2008


Lockergnome help - Antivirus Discussions

Lockergnome help - Trojans/Spyware Discussions

Lockergnome help - Antivirus Discussions - General Discussions

Lockergnome help - Antivirus Discussions - McAfee

Lockergnome help - Antivirus Discussions - Symantec/Norton

Lockergnome help - Antivirus Discussions - AVG

Lockergnome help - Antivirus Discussions - F-PROT

Lockergnome help - Antivirus Discussions - Panda

Lockergnome help - Antivirus Discussions - Free Antivirus

Lockergnome help - Antivirus Discussions - Others

Lockergnome help - Trojans/Spyware Discussions - General Discussions

Lockergnome help - Trojans/Spyware Discussions - Lavasoft Ad-Aware

Lockergnome help - Trojans/Spyware Discussions - Webroot Spy Sweeper

Lockergnome help - Trojans/Spyware Discussions - Spybot S&D

Friday, October 3, 2008

[Lockergnome] Computer Security ~ October 3, 2008


TrendLabs | Malware Blog - by Trend Micro - 2 new articles

 


Rogue AV Tactics Continue to Threaten

October has just begun, and Trend Micro threat researchers keep seeing more variations (slightly different, yet increasingly annoying) on the set of rogue AV infection signals we have been documenting on this blog.

Figure 1. Fake BSOD (actually a screensaver) now sports a specific mention of the problem — an unregistered version of a certain AV product.

Figure 2. Now even the fake reboot screen (also a screensaver) has text

Project Manager Paul Fan reminds us that malware criminals continue a “take no prisoners” approach to vandalizing PCs in their bid to convince victims to purchase bogus security software.

Advanced Threats Researcher David Sancho even calls it the “Annoy and Conquer Strategy” — cybercriminals literally calling attention to themselves by using all visual means available to instill a sense of discomfort in users that may just be enough to get these users to fall for the act — an unfortunately common scare tactic.

We’ve already discussed this threat and how the Smart Protection Network protects users in recent blog posts:

This variant is an ongoing iteration of the Antivirus 2009 campaign and is detected as TROJ_FAKEAV.SV.

One additional note — it is nice to see Microsoft and the State of Washington going after “scareware” purveyors. We completely support efforts to bring these criminals to justice.



Caution Needed: JP Yahoo! Auctions Site Phished

On September 27, Trend Micro researchers found phishing emails and sites pretending to be the Japanese localized site of Yahoo! Auctions. Japanese users, be warned.

According to researchers, the phishing mails were delivered with a Japanese subject line that translates to English as "To Yahoo! Japan site users" and appeared to come from the Yahoo! Japan Support Center.

The phishing mail poses as a user ID and password verification request. The phisher intends to lead victims to a site where confidential information such as Yahoo! Japan user IDs, passwords, and credit card numbers can then be stolen.

Users who click a link in the mail are redirected to a webpage entitled "Update your Yahoo! Japan ID user account," again in Japanese.

Figure 1. The fake site entitled "Update your Yahoo! Japan ID user account" in Japanese. The users visiting this phishing site are asked to input their passwords and credit card numbers.

Trend Micro Web Reputation technology correctly and swiftly analyzed the danger of this site and has categorized it as a phishing site. If Trend Micro users unwittingly connect to this site, they are blocked from access and are thus safely protected.


Figure 2. This shows that the said phishing site has been blocked by Web Reputation technology. When connecting to a specific website, Trend Micro users automatically query the reputation server to check the rating of this site.

This phishing site is quite similar to the real Yahoo! Japan site in design and layout. In fact, some of its links point to the legitimate Yahoo! Japan site, so users who hover their mouse over random links may come to believe that the site is legitimate. The IP address, 210.188.{BLOCKED}.{BLOCKED}, further suggests that the site is located in Japan.

Fortunately, this phishing site is currently inaccessible. (We also confirmed that it was accessible from 16:30 of September 27 to 23:00 on September 28, all in Japan time.)

It is possible that similar phishing sites are hosted on different servers. This expands the threat and places Yahoo! Auctions fans at greater risk. If you updated your ID and password while this phishing site was accessible, check once more that your update was properly made on the legitimate site.

We have seen several other cases targeting Japanese users by using phishing mails and websites written in Japanese. Below are some of the typical cases.


Table 1. Just a sampling of arrests made against cybercriminals. Details can be found at the Metropolitan Police site.

On September 6, Yahoo! Japan announced support for users victimized in incidents such as illegal use of their Yahoo! IDs. Users can even be refunded the amount lost in valid cases of fraud.

While this is good news, the most important thing is to avoid being victimized by this kind of attack in the first place.

Yahoo! Japan also has pages devoted to best practices on how users can protect themselves from auction-related fraud and troubles, at Yahoo! Security Center and Self-defense techniques on the auction sites. Japanese Yahoo! Auctions fans are encouraged to take time to read these reminders.


