   
NEWS

The IRS and the New York Times websites' security has been breached.

Will these infections affect you?

2009-09-21

Sep 16
5:59 am (UTC-7)   |    by Bernadette Irinco (Technical Communications)

Trend Micro warns users of the latest spam campaign, which targets US taxpayers with foreign bank and financial accounts. The spam rides on the September 23 extended deadline set by the Internal Revenue Service (IRS) for filing the ‘FBAR’, or Report of Foreign Bank and Financial Accounts.

The spammed message bears the subject “Notice of Underreported Income” and lures users into clicking a link that supposedly leads to their tax statement. Users who click the URL are led to a site where they get infected by various ZBOT variants. ZBOT variants are notorious for their information theft routines. Trend Micro detected these ZBOT variants as TSPY_ZBOT.BZJ, TSPY_ZBOT.BZT, TSPY_ZBOT.BZS, and TSPY_ZBOT.COB.

 


Figure 1. Bogus IRS Spam

 

Ever since this spam run began, ZBOT creators have been generating new binaries, probably to avoid detection and removal.

Spammers often ride on the tax season to trick users into giving their credentials and even infecting their PCs with malware. We blogged about it in the following posts:

Trend Micro already detects and blocks this spam attack with its Trend Micro Smart Protection Network. Users are advised to get their tax statements only from the IRS directly.

Sep 16

 

5:57 am (UTC-7)   |    by Abigail Villarin (Fraud Analyst)

We have encountered a new phishing scam that targets ClickandBuy. The London-based competitor to eBay offers both billing and payment solutions, so it’s no surprise cybercriminals would be interested in stealing the login information of ClickandBuy users.

Phishers have created a duplicate of a legitimate German-language ClickandBuy login page on at least one malicious website. The fake site can be seen below:

 

Figure 1. Phishing website

 

After entering their credentials, users would be redirected to the legitimate ClickandBuy site. Users would then think everything was normal, when nothing could be further from the truth. The phishing website is a very close match to the legitimate site, which is shown below for comparison:

 

Figure 2. Legitimate website

 

Users are advised to be very careful about where they enter their login credentials to guard against attacks like this. For example, the user’s connection to the phishing site was not encrypted, whereas the connection to the legitimate website was encrypted. (All browsers show this in their user interface, usually using a padlock.)

The phishing URL in this attack is already blocked by the Trend Micro Smart Protection Network.

Sep 15

 

 

4:32 am (UTC-7)   |    by JM Hipolito (Technical Communications)

People who get their regular dose of news from the New York Times website were recently told to be careful when browsing the site, as malicious advertisements, also known as “malvertisements”, were found on its pages, displaying pop-up windows that falsely report malware infections on users' systems.

As reported in detail by Trend Micro researcher Rik Ferguson in the Counter Measures blog, the New York Times issued warnings through both Twitter and its website’s front page about malvertisements that trigger the display of a malicious pop-up window. The pop-up window displays the typical fake antivirus warning indicating a malware infection. This forces the affected user to purchase a full version of rogue antivirus software. Of course, the reported infections are in reality nonexistent. The alarming messages are mere distractions to trick the user into giving away important information.

Not only is good money wasted on purchasing useless software; important information such as credit card details is also compromised and made available to cybercriminals.

However, this attack falls short against the Smart Protection Network. Not only is the fake antivirus software used so far already detected as TROJ_FAKEALE.SMF and TROJ_FRAUDPAC.LH; the URL to which the malvertisement redirects is also blocked. Together, these prevent the whole infection process from even starting.

Other users are advised to ignore such pop-up messages.

All Content Copyright 1006, 2007, 2008 Aperio, Inc. | www.Aperio.cc | Privacy Policy
 