Holiday Season Unwraps Phishing, Blackhole Exploit Attacks

Ease is the main reason why users are going online for their purchases, especially during the holiday season. While convenient, online shopping poses risks to users’ login credentials and personally identifiable information (PII), as cybercriminals can easily craft phishing attacks that lead to data theft.

Using Trend Micro Smart Protection Network and other proprietary tools, we identified the top created phishing sites for December 2012. Below is a graph of created spoofed sites limited to 50 popular brand names.

Based from the information we’ve gathered, the e-commerce site PayPal was the most targeted institution, with 17,573 spoofed sites under its belt, followed closely by the American bank Wells Fargo. Users who are tricked into visiting spoofed PayPal sites may lead to their systems being infected by TROJ_QHOST.EQ. So far, the malware has infected systems from Taiwan, Thailand and the United States (US). As you can see below, the top 10 most spoofed sites are composed of either banks or well-known credit card companies.

Company name/websites Number of created phishing websites
Paypal 18947
Wells Fargo 2049
Visa 1661
Citibank 1628
Bank of America 1477
Mastercard 986
Chase 656
Bancolombia 369
Natwest 324
Cielo 310

Citibank is also one of the most spoofed institutions, possibly bolstered by Blackhole Exploit kit (BHEK) campaign. BHEK is known to use popular companies like Citibank to lure users into opening the spam message and clicking the malicious URL contained in the messages.

Certain BHEK campaigns spoofing Citibank lead users to download WORM_CRIDEX.CTS, a malware known to steal sensitive data like online banking credentials. Using the Smart Protection Network, we determined that the malware has infected 277 systems, a staggering 88% of which were from the computers located in the United States.

In addition, this December alone we spotted four BHEK campaigns against Citibank. On the last campaign, we observed that users systems are infected with TROJ_CDOWN.A, SWF_BLACOLE.BBB, JAVA_DLOADR.XM and WORM_CRIDEX.EZ respectively. The .JAR file detected as JAVA_DLOADR.XM, got 3,095 hits,  which mostly affected users in US and Japan.

Company name/websites Number of created phishing websites
AOL 1475
Yahoo 1349
Hotmail 1205
Gmail 1200
Others 188

On the other hand, the most created phishing sites for the online shopping/auction/deal of the day sites are Taobao, eBay, Amazon, and Alibaba. Taobao, a website based from China, ranked first among e-commerce sites with the most spoofed/phishing pages.

Company name/websites Number of created phishing websites
Taobao 1691
Ebay 504
Amazon.com 251
Alibaba 150
Littlewoods 39

During our research, we also found the following attacks affecting users from around the globe, as well as mobile users.

  • We saw an increase in an attack disguised as the Danish e-payment company Nets Group. This threat usually arrives via email, urging users to confirm an update or activate their account.
  • There is also an ongoing spoofed Mastercard phishing campaign that targets Japanese users. Among the 986 spoofed Mastercard sites, 717 of these (72%) were designed for JP users. For December, these 717 sites generated 2,029 hits, usually from users located in Japan.

  • Certain bad guys created 902 spoofed sites of Remax, a multinational real estate company.
  • On the other side of the world, Brazil is still hounded by spoofed websites hosting Trojans, usually TROJ_BANLOAD variants, which are known to download TSPY_BANKER variants. This attack arrives as emails that spoof banks like Bradesco and Banco de Brasil. The email also contains shortened URLs, usually shortened by shorteners like bit.ly, that lead to these sites. Users located in Colombia were also targeted by a BANKER malware detected by Trend Micro as TSPY_BANKER.TGF. The said malware uses MS Excel icon and purports as a free gift card to trick users into executing the malicious .EXE file.
  • Mobile users, unfortunately, are not exempted from this swath of online threats. Below is an example of a spoofed PayPal for Mobile site that users should be wary of. Because mobile users will typically not see the whole URL, users may readily think that they visited the legitimate website.

  • We also spotted a spammed message that has an attachment that targets Chase bank. Trend Micro detects the attached file as TROJ_DLOADER.YZX. When executed, this malware downloads a plethora of other malware such as TSPY_ZBOT.MDN, TSPY_ZBOT.LOA, and TROJ_FAKE.BMC.

If there’s one thing that these trends taught us is that we should remain vigilant against phishing attacks especially during the holidays and other special occasions. For tips on how to safeguard your device while shopping online during festive events, read our e-guides, Online Shopping Made Easy and Enjoy a Hassle-Free Mobile Shopping Spree! and our infographic on online shopping tips.

To know how to differentiate a spoofed, phishing email from a legitimate one, be on the lookout for the following signs:

  • Spoofed email messages usually contain generic greeting and not addressed to the recipient
  • Legitimate email notifications does not contain glaring grammatical errors, typos and formatting gaffes
  • Spoofed email has an “alarmist” tone, usually urging users to click a link or divulge personal information
  • For BHEK-related messages, some may look identical to the legitimate vendor email. Thus, users should read the email thoroughly. Better yet, verify the legitimacy of the email.

Users are strongly advised to avoid opening any attachments or clicking any URLs even if these came from seemingly known sources. Make a habit of copying the shortcut link and double-checking its legitimacy. Read thoroughly the message body to avoid fraudulent schemes. Always keep your systems up-to-date with the latest security update released by software vendors.

For mobile users, they should download only legitimate retail-related apps as well as look for HTTPS and lock icon in the address bar before giving credentials away.

Trend Micro proactively blocks phishing sites and detects spammed messages via Smart Protection Network.

With additional inputs from Email reputation services group

Post from: Trendlabs Security Intelligence Blog – by Trend Micro

Holiday Season Unwraps Phishing, Blackhole Exploit Attacks

Read more: Holiday Season Unwraps Phishing, Blackhole Exploit Attacks

Story added 3. January 2013, content source with full text you can find at link above.