Cybercriminals mostly targeting LinkedIn, PayPal and Amazon
GFI Software released a collection of the most prevalent threat detections encountered last month. In December, GFI threat researchers found a handful of phony Google Play app markets hosting mobile Trojans as well as a number of spam email campaigns posing as messages from Amazon, PayPal and LinkedIn.
“Cybercriminals often make the effort to create phony websites and spam emails that appear authentic in order to increase the chances of catching users off guard and infecting their PCs,” said Christopher Boyd, senior threat researcher at GFI Software.
“Over the past year, we have seen cybercriminals improve their ability to fabricate even more convincing sites that prey on users who rush into providing personally identifiable information or installing applications without completely investigating the legitimacy of the source. Users should be extra careful in every situation by taking the time to look at URLs and manually navigating to the sites that they want to visit,” Boyd added.
Android users searching for Windows drivers for their smartphones on Yahoo! encountered various types of infections from the same malicious URL last month, depending on the type of device they used to conduct their search.
Users browsing from a PC initiated an automatic download of a Trojan when they clicked on the malicious link, while users searching from an Android device were redirected to a number of infected websites filled with bogus search results.
These results lead to fake Google Play app markets hosting two kinds of Android Trojans which, similar to the Boxer Trojan, hijacked the victim’s phone and sent out SMS messages to premium numbers.
LinkedIn users were the victims of an email spam campaign which sent messages indicating that another member had requested to connect on the popular social networking site. Users who clicked the link to accept the invitation were sent to one of several compromised websites containing Blackhole Exploit Kit code which redirected them to a site hosting the Cridex Trojan.
Amazon customers were also victims of a similar campaign which sent emails disguised as order confirmations, receipts, or Kindle e-book order confirmations.
Last month, the same Trojan also infected the systems of spam victims who received fake PayPal emails fraudulently claiming that their sizable payment had been processed for a Windows 8 operating system upgrade. Links contained in the email led to sites with Blackhole exploits serving Cridex.
All of the scams above preyed on users’ belief that they were visiting authentic sites and required active participation by victims who needed to click on malicious links within the spam emails. Each could have been avoided by simply verifying that the email addresses used by the senders and the URLs that each link directed to were associated with trusted websites and organizations.