DarkMarket Closes Its Doors, Finally

DarkMarket closed shop recently. If you hadn’t heard of it, don’t worry much. This web site, operated from different places worldwide, brought together all sorts of credit card crooks and offered different levels of seller verification, escrow services and malware consulting.

It finally went offline and its operators were taken into custody thanks to the efforts of different law enforcement units throughout the world. It’s in moments like these that the combined efforts of the IT security industry and law enforcement can really be appreciated.

For the cybercriminals it is, of course, just a drop in the ocean, and I’m sure the underground will recover (in fact, it has probably already done so!), but this is definitely a step in the right direction and that feels reassuring.

The arrest of these two individuals, one in London and the other in Turkey, sends a message to all cybercrooks out there: no matter where you are, you are not above the law.

Source:  TrendLabs

Bogus IRS W-2 Form Leads to Malware

With the holidays over, spammers are now capitalizing on the upcoming tax season.

Recently, Trend Micro threat analysts found spammed messages purporting to come from the Internal Revenue Service (IRS). The spammed message bears the subject “W-2 Form update” and instructs users to update the said form because of supposed “important changes.” (The W-2 form reports an employee’s annual wages and the tax withheld from them.)

The spammed message looks legitimate because the URLs and phone numbers in it are the real IRS ones; this was probably done so users will not suspect anything. It also encourages users to open the attached file (Update.doc), which is supposed to be the W-2 form. Despite its .doc extension, the attachment is actually an .RTF file. When users open it, they see what appears to be an embedded .PDF file. This supposed PDF is actually an .EXE file that uses the PDF icon. Trend Micro detects it as BKDR_POISON.BQA.

BKDR_POISON.BQA is a component of the Darkmoon Remote Administration Tool (RAT), which enables a malicious user to execute commands on the affected system. Interestingly, this backdoor attempts to connect to a private (RFC 1918) IP address, 192.168.29.1, which is not reachable from an ordinary Internet-connected victim. This may be a misconfiguration on the attacker’s part, or an attack targeting a specific internal network environment.
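The lure described above relies on two mismatches: a .doc attachment that is really RTF, and an RTF object that is really a Windows executable dressed up with a PDF icon. The following is an added example, written for this page and not code from TrendLabs or Trend Micro, of how a mail gateway or triage script could catch both. It sniffs the attachment’s magic bytes against its declared extension, then pulls the hex-encoded `\objdata` blobs out of the RTF and looks for a PE (MZ) header in each. The attachment bytes (`SAMPLE_RTF`, `FAKE_PE`) are constructed for the demonstration and are not the real sample; the function and table names are this example’s own.

```python
import binascii
import os
import re

# Constructed sample (not the actual TrendLabs artefact): an RTF body that was
# mailed as "Update.doc" and carries one embedded OLE "Package" object whose
# payload is a (truncated, non-functional) PE executable.
FAKE_PE = (
    b"MZ\x90\x00" + b"\x00" * 60                     # DOS header, e_lfanew left 0
    + b"This program cannot be run in DOS mode.\r\n"  # classic DOS stub text
)
SAMPLE_RTF = (
    b"{\\rtf1\\ansi\\deff0\n"
    b"{\\object\\objemb{\\*\\objclass Package}{\\*\\objdata\n"
    + binascii.hexlify(FAKE_PE)
    + b"\n}}\n"
    b"Please review the attached W-2 form.\n}"
)

# Leading bytes that identify common attachment formats.
MAGIC = {
    b"{\\rtf": "rtf",
    b"%PDF": "pdf",
    b"MZ": "pe",
    b"\xd0\xcf\x11\xe0": "ole2",  # legacy binary .doc/.xls
    b"PK\x03\x04": "zip",         # .docx and other OOXML containers
}

# Which sniffed formats a given extension is allowed to contain. Word will
# happily open RTF saved as .doc, which is exactly why the mismatch is a
# useful signal rather than a parsing failure.
EXPECTED = {
    ".doc": {"ole2"},
    ".rtf": {"rtf"},
    ".pdf": {"pdf"},
    ".exe": {"pe"},
}

DOS_STUB = b"This program cannot be run in DOS mode"
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9A-Fa-f\s]+)")


def sniff(data: bytes) -> str:
    """Return the format implied by the first bytes, or 'unknown'."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def extract_objects(rtf: bytes) -> list:
    """Decode every hex blob following an \\objdata control word."""
    blobs = []
    for m in OBJDATA_RE.finditer(rtf):
        hexdata = re.sub(rb"\s+", b"", m.group(1))
        if len(hexdata) % 2:          # tolerate a stray trailing nibble
            hexdata = hexdata[:-1]
        blobs.append(binascii.unhexlify(hexdata))
    return blobs


def find_pe(blob: bytes) -> int:
    """Offset of an embedded PE image inside an OLE object blob, or -1.

    OLE1 wrappers put headers and a file name in front of the payload, so the
    MZ signature is searched for anywhere and confirmed by either the DOS stub
    text or a PE signature in the following bytes.
    """
    pos = 0
    while (off := blob.find(b"MZ", pos)) != -1:
        window = blob[off:off + 1024]
        if DOS_STUB in window or b"PE\x00\x00" in window:
            return off
        pos = off + 2
    return -1


def analyze_attachment(filename: str, data: bytes) -> list:
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings = []
    ext = os.path.splitext(filename)[1].lower()
    kind = sniff(data)
    if ext in EXPECTED and kind not in EXPECTED[ext]:
        findings.append(f"extension {ext} but content sniffs as {kind}")
    if kind == "rtf":
        for i, blob in enumerate(extract_objects(data)):
            off = find_pe(blob)
            if off != -1:
                findings.append(f"RTF object {i}: embedded PE executable at offset {off}")
    return findings


if __name__ == "__main__":
    for line in analyze_attachment("Update.doc", SAMPLE_RTF):
        print(line)
```

Run against the constructed sample, `analyze_attachment` reports both the .doc/RTF mismatch and the executable inside the RTF object; a genuine PDF named `.pdf` produces no findings. A production version would also unwrap the OLE1 "Package" header to recover the embedded file name (here it would show the misleading `.pdf` disguise), but the MZ heuristic alone is enough to stop this particular lure at the gateway.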


In the past, Trend Micro has blogged about how cybercriminals ride on the IRS and the tax season in the following posts:

Users are strongly advised not to open suspicious-looking emails even if they appear to come from a known source. It is also recommended that users verify with the IRS whether an email they received is legitimate; the IRS does not initiate contact with taxpayers by email to request personal or financial information. Trend Micro protects users from this kind of attack via the Smart Protection Network, which blocks the said spammed messages and detects and consequently deletes the related malicious files.

Author:  TrendLabs
