Threat Intelligence Blog

Posted December 17, 2014


New Trojans targeting banks in South Korea have been using Pinterest as a Command and Control channel

Last summer Trend Micro observed online banking Trojans that were targeting South Korean banks. Now, compromised sites that contain exploit kits are delivering banking Trojans to site visitors. Some of the banks being targeted include Hana Bank, Nonghyup Bank, the Industrial Bank of Korea (IBK), Shinhan Bank, Woori Bank, Kookmin Bank, and the Consumer Finance Service Center. Once a customer has been infected with malware and is redirected to a phishing site that looks like a legitimate banking website, the criminals are able to steal their credentials.

One interesting characteristic of this particular Trojan is that it is using Pinterest as its command-and-control server to redirect users to various spoofed banking sites:


Photo courtesy of Trend Micro

These comments show that when the letters are replaced with dots, the code becomes an IP address for the phishing page server host.

To demonstrate how the Cyveillance Cyber Threat Center can be used to add context to data points found with traditional anti-virus and anti-malware services, we entered one of the IP addresses,, into our geolocation tool and found the following:

  • The IP Range 70.39.104.* is being run out of Cleveland, Ohio by an ISP
  • Most of the domain names in this range contain Chinese content
  • At least two instances of malware can be located on a website hosted in this range

With this added context, a security team could be confident in blacklisting this IP address and possibly the entire range because it has a recent history of hosting malware, and seemingly does not contain any websites that an employee of a U.S.-based company would need to access for normal business activities. Additional investigations into owners of IP ranges and domain names should be part of due diligence investigations before contracting with any ISP-related vendors.

It’s not surprising that criminals have figured out another way to use social media as an attack vector. It will be interesting to see if this type of malware spreads to other social networks, as well as how attacks are tailored to specific platforms.

Learn more about how to proactively monitor these types of threats with the Cyveillance Cyber Threat Center.

Additional Posts

Pick a Strategy for Dealing with BIND Vulnerabilities

It’s well known that DNS servers and protocols were first designed decades ago without security ...

Cyveillance Weekly Trends Report–December 16, 2014

Welcome to the Cyveillance Weekly Trends Report Since threat intelligence is constantly evolving, ...