Websense Security Labs Blog

Websense Security Labs discovers, investigates and reports on advanced Internet threats that traditional security
research methods miss.

Latest Blog Posts

(February 2010) Posts

Blackhat SEO turns to PDF with Chile and Hawaii disasters

Posted: 28 Feb 2010 01:33 PM | Patrik Runald

Over 13% of all Google searches for popular and trending topics lead to malicious links, and searches for the latest news on the earthquake in Chile and the tsunami hitting Hawaii are no exception. Both are now being used to lure people into downloading fake antivirus products.

Usually the links in the search results look like ordinary links pointing to regular web pages. This time the bad guys have changed tactics to make their search results look even more convincing, by tricking Google into thinking the page is a PDF file. As the screenshot above shows, Google reports the file format as PDF rather than HTML. That is not true: it is in fact a regular HTML page that, when visited, redirects the user to a page that looks like this - just another rogue AV fake scanning page. This one, like the majority of rogue AV sites we have seen this week, is in the .IN TLD, the top-level domain for India.

Making the search result look like a PDF gives the link more authenticity: perhaps it's a research paper, or at least a better-written article. The likelihood that a user will click on this type of link is probably higher than for just another random web link. This is the first time we've seen the attackers use this approach, but considering how aggressive the rogue AV gangs are, it's no surprise that they continue to refine their techniques to get people to "buy" their products.

The rogue AV file itself is currently detected by 26.20% of the antivirus engines used by VirusTotal. Websense® Messaging and Websense Web Security customers are protected against this attack.

Searching For Joannie Rochette Leads To Rogue AV

Posted: 26 Feb 2010 07:16 PM | WebsenseSecurityLabs

Websense Security Labs™ ThreatSeeker™ Network has detected black hat Search Engine Optimization (SEO) techniques abusing the name of an Olympic figure skater who is very popular in recent news. Joannie Rochette is a Canadian figure skater and the 2009 world silver medallist. In the 2010 Winter Olympics in Vancouver, despite the loss of her mother just 48 hours before her competition, she delivered a sensational performance and qualified to compete for gold. The bad guys still took advantage of this tragic incident and used it in the infamous Black SEO poisoning attacks: searching for Joannie Rochette in reputable search engines leads to rogue AV. This use of the Black SEO technique is even more pertinent now that the results have been announced, with Rochette receiving a bronze medal for her performance.

Once the victim clicks on a poisoned search result, he or she is redirected to the rogue AV page, and a fake antivirus executable asks for the victim's confirmation before being downloaded.

Related topics are 4th and 7th on Google's Hot Trends USA list, and Joannie Rochette is currently the most popular search term on Google Canada at the time of writing:

This isn't the first time Black SEO attacks have targeted events and figures related to the Olympics this year. Websense® Messaging and Websense Web Security customers are protected against this attack.

Top Secrets About Your Passwords

Posted: 24 Feb 2010 07:52 AM | Tamas Rudnai

Recent hacker activity highlights how insecure we are in the online world. Black hats keep focusing on collecting passwords in many different ways. Instead of breaking the computer's security system or brute-forcing passphrases, they use a variety of easier techniques to get our credentials. The ways they make us give up sensitive information include setting up fake mailing lists, forums, and social network sites to harvest logon details. With this information, there is then a good chance that the attacker can sign in to valuable sites such as social networks or even online banks with the same user name and password. Four months ago we highlighted this problem in a blog.

The main concern stems from the fact that most people use the same user name and password pair on many different sites. The reason is very simple: nowadays we have to authenticate to far too many sites, and it is very hard to remember all of those credentials. Later on we will show some alternative methods for creating and managing passwords.

Because of this, a fake site could pose as a legitimate user forum or Web 2.0 site that requires a user to register before making a post. When the user registers, the hacker immediately has all the information needed for the attack: the user name and the matching password. The criminal can also collect other information, such as the IP address the user came from, his or her email address, gender, age and so on. From the email address, for example, a hacker can guess the mail server and possibly access it with the given password. One obvious use of this is to deliver malware through email or a spam campaign. Going further, the bad guy could try the same credentials on many well-known sites like Facebook, MySpace or Twitter.
In the worst case, they can even log in to online banks, which allows them to steal money, as suggested in Trusteer's Security Advisory. There is nothing new about this type of fraud, really: similar techniques have been used for the last decade to steal credit card numbers. However, there is a distinct difference between bank cards and passwords: we cannot change the number on the plastic card, but we could use a unique password for each site - so the real question is, is it actually our fault if someone gains an advantage because of our laziness?

The above example clearly shows the risk we take when signing up to a new site. So what, you might ask: I never visit malicious sites. Here is another scenario, then. You have visited a site for years and you are certain that the company behind it is legitimate. Unfortunately, many Web sites store passwords in an unencrypted form. An attacker therefore has a chance to steal your password even without knowing anything about you. Just three months ago, the social network site RockYou was compromised and over 32 million user accounts were stolen, as they were stored in...

Bloom Box Black SEO

Posted: 22 Feb 2010 12:22 PM | WebsenseSecurityLabs

Websense Security Labs™ ThreatSeeker™ Network has detected that search terms related to Bloom Energy and its Bloom Box fuel cell have become the latest target of Blackhat SEO poisoning attacks. Bloom Box is a breakthrough technology in the energy sector that could revolutionize the way electricity is generated today. As people become interested in finding more information on this technology, related search terms are gaining momentum, and as they do so the Blackhat SEO results are climbing the search result listings. At the moment, according to the VirusTotal report, only 10% of antivirus products detect the threat.

Video of the Bloom Box SEO in action:

Websense® Messaging and Websense Web Security customers are protected against this attack.

The Wizard of Buzz

Posted: 16 Feb 2010 08:04 AM | Tamas Rudnai

Buzz is just a new wizard in the kingdom of Google. However, it is not hard to foresee through the crystal ball that Dorothy's journey along the yellow brick road will be full of constant attacks from the Witch of malware and her spamming monkeys.

The biggest problem with Google Buzz is privacy. You can already read lots of blogs and articles on this, and this blog does not intend to examine that subject. It's enough to know that with Buzz it is too easy to follow and read other people's messages. What we intend to explain is how Buzz connects different social networks together, creating a super-network. What worries us is that, thanks to this super-network, it is now much easier to spread spam and malicious messages than before.

Google has reacted to these issues quickly and has changed the default settings of its social network. Unfortunately nothing changes for existing users, so if you have already subscribed, you still need to tweak the settings yourself to make it secure - see below for details of how to do this. Google has also promised a new tab on the Gmail settings screen to give people better control over their existing account.

Picture 1: The blogspot "szilvasyz" is not even mine!

But what was wrong, you might ask? As you can read in this alert, just two days after Buzz became available to the crowd, spammers started to use it for their unwanted mail marketing. I expect our ThreatSeeker™ Network to detect more threats like this in the near future. Were you surprised how quickly spammers jumped onto this platform? The reason is simple: not only were Buzz users able to build up an audience in an uncontrolled way, but they could also attach other Web sites to their Buzz accounts. In fact, some of these external sources were attached to users' Buzz accounts by default. This is what Google has realized and corrected - however, people who had already subscribed are still vulnerable. What does this mean?
If you have a Google Reader account, your public posts and shared items are automatically displayed in Buzz. Similarly, Picasa shares public photos to Buzz by default. Further, you can manually attach virtually any unrelated public feed to your account. This means that whenever you post a message on an application such as Twitter, Flickr, or Blogspot, the same message appears in your Buzz account as well. If this isn't eyebrow-raising enough already, here is the next privacy issue: you can even attach someone else's Twitter or Flickr account to your Buzz. This latter issue opens many security and privacy related questions.

Picture 2: This is a typical scenario of what Google Buzz does in the real world

How can Buzz be made more secure? As mentioned above, Google has already changed the default settings. However, existing users are still suffering from these privacy and security issues. To make your Buzz account safer, you need to tweak the settings manually...

Microsoft's Ninemsn Australia Web Site Compromised

Posted: 16 Feb 2010 04:30 AM | WebsenseSecurityLabs

Websense Security Labs™ ThreatSeeker™ Network has detected that the ninemsn support Web site (ninemsn.com.au) has been compromised and injected with malicious code. The malicious code was identified as part of the Gumblar mass injections; the injected code is hidden deep within the ninemsn ad engine and served on request. It leads to a site that has also been compromised by Gumblar. The injected code is hidden specifically within the "Women's Weekly" banner script; other ad banners are not affected.

Screenshot of the Web site:

Screenshot of the ad element:

At this time the malicious code isn't available or reachable, but this could change at any time. An interesting implication is that this ad can be dynamically served on multiple Web pages within ninemsn. This is unlike a typical injection, where a Web site is compromised in a single static page; here the infected banner ad can be pulled into various locations within the site, silently serving its malicious purpose.

Ninemsn, a joint venture between PBL Media and Microsoft, is one of the most visited portal Web sites (Alexa traffic rank 573), delivering online and mobile content, news, information, entertainment, and social networking capabilities. We contacted Microsoft when we discovered the attack, and the ad banner has now been removed from the ninemsn support Web site. Websense® Messaging and Websense Web Security customers are protected against this attack.

Zeus targeted attacks continue

Posted: 11 Feb 2010 04:33 AM | WebsenseSecurityLabs

Websense Security Labs™ ThreatSeeker™ Network has discovered a follow-up attack in the Zeus campaign targeting government departments. Our research shows that once again the campaign is targeting workers from government and military departments globally.

Figure 1 - Zeus Campaign:

The Websense ThreatSeeker Network has seen thousands of emails pretending to be from a reputable figure within the Central Intelligence Agency (see Figure 2). The email subject is: "Russian spear phishing attack against .mil and .gov employees"

Figure 2 - Content of the email:

Jeffery Carr, the spoofed victim himself, has published a comment regarding this attack:

The spoofed emails capitalize on the last Zeus attack, and claim that installing the Windows update via the links provided will protect against Zeus attacks. The binary file downloaded from these links is identified as a Zeus bot and has a 35% AV detection rate. Once again, the URLs in the email messages lead to a malicious file hosted on a compromised host and also on a popular file hosting service. Once installed, the bot has identical functionality to the one described in the previous alert. After the Zeus rootkit component is installed, the C&C server at update[removed].com is contacted to download an encrypted configuration file. Another data-stealing component is then downloaded and installed from the same C&C, in the shape of a Win32 Perl script compiled with Perl2Exe; this data-stealing component has only a 5% AV detection rate. The bot then connects to a credential-based FTP server at pack[removed].com to upload stolen data. The Zeus bot is normally designed to steal banking credentials; however, it has also been seen in targeted attacks stealing other sensitive data. Websense® Messaging and Websense Web Security customers are protected against this attack.

Spammers already using Google Buzz

Posted: 11 Feb 2010 12:32 PM | WebsenseSecurityLabs

With all the buzz this week about Google Buzz, we were just waiting for malicious activity to show up on the newly launched service. We didn't quite expect it to happen this fast. Today we saw the first spam using Google Buzz to spread a message about smoking:

The spammer is already following 237 people, and we can only imagine that he or she has sent similar messages to all of them. This particular message leads to a site, hosted on a free Web hosting service, about how to quit smoking. When Twitter was launched, it took a while before it was used to send spam and other malicious messages. In this case, it took only two days. It's clear that the bad guys have learned from their experience using social networks to distribute this type of message. We hope that Google is geared up for dealing with the volume of spam it's bound to see on the new service. Until then, we advise users to be careful, as usual, when clicking on unknown links.

"Ex-Girlfriend" Facebook worm: Check!

Posted: 02 Feb 2010 11:11 AM | Defensio, the blog

Nick O'Neil of AllFacebook.com recently reported that his Facebook wall was compromised by a new worm, the "Ex-Girlfriend" worm. Using some CSS and IFrame wizardry, the worm can post on your own wall in your own name without you knowing it. Here's an example of Nick's wall:

You can protect your Facebook wall and pages from this worm by installing the Defensio Facebook application. Get started here...
