February 2010 Posts

Blackhat SEO turns to PDF with Chile and Hawaii disasters
Posted: 28 Feb 2010 01:33 PM

Over 13% of all searches on Google for popular and trending topics lead to malicious links, and searches for the latest news on the earthquake in Chile and the tsunami hitting Hawaii are no exception. Both are now being used to lure people into downloading fake antivirus products.

Usually the links in the search results look like ordinary links pointing to regular web pages. This time the bad guys have changed tactics to make their search results look even more convincing, by tricking Google into thinking it's a PDF file.

As you can see above, Google tells you the file format is PDF and not HTML. That's not true: it is in fact a regular HTML page that, when visited, redirects the user to a page that looks like this - just another rogue AV fake scanning page. This one, like the majority of rogue AV sites we have seen this week, is in the .IN TLD, the top-level domain for India.

By making the search result look like a PDF, the link gains more authenticity: perhaps it's a research paper, or at least a better-written article. The likelihood that a user will click on these types of links is probably higher than for just another random web link.
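The mismatch described above (a result indexed as PDF that is really an HTML redirector) is something a web gateway or crawler can check for itself. The following is an added example, not code from the original post: it compares the claimed type with the first bytes of the body and looks for meta-refresh or JavaScript redirects. The two sample bodies and the redirect URL are constructed.

```python
import re

# Constructed sample responses (not captured from the campaign in the post).
REAL_PDF = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
FAKE_PDF_HTML = (
    b"<html><head>"
    b"<meta http-equiv=\"refresh\" content=\"0;url=http://fake-scan.example/scan.php\">"
    b"</head><body>Loading document...</body></html>"
)

# <meta http-equiv="refresh" content="0;url=..."> client-side redirect
META_REFRESH = re.compile(
    rb"<meta[^>]*http-equiv\s*=\s*[\"']?refresh[\"']?[^>]*url\s*=\s*[\"']?([^\"'>\s]+)",
    re.I,
)
# location = "...", location.href = "...", location.replace("...")
JS_REDIRECT = re.compile(
    rb"location(?:\.href\s*=|\s*=|\.replace\s*\()\s*[\"']([^\"']+)[\"']", re.I
)


def looks_like_pdf(body: bytes) -> bool:
    """A real PDF starts with the %PDF- magic bytes (leading whitespace tolerated)."""
    return body.lstrip()[:5] == b"%PDF-"


def looks_like_html(body: bytes) -> bool:
    """Cheap sniff of the first bytes for an HTML document."""
    head = body.lstrip()[:512].lower()
    return head.startswith((b"<!doctype html", b"<html", b"<head", b"<script", b"<meta"))


def find_redirect(body: bytes):
    """Return the target of a meta-refresh or JavaScript redirect, or None."""
    for pattern in (META_REFRESH, JS_REDIRECT):
        match = pattern.search(body)
        if match:
            return match.group(1).decode("latin-1")
    return None


def classify(claimed_type: str, body: bytes) -> dict:
    """Compare the type claimed by the search result or Content-Type header
    with what the bytes actually are. 'suspicious' is set when something
    advertised as PDF is not a PDF but is HTML or carries a redirect."""
    claims_pdf = "pdf" in claimed_type.lower()
    verdict = {
        "claims_pdf": claims_pdf,
        "is_pdf": looks_like_pdf(body),
        "is_html": looks_like_html(body),
        "redirect": find_redirect(body),
    }
    verdict["suspicious"] = (
        claims_pdf and not verdict["is_pdf"]
        and (verdict["is_html"] or verdict["redirect"] is not None)
    )
    return verdict
```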

This is the first time we've seen attackers use this approach, but considering how aggressive the rogue AV gangs are, it's no surprise that they continue to refine their techniques to get people to "buy" their products.

The rogue AV file itself is currently detected by 26.20% of the antivirus engines used by VirusTotal.

Websense® Messaging and Websense Web Security customers are protected against this attack.

Patrik Runald

Searching For Joannie Rochette Leads To Rogue AV
Posted: 26 Feb 2010 11:16 AM

Websense Security Labs™ ThreatSeeker™ Network has detected black hat Search Engine Optimization (SEO) techniques abusing the name of an Olympic figure skater who has been very prominent in recent news.

Joannie Rochette is a Canadian figure skater and the 2009 world silver medallist. In the 2010 Winter Olympics in Vancouver, despite the loss of her mother just 48 hours before her competition, she delivered a sensational performance and qualified to compete for gold.

The bad guys still took advantage of this tragic incident and used it in the infamous Black SEO poisoning attacks. Searching for Joannie Rochette in reputable search engines leads to rogue AV.

This use of the Black SEO technique is even more pertinent now that the results have been announced, with Rochette receiving a bronze medal for her performance.

Once the victim clicks on the poisoned search results, he/she is redirected to the rogue AV page, and a fake Anti-virus executable asks for the victim's confirmation before being downloaded. 
Related topics are 4th and 7th on Google's Hot Trends USA list. Joannie Rochette is currently the most popular search term on Google Canada at the time of writing:

This isn't the first time Black SEO attacks have targeted events and figures related to the Olympics this year.

Websense® Messaging and Websense Web Security customers are protected against this attack.

WebsenseSecurityLabs

Top Secrets About Your Passwords
Posted: 24 Feb 2010 07:52 AM

Recent hacker activity highlights how insecure we are in the online world. Black hats keep focusing on collecting passwords in many different ways. Instead of breaking the computer security system or brute-forcing pass phrases, they use a variety of easier techniques to get our credentials. The ways they make us give up sensitive information include setting up fake mailing lists, forums, and social network sites to harvest logon details. Then, using this information, there is a good chance that the attacker can sign in to valuable sites like social networks or even online banks with the same user name and password.

Four months ago we highlighted this problem in a blog. The main concern stems from the fact that most people use the same user name and password pair on many different sites. The reason behind this is very simple: nowadays we need to authenticate to far too many services, and it is very hard to keep remembering all of those credentials. Later on we will show some alternative methods for creating and managing passwords.

Because of this fact, a fake site could act as a legitimate user forum or Web 2.0 site, which requires a user to be registered before making a post. When the user registers, the hacker immediately has all the information needed for the attack: the user name and the matching password. Also, the criminal can collect other information like the IP address the user originated from, his or her email address, gender, age and so on. From the email address, for example, a hacker can guess the mail server and can possibly access it with the given password. One obvious use of this is to distribute malware through email or a spam campaign. Even further, this bad guy could try to use the same credentials on many well-known sites like Facebook, MySpace or Twitter. In the worst case, they can even log in to online banks, which then allows them to steal money, as suggested in the Trusteer Security Advisory.

There is nothing new about this type of fraud, really: similar techniques have been used for the last decade for stealing credit card numbers. However, there is a distinct difference between bank cards and passwords: we cannot change the number on the plastic card, but we could use a unique password for each site - so the real question is, is it actually our fault if someone gains an advantage because of our laziness?

The above example clearly shows the risk we take when signing up to a new site. So what, you might ask: I never visit malicious sites. Here is another scenario then. You visit a site for years and you are certain that the company behind the site is legitimate. Unfortunately many Web sites store passwords in an unencrypted form. An attacker therefore has a chance to steal your password even if they do not know anything about you. Just three months ago, the social network site RockYou was compromised and over 32 million user accounts were stolen as they were stored in clear text. These passwords could be used on other sites as well, thanks to the bad habit we have of using the same password.

Phish and chips

The figures show how big the problem is, and this is only a small part of the overall picture. Another favorite technique is the phishing campaign, which Websense has seen in high volume for years. This is another well-known technique to trick unaware users into giving away their secrets. This could be done by sending an email that seems to be from a legitimate company or organization. The fake contents vary, and sometimes it is really difficult to spot the difference between the valid and the phishing mail, even for an experienced user. It can be a malicious link that looks normal, suggesting that the user should log in to the site, or asking for a password reset due to various issues; it can also be an attachment that contains a password-stealing trojan. If there is an email in your inbox asking for a password, a big red flashing light should remind you of the danger - this is possibly a phishing scam and you should delete the email without even reading it. But if you are expecting that email (for example because you explicitly asked your favorite site to reset your password) then you should not click on any link in the message, but rather copy and paste the link from the message into your browser.

Secrecy of the secret word

There are many methods out there advising you how to generate a secure password for yourself. Some of them are even fun to apply, like picking your favorite cartoon characters and mixing them together, or taking all the first letters of each word from a sentence that you can remember.

Nice, but are these really secure? To answer this question we need to raise a couple of other questions: didn't we just mention that we must use individual keys for every single site we sign in to? Haven't we said that we should change passwords every so often on each of these sites? Then how can we remember tens or hundreds of these cartoon figures or favorite sentences that we used for the generation method?

One possible solution is to use password patterns. This means that we use basically the same pass phrase for every single site, but we insert some alteration into it each time. For example, if the secret word is "MyP@ssw0rd", we could use "MyP@ssG00gl$w0rd" and "MyP@ssY$h00w0rd" for Google and Yahoo respectively. It looks different, it's easy to remember, and it seems to solve the problem of using the same passwords on different sites. However, it is quite easy to guess the static and dynamic parts of the password, so it does not really harden the authentication. We need to look for another way of generating secure passwords, one that also produces something we can still get at in the future. There is a type of software that offers both of these, called a password manager.

There are many solutions available for generating and storing our credentials. If you search for the phrase "password manager" on the Internet, you will see a huge selection of these. These tools can remove both of the heaviest weights from our shoulders: in a split second, we can have a new and secure password, and also it can be stored in a safely encrypted file. All you need then is to remember one master pass phrase that allows you to access the rest of your passwords. Look at it this way: passwords are just like keys, and a password manager is like a key box. You still need one key that opens up the box, but then you can access all of the keys that you store in it.
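As an added example (not code from the original post or from any particular password manager), the following Python "password health" audit shows the two points above in working code: the longest common substring of two pattern passwords exposes the shared static core, which is exactly what a password manager's generator avoids by drawing every password from a CSPRNG. The vault contents and the site names are constructed.

```python
import math
import secrets
import string
from difflib import SequenceMatcher
from itertools import combinations

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def shared_static_part(pw_a: str, pw_b: str, min_len: int = 6) -> str:
    """Longest substring two passwords have in common. A long common run is the
    'static part' of a pattern password: once one password leaks, that core is
    known for every other site."""
    sm = SequenceMatcher(None, pw_a, pw_b, autojunk=False)
    m = sm.find_longest_match(0, len(pw_a), 0, len(pw_b))
    return pw_a[m.a:m.a + m.size] if m.size >= min_len else ""


def audit_vault(vault: dict, min_len: int = 6) -> list:
    """Check a {site: password} mapping (constructed here) and flag identical
    passwords and pattern passwords built around a shared core."""
    findings = []
    for (site_a, pw_a), (site_b, pw_b) in combinations(sorted(vault.items()), 2):
        if pw_a == pw_b:
            findings.append((site_a, site_b, "identical password"))
            continue
        core = shared_static_part(pw_a, pw_b, min_len)
        if core:
            findings.append((site_a, site_b, f"shared static part {core!r}"))
    return findings


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """What a password manager does in a split second: a uniformly random
    password from a CSPRNG, retried until every character class is present."""
    if length < 4:
        raise ValueError("length must allow one character of each class")
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw)
                and any(c in string.punctuation for c in pw)):
            return pw


def entropy_bits(length: int, alphabet: str = ALPHABET) -> float:
    """Guessing work for a uniformly random password of this length; a pattern
    password has far less because its static core is shared across sites."""
    return length * math.log2(len(alphabet))


if __name__ == "__main__":
    # Constructed vault using the pattern scheme from the post.
    pattern_vault = {"google": "MyP@ssG00gl$w0rd", "yahoo": "MyP@ssY$h00w0rd"}
    for finding in audit_vault(pattern_vault):
        print("weak:", finding)
    managed_vault = {site: generate_password() for site in pattern_vault}
    print("findings for generated passwords:", audit_vault(managed_vault))
    print("bits of entropy per generated password: %.1f" % entropy_bits(20))
```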

Choosing the right tool

Before you select your password manager, check what it offers. First of all, there are two main types you have to choose from: online password managers and local ones. A local one can be used without Internet access, and the secret file is stored on your local hard drive or USB stick. Alternatively, an online version puts all your credentials into a remote server, therefore you are no longer relying on the safety of your local storage. Also, you can access the same online password storage from another place or computer.

There are many discussions about which one is safer. One side says that with an online version you have less control over who is accessing your database, and also there is a chance that a hacker could gain illegal access to the password database. Meanwhile, the other side says there is a bigger chance that your laptop will be stolen than that an online security site will be compromised. A stolen laptop therefore presents a higher risk to the stored passwords, they say, not to mention the threat of password-stealing trojans. Instead of making a judgment on these arguments, we would only like to stress that whichever method you choose is most probably much safer than using weak and/or the same passwords on all forums and Web 2.0 sites.

Many thanks to Ivan Sabo for sharing his idea about this subject.

Tamas Rudnai

Bloom Box Black SEO
Posted: 22 Feb 2010 04:22 AM

Websense Security Labs™ ThreatSeeker™ Network has detected that search terms related to Bloom Energy and its Bloom Box fuel cell have become the latest target for Blackhat SEO poisoning attacks.

Bloom Box is a breakthrough technology in the energy sector that could revolutionize the way electricity is generated today. As people become interested in finding more information on this technology, related search terms are currently gaining momentum, and as they do so Blackhat SEO attacks are starting to climb up the search result listings.

At the moment, according to the VirusTotal report only 10% of antivirus products are detecting the threat.

Video of the Bloom Box SEO in action: 

Websense® Messaging and Websense Web Security customers are protected against this attack. 

WebsenseSecurityLabs

The Wizard of Buzz
Posted: 16 Feb 2010 08:04 AM

Buzz is just a new wizard in the kingdom of Google. However, it is not hard to foresee through the crystal ball that Dorothy's journey along the yellow brick road will be full of constant attacks from the Witch of malware and her spamming monkeys.

The biggest problem with Google Buzz is privacy. You can read lots of blogs and articles on this already, and this blog does not intend to examine this subject. It's enough to know that with Buzz, it is too easy to follow and read other people's messages. What we intend to explain is how Buzz connects different social networks together, creating a super-network.

What is worrying for us is that it's now much easier to spread spam and malicious messages than before, thanks to this super-network. Google has reacted to these issues quickly and has changed the default settings of its social network. Unfortunately there is no change for existing users, so if you have already subscribed, you still need to tweak the settings for yourself to make it secure - see below for details of how to do this. Google has also promised a new tab for the Gmail settings screen, to give people better control over their existing account.

Picture 1: The blogspot "szilvasyz" is not even mine!

But what was wrong, you might ask? As you can read in this alert, just two days after Buzz became available to the crowd, spammers started to use it for their unwanted mail marketing. I expect our ThreatSeeker™ Network to detect more threats like this in the near future. Were you surprised how quickly spammers just jumped into this platform? The reason is simple: not only were Buzz users able to build up an audience in an uncontrolled way, but they could also attach other Web sites to their Buzz accounts. In fact, some of these external sources were already attached to users' Buzz accounts by default. This is what Google has realized and corrected - however, people who have already subscribed are still vulnerable.

What does it mean? If you have a Google Reader account, then your public posts and shared items are automatically displayed in Buzz. Similar to this, Picasa also shares public photos to Buzz by default. Further, you can manually set up virtually any unrelated public posts in your account. This means whenever you post a message on an application such as Twitter, Flickr, or Blogspot, the same message appears in your Buzz account as well. If this isn't eyebrow-raising enough already, here is the next privacy issue: you can even attach someone else's Twitter or Flickr account to your Buzz. This latter issue opens many security and privacy related questions.

Picture 2: This is a typical scenario of what Google Buzz does in the real world

How can Buzz be made more secure? As mentioned above, Google has already made changes to the default settings. However, existing users are still suffering from these privacy and security issues. To make your Buzz account safer, you need to tweak the settings manually.

When you open your Buzz window, you can see a row of links on the top of the page containing your name, an Edit function, connected sites, and followers. The first thing you need to do is click the Edit link:

Picture 3: Click Edit to set up your profile

On the setup screen, make sure you clear the boxes marked with red in the picture below. The most important one is "Display the list of people I'm following and people following me" - as this means everyone can see who you are following. In the early Buzz defaults, someone could even track down your mailing partners as Buzz was automatically following your most frequent mail buddies. Also it is recommended that you never put personal information on social networking sites (and in general on any sites) as that information could be used for social engineering.

Picture 4: Clear these boxes

The next step is to click the connected sites link, to see which sites are sharing information with your Buzz account. You can see that the dialog box is similar to the one in Picture 1. Make sure you remove sites you do not want to share with Buzz buddies. For example, my Picasa and Google Reader were connected automatically with the early default settings, so I had to remove the connections manually. To do this, click on Edit, then Remove site.

Picture 5: Remove unwanted connections

The final step is to review all the people following you and those you follow already. Just click the Followers link at the top of the Buzz page, and click Unfollow next to whoever you do not wish to follow any more. You can also block people, preventing them from following you. Take your time and check that you are happy with everyone on your list.

Picture 6: Unfollow and block people in your Buzz list

Google Buzz has just shown us how these social networks are getting connected together and how they are likely to get closer and closer in the near future. They are a quickly-expanding open platform for spamming, phishing, and fraud, all brought to you automatically.

Everything in the social network world might appear to be good, and at first it sounds like a good idea to connect them all together. However, the great Buzz has only one piece of advice for Dorothy: click your heels three times and repeat "There's no place like home."

Tamas Rudnai

Microsoft's Ninemsn Australia Web Site Compromised
Posted: 16 Feb 2010 04:30 AM

Websense Security Labs™ ThreatSeeker™ Network has detected that the ninemsn support Web site (ninemsn.com.au) has been compromised and injected with malicious code. The malicious code was identified as part of the Gumblar mass injections, and the injected code is hidden deep within the ninemsn ad engine, served on request. The injected code leads to a site that has also been compromised by Gumblar. The injected code is hidden specifically within the "Women's Weekly" banner script. Other ad banners are not affected.

Screenshot of the Web site:

Screenshot of the ad element:

At this time, the malicious code isn't available or reachable, but this could change at any time. An interesting implication is that this ad can be dynamically served on multiple Web pages within ninemsn. This is unlike a typical injection where Web sites are compromised in a single static page; in this case, the infected banner ad can be pulled to various locations within the site, serving its malicious purpose silently.

Ninemsn, a joint venture between PBL Media and Microsoft, is one of the most visited portal Web sites (Alexa traffic rank 573) delivering online and mobile content, news, information, entertainment, and social networking capabilities.

We contacted Microsoft when we discovered the attack and the ad banner has now been removed from the ninemsn support Web site.

Websense® Messaging and Websense Web Security customers are protected against this attack. 

WebsenseSecurityLabs

Zeus targeted attacks continue
Posted: 11 Feb 2010 04:33 AM

Websense Security Labs™ ThreatSeeker™ Network has discovered a follow-up attack in the Zeus campaign targeting government departments. Our research shows that once again the campaign is targeting workers from government and military departments globally.

Figure 1 - Zeus Campaign: 

The Websense ThreatSeeker Network has seen thousands of emails pretending to be from a reputable figure within the Central Intelligence Agency (see Figure 2). The email subject is: "Russian spear phishing attack against .mil and .gov employees"

Figure 2 - Content of the email: 

Jeffrey Carr, the spoofed victim himself, has published a comment regarding this attack:

The spoofed emails capitalize on the last Zeus attack, and claim that installing the Windows update via the links provided will aid protection against Zeus attacks. The binary file downloaded from these links is identified as a Zeus bot and has a 35% AV detection rate. Once again, URLs in the email messages lead to a malicious file hosted on a compromised host, and also on a popular file hosting service. Once installed, the bot has identical functionality to the one mentioned in the previous alert. After the Zeus rootkit component is installed, the C&C server at update[removed].com is contacted to download an encrypted configuration file. Another data-stealing component gets downloaded and installed from the same C&C in the shape of a Win32 Perl script compiled with Perl2Exe - this data-stealing component has only a 5% AV detection rate. Then the bot starts to connect to a credential-based FTP server at pack[removed].com to upload stolen data. The Zeus bot is normally designed to steal banking credentials; however, it has also been seen in targeted attacks to steal other sensitive data.

Websense® Messaging and Websense Web Security customers are protected against this attack.

WebsenseSecurityLabs

Spammers already using Google Buzz
Posted: 11 Feb 2010 04:32 AM

With all the buzz this week about Google Buzz, we were just waiting for malicious activity to show up on the newly launched service. We didn't quite expect it to happen this fast. Today we saw the first spam using Google Buzz to spread a message about smoking:

The spammer is already following 237 people, and we can only imagine that he or she has sent similar messages to all of them. This particular message leads to a site hosted on a free Web hosting service talking about how to quit smoking.

When Twitter was launched, it took a while before it was used to send spam and other malicious messages. In this case, it only took two days. It's clear that the bad guys have learned from their experience using social networks to distribute these types of messages.

We hope that Google is geared up for dealing with the volume of spam it's bound to see on the new service. Until then, we advise users to be careful, as usual, when clicking on unknown links. 

WebsenseSecurityLabs

"Ex-Girlfriend" Facebook worm: Check!
Posted: 02 Feb 2010 11:11 AM

Nick O'Neil of AllFacebook.com recently reported that his Facebook wall was compromised by a new worm: the "Ex-Girlfriend" worm. Using some CSS and IFrame wizardry, the worm can post on your own wall in your own name, without you knowing it. Here's an example of Nick's wall:

You can protect your Facebook wall and pages from this worm by installing the Defensio Facebook application. Get started here...

Defensio, the blog

©2013 Websense, Inc. All Rights Reserved.