May 2011 Posts

Green Energy Black Hat SEO
Posted: 27 May 2011 10:00 AM

Websense Security Labs' ThreatSeeker network has detected a Black Hat SEO attack on a domain that belongs to the United Nations Environment Programme (UNEP). The domain appears to have been compromised with a number of medical spam-related URLs, most of which point to compromised sites themselves. As the screenshots below show, unless you view the source code of the Web page, it is almost impossible to tell that the page has been modified.

The sub-domain in question is the Sustainable Energy Finance Initiative (SEFI) site, sefi.unep.org. SEFI is a division of UNEP and provides support and tools to financiers regarding the use of clean energy technologies.

Like most Black Hat SEO attacks on compromised sites, this one leaves the site looking perfectly fine, with no visible indication that it has been compromised.

However, further analysis of the source code reveals that the entire Black Hat SEO block is appended to the end of the HTML. Notice also that the block is given a hidden display style, and that the height and width of the displayed content are set to zero.

Scrolling through a chunk of the appended code, you can see drug names such as 'viagra' and 'levitra'. These keywords are there to earn the spam sites a better search engine ranking.

Most mainstream search engines, such as Google, know of these tricks and do their best to counter them, but the countermeasures do not always work. The success rate is, however, higher for the well-known search engines than for the less mainstream ones.

At the time of posting this blog, the Black Hat SEO threat has been removed and the sefi.unep.org Web site is safe for browsing.

Anonymous

OMG CNN Confirmed Osama Is Alive - Scam spreads on Twitter
Posted: 23 May 2011 03:30 PM

If you are seeing tweets right now from Twitter users, you may be misled into thinking that U.S. news organization CNN has revealed that Osama bin Laden is alive.

The tweets lead to a phishing page. Websense customers are protected from this scam by ACE, our Advanced Classification Engine.

Tweets are being posted by users right now at the rate of several hundred tweets per second and include:

   omgg osama is alive!!! cnn confirmed that he's still out there :((

   I cant BELIEVE osama is still alive - CNN confirmed he around stillll :O

   OMG CNN confirmed that they found Osama alive still ! ! !

Tweets lead to a bit.ly redirector that takes the user to a convincing phish page designed to harvest the user's Twitter account credentials.

Screenshot of the phish page:

A user who enters credentials is then taken to a YouTube video related to the topic of the scam, a CNN video discussing the news "'Osama is alive' say protestors."

The redirection chain is thus: hxxp://bit.ly/m[removed]Y -> hxxp://twitter.[removed].ru/relogin.php -> hxxp://www.youtube.com/watch?v=Ga[removed]Mg

Twitter trend-tracking service Trendistic recorded this scam at 1% of the volume of all tweets some 8 hours ago. The current rate is around 200 tweets per minute, so the phishing page could well be harvesting Twitter account credentials and then tweeting from the compromised accounts, thereby spreading the phishing links.

When Osama bin Laden's death was announced, we saw Facebook status updates offering a video of the events. Malware authors often use news events to entice users into actions such as following Web site links.

Websense Security Labs advises Twitter users who believe they may have fallen for this scam to change their passwords immediately and to check their Twitter feeds for postings related to this scam topic.

Carl Leonard

An Apple a day promotes WikiPharmacy
Posted: 19 May 2011 07:06 PM

Fake Apple Store Order Notifications have been making the rounds for months now. The volume of this particular spam campaign is not as astonishing as that of other past campaigns; it is, in fact, the exact opposite of those massive outbreaks that distribute hundreds of thousands of spam emails for a few hours and suddenly stop the next day. Websense customers are protected from this blended attack by ACE, our Advanced Classification Engine.

Typically, the email contains a link that redirects users to a very familiar pharmacy spam site.  These links either belong to compromised sites or newly registered domains.

Screen shot 1: Fake Apple Store Order Notification sample email

Today, we noticed the same fake Apple Store email redirecting users to a different, relatively new pharmacy spam web template. The new template has a Wikipedia feel to it and is cleverly titled "WikiPharmacy".

Screen shot 2: WikiPharmacy web spam template

Looking deeper into the IP address where this domain is hosted, we learned that it also serves over 24,000 other domains, all of which were used in pharmacy spam campaigns at one point.


Mary Grace Timcang

This Month in the Threat Webscape - April 2011
Posted: 17 May 2011 05:03 PM

Major Hits

Automattic, the company that maintains WordPress.com, admitted a breach in which parts of its sensitive code could have been copied. Even though WordPress is an open source project, there are apparently bits that are not that open.

We all presume that U.S. federal sites are the most protected. They really should be. However, the latest hack of the Oak Ridge National Laboratory showed us the contrary. Spear-phishing really is a challenge for everyone these days.

April was also a month of data breaches, including those at marketing company Epsilon, the European Space Agency, and Sony. These breaches may have affected millions of individuals in the victims' recipient databases. Be wary of, and suspicious of, all emails that appear to come from your usual and otherwise trustworthy senders. Remember also to change your passwords regularly.

With all of these breaches going around, the news of the kidnapping of Kaspersky's son sounded like something unusually new. It apparently took the Russian police only two days to free him from the kidnappers. It would be great if all data breaches could be fixed so quickly.

Web 2 dot uh oh

How can you tell whether a Facebook scam is effective? By the number of "likes" it gathers. All you need is a very provocative title, like the "The Hottest & Funniest Golf Course Video" scam, then sit back and see how many Facebook users dare to click the Like button to see the said video. As expected, the end result is a series of survey scams and no trace of the promised video.

Scammers are sometimes picky, too, as demonstrated by the "My Top 10 stalkers" scam, which targets specific countries based on the user's IP address. The U.S., Norway, the U.K., and the United Arab Emirates are among the targeted locations.

A CAPTCHA image sitting on top of a Facebook comment box is the pawn used by scammers in a recent click-jacking attack. The lure promises yet another provocative video, while the real intent is, of course, to push surveys and games.

Facebook issued a fix for a glitch, discovered by Turkish researcher Serkan Gencel, affecting users who had linked their Facebook profile to a Hotmail email address.

In early April, reports surfaced of Google adding a banner to Gmail accounts warning users when someone from China had accessed their account. This sort of security blanket, along with Google's two-factor authentication, seems to be Google's response in the wake of the infamous Aurora attack.

Exploit kits appear to be stealing the spotlight from the usual rogue AV payload on poisoned search results. Searching for celebrity child "Presley Walker" returned poisoned image search results carrying both an exploit kit and rogue AV as payload.

Apparently, even Twitter users are curious to see who has been viewing their tweets. Twitter users who fall victim to a rogue app called "Profile Spy" are offered endless surveys, pop-ups and ads.

Smartphone apps invading privacy? That's the case federal prosecutors are making against Pandora, claiming that the company has been supplying advertisers with consumer information gathered by one of its free smartphone apps running on Google's Android OS.

Browser and friends

This month, Apple continued to fix security holes, including a few that were successfully exploited by Pwn2Own winners, through the iOS 4.3.2/4.2.7 software updates, which cover 5 documented security problems. Apple also released several other security updates, including Safari 5.0.5 and iTunes 10.2.2.

On April 15, Adobe released a security update for Adobe Flash Player to fix a new 0-day vulnerability (CVE-2011-0611), which could cause a crash and potentially allow an attacker to take control of the affected system. This vulnerability was also being actively exploited in Adobe Reader and Acrobat via a Flash (.swf) file embedded in a Microsoft Word (.doc) or Excel (.xls) file. On April 21, Adobe released another important security update for Adobe Reader and Acrobat X to fix several vulnerabilities, including the previous one.

Right after the Firefox 4 release last month, Mozilla delivered the first security update for Firefox 4, including a fix for two chunks of code that had allowed attackers to override a key security protection baked into recent versions of the Windows operating system. A notable security update for Firefox 3.6.17/3.5.19 fixes several vulnerabilities. Three of them, for bugs involving an escalation of privilege through the Java Embedding Plugin, multiple dangling pointers, and miscellaneous memory safety hazards, were rated critical.

Microsoft

Microsoft released its biggest Patch Tuesday of the year so far in April: 17 bulletins covering 64 vulnerabilities in Windows, Office, Internet Explorer, Visual Studio, SMB, .NET Framework, and GDI+. Among them, 9 bulletins are rated critical and 8 important.

The most important fix is MS11-018, a cumulative security update for Internet Explorer. This security update is rated critical for Internet Explorer 6, 7, and 8 on Windows clients, and moderate for Internet Explorer 6, 7, and 8 on Windows servers. Internet Explorer 9 is not affected by the vulnerabilities. Microsoft encouraged all users to apply this bulletin first.

The other 8 critical bulletins fixed vulnerabilities in the SMB client and server, .NET Framework, GDI+, DNS resolution, the JScript and VBScript scripting engines, and the CFF driver.

Of the 60 vulnerabilities Microsoft patched, 30 are addressed by a single bulletin, MS11-034, which resolves vulnerabilities in Windows kernel-mode drivers that lead to elevation of privilege. The XSS vulnerability CVE-2011-0096 was patched in MS11-021.

Beginning in April 2011, the MSVR (Microsoft Vulnerability Research) program began issuing MSVR Advisories for vulnerabilities that Microsoft had privately disclosed to third-party vendors. It published two in April: one covering a use-after-free object lifetime vulnerability in Google Chrome, the other an issue in the HTML5 implementation in Chrome and Opera. All of the vulnerabilities had already been patched by December 2010.

Hello ThreatSeeker® Network. You've got mail!

Another malicious e-card campaign attacked innocent users. What was on the menu this time? Nicely obfuscated content serving a spicy iframe that leads to rogue AV. Sounds good to you? Sorry, we don't serve this juicy content to our users.

Do you have a small business, and wouldn't $1,500 make your month nicer? Well, forget about promises of easy money for an "innocent" money transfer. First you give up your confidential data to who-knows-who, and then you end up installing some malicious friend on your computer.

Osama Bin Laden's death is big news. Everybody is curious and wants to see the proof. Why not, right? Be wary, though. It is better to live without the proof than to infect your computer with an unwelcome, maliciously crafted guest.

Security Trends

The "Coreflood" botnet was taken down by the U.S. Justice Department and the FBI. Coreflood was an infamous botnet that emerged almost a decade ago as a high-powered virtual weapon designed to knock targeted Web sites offline. While investigators counted 413,710 infected machines between March 2009 and January 2010, the total number of machines that were, or had been, part of Coreflood is more than 2.3 million, with more than 1.8 million of them appearing to be located in the U.S.

A new marketplace has sprung up to buy and sell IPv4 addresses (or rather, to broker transfers from one organization to another with dollar figures attached). Sites like www.depository.net, www.addrex.net, and www.tradeipv4.com look like they'll be with us for a while.

Nikon's Image Authentication System has a vulnerability that revolves around cryptographic shortcomings in how the secure image signing key is handled by Nikon digital cameras. The Russian encryption specialist ElcomSoft has already created a gallery of hoax images that successfully pass validation with Nikon Image Authentication Software.

Apple's iPhone and iPad constantly track users' physical location and store the data in unencrypted files on both the iOS device and any computers that store backups of its data. That information can be used to reconstruct a detailed snapshot of the user's comings and goings.

Websense solutions with the ThreatSeeker Network and our Advanced Classification Engine (ACE) helped protect customers from April's blended threats.

This month's roundup contributors:

  • Ivan Sabo
  • Grace Timcang
  • Qiong Ran
  • Xue Yang
  • Lei Li

Ivan Sabo

The Daily Jang - The Online Pakistani Newspaper Jang.com.pk Compromised
Posted: 13 May 2011 02:59 PM

Websense Security Labs™ ThreatSeeker® network has determined that the Web site of the popular online Pakistani newspaper the 'Daily Jang' (jang.com.pk) has been compromised. Websense customers are protected from this attack by ACE, our Advanced Classification Engine.

The Web site has been injected with malicious code in several locations. The code redirects visitors' browsers to exploit Web sites. At the time of this writing, the exploit sites that the Daily Jang redirects to are active and serving malicious code.

The paper is one of the most popular and oldest newspapers in Pakistan. The Web site gets a lot of daily traffic from its many loyal readers, both within and outside Pakistan, and it also links to many other Web sites (Alexa report). Some reports indicate an average of more than 40,000 unique visits to the Web site a month.

An infection can occur while visiting the main page of the site. The visiting user's browser is redirected silently, in the background, to an exploit site loaded with an exploit kit called 'g01pack' (we blogged not long ago about mass injections leading to this exploit kit). If one of the kit's many exploit attempts is successful, a Trojan backdoor file is dropped onto the user's machine. The backdoor file currently has a detection rate of 26%.

One of the internally developed power tools that we use in the labs to research and analyze Web sites is Fireshark™. Fireshark allows researchers to see and map all the Web sites that the browser connects to when visiting a Web address. (The Fireshark project is open source and also comes as a Firefox plugin; you can check it out at its official Web site, fireshark.org.)

Fireshark can map exactly what happens to the browser when surfing to a Web address. When jang.com.pk is loaded into Fireshark, at the end of the process Fireshark creates a visual map of all of the connections made by the browser during the visit. In the image below, the malicious Web site that the browser connects to when visiting jang.com.pk is marked in red and labelled with the string TLD vv.cc (jang.com.pk is also marked in red because it is compromised).

This is what the main page of jang.com.pk looks like:

This is how Fireshark sees jang.com.pk (depicts all of the connections made by the browser when browsing to jang.com.pk; click to enlarge).

Injection Information

The site is injected in several places. The injection appears as an iframe at the bottom of each injected page; a snapshot is provided below. You might think it ends there, but any security hole that lets one attacker inject malicious code can be found by other attackers as well, which is why the Web site carries a second kind of malicious injection on many of its pages. In total there are two kinds of injection on jang.com.pk. The first appears as an iframe (the first snapshot below); the second appears as obfuscated JavaScript code that also silently redirects any visiting browser to exploit sites; however, those exploit sites appear to be down at the time of writing this post.

The ThreatSeeker network monitors jang.com.pk constantly for security risks and as soon as it's cleaned we'll also update this blog post.

The injected Iframe on the main page of jang.com.pk:

The second injection appears as obfuscated JavaScript code that the browser eventually turns into an iframe:
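A scanner for the two injection patterns described in this post and in the Green Energy Black Hat SEO post above (hidden or zero-sized blocks stuffed with links and drug keywords, and iframes appended after the page's closing tag), as an added example that is not Websense's tooling; the spam keyword list and SAMPLE_PAGE are constructed assumptions:

```python
"""Flag hidden SEO blocks and appended iframes in fetched HTML (added example,
not Websense tooling): hidden or zero-sized content stuffed with links and drug
keywords, and markup appended after </html>, as described in the posts."""
import re
from html.parser import HTMLParser

SPAM_KEYWORDS = ("viagra", "levitra", "cialis", "pharmacy")   # assumed list
VOID_TAGS = {"br", "img", "input", "meta", "link", "hr", "base", "embed", "wbr"}
# display:none, visibility:hidden, or a width/height of exactly 0
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden|"
                          r"(?:width|height)\s*:\s*0(?:px)?(?![\w.])", re.I)


class HiddenBlockFinder(HTMLParser):
    """Records each hidden element with its link count and spam keywords."""
    def __init__(self):
        super().__init__()
        self.stack = []        # currently open non-void tags
        self.blocks = []       # finished hidden blocks
        self.pending = None    # hidden block being collected, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        hidden = (HIDDEN_STYLE.search(a.get("style") or "") is not None
                  or "hidden" in a
                  or (tag == "iframe" and "0" in (a.get("width"), a.get("height"))))
        if self.pending and tag == "a" and a.get("href"):
            self.pending["links"] += 1
        if tag in VOID_TAGS:
            return
        self.stack.append(tag)
        if hidden and self.pending is None:
            self.pending = {"tag": tag, "src": a.get("src"), "level": len(self.stack),
                            "links": 0, "text": []}

    def handle_endtag(self, tag):
        if tag in VOID_TAGS or tag not in self.stack:
            return
        while self.stack.pop() != tag:      # tolerate unclosed children
            pass
        if self.pending and len(self.stack) < self.pending["level"]:
            self.finish()

    def handle_data(self, data):
        if self.pending:
            self.pending["text"].append(data)

    def finish(self):
        blk, self.pending = self.pending, None
        text = " ".join(blk["text"]).lower()
        self.blocks.append({"tag": blk["tag"], "src": blk["src"], "links": blk["links"],
                            "keywords": sorted(k for k in SPAM_KEYWORDS if k in text)})


def trailing_markup(html):
    """Markup after the last </html>, or '' when the document ends cleanly."""
    idx = html.lower().rfind("</html>")
    tail = html[idx + len("</html>"):].strip() if idx >= 0 else ""
    return tail if re.search(r"<(iframe|script|div|a)\b", tail, re.I) else ""


def scan_html(html):
    """Run both checks and return a report dict."""
    finder = HiddenBlockFinder()
    finder.feed(html)
    finder.close()
    if finder.pending:                      # hidden element never closed
        finder.finish()
    return {"hidden": finder.blocks, "trailing": trailing_markup(html)}


def is_suspicious(report, min_links=3):
    """Drug keywords or many links in hidden content, a hidden iframe, or markup
    after </html> all warrant a look at the page source."""
    return bool(report["trailing"]) or any(
        b["keywords"] or b["links"] >= min_links or b["tag"] == "iframe"
        for b in report["hidden"])


# Constructed sample: a clean page with a hidden pharma block and an appended iframe.
SAMPLE_PAGE = """<html><head><title>Clean energy finance</title></head>
<body><h1>Sustainable finance</h1><p>Legitimate content.</p>
<div style="display:none; width:0px; height:0px">
  <a href="http://compromised-a.example/">buy viagra online</a>
  <a href="http://compromised-b.example/">cheap levitra</a>
</div>
</body></html>
<iframe src="http://exploit-host.example/in.php" width="0" height="0"></iframe>
"""
```

Run `scan_html` over a saved copy of a page (what the wget-style fetch in these posts produces) and treat any `is_suspicious` hit as a prompt to read the source by hand.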

Special thanks to Websense researchers Tamas Rudnai and Artem Gololobov who contributed information to this post.

Elad Sharf

Spyware celebrates Google's 13th birthday!
Posted: 11 May 2011 11:53 AM

Websense Security Labs ThreatSeeker® network has noticed typosquatting activity targeting google.com. Typosquatting is the widespread practice of registering domain names based on misspellings of famous brand names, and it is often abused by scammers to host malware and phishing content on the misspelled domains. Apparently, the Anticybersquatting Consumer Protection Act (ACPA) was enacted in 1999 to fight the illegal registration or use of domains confusingly similar to a trademark or famous name. As we know, it has been 13 years since Google was founded in 1998. Scammers have taken this opportunity to spread spyware through typosquatting on google.com, claiming that you can win an iPad on Google's 13th birthday.

Here is an example of Google typosquatting: googole.com. Users land on the fake domain if they mistype google.com.

A pop-up window says:

After you click the button, you are redirected to a site that some people may be interested in, hence dropping their guard:

Whether it's a MacBook Air, iPad, or iPhone 4, why not try, as it's free? However, you may be a little disappointed:

On the last page, the file you download reveals its real face on VirusTotal: detection 22/42.

Many other big names, such as Facebook and YouTube, also suffer from typosquatting; only domain registrars can control the selling of typosquatting domain names. Websense customers are protected by our Advanced Classification Engine (ACE).

An example of YouTube typosquatting: youtue.com

An example of Facebook typosquatting: facebock.com

We believe that cybercriminals will continue their criminal activities through the abuse of Google's 13th birthday. Be aware of the term when you surf, and we welcome any report of suspicious behavior.
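A hostname check covering both the typosquats shown in this post and the twitter.[removed].ru hop in the "OMG CNN Confirmed Osama Is Alive" Twitter scam post above, as an added example (not Websense code or ACE); the BRANDS map, the placeholder redirect chain and the two-label registrable-domain rule are assumptions:

```python
"""Spot brand look-alike hostnames (added example, not Websense code or ACE).

Covers both patterns in the posts: a brand name used as a label under someone
else's registrable domain (twitter.<redacted>.ru) and a registrable label one
edit away from the brand (googole, youtue, facebock). BRANDS, the sample chain
and the two-label registrable-domain rule are assumptions.
"""
from urllib.parse import urlsplit

BRANDS = {"twitter": "twitter.com", "google": "google.com",
          "youtube": "youtube.com", "facebook": "facebook.com"}


def osa_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute, plus the
    adjacent transposition that typosquats rely on."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def registrable_domain(host):
    """Last two labels; assumption: no public-suffix list (co.uk etc.) is used."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_host(host, brands=BRANDS):
    """Return (verdict, detail) for one hostname."""
    host = host.lower().rstrip(".")
    labels = host.split(".")
    reg = registrable_domain(host)
    if reg in set(brands.values()):
        return "legitimate", reg
    reg_label = labels[-2] if len(labels) >= 2 else labels[0]
    for brand, home in brands.items():
        # brand name appears as (part of) a label under a foreign domain
        if any(brand in lab for lab in labels):
            return "brand-in-foreign-domain", f"{brand} under {reg}"
        # registrable label is a single typing slip away from the brand
        if osa_distance(reg_label, brand) == 1:
            return "typosquat", f"{reg} looks like {home}"
    return "unknown", reg


def analyse_chain(urls, brands=BRANDS):
    """Classify every hop of a redirect chain and return the flagged hops."""
    findings = []
    for url in urls:
        verdict, detail = classify_host(urlsplit(url).hostname or "", brands)
        if verdict in ("brand-in-foreign-domain", "typosquat"):
            findings.append((url, verdict, detail))
    return findings


# Constructed stand-in for the chain in the Twitter post (real hosts were redacted there).
SAMPLE_CHAIN = [
    "http://bit.ly/mPLACEHOLDERY",
    "http://twitter.lookalike-placeholder.ru/relogin.php",
    "http://www.youtube.com/watch?v=PLACEHOLDER",
]

if __name__ == "__main__":
    for hop in analyse_chain(SAMPLE_CHAIN):
        print("flagged hop:", hop)
    for h in ("googole.com", "youtue.com", "facebock.com", "gogole.com", "www.google.com"):
        print(h, "->", classify_host(h))
```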

Ran Qiong

High court scams legal dept.
Posted: 11 May 2011 09:53 AM

Now this is what I call moving forward, or at least being very bold: a targeted scam attack on Websense. Do not misunderstand my point, though, as this is not to congratulate squatters; however, it is definitely a progression from simpler times, when all one had to do to initiate a phishing attack was to register a domain name closely related to one used for commerce or similar. The example below shows how far people are willing to go to get a response.

The domain used for this targeted scam is dornfordeve.com; it has nothing to do with Websense and is not owned by the company. However, when the company received a letter from a supposed legal firm threatening a Cease and Desist action over the use of the domain name, it got a few people "scratching their heads". It is unusual to receive letters or emails such as these, and the subject line is sure to grab one's attention or invoke a little curiosity.

Below is the phishing message example intended for the Legal department.

The content of the message sounds quite stern; however, a little digging into the domain using a simple wget gave us the source code of its "index.html" (below).

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"  "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>

  <title>dornfordeve.com</title>

</head>

<frameset rows="100%,*" border="0">
<frame src="https://www.mailcontrol.com/login/login_form.mhtml" frameborder="0" />
<frame frameborder="0" noresize />
</frameset>

<!-- pageok -->
<!-- 05 -->
<!-- -->

</html>

Instead of simply buying a corresponding or closely-related domain name, the cybercriminal has embedded a frame pointing to Websense's Hosted Email Security page. An unsuspecting user entering the URL into a browser's address bar is automatically and transparently presented with Websense's Hosted Email Security logon page (mailcontrol.com).
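What a defender could run over the same wget output, as an added example that is not Websense's code: it lists frames on the fetched page that load a domain you own, and checks whether the framed login page answers with the response headers that make browsers refuse such framing. SCAM_INDEX is the index.html quoted above; the owned-domain list and the sample headers are assumptions.

```python
"""Find frames on a third-party page that load a domain you own, and check that
the framed login page refuses cross-site framing (added example, not Websense code).

SCAM_INDEX reproduces the index.html quoted in the post; the owned-domain list
and the sample response headers are assumptions.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

SCAM_INDEX = """<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html><head><title>dornfordeve.com</title></head>
<frameset rows="100%,*" border="0">
<frame src="https://www.mailcontrol.com/login/login_form.mhtml" frameborder="0" />
<frame frameborder="0" noresize />
</frameset>
</html>"""


class FrameCollector(HTMLParser):
    """Collects the src of every <frame> and <iframe>."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag in ("frame", "iframe"):
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)


def registrable_domain(host):
    """Last two labels; assumption: no public-suffix list is consulted."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def foreign_framing(html, page_host, owned_domains):
    """Return (frame src, host) pairs where a page outside your domains frames
    one of them, as dornfordeve.com framed mailcontrol.com."""
    owned = {d.lower() for d in owned_domains}
    if registrable_domain(page_host) in owned:
        return []                      # your own site framing itself is fine
    collector = FrameCollector()
    collector.feed(html)
    hits = []
    for src in collector.srcs:
        host = (urlsplit(src).hostname or "").lower()
        if host and registrable_domain(host) in owned:
            hits.append((src, host))
    return hits


def framing_header_ok(headers):
    """True when the framed page's response tells browsers to refuse cross-site
    framing: X-Frame-Options DENY/SAMEORIGIN, or the newer CSP frame-ancestors
    directive without a wildcard (a deliberately conservative check)."""
    h = {k.lower(): v for k, v in headers.items()}
    if h.get("x-frame-options", "").strip().upper() in ("DENY", "SAMEORIGIN"):
        return True
    csp = h.get("content-security-policy", "").lower()
    for directive in csp.split(";"):
        name, _, value = directive.strip().partition(" ")
        if name == "frame-ancestors" and value and "*" not in value:
            return True
    return False


if __name__ == "__main__":
    for src, host in foreign_framing(SCAM_INDEX, "dornfordeve.com", ["mailcontrol.com"]):
        print(f"dornfordeve.com frames {host}: {src}")
    # Constructed header sets: without a framing header the scam page renders the login form.
    print("no header:", framing_header_ok({}))
    print("X-Frame-Options DENY:", framing_header_ok({"X-Frame-Options": "DENY"}))
```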

Further investigation into the domain name using robtex also shows similar domains listed for sale.

Although there is nothing malicious in the page itself, the intent is pretty obvious, as this is not a domain owned by us. Whoever was behind this clearly knew what they wanted and, in some circumstances, would probably have achieved their aim (although, sadly for them, not today).

 

Piecing things together suggests this hypothesis:

  • Cybercriminal decides on the most eligible targets
  • Cybercriminal buys the domain name, either directly or via a proxy
  • Cybercriminal plants a frame on the bought domain that points to the target's Web site
  • Cybercriminal masquerades as a law firm and contacts the legal department of the targeted company

Desired outcomes for group:

  • Company panics and offers to buy domain at extortionate price
  • Company bites or tugs on the bait to start a dialogue, with the group eventually being offered a settlement

Best bit of advice:

If a domain does not belong to you, first check the legitimacy of the senders, report this as an incident (a company's Information Security team will have a means of reporting incidents), and monitor any further communication.

Anonymous

The Next Hotbed of Cybercrime Activity is... Canada?!?
Posted: 11 May 2011 04:25 AM

Cybercriminals are on the move again, and this time Canada is the prime target. IP addresses in China and Eastern Europe are highly scrutinized and under intense evaluation, so hackers are on a quest to move their networks to countries, like Canada, that have better cyber reputations.

It's a little surprising to me as well. Previously, Canada was a place of great beer and hockey (next year, Habs!). But Websense recently conducted an analysis of Canada’s cyber security risk profile, and all trends pointed to Canada as the new launchpad for cybercriminals. For example:

  • Jump in Hosted Phishing Sites - Canada saw a huge increase in the number of servers hosting phishing sites, jumping 319 percent in the last year. This tremendous increase over the last 12 months is second only to Egypt in terms of the growth of sites hosting crimeware.
  • Increase in Bot Networks - Cybercriminals are moving their command and control centers to safer grounds. In the past eight months, Canada saw a 53 percent increase in bot networks. In fact, Canada scored second highest for hosting bot networks when compared to the U.S., France, Germany and China.
  • Malicious Websites - We're seeing malicious websites decline across the board. However, Canada's decline is tremendously slower when compared to the countries listed above.
  • Overall Increase in Cybercrime - In Websense's most recent Threat Report, Canada was #13 in the world for hosting cybercrime. Now it has jumped to #6 in the world in 2011, and this number continues to rise.

More malicious content is being hosted in Canada than ever before. How will the public and private sector protect Canada? And, will the Canadian government be able to take down major Internet crime networks - similar to when the US brought down Rustock and Coreflood?

Here's a quick peek at the top countries hosting phishing sites for the first part of this year. You can clearly see that Canada now holds the number two position for hosting this type of crimeware.

So, the question I have for you folks - is this surprising to you? Why or why not? We'd love to hear from you in the comments below.

Patrik Runald

Administrators and users beware - Fake Patch Tuesday Alert!
Posted: 09 May 2011 04:07 PM

Websense Security Labs ThreatSeeker® network has noticed a low-volume threat circulating as a Microsoft update with very low detection. This attack ties in almost perfectly with the release of patches on the upcoming "Patch Tuesday" from Microsoft. The attack lures the unsuspecting user into following the link provided in the email message, which infects their system by downloading a malicious executable to the user's machine. The executable (the fake patch) is hosted on a compromised domain and at the time of writing has an 11% detection rate, as seen here on VirusTotal.

Websense customers are protected by our Advanced Classification Engine - ACE.

The email message looks quite legitimate, as the display names in the headers say it originates from Microsoft Canada (spoofed). Other attributes of the message include a sense of urgency in the subject: "URGENT: Critical Security Update". The body of the message is presented in two languages (English and French), indicating that some effort was put into its creation, making it look more legitimate and targeting a larger audience. Installing the fake patch infects the machine with a Zeus Trojan variant, which calls home to its command & control server at visitortracker.net.in.

Below is the message, headers together with the body.

Just as a heads-up on what to expect from this "Patch Tuesday": it's a pretty small update, as Microsoft will release only two updates to patch two undisclosed vulnerabilities, a Critical update affecting MS Windows and an Important update affecting MS Office.

Anonymous

The "real" Osama Bin Laden dead pics
Posted: 04 May 2011 03:26 PM

Messages inviting users to see the "real photos" of Osama Bin Laden's remains made the rounds in the email realm today, in addition to the Facebook scams and the malware recently spread via Twitter abusing the same topic. Our customers are protected from these types of blended attacks by ACE, our Advanced Classification Engine.

The subjects used in this attack are "As Fotos do Terrorista Osama Morto" and "As Fotos de Osama Binladem Morto", which of course are designed to tap into the user's curiosity.

The email sample we got hold of today is in Portuguese, like the one below.

The text translates as:

After the pronouncement of the death of Osama Bin Laden several pictures of the body were released on the internet. According to American newspapers not all are real.
The real photos are available on the link below.

Clicking on the provided link prompts the user to download a file called FOTOS.Terroris.zip, which is reasonably well detected by AV engines.

Mary Grace Timcang
