Websense Security Labs Blog

Websense Security Labs discovers, investigates and reports on advanced Internet threats that traditional security
research methods miss.

Latest Blog Posts


(May 2011) Posts

Green Energy Black Hat SEO

Posted: 27 May 2011 10:00 AM | Anonymous | no comments


The Websense Security Labs ThreatSeeker network has detected a Black Hat SEO attack on a domain that belongs to the United Nations Environment Programme (UNEP). The domain has been compromised with a number of medical spam-related URLs, most of which point to compromised sites themselves. As you can see from the screenshots below, unless you view the source code of the Web page, it is almost impossible to tell that the page has been modified. The sub-domain in question is the Sustainable Energy Finance Initiative (SEFI) site, sefi.unep.org. SEFI is a division of UNEP and provides support and tools to financiers regarding the use of clean energy technologies.

Like most Black Hat SEO attacks on compromised sites, the site looks perfectly fine, and there is no visible indication that it has been compromised. Further analysis of the source code, however, reveals that the entire Black Hat SEO block is appended to the end of the HTML code. Notice also that the appended code is styled as hidden, with the height and width of the displayed content set to zero. Trawling through a chunk of the appended code, you can see drug names such as 'viagra' and 'levitra'. These keywords are there to improve the search engine ranking of the linked sites.

Most mainstream search engines such as Google know about these tricks and do their best to counter them, but it does not always work. The prevention success rate is higher for the well-known search engines than for the less mainstream ones. At the time of posting this blog, the Black Hat SEO content has been removed and the sefi.unep.org Web site is safe for browsing.

Read more > 


An Apple a day promotes WikiPharmacy

Posted: 19 May 2011 07:06 PM | Mary Grace Timcang | no comments


Fake Apple Store Order Notifications have been making the rounds for months now. The volume of this particular spam campaign is not as astonishing as that of other past campaigns. It is actually the exact opposite of those massive outbreaks that distribute hundreds of thousands of spam emails for a few hours and suddenly stop the next day. Websense customers are protected from this blended attack by ACE, our Advanced Classification Engine.

...

Read more > 


This Month in the Threat Webscape - April 2011

Posted: 17 May 2011 05:03 PM | Ivan Sabo | no comments


Major Hits

Automattic, the company that maintains WordPress.com, admitted a breach in which parts of their sensitive code could have been copied. Even though WordPress is an open source project, there are apparently bits which are not that open. We all presume that U.S. federal sites are the best protected. They really should be. However, the latest hack on the Oak Ridge National Laboratory showed us the contrary. Spear-phishing is really a challenge for everyone these days. April was also a month of data breaches, including marketing company Epsilon, the European Space Agency, and Sony. These breaches may have affected millions of individuals in their recipient databases. Be wary of and suspect all emails coming from your usual and otherwise trustworthy senders. Remember also to change your passwords regularly. With all of the breaches running around, the news about the kidnapping of Kaspersky's son sounded like something unusually new. It apparently took only two days for Russian police to free him from the kidnappers. It would be great if we could fix all data breaches so quickly.

Web 2 dot uh oh

How can you tell whether a Facebook scam is effective or not? By the number of "likes" it can gather. All you need is a very provocative title, like the "The Hottest & Funniest Golf Course Video" scam, then sit back and see how many Facebook users dare to click the Like button to see the said video. As expected, the end result is a number of survey scams and no trace of the promised video. Scammers are sometimes picky, too, as demonstrated in the "My Top 10 stalkers" scam. This scam targets specific countries based on the user's IP address. The U.S., Norway, U.K., and the United Arab Emirates are some of the targeted locations. A CAPTCHA image sitting on top of a Facebook comment box is the pawn used by scammers in a recent click-jacking attack. The lure promises yet another provocative video while the real intent is, of course, for scammers to offer surveys and games.

Facebook issued a fix for a glitch discovered by Turkish researcher Serkan Gencel involving users who linked their Facebook profile to a Hotmail email address. In early April, reports surfaced about Google adding a banner to Gmail accounts warning if someone from China accessed the user's account. This sort of security blanket, along with Google's two-factor authentication, seems to be Google's response in the wake of the infamous Aurora attack. Exploit kits appear to be stealing the spotlight from the usual rogue AV payload on poisoned search results. Searching for celebrity child "Presley Walker" returned some poisoned image search results with both an exploit kit and rogue AV as the payload. Apparently, even Twitter users are curious to see who tried to view their tweets. Twitter-ers who fall victim to the rogue app called "Profile Spy" are offered endless surveys, pop-ups and ads.

Smartphone apps invading privacy...

Read more > 


The Daily Jang - The Online Pakistani Newspaper Jang.com.pk Compromised

Posted: 13 May 2011 02:59 PM | Elad Sharf | no comments


The Websense Security Labs™ ThreatSeeker® network has determined that the popular online Pakistani newspaper Web site the 'Daily Jang' (at jang.com.pk) has been compromised. Websense customers are protected from this attack by ACE, our Advanced Classification Engine. The Web site has been injected with malicious code in several locations. The code redirects visitors' browsers to exploit Web sites. At the time of this writing, the exploit sites that the Daily Jang redirects to are active and serve malicious code.

The paper is one of the most popular and oldest newspapers in Pakistan. The Web site gets a lot of daily traffic from its many loyal readers, both within and outside Pakistan. It also links to many other Web sites (Alexa report). Some reports indicate an average of more than 40,000 unique visits to the Web site a month. An infection can occur while visiting the main page of the site. The visiting user's browser is redirected silently, in the background, to an exploit site loaded with an exploit kit called 'g01pack' (we blogged not long ago about mass injections leading to this exploit kit). If one of the kit's many exploit attempts is successful, a Trojan backdoor file is dropped onto the user's machine. The backdoor file currently holds a detection rate of 26%.

One of our internally developed power tools that we use in the labs to research and analyze Web sites is Fireshark™. Fireshark allows researchers to visually see and map all the Web sites that the browser connects to when visiting a Web address. (The Fireshark project is open source and also comes as a Firefox plugin. You can check it out at its official Web site: fireshark.org.) Fireshark can map exactly what happens to the browser when surfing to a Web address. When jang.com.pk is loaded in Fireshark, at the end of the process Fireshark creates a visual map of all of the connections made by the browser during the site visit. In the image below, the malicious Web site that the browser connects to when visiting jang.com.pk is marked in red with the string TLD vv.cc (jang.com.pk is also marked in red because it is compromised). This is what the main page of jang.com.pk looks like: [screenshot]. This is how Fireshark sees jang.com.pk (depicting all of the connections made by the browser when browsing to jang.com.pk; click to enlarge): [screenshot].

Injection Information

The site is injected in several places. The injection appears as an iframe at the bottom of each injected page. A snapshot is provided below. You might think it ends here, but any security hole that leaves the door open for one attacker to inject malicious code may be found by other attackers as well; this is the main reason why the Web site carries another kind of malicious injection on many of its pages. In total there are two kinds of injections on jang.com.pk. The first appears as an iframe (the first snapshot below), the second appears as obfuscated JavaScript code that also silently redirects...

Read more > 


Spyware celebrates Google's 13th birthday!

Posted: 11 May 2011 11:53 AM | Ran Qiong | no comments


The Websense Security Labs® ThreatSeeker® network has noticed typosquatting activity targeting google.com. Typosquatting is a common Internet practice of registering domain names based on misspellings of famous brand names. It is often abused by scammers to host malware and phishing content on these misspelled domains. The Anticybersquatting Consumer Protection Act (ACPA) was enacted in 1999 to fight any illegal intention of registering or using a domain confusingly similar to a trademark or famous name. As we know, it has been 13 years since Google was founded in 1998. Scammers have taken this opportunity to spread spyware through typosquatting on google.com, claiming that you can win an iPad on Google's 13th birthday.

...

Read more > 


High court scams legal dept.

Posted: 11 May 2011 09:53 AM | Anonymous | no comments


Now this is what I call moving forward, or at least being very bold: a targeted scam attack on Websense. Do not misunderstand my point, though, as this is not to congratulate squatters; however, it definitely is a progression from simpler times when all one had to do to initiate a phishing attack was to register a domain name closely related to one used for commerce or similar. The example below shows how far people are willing to go to get a response.

The domain used for this targeted scam is dornfordeve.com and has nothing to do with Websense, as it is not owned by the company. However, when the company received a letter from a supposed legal firm with a Cease and Desist action on the use of the domain name, it got a few people "scratching their heads". It is unusual to receive letters or emails such as these, and the subject line is sure to grab one's attention or invoke a little curiosity. Below is the phishing message example intended for the Legal department. The content of the message sounds quite stern; however, a little digging on the domain using a simple wget gave us the source code of "index.html" (below).

    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
    <html>
    <head>
    <title>dornfordeve.com</title>
    </head>
    <frameset rows="100%,*" border="0">
    <frame src="https://www.mailcontrol.com/login/login_form.mhtml" frameborder="0" />
    <frame frameborder="0" noresize />
    </frameset>
    <!-- pageok -->
    <!-- 05 -->
    <!-- -->
    </html>

Instead of simply buying a corresponding or closely-related domain name, the cybercriminal has embedded a frame pointing to Websense's Hosted Email Security page. An unsuspecting user entering the URL into the address bar of a browser is automatically and transparently presented with Websense's Hosted Email Security logon page (mailcontrol.com). Further investigation into the domain name using robtex also shows similarly listed domains up for sale.

Although there is nothing malicious about this in itself, the intent is pretty obvious, as this is not a domain owned by us. Whoever was behind this clearly knew what they wanted, and in some circumstances would probably achieve their aim (although sadly for them, not today). Piecing things together suggests this hypothesis:

- Cybercriminal decides on the most eligible targets
- Cybercriminal buys a domain name, either directly or via a proxy
- Cybercriminal plants a frame on the bought domain that points to the target's Web site
- Cybercriminal masquerades as a law firm and contacts the legal department of the targeted company

Desired outcomes for the group:

- Company panics and offers to buy the domain at an extortionate price
- Company bites or tugs on the bait to start a dialogue, with the group eventually being offered a settlement

Best bit of advice: If a domain does not belong...
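Two of the posts on this page describe injections that are easy to miss in a browser but easy to find in the page source: the hidden, zero-sized block of pharma keywords appended to sefi.unep.org, and the bare frameset on dornfordeve.com whose only visible frame loads another organisation's login page. The following Python script is an added example, not code from Websense or from either post; it shows a defender-side check for both patterns using only the standard library. The sample pages, the `example-squat.invalid` and `login.example.invalid` hosts and the keyword list are all constructed for the example.

```python
"""Defender-side checks for two injection patterns described on this page:
(1) a hidden block stuffed with pharma keywords (the Black Hat SEO case), and
(2) a bare frameset whose frame loads a page from a foreign host (the
    frame-to-someone-else's-login-page case).
The sample pages below are constructed for this example; they are not the
injected code observed on the sites named in the posts."""
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Keywords the SEO post cites as typical of pharma stuffing; extend as needed.
SPAM_KEYWORDS = ("viagra", "levitra", "cialis")

# Inline styles that hide content or collapse it to zero size.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:height|width)\s*:\s*0(?:px)?(?![.\d])",
    re.I,
)

# Elements that never get a closing tag, so they must not sit on the open-tag stack.
VOID_TAGS = {"frame", "br", "img", "meta", "link", "input", "hr"}


class _Scanner(HTMLParser):
    """Collects text that sits inside hidden elements, plus every frame source."""

    def __init__(self):
        super().__init__()
        self.stack = []          # (tag name, True if this element hides its content)
        self.hidden_depth = 0    # > 0 while inside at least one hidden ancestor
        self.hidden_text = []
        self.frame_srcs = []
        self.saw_frameset = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        hides = (
            "hidden" in a
            or bool(HIDDEN_STYLE.search(a.get("style") or ""))
            or a.get("height") == "0"
            or a.get("width") == "0"
        )
        if tag in ("frame", "iframe") and a.get("src"):
            self.frame_srcs.append(a["src"])
        if tag == "frameset":
            self.saw_frameset = True
        if tag in VOID_TAGS:
            return
        self.stack.append((tag, hides))
        if hides:
            self.hidden_depth += 1

    def handle_endtag(self, tag):
        # Ignore closes for void or never-opened tags; otherwise unwind to the match.
        if tag in VOID_TAGS or tag not in [name for name, _ in self.stack]:
            return
        while self.stack:
            name, hides = self.stack.pop()
            if hides:
                self.hidden_depth -= 1
            if name == tag:
                break

    def handle_data(self, data):
        if self.hidden_depth > 0 and data.strip():
            self.hidden_text.append(data.strip())


def find_hidden_spam_text(html):
    """Return text fragments that are both hidden and contain a pharma keyword."""
    s = _Scanner()
    s.feed(html)
    return [t for t in s.hidden_text if any(k in t.lower() for k in SPAM_KEYWORDS)]


def foreign_full_page_frames(html, own_host):
    """If the page is a frameset, return frame sources whose host is not own_host."""
    s = _Scanner()
    s.feed(html)
    if not s.saw_frameset:
        return []
    foreign = []
    for src in s.frame_srcs:
        host = urlparse(src).hostname
        if host and host != own_host and not host.endswith("." + own_host):
            foreign.append(src)
    return foreign


# Constructed sample: a normal page with a hidden keyword block appended after </html>.
SEO_SAMPLE = """<html><body><h1>Sustainable Energy Finance</h1>
<p>Clean energy finance tools.</p></body></html>
<div style="display:none;height:0;width:0"><a href="http://example.invalid/">buy viagra online</a>
cheap levitra</div>"""

# Constructed sample: a squatted domain that only frames a foreign login page.
FRAME_SAMPLE = """<html><head><title>example-squat.invalid</title></head>
<frameset rows="100%,*" border="0">
<frame src="https://login.example.invalid/login_form" frameborder="0" />
<frame frameborder="0" noresize />
</frameset></html>"""

if __name__ == "__main__":
    print("hidden spam text:", find_hidden_spam_text(SEO_SAMPLE))
    print("foreign frames:", foreign_full_page_frames(FRAME_SAMPLE, "example-squat.invalid"))
```

Run it against saved page source (for example the output of the `wget` mentioned above) rather than a live site; the frameset check needs the host you expect the page to belong to, and anything it returns is worth a look even when, as in the dornfordeve.com case, the framed page itself is legitimate.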

Read more > 


The Next Hotbed of Cybercrime Activity is... Canada?!?

Posted: 11 May 2011 04:25 AM | Patrik Runald | no comments


Cybercriminals are on the move again. And, this time, Canada is the prime target. IP addresses in China and Eastern Europe are highly scrutinized and undergoing intense evaluation, so hackers are on a quest to move their networks to countries, like Canada, that have better cyber reputations. It's a little surprising to me as well. Previously, Canada was a place of great beer and hockey (next year, Habs!). But Websense recently conducted an analysis of Canada's cyber security risk profile, and all trends pointed to Canada as the new launchpad for cybercriminals. For example:

- Jump in Hosted Phishing Sites: Canada saw a huge increase in the number of servers hosting phishing sites, jumping 319 percent in the last year. This tremendous increase over the last 12 months is second only to Egypt in terms of the growth of sites hosting crimeware.
- Increase in Bot Networks: Cybercriminals are moving their command and control centers to safer grounds. In the past eight months, Canada saw a 53 percent increase in bot networks. In fact, Canada scored the second highest for hosting bot networks when compared to the U.S., France, Germany and China.
- Malicious Websites: We're seeing a trend of malicious websites declining across the board. However, Canada's decline is tremendously slower when compared to the countries listed above.
- Overall Increase in Cybercrime: In Websense's most recent Threat Report, Canada was #13 in the world for hosting cybercrime. Now they have jumped to #6 in the world in 2011. And this number continues to rise.

More malicious content is being hosted in Canada than ever before. How will the public and private sector protect Canada? And will the Canadian government be able to take down major Internet crime networks, similar to when the US brought down Rustock and Coreflood? Here's a quick peek at the top countries hosting phishing sites for the first part of this year.

You can clearly see that Canada now holds the number two position for hosting this type of crimeware. So, the question I have for you folks is: is this surprising to you? Why or why not? We'd love to hear from you in the comments below.

Read more > 


Administrators and users beware - Fake Patch Tuesday Alert!

Posted: 09 May 2011 04:07 PM | Anonymous | no comments


The Websense Security Labs™ ThreatSeeker® network has noticed a low-volume threat circulating as a Microsoft update with a very low detection rate. This attack ties in almost perfectly with the release of patches on the upcoming "Patch Tuesday" from Microsoft. The attack lures the unsuspecting user into following the link provided within the email message, which infects their system by downloading a malicious executable to the user's machine. The executable (the fake patch) is hosted on a compromised domain and at the time of writing holds an 11% detection rate, as seen here on VirusTotal. Websense customers are protected by our Advanced Classification Engine, ACE.

The email message looks quite legitimate, as the display names within the headers say it originates from Microsoft Canada (spoofed). Other attributes of the message include a sense of urgency in the subject: "URGENT: Critical Security Update". The body of the message is presented in two languages (English and French), indicating some effort put into its creation, making it look more legitimate and targeting a larger audience. Installing the fake patch results in a machine infected with a Zeus Trojan variant; the Trojan calls home to its command & control server at visitortracker.net.in. Below we have the headers of the message together with the body.

Just as a heads-up of what to expect of this "Patch Tuesday": it's a pretty small update, as Microsoft will release only two updates to patch two undisclosed vulnerabilities, a Critical update affecting MS Windows and an Important update affecting MS Office.

Read more > 


The "real" Osama Bin Laden dead pics

Posted: 04 May 2011 03:26 PM | Mary Grace Timcang | no comments


Messages inviting users to see the "real photos" of Osama Bin Laden's remains made the rounds in email today, in addition to the Facebook scams and the malware recently spread via Twitter abusing the same topic. Our customers are protected from these types of blended attacks by ACE, our Advanced Classification Engine. Subjects being used in this attack are "As Fotos do Terrorista Osama Morto" and "As Fotos de Osama Binladem Morto", which of course are designed to tap into the user's curiosity. The email sample we got hold of today is in Portuguese, like the one below. The text translates as: After the announcement of the death of Osama Bin Laden, several pictures of the body were released on the Internet. According to American newspapers, not all are real. The real photos are available at the link below. Clicking on the provided link prompts the user to download a file called FOTOS.Terroris.zip, which is fairly well detected by AV engines.

Read more > 
