
August 2011 Posts

instantshift.com (Alexa ~5000) was briefly compromised
Posted: 31 Aug 2011 02:15 PM

The site Instantshift.com was compromised on August 28, 2011. It was then quickly fixed. 

InstantShift is a leading design resources community for Web designers and developers. The compromise of a site like instantshift.com matters beyond its own visitors: its audience is largely other Web site owners, who come here for design templates and other resources, and whose own sites can be compromised in turn once their machines are infected. We have already detected other Web sites compromised with the same injected code. Websense Security Labs will continue to monitor these malicious injections closely and provide protection against them.

Websense customers are protected from Web-based threats by ACE, our Advanced Classification Engine.

Compromise Details

The exploits are delivered through the injected iframe, which loads silently as soon as the compromised page is rendered. They are served by one of the most prevalent exploit kits in use today, the Blackhole exploit kit. Successful exploitation results in the Zeus/Zbot Trojan being installed silently on the visitor's machine. The malicious content has since been removed from the site.

Anonymous

DigiNotar CA compromise
Posted: 30 Aug 2011 10:53 AM

SSL certificates are used to validate the identity of a website to users. Over the weekend, it was found that DigiNotar, a Dutch Certificate Authority, had issued a rogue SSL certificate for *.google.com. Today, this was confirmed by DigiNotar in a press release.

According to DigiNotar's own investigation, its systems were compromised on July 19, 2011, and several rogue SSL certificates were issued, including the one for *.google.com. The others were revoked, but for some reason DigiNotar missed the one issued for Google's domain. Why does this matter? A browser trusts any certificate that chains to a root CA in its trust store, so with a rogue *.google.com certificate from a trusted CA, an attacker who can intercept a victim's traffic can mount a Man-in-the-Middle attack and read everything sent to Google's services, such as Google Mail, Google Docs, Google Plus, and Google Apps, without any visible warning to the user.

Websense products

If you have SSL Inspection enabled in Websense Web Security Gateway (Anywhere) solutions and have the Certificate Validation Engine enabled, you will already have the revoked certificates downloaded and installed.

If you want to follow Microsoft and Mozilla (Firefox) and disable trust for DigiNotar's Root CA, we offer that option as well:

  1. Open up the Administration UI for Websense Content Gateway (https://123.123.123.123:8081 by default)
  2. Go to Configure -> SSL -> Certificates
  3. Scroll down and select DigiNotar Root CA and "Click to change status to Deny"
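
Steps 1 to 3 cover the Content Gateway UI. Where an inspecting proxy or a client library instead trusts a flat CA bundle on disk, the same change means removing the DigiNotar root from that bundle. The Python script below is an added example, not code from this post or from any Websense product: it parses a bundle in the curl/Mozilla cacert.pem layout (a label line, an "=====" underline, then the PEM block), drops every certificate whose label matches a distrust list, and writes the rest back out. The sample bundle is constructed and its certificate bodies are placeholder base64, not real certificates.

```python
"""Drop distrusted roots from a curl/Mozilla-style cacert.pem bundle.

Added example; not part of the original post or of any Websense product.
Assumes the layout of curl's cacert.pem: a label line, an '=====' underline,
then a PEM block.  The sample bundle is constructed and its certificate
bodies are placeholders, not real certificates.
"""
import re
from typing import List, Tuple

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"

# Constructed sample: two roots, one of them DigiNotar.
SAMPLE_BUNDLE = """\
##
## Bundle of CA Root Certificates (constructed sample)
##

Example Trusted Root CA
=======================
-----BEGIN CERTIFICATE-----
MIIBsampleRootOneAAAA
-----END CERTIFICATE-----

DigiNotar Root CA
=================
-----BEGIN CERTIFICATE-----
MIIBsampleDigiNotarAAAA
-----END CERTIFICATE-----
"""

# Labels to distrust; extend with other CAs as needed.
DISTRUSTED = [re.compile(r"DigiNotar", re.IGNORECASE)]


def parse_bundle(text: str) -> List[Tuple[str, str]]:
    """Return (label, pem_block) pairs.

    The label is the last non-empty, non-comment line before BEGIN that is
    not an '=====' underline.  A block with no label gets ''.
    """
    certs: List[Tuple[str, str]] = []
    label = ""
    pem_lines = None
    for line in text.splitlines():
        if pem_lines is not None:
            pem_lines.append(line)
            if line.strip() == END:
                certs.append((label, "\n".join(pem_lines)))
                pem_lines = None
                label = ""
            continue
        stripped = line.strip()
        if stripped == BEGIN:
            pem_lines = [line]
        elif stripped and not stripped.startswith("#") and stripped.strip("="):
            label = stripped
    if pem_lines is not None:
        raise ValueError("unterminated certificate block")
    return certs


def is_distrusted(label: str) -> bool:
    return any(p.search(label) for p in DISTRUSTED)


def filter_bundle(text: str) -> Tuple[str, List[str]]:
    """Rebuild the bundle without distrusted roots; also return what was dropped."""
    kept, dropped = [], []
    for label, pem in parse_bundle(text):
        if is_distrusted(label):
            dropped.append(label)
            continue
        header = f"{label}\n{'=' * len(label)}\n" if label else ""
        kept.append(f"{header}{pem}\n")
    return "\n".join(kept), dropped


if __name__ == "__main__":
    new_bundle, removed = filter_bundle(SAMPLE_BUNDLE)
    print("Removed:", removed)
    print(new_bundle)
```

Run it against a real bundle by replacing SAMPLE_BUNDLE with the file's contents. Bundles without label lines (Debian's ca-certificates.crt, for example) need the subject read from each block instead, for instance with openssl x509 -noout -subject, since parse_bundle only keys on the label.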

Patrik Runald

Transocean oil/gas rig contractor compromised (deepwater.com) - UPDATE: NOW FIXED
Posted: 25 Aug 2011 04:20 AM

Transocean, one of the world's biggest offshore drilling contractors, is currently compromised: its main Web site at deepwater.com is hosting malicious exploit code. Transocean was recently implicated in the Deepwater Horizon oil spill, which resulted from the explosion of one of its rigs in the Gulf of Mexico.

UPDATE: Transocean got in touch with us and we can confirm that the malicious code has now been removed. We appreciate the fast response by the Security team at Transocean.


Websense customers are protected from Web based threats by ACE, our Advanced Classification Engine.

Compromise Details

A few pages hosting exploit code have been created on the compromised Web server. Some of them are loaded through iframes injected into the site's main page. The pages exploit CVE-2011-1255, which affects Microsoft Internet Explorer versions 6 through 8 and was patched on June 14, 2011, and also CVE-2010-2884, a vulnerability in Flash Player that Adobe patched on September 20, 2010 (the same bug was fixed in Reader and Acrobat on October 5, 2010). VirusTotal detection for the latter file stands at 15%.
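Both this compromise and the instantshift.com case above follow the same pattern: an iframe injected into an otherwise legitimate page pulls in the exploit kit's landing page, styled so the visitor never sees it. The Python script below is an added example, not code from either post: it walks a fetched HTML page with the standard library parser and flags every iframe or script whose source is off-site or which is hidden (zero size, display:none, or positioned off-screen, either directly or through an enclosing element). The sample page, the host names in it and the injected markup are constructed for the example.

```python
"""Flag injected iframes/scripts in a fetched HTML page.

Added example, not part of the original posts.  The sample page and every
host name in it are constructed; the heuristics (off-site source, hidden
styling, 1x1 size) are the ones that usually betray an injected exploit-kit
iframe.
"""
from html.parser import HTMLParser
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Constructed sample page: the first iframe is a legitimate embed, the
# second is the kind of zero-size, off-screen iframe injected into
# compromised sites, and the last script is hidden and off-site.
SAMPLE_PAGE = """<html><head><title>Site</title>
<script src="/js/site.js"></script>
</head><body>
<h1>Welcome</h1>
<iframe src="https://www.example.com/widget" width="300" height="200"></iframe>
<div style="position:absolute; left:-9999px">
<iframe src="http://exploit.example.net/in.php" width="1" height="1" frameborder="0"></iframe>
</div>
<script src="http://stats.example.org/t.js" style="display:none"></script>
</body></html>"""

# Elements that never have a closing tag, so they must not enter the stack.
VOID_TAGS = {"area", "base", "br", "col", "embed", "hr", "img", "input",
             "link", "meta", "param", "source", "track", "wbr"}
HIDDEN_STYLE_MARKERS = ("display:none", "visibility:hidden", "left:-", "top:-")


class InjectedContentScanner(HTMLParser):
    def __init__(self, site_host: str):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings: List[Dict[str, str]] = []
        self._hidden_depth = 0          # >0 while inside a hidden container
        self._stack: List[bool] = []    # one entry per open non-void element

    @staticmethod
    def _is_hidden(attrs: Dict[str, Optional[str]]) -> bool:
        style = (attrs.get("style") or "").replace(" ", "").lower()
        if any(m in style for m in HIDDEN_STYLE_MARKERS):
            return True
        try:
            w = int(attrs.get("width") or 100)
            h = int(attrs.get("height") or 100)
        except ValueError:              # e.g. width="100%"
            return False
        return w <= 1 or h <= 1

    def _is_offsite(self, src: str) -> bool:
        try:
            host = (urlparse(src).hostname or "").lower()
        except ValueError:
            return True                 # unparseable src is suspicious
        if not host:                    # relative URL: same site
            return False
        return host != self.site_host and not host.endswith("." + self.site_host)

    def _check(self, tag: str, attrs: Dict[str, Optional[str]], self_hidden: bool):
        src = attrs.get("src")
        if tag not in ("iframe", "script") or not src:
            return
        reasons = []
        if self._is_offsite(src):
            reasons.append("off-site")
        if self_hidden or self._hidden_depth > 0:
            reasons.append("hidden")
        if reasons:
            self.findings.append({"tag": tag, "src": src, "why": ",".join(reasons)})

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        hidden = self._is_hidden(a)
        self._check(tag, a, hidden)
        if tag not in VOID_TAGS:
            self._stack.append(hidden)
            if hidden:
                self._hidden_depth += 1

    def handle_startendtag(self, tag, attrs):
        a = dict(attrs)                 # <tag .../>: nothing nests inside it
        self._check(tag, a, self._is_hidden(a))

    def handle_endtag(self, tag):
        if tag in VOID_TAGS or not self._stack:
            return
        if self._stack.pop():
            self._hidden_depth -= 1


def scan_page(html: str, site_host: str) -> List[Dict[str, str]]:
    """Return findings for iframes/scripts that are off-site or hidden."""
    scanner = InjectedContentScanner(site_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    for f in scan_page(SAMPLE_PAGE, "www.example.com"):
        print(f"{f['tag']:6} {f['why']:16} {f['src']}")
```

A finding carrying "hidden" is the high-confidence case; "off-site" alone also matches legitimate CDN scripts and embeds and should be treated as a review list. The site_host comparison accepts the host itself and its subdomains, so pass the bare registrable domain if the site serves assets from several of its own hosts.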

You can follow this site category on our AceInsights portal with this link.

Elad Sharf

Follow Me Not - Microblog SEO Study
Posted: 24 Aug 2011 08:41 AM

With the release of Social Web Control, Websense Security Labs looks at the growing trend of how you can optimize your popularity ranking on social Web sites such as Twitter and Sina's Weibo.


Marketers are heavily tuning social Web sites for Search Engine Optimization (SEO) in the same way as standard Web sites, where SEO is still the primary source of traffic. In parallel, cyber criminals use blackhat SEO to spread malware. A high social Web ranking is becoming an important tool for constant exposure and for getting messages out to the desired target audiences, hence the race among both personal and business microblog users to boost their recognition. To attract attention or be featured on a microblog platform, you need a very large follower base in a very short time.

Weibo.com, one of the largest microblog platforms in China with over 200 million users, attracted a different kind of user. Seeing potentially unlimited business opportunities, many users impersonated famous companies and celebrities to publish false messages to the public. Weibo recently enforced real-identity verification as identity theft became a growing problem. To get around this, ranking "smoke-screen" services are popping up, built on the idea of "Shua Fen": buying followers. The screenshot below shows two Weibo accounts whose avatars advertise services for "Microblog, get thousands of followers" and "Paid Followers and get verified".

These services actively attach themselves to other popular Weibo accounts, and there are many ways to find them, from the fake-follower accounts above to top search engine results such as the example below:

For example, you can get 10,000 followers within 10 days simply by paying a fee of 1,300 Chinese Yuan (~USD$200). It is a decent investment given the exposure you may get. Twitter is no stranger to this either, as listings on eBay show:

Similar to Search Engine Optimization, this activity poses risks to users and organizations, and we predict that cyber criminals will capitalize on these social Web phenomena. Websense® is updating its URL category set today; the new categories will provide more granular control of the social Web and broaden protection against modern security threats. Social Web controls will allow organizations to control and monitor user behavior on popular Web domains, such as, but not limited to, Facebook, Twitter, YouTube, and LinkedIn.

Elson Lai

Video: Malware Hitching a Ride on WordPress
Posted: 22 Aug 2011 05:19 PM

In this week’s Websense Security Labs Video, Chris Astacio discusses a mass injection attack that is compromising a wide swath of WordPress sites through a vulnerability in TimThumb.php, a common module used in many WordPress themes.

This widespread attack compromised tens of thousands of domains, injecting code that led visitors to a site hosting malicious content. After the video, you can read an analysis of the exploit in our blog post here. That post links to the patched version of TimThumb, which users can download to close this vulnerability.

Patrik Runald

Bots resurrected - malicious spam on the rise.
Posted: 18 Aug 2011 12:24 PM

The Websense ThreatSeeker® Network has been monitoring an increase in malicious spam activity over the last 28 days, and a recent spike that is spreading quickly and in large volume raises the suspicion that a spam bot or botnet has woken up.

Some of the message subjects that we've seen include, but are not limited to:

  1. DELIVERY CONFIRMATION FROM FedEx [Reference Number]:
  2. FedEx DELIVERY CONFIRMATION [Reference Number]
  3. Your FEDEX id. [Reference Number]
  4. Wrong transaction from your credit card in The [Hotel Name]
  5. Changelog: [Reference Number]
  6. Re:Fw: Intercompany inv. from [Organization Name] Corp
  7. From USPS [Reference Number]
  8. DHL id. [Reference Number]
  9. DHL ATTENTION [Reference Number]
  10. Your credit card is blocked

Many of the varied subjects are built around major courier service names such as FedEx, DHL, USPS and similar, and resemble a receipt confirmation or delivery note. Others are recycled subject lines such as the 'credit card blocked' type mentioned in a previous blog post.

Sample messages with attachment:

Websense customers are protected from these threats by ACE, our Advanced Classification Engine.

Anonymous

Accelerated Contamination in Social Networks
Posted: 15 Aug 2011 05:00 PM

If you follow our blogs or you are an active user of Facebook, you will have noticed that Facebook scams are very common. A shocking video appears on your friends' walls, and a few curious clicks then trick you into filling in a fake survey and unintentionally spreading the scam message. We have covered such cases before with the death of Amy Winehouse and the Walmart gift card offer. People ask: how does it work? How many people are involved in a campaign? How long does a campaign last? And what can we do to combat these contaminations? Here is our recent research on these Web 2.0 campaigns.

Root of Social Network Contamination?

Taking Facebook as an example, cyber criminals seed messages such as "Shocking video", "Free Facebook credits", and current hot topics. You may have seen messages on someone's wall similar to this:

You may be asked directly to share this post out to all your friends, or it can be done for you in 2 clicks as below...

A curious click leads you to a template site that asks you to click the "Jaa" button twice. "Jaa" means "Share" in Finnish. If you do, you share the above message on your wall. Here is the code used to facilitate sharing in the background.

After sharing the message, visitors will be redirected to a page to do a survey. My gut feeling tells me that no one is going to get anything out of it except the cyber criminals...

Duration of the contamination?

Let's take a sample campaign from the middle of July. The title of the campaign is "FATHER gets TOTALLY Embarrassed after entering Daughters Room", and here is a snapshot of the campaign on Facebook.

This campaign broke out on July 13th and peaked on July 21st according to our research: the graph below shows an average of 1600+ visitors online at any moment (the counter samples every few seconds) on that date. The number then dropped, perhaps as the URLs were blocked by security vendors and users were warned by alerts published by security companies. So the campaign lasted about two weeks, and newer campaigns last even less.

People are the new "Worm"?

There was a fresh campaign titled "This ls what happens when ex GF forgets to turn her vvebcam off" on Facebook. It started on August 2nd and soon peaked on August 4th. Here is the graph which shows the online visitors every hour on August 4th.

The average number of online visitors at any moment (sampled every few seconds) is 1760. If we assume that every visitor spends 2 minutes on the site, completing the survey or otherwise, a rough calculation goes as follows:

There will be 1,267,200 visitors for this campaign in a day. (24 X 60) / 2 X 1760 = 1,267,200

If one in two visitors shares the message on their wall and completes the survey, there will be 633,600 Facebook users involved in the campaign. 1,267,200 / 2 = 633,600

People click to see the shocking video, but most of them should not want to share it with their friends, especially after they are cheated into doing a survey. So I guess most of them will delete the message from their wall page as soon as they find it. Assuming that 99% of the visitors will delete the shocking video message from their wall as soon as they find it, the number of people who really share it will be 6,336.

According to Facebook statistics, a user has 130 friends on average; therefore about 823,680 Facebook users are exposed to the message via their friends' walls. 6,336 X 130 = 823,680

The above data was taken from a visitor-counting service (http://whos.amung.us) that the cyber criminals themselves use on their scam pages.

As Facebook is so popular around the world, people from everywhere may be involved in the worldwide contamination. Look at the map of online users when the US is sleeping:

Currently these scams only redirect Facebook users to a phishing Web site to complete a scam survey. If this type of contamination were used to push rogue antivirus software or to send users to exploit kits, the security impact would be far greater.

I am always on the social Web, what can I do?

1. Be cautious about suspicious news feed items from your friends, and do not click suspicious links. When Facebook shows you a warning, heed it and cancel the action. Notify your friends about suspicious news feed items.

2. Clean up your wall page if you happened to be tricked into spreading suspicious content, and report it to Facebook by clicking the "X" button on the right corner of the message.

3. Educate your friends about common threats and scams.

4. Install a security application such as Defensio™ to protect your account and filter suspicious newsfeeds.

Web 2.0 Protection and Control?

Websense®  is updating the current URL category set. New categories will provide more granular control of the social Web and broaden protection in the area of modern security threats. Social Web controls will allow organizations to control and monitor user behavior on popular Web domains, such as, but not limited to: Facebook, Twitter, YouTube, and LinkedIn.

The Defensio Web service – powered by Websense – takes aim at threats to social media, such as malicious content, comment spam, and other embedded threats. It could protect your personal or corporate Facebook profiles from spam and malicious content. 

ThreatSeeker Network™ scans more than 40 million Web sites for malicious code and scans nearly 10 million emails for unwanted content and malicious code every hour. The phishing Web site used in the scam will be found by ThreatSeeker Network and blocked.

uwang

Vulnerability in TimThumb WordPress Plugins - The Effects
Posted: 15 Aug 2011 07:45 AM

With the popularity of the WordPress blogging platform, security researchers here at Websense® Security Labs are sure to sit up and take note of any reported zero-day threats affecting the platform itself or the plugins used by blog masters.

Recently, we saw a post by Mark Maunder of Feedjit, in which he described a compromise caused by a WordPress plugin. The danger was that this was a zero-day issue affecting a popular image re-sizing tool often used within WordPress. That was on August 1.

Sure enough, just one week after this initial warning, our ThreatSeeker® Network began to see code injected into WordPress Web sites. At first we saw a reference to the domain hxxp://superpuperdomain.com/ injected at the foot of compromised WordPress blogs. This code appears to have been delivering advertisements to end users via redirects to search engines.

Last Friday, we saw a slight adaptation of the injected code. This time, visitors to compromised sites were led to the domain hxxp://superpuperdomain2.com/, which seemingly was a placeholder for more nefarious activity. Websense customers are protected with ACE, our Advanced Classification Engine.

Interestingly, over the weekend, we saw the number of injections leading to the first URL decrease as the use of the second URL ramped up on August 12, as the chart below shows:

This course of events is fairly typical in the life of a zero-day vulnerability. As the issue becomes known, developers rush to fix the vulnerability. In the meantime, malware authors seek to launch attacks on vulnerable websites and deliver variations of attack code to bypass security products.  In this case, we saw peaks of 10,000 WordPress-running Web sites infected with the code.

The research team over at Sucuri Security also noticed the same over the weekend. Their blog is here.

If you are running WordPress on your blog and want to find out more about TimThumb and how to get the latest version, you should take a look at the TimThumb Project page.
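The root cause Mark Maunder reported was the check timthumb.php used to decide whether a remote image URL came from an allowed site: it looked for an allowed domain (blogger.com, flickr.com and so on) as a substring of the URL, so a URL on a host such as blogger.com.evil.example passed, and the file fetched from it landed in a Web-accessible cache directory. The Python below is an added example, not TimThumb's own code (which is PHP) nor code from this post: it re-creates that substring check in simplified form next to a hardened one that parses the URL and compares the host name, and it goes a little beyond the reported case by also rejecting the http://allowed-domain@attacker-host form and non-HTTP schemes. The allowed-site list and the attacker URLs are constructed for the example.

```python
"""Substring host check (the TimThumb-style bug) beside a hardened check.

Added example, not code from TimThumb or the original post.  TimThumb is
written in PHP; this re-creates the allowed-site logic in Python to show
why a substring match on the URL is not a host check.  The allowed-site
list and attacker hosts below are constructed for the example.
"""
from typing import Dict, Tuple
from urllib.parse import urlparse

ALLOWED_SITES = ["flickr.com", "picasa.com", "blogger.com", "img.youtube.com"]


def allowed_vulnerable(url: str) -> bool:
    """Vulnerable: passes if an allowed domain appears anywhere in the URL."""
    return any(site in url for site in ALLOWED_SITES)


def allowed_hardened(url: str) -> bool:
    """Hardened: parse the URL and accept only http(s) URLs whose host is an
    allowed site or a subdomain of one; reject embedded credentials."""
    try:
        parts = urlparse(url)
    except ValueError:
        return False
    if parts.scheme not in ("http", "https"):
        return False
    if parts.username is not None or parts.password is not None:
        return False  # http://blogger.com@evil.example/... style tricks
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return False
    return any(host == site or host.endswith("." + site) for site in ALLOWED_SITES)


# Constructed URLs: legitimate images, attacker URLs, and a wrong scheme.
# The value is what a correct check should return.
TEST_URLS: Dict[str, bool] = {
    "http://blogger.com/image.jpg": True,
    "https://farm1.flickr.com/photo.jpg": True,
    "http://blogger.com.evil.example/shell.php": False,
    "http://evil.example/blogger.com/shell.php": False,
    "http://blogger.com@evil.example/shell.php": False,
    "http://evil.example/?x=img.youtube.com": False,
    "ftp://blogger.com/image.jpg": False,
}


def compare() -> Dict[str, Tuple[bool, bool, bool]]:
    """Map each URL to (vulnerable_result, hardened_result, expected)."""
    return {u: (allowed_vulnerable(u), allowed_hardened(u), exp)
            for u, exp in TEST_URLS.items()}


if __name__ == "__main__":
    for url, (vuln, hard, expected) in compare().items():
        flag = "" if hard == expected else "  <-- hardened check wrong"
        print(f"{url:48} vulnerable={vuln!s:5} hardened={hard!s:5}{flag}")
```

The host check is necessary but not sufficient: a fetcher like this should also store what it downloads outside the Web root or under a non-executable name, and verify that the content really is an image before serving it.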

Carl Leonard

The Philippine Bureau of Immigration is Compromised
Posted: 09 Aug 2011 04:25 PM

Websense Security Labs and the Websense ThreatSeeker® Network have detected malicious emails disguised as HSBC Notifications.  A closer look at these emails, like the one you can see below, reveals that the link provided in the emails is a compromised URL belonging to the Philippine Bureau of Immigration.

Clicking the link prompts the user to download a malicious file called "atualizar.exe".  You can find the VirusTotal analysis results for this .exe here.

Websense Email Security and Websense Web Security protect against these kinds of blended threats with ACE, our Advanced Classification Engine.

Mary Grace Timcang

Is Google+ safer than Facebook?
Posted: 02 Aug 2011 01:16 PM

Google is synonymous with the Web: from search through Web-based email to video sharing, it is arguably the market leader. That has not been the case with social networking. Google kept searching for a way to set up a service or portal to help people connect with each other and find new friends or old ones. Google was not alone: Yahoo and Microsoft also made strong attempts to win this market, with little success. Then a young Mark Zuckerberg created a brand new concept, made social networking very popular, and within six years Facebook had climbed all the way to 2nd place in the Alexa ranking, overtaking big names like YouTube, Apple, Yahoo and Microsoft.

Facebook came from nowhere and is now challenging Google for the very top rank in popularity. Zuckerberg, then a university student, had no experience in building a system of this size, but he still pulled it off, and today Facebook is fighting for the No. 1 place, as the Alexa report shows.

It's no surprise, therefore, that Google is constantly looking for a way to beat Facebook and secure first place. It already has a popular social network, Orkut. Granted, it is only popular in some countries such as Brazil and India, but it still proves the concept: they can do it. The software giant has also done some interesting projects with Google Wave and Google Buzz. Neither really worked out or got close to taking market share from Facebook, although both got huge attention from the media and from users.

New concepts come and go: Google moved on, and have come up with Google+, which is another brand new concept. Looks like Google will keep trying until they get the perfect recipe for the most delicious cake of social networking. They are probably right in sensing the growing need for something new, and that is proved by the overwhelming interest by millions of Internet users.

For us security experts, however, the interesting question is a different one: is it going to be more secure than Facebook, or could it be a perfect gateway for spammers?

If we look at the key differences between Facebook and Google+, we notice that while on Facebook you need to accept a friend request, on Google+ someone can add you to their Circles without your prior approval. You can block people later; still, it worries me a bit, as it makes it fairly easy to use Google+ as a source of spam messages.

To test this theory I have just put a test message in my Stream on my existing Google+ account, and shared it with my company email address which was not previously registered by Google in any way. When I shared my stream post, I received an email from Google+ including the content of the message I wrote.

Malicious invitations and notifications

Demand for a Google+ account is still high, partly because the service is still in beta and it is kind of cool to tell friends that you already have an account, as if to say "I am more up-to-date with technology than you are". So if someone receives a message saying 'This is an invitation to Google+', there is a big chance that the recipient, delighted by the invitation or simply curious, will follow the link without checking its validity.

And here we go, the old-school security lesson again: the weakest link in any security system is the human. Even if interest in getting an account drops over time, Google+ sends a notification whenever someone adds you to their Circles, so it is only a matter of time before we see attacks like the old Facebook ones: phishing mails about a password change, or fake "someone added you" notifications.

Dangers of beta stage

It is not only about malicious invitations, although there have been some of those already. Google+ being in beta creates further problems. Phishing Web sites are a staple of cyber criminals: they copy the layout and look of banks, game portals, Web email services and social networks and drive users to these fake sites to harvest credentials or other sensitive data such as personal information or banking details. The same can happen with Google+: after a malicious invitation or a fake notification, a user can end up on a fake Web site, and unless they notice something strange on the page, they will likely hand over their data.

But why is this different from any previously seen issue? As Google+ is still in beta, people do not really know what it looks like, and even those who do know that a beta may change at any time without notice from the software giant. So it is much easier to mimic a Google+ logon page, steal Google passwords and use them for further malicious activity, such as sending spam to every address in the contact list or sharing a stream post to the victim's Circles.

In addition, when creating a Google+ account, Google asks us to download and install a component on our computer to enable video conferences and multi-party chats (Hangouts). That is another opportunity for drive-by download attacks: users are being taught that downloading and installing something is a normal part of joining this social network.

Recommended Privacy Settings

Privacy is also part of data security, namely data or information leakage. You may not want everybody to know how you feel, for example that you are unhappy in your job and looking for a new one. Sometimes a post like this is harmless, or just funny or awkward, but it can also be a way for others to fish out confidential company data. That is possibly the biggest challenge today with the use of social networking sites from within a company.

Google+ uses a different concept from Facebook. It is based around 'Circles', groups of people, and we can decide to share only with certain circles and/or individuals, rather than sharing everything with either 'Friends', 'Friends of Friends' or 'Everyone'. Similar coarse options still exist: 'Your circles' is the equivalent of 'Friends' on Facebook, as it shares the post with all of our circles; 'Extended circles' is very similar to 'Friends of friends'; and 'Public' is equivalent to 'Everyone'.

Overall, Google+ gives us finer-grained sharing options, and that is the key point: if we do not want to share a piece of news or a status with everyone in our circles, we do not have to. For example, we may have circles for friends, colleagues and family and may not want colleagues and family to know how drunk or silly we were at a party last night. This is an awesome feature for some, but there is a catch: if one of our friends re-shares the post to a different audience, it still ends up in front of those we did not want to see it. To address this, Google added the 'Disable Reshare' option, which prevents re-sharing of that post.

Conclusion

At the moment it is not easy to get a Google+ account, and this has created an understandable excitement and exclusivity for anyone who has one. Malware authors and spammers are already trying to take advantage of this, so please exercise caution if you do get an invitation to try it out for yourself. At this stage we can only hope that Google's security and spam filtering will work well to prevent malicious activities on this new social networking site. Anticipation is growing for when it launches to the wider public. I’m sure the spammers are looking forward to this day too.  Let’s see what happens.

Tamas Rudnai

©2013 Websense, Inc. All Rights Reserved.