Websense Security Labs Blog

Websense Security Labs discovers, investigates and reports on advanced Internet threats that traditional security
research methods miss.

Latest Blog Posts

(August 2011) Posts

instantshift.com (Alexa ~5000) was briefly compromised

Posted: 31 Aug 2011 02:15 PM | Anonymous | no comments


The site Instantshift.com was compromised on August 28, 2011, and was quickly fixed afterwards. InstantShift is a leading design resources community for Web designers and developers. It is worth noting that the compromise of a Web site like instantshift.com may lead to mass compromises, as many other Web site owners may in turn be compromised by visiting this site for design templates and other resources. At this point, we have detected other Web sites compromised with the same injected code. Websense Security Labs will continue to monitor the malicious injections closely and provide protection against them.

Websense customers are protected from Web-based threats by ACE, our Advanced Classification Engine.

Compromise Details

Exploits are delivered via the injected iframe. This happens silently when the attack page is loaded. The exploits are served by one of the most prevalent exploit kits today, the Blackhole exploit kit. Any successful exploitation results in the Zeus/Zbot Trojan being installed silently on the user's machine. The malicious content has since been cleaned up.

DigiNotar CA compromise

Posted: 30 Aug 2011 10:53 AM | Patrik Runald | 2 comment(s)


SSL certificates are used to validate the identity of a website to users. Over the weekend, it was found that DigiNotar, a Dutch Certificate Authority, had issued a rogue SSL certificate for *.google.com. Today, this was confirmed by DigiNotar in a press release. According to DigiNotar's own investigation, they were compromised on July 19, 2011, and several rogue SSL certificates had been issued, including the one for *.google.com. All the other ones were revoked, but for some reason DigiNotar missed revoking the one issued for Google's domain.

Why is this important? With a rogue certificate issued by a trusted CA, it is possible to perform Man-in-the-Middle attacks and listen in on any traffic going to Google's services, such as Google Mail, Google Docs, Google Plus, and Google Apps, without any visible warning to users.

Websense products

If you have SSL Inspection enabled in Websense Web Security Gateway (Anywhere) solutions and have the Certificate Validation Engine enabled, you will already have the revoked certificates downloaded and installed. If you want to follow Microsoft and Firefox and disable trust for DigiNotar's Root CA, we offer that option as well:

1. Open the Administration UI for Websense Content Gateway (https://123.123.123.123:8081 by default).
2. Go to Configure -> SSL -> Certificates.
3. Scroll down, select DigiNotar Root CA and click "Click to change status to Deny".

Transocean oil/gas rig contractor compromised (deepwater.com) - UPDATE: NOW FIXED

Posted: 25 Aug 2011 04:20 AM | Elad Sharf | no comments


Transocean, one of the world's biggest offshore drilling contractors, is currently compromised: its main Web site at deepwater.com is hosting malicious exploit code. Recently, Transocean was implicated in the Deepwater Horizon oil spill resulting from the explosion of one of its oil rigs in the Gulf of Mexico.

UPDATE: Transocean got in touch with us and we can confirm that the malicious code has now been removed. We appreciate the fast response by the Security team at Transocean.

Websense customers are protected from Web-based threats by ACE, our Advanced Classification Engine.

Compromise Details

A few pages hosting exploit code were created on the compromised Web server. Some of these pages are referenced by iframes from the main page of the site. The pages use the CVE-2011-1255 vulnerability, which affects Microsoft Internet Explorer versions 6 through 8 and was patched on June 14, 2011, and also CVE-2010-2884, a vulnerability in Flash Player that was patched on October 5, 2010. VirusTotal detection for the latter file is at 15%. You can follow this site category on our AceInsights portal with this link.

Follow Me Not - Microblog SEO Study

Posted: 24 Aug 2011 08:41 AM | Elson Lai | no comments


With the release of Social Web Control, Websense Security Labs™ looks at the growing trend of optimizing your popularity ranking on social Web sites such as Twitter and Sina's Weibo. Marketers are heavily tuning social Web sites for Search Engine Optimization (SEO) in a similar way to standard Web sites, where SEO is still the primary source of information traffic. In parallel, cyber-criminals also use BlackHat SEO to spread malware. A high social Web ranking is becoming an important tool to receive constant exposure and get messages out to the desired target audiences, hence the race among both personal and business microblog users to boost their recognition. To be featured on microblog platforms, you need a very large follower base in a very short time.

Weibo.com, one of the largest microblog platforms in China with over 200 million users, attracted a different kind of user. Seeing potentially unlimited business opportunities, many users impersonated famous companies and celebrities to publish false messages to the public. Weibo recently enforced real-identity verification as identity theft became an increasing problem. In response, ranking "smoke-screen" services are popping up, leading to the practice of "Shua Fen": purchasing followers. The screenshot below shows 2 Weibo accounts with avatars advertising services for "Microblog, get thousands of followers" and "Paid Followers and get verified". These services actively attach themselves to other popular Weibo accounts, and there are many ways to find them, from the fake followers above to top search engine results such as the example below. For example, you can get 10,000 followers within 10 days by simply paying a fee of 1,300 Chinese Yuan (~USD$200). It is a decent investment given the exposure you may get.

This is no strange ground to Twitter either, as seen by listings on eBay. Similar to Search Engine Optimization, this activity poses risks to users and organizations, and we predict that cyber-criminals could capitalize on these social Web phenomena. Websense® is updating the current URL category set today, and new categories will provide more granular control of the social Web and broaden protection against modern security threats. Social Web controls will allow organizations to control and monitor user behavior on popular Web domains, such as, but not limited to: Facebook, Twitter, YouTube, and LinkedIn.

Video: Malware Hitching a Ride on WordPress

Posted: 22 Aug 2011 05:19 PM | Patrik Runald | no comments


In this week's Websense Security Labs Video, Chris Astacio discusses a mass injection attack that is compromising a wide swath of WordPress sites through a vulnerability in TimThumb.php, a common module used in many WordPress themes. This widespread attack compromised tens of thousands of domains, injecting code that led visitors to a site hosting malicious content. After the video, you can read an analysis of the exploit in our blog post here. That post features a link to the patched version of TimThumb that users can download to remove this vulnerability.

Bots resurrected - malicious spam on the rise.

Posted: 18 Aug 2011 12:24 PM | Anonymous | no comments


The Websense ThreatSeeker® Network has been monitoring an increase in malicious spam activity over the last 28 days, and a recent spike that seems to be spreading quickly and in large volumes suggests that a spam bot or bot network has woken up. Some of the message subjects that we've seen include, but are not limited to:

DELIVERY CONFIRMATION FROM FedEx [Reference Number]:
FedEx DELIVERY CONFIRMATION [Reference Number]
Your FEDEX id. [Reference Number]
Wrong transaction from your credit card in The [Hotel Name]
Changelog: [Reference Number]
Re:Fw: Intercompany inv. from [Organization Name] Corp
From USPS [Reference Number]
DHL id. [Reference Number]
DHL ATTENTION [Reference Number]
Your credit card is blocked

Many of the varied subjects are built around major courier service names such as DHL, UPS, and similar, and resemble a receipt confirmation or delivery note. Others are recycled subject lines such as the 'credit card blocked' type mentioned in a previous blog.

Sample messages with attachment:

Websense customers are protected from these threats by ACE, our Advanced Classification Engine.

Accelerated Contamination in Social Networks

Posted: 15 Aug 2011 05:00 PM | uwang | no comments


If you follow our blogs or you are an active user of Facebook, you will have noticed that Facebook scams are very popular. A shocking video appears on your friends' walls, and a few curious clicks then trick you into filling in a fake survey and spreading the scam message unintentionally. We have covered such cases before with the Death of Amy Winehouse and Walmart gift card offer. People might ask: how does it work? How many people are involved in the campaign? How long does a campaign last? And what can we do to combat these contaminations? Let us show our recent research on this Web 2.0 campaign.

Root of Social Network Contamination?

Taking Facebook as an example, cyber criminals seed messages such as "Shocking video", "Free Facebook credits", and current hot topics. You may have seen messages on someone's wall similar to this. You may be asked directly to share the post with all your friends, or it can be done for you in 2 clicks as below. A curious click will lead you to a template site which asks you to click the "Jaa" button twice. "Jaa" means "Share" in Finnish. If you do it, you will share the above message on your wall. Here is the code used to facilitate sharing in the background. After sharing the message, visitors are redirected to a page to complete a survey. My gut feeling tells me that no one is going to get anything out of it except the cyber criminals...

Duration of the contamination?

Let's take a sample campaign that happened in the middle of July. The title of the campaign is "FATHER gets TOTALLY Embarrassed after entering Daughters Room", and here is the snapshot of the campaign in Facebook. This campaign broke out on July 13th and peaked on July 21st according to our research: we can see in the graph below that there were on average 1600+ visitors online every few seconds on that date. The number then dropped as the URLs were blocked by security vendors or users were educated by alerts published by security companies. So the campaign lasted about two weeks, and new campaigns will last even less time.

People are the new "Worm"?

There was a fresh campaign titled "This ls what happens when ex GF forgets to turn her vvebcam off" on Facebook. It started on August 2nd and soon peaked on August 4th. Here is the graph which shows the online visitors every hour on August 4th. The average number of online visitors every few seconds is 1760. If we assume that every visitor spends 2 minutes on the site completing the survey or for some other reason, let's do a rough calculation:

There will be 1,267,200 visitors for this campaign in a day: (24 X 60) / 2 X 1760 = 1,267,200

If one in two visitors shares the message on their wall and completes the survey, there will be 633,600 Facebook users involved in the campaign: 1,267,200 / 2 = 633,600

People click to see the shocking video, but most of them should not want to share it...

Vulnerability in TimThumb WordPress Plugins - The Effects

Posted: 15 Aug 2011 07:45 AM | Carl Leonard | no comments


With the popularity of the WordPress blogging platform the security researchers here in Websense Security Labs are sure to sit up and take note of any reported zero day affecting the platform itself or the plugins used by blog masters.

Recently we saw a post by Mark Maunder of technology company Feedjit in which he noticed a compromise occurring due to a WordPress plugin. The danger, though, was that this was a zero-day issue affecting a popular image re-sizing tool often used within WordPress. That was on the 1st August.

...

The Philippine Bureau of Immigration is Compromised

Posted: 09 Aug 2011 04:25 PM | Mary Grace Timcang | no comments


Websense Security Labs and the Websense ThreatSeeker® Network have detected malicious emails disguised as HSBC notifications. A closer look at these emails, like the one you can see below, reveals that the link provided in the emails is a compromised URL belonging to the Philippine Bureau of Immigration.

...

Is Google+ safer than Facebook?

Posted: 02 Aug 2011 01:16 PM | Tamas Rudnai | 3 comment(s)


Google is synonymous with the Web: from the search engine through Web-based email to video sharing, they are arguably the market leader. However, this has not been the case with social networking. They were constantly searching for a new way to set up a service or an Internet portal to help people connect with each other, finding new friends or even old ones. But it was not only Google who tried this: Yahoo and Microsoft also had strong propositions to win this market, with little success. Then all of a sudden, a young chap called Mark Zuckerberg created a brand new concept and made social networking very popular, and in 6 years they managed to climb all the way up to 2nd place in the Alexa ranking, overtaking many big names like YouTube, Apple, Yahoo and Microsoft. Facebook came from nowhere and even challenged Google for the very top rank in popularity. Zuckerberg, as a fresh university graduate, had no experience in how to set up an enormous system like this, but he still smashed it and today is fighting to take the No.1 place, as can be seen on the Alexa report.

It's no surprise therefore that Google is constantly looking for a way to beat Facebook and secure their first position. They already have a popular social network called Orkut. OK, it is only popular in some countries like Brazil or India, but still, it proves their concept: they can do it. The software giant has also done some interesting projects with Google Wave and Google Buzz. None of them really worked out or got close enough to steal market share from Facebook, although both got huge attention from the media as well as from users. New concepts come and go: Google moved on and has come up with Google+, which is yet another brand new concept. It looks like Google will keep trying until they get the perfect recipe for the most delicious cake of social networking.

They are probably right in sensing the growing need for something new, and that is proved by the overwhelming interest from millions of Internet users. However, for us security experts, it is always of keen interest to see whether it is going to be more secure than Facebook, or whether it could be just a perfect gateway for spammers. If we look at the key differences between Facebook and Google+, we notice that while on Facebook you need to accept a friend request, on Google+ someone can add you to their Circles without your prior approval. Later on you may block people; however, it worries me a bit as it makes it fairly easy to use Google+ as a source of spam messages. To test this theory I have just put a test message in my Stream on my existing Google+ account, and shared it with my company email address, which was not previously registered by Google in any way. When I shared my stream post, I received an email from Google+ including the content of the message I wrote.

Malicious invitations and notifications

The demand for a Google+ account is still high. It is partly the fact that the service is still in beta, and it is...
