
September 2011 Posts

Social Media usage increases malware risks - Websense Survey
Posted: 29 Sep 2011 12:55 PM

Recently, Websense sponsored a global survey of 4,640 IT and IT security practitioners about social media and security in their organizations. We asked them about:

  • The importance of social media in meeting business goals today
  • Social media policies in their organizations
  • The security risks created by employee usage of social media tools

 

What interested us in the Security Labs was the increase in malware exposure that social media has opened up inside businesses. As the graph below shows, more than half of the respondents from around the globe reported that they have seen an increase in attacks due to employees' use of social media in the workplace.

 

Check out these and other surprising results and a country-by-country breakdown by reading the full report here.

Patrik Runald

Malicious Emails with Subject “ACH Payment xxxxx Canceled”
Posted: 28 Sep 2011 01:00 AM

Have you received an email with an "ACH Payment xxxxx Canceled" subject line? Please don't click the link in the email: it leads to a malicious URL.


Websense® ThreatSeeker® Network has detected an email campaign that broke out on 27th September, 2011. All the emails in this campaign carry the subject line "ACH Payment xxxxx Canceled", where xxxxx is a random number generated by the spammers. Every email in the campaign links to the same URL. After clicking the link, the victim is taken through a chain of redirections to various malicious URLs, and finally trojan files are downloaded without any notification to the user. Websense customers are not affected by this campaign, as Websense® ThreatSeeker® already detects and blocks this attack.

 

The earlier method, attaching a ZIP file, could be detected on the fly within a very short period. This time, however, an embedded forged link is used: the text displayed in the message is a legitimate-looking URL, while the actual link target is different, as in the example below:

The displayed URL and the real link target are different, and the real target is a malicious URL. We can use Websense® ThreatSeeker® to analyze its payload:

The payload contains an iframe that redirects the visitor to yet another malicious URL. That URL hosts the Blackhole exploit kit (one of the most widely used exploit kits), which downloads a Zbot file; the sample has been confirmed as Zbot by VirusTotal.

 

As of now, we have received more than 200,000 messages in this campaign. We will continue to monitor this campaign.

 

 

Websense® ThreatSeeker® has also detected the following similar URLs:

 

 

Websense Email Security and Websense Web Security protect against this kind of blended threat with ACE, our Advanced Classification Engine.

 

Shi Linghang

Websense Labs Video: Speaking in Tongues: Malware C&C Encryption
Posted: 27 Sep 2011 11:56 AM

Historically, malware has used IRC for its outbound communication once it has infected a host. But what exactly is malware doing now? In this week's Websense Security Labs video, researchers Ali Mesdaq and Stephan Chenette walk through malware that communicates using custom encryption. They explain which ports this malware uses, how it communicates, and what Websense does to stop it from infecting corporate networks and stealing valuable data.
 
Follow the latest breaking news on cyber security with the weekly Websense Security Labs Video diaries here.
 
Read more about how to protect your organization from malware that communicates using custom encryption here.

 

Patrik Runald

Cuevana.tv is compromised, be aware of this .cx.cc attack!
Posted: 26 Sep 2011 11:04 PM

Websense® ThreatSeeker® Network has detected that the Cuevana.tv (hxxp://www.cuevana.tv) Web site was compromised on 25th September, 2011.

 

Cuevana.tv is a very popular Spanish-language online TV Web site in Latin America, especially in Argentina, Uruguay, Mexico, Colombia, and Panama. Cuevana.tv has a very high Alexa ranking, between 25 and 60 depending on the region.

 

Traffic rank data from Alexa.com

 

The screenshot below shows the Cuevana.tv homepage:

 

 

Malicious code is injected into the page:

 

 

Unfortunately, the iframe injection URL hxxp://kanreque.cx.cc/redir_fcgi.pl was already down when we first detected the compromised site. The payload site was unavailable at the time this blog was posted; however, this could change at any time.

 

In addition to the Cuevana.tv Web site, Websense® ThreatSeeker® Network has also detected a large number of other popular Web sites infected with these malicious iframes (all pointing at .cx.cc domains). Based on analysis of this data, we found that most of these iframes lead to a trojan downloader or to other exploit kits.
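Both the "ACH Payment" mail above (visible link text on one host, real href on another) and the Cuevana.tv injection (a hidden, zero-sized iframe to a throwaway .cx.cc domain) can be picked up with one pass over the HTML. The scanner below is an added example, not a Websense tool or anything from the posts; the sample mail and page are constructed for it, reusing only the kanreque.cx.cc URL reported above, and the suffix list is an assumption you would tune to your own telemetry.

```python
"""Scan an HTML body for (1) anchors whose visible text is a URL on a host
other than the href's host, and (2) iframes that are hidden, zero-sized or
pointing off-site to a suspicious domain suffix.  Added example."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed suspicious iframe target suffixes; .cx.cc comes from the Cuevana.tv post.
SUSPICIOUS_SUFFIXES = (".cx.cc",)


def host_of(url):
    """Lower-cased hostname of a URL; schemeless text like www.x.com is tolerated."""
    url = url.strip()
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


class InjectionFinder(HTMLParser):
    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []      # (element, url, reason)
        self._href = None       # href of the <a> currently open, if any
        self._text = []         # visible text collected inside that <a>

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "a":
            self._href, self._text = a.get("href", ""), []
        elif tag == "iframe":
            self._check_iframe(a)

    def _check_iframe(self, a):
        src = a.get("src", "")
        host = host_of(src)
        reasons = []
        if host and host != self.page_host and host.endswith(SUSPICIOUS_SUFFIXES):
            reasons.append("off-site iframe to suspicious domain")
        style = a.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden iframe")
        try:
            if int(a.get("width", "100")) * int(a.get("height", "100")) <= 1:
                reasons.append("tiny iframe")
        except ValueError:
            pass  # percentage sizes are not judged here
        if reasons:
            self.findings.append(("iframe", src, "; ".join(reasons)))

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            shown = "".join(self._text).strip()
            looks_like_url = shown.lower().startswith(("http://", "https://", "www."))
            shown_host = host_of(shown) if looks_like_url else ""
            real_host = host_of(self._href)
            if shown_host and real_host and shown_host != real_host:
                self.findings.append(("a", self._href,
                                      f"text shows {shown_host} but href goes to {real_host}"))
            self._href = None


def scan_html(html, page_host=""):
    """Return a list of (element, url, reason) findings for one HTML document."""
    finder = InjectionFinder(page_host)
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed samples (not the real campaign content).
ACH_MAIL = ('<p>Your ACH transaction has been canceled. Details: '
            '<a href="http://203.0.113.7/ach/report.php">'
            'http://ach.example.com/report.html</a></p>')
CUEVANA_PAGE = ('<html><body><h1>Cuevana</h1>'
                '<iframe src="http://kanreque.cx.cc/redir_fcgi.pl" width="0" height="0" '
                'style="display:none"></iframe>'
                '<iframe src="http://www.cuevana.tv/player"></iframe></body></html>')

if __name__ == "__main__":
    for label, doc, host in (("mail", ACH_MAIL, ""), ("page", CUEVANA_PAGE, "www.cuevana.tv")):
        for finding in scan_html(doc, host):
            print(label, *finding)
```

The anchor check only fires when the visible text itself looks like a URL, which is exactly the trick the ACH mail relies on; plain "click here" links are left to other controls.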

 

Below are some infected Web sites as detected by ThreatSeeker:

 

 

 

Websense customers are protected from Web-based threats by ACE, our Advanced Classification Engine.

 


Ran Qiong

Did you hear about the new Facebook changes?
Posted: 23 Sep 2011 10:46 PM

 

At its f8 Developers Conference in San Francisco last week, Facebook announced a major makeover and said that this is just the beginning. These are the largest changes to Facebook since the site's early days.

 

Their newly released features are:

  • A redo of Friends Lists (like Google+ Circles) to make it easier to share with whom you want
  • A real-time news ticker (the same functionality as RSS feeds)
  • The option to subscribe to anyone, whether that person is among your friends or not (similar to Twitter)

Timeline

In a few weeks, Facebook is launching “Timeline,” thereby giving the site an entirely new interface.

Timeline will let you customize your personal life story. It’s based on your account activity and will be organized in reverse chronological order. You decide what you want to include in your story from old postings, pictures, and such. And you can show your favorites in double size if you want. 
 


You will also have the ability to go back in time and fill in the blanks for important milestones that were not posted on Facebook (or that happened before Facebook even existed).

When you start out with Timeline, you'll have the option to publish immediately or to wait until you have edited your story. Be aware, though, that Facebook will set a deadline by which all profiles are published in Timeline.

                                    

Real-time media sharing

In the past, you would have clicked the “like” button to show everybody that you like a song. With the new interface on Facebook, you no longer need to do this. We are now talking about “passive sharing,” and by default, much of what you do with Facebook apps and even outside of Facebook with their integrated partners such as Netflix, Internet Games, and Yahoo News will automatically be shared.
Example: You can listen to a song on Spotify and Facebook will know and post this in your Timeline.


Now one issue here is that your friends will know every single song that you listen to on Spotify and every movie you watch on Netflix, and you will know the same about them.
 
In some ways, it resembles Beacon, a Facebook project in which sites like Amazon automatically posted to Facebook when and what a user purchased. This initiative failed in 2007 after protests from the public about the lack of privacy controls.

     

                   

Possible logout risk

Facebook recommends that you log out of its site before browsing other sites if you are worried about it picking up your online activity. Hacker Nik Cubrilovic claims that this may not be enough. He says that when you log out of Facebook, its cookies are not removed but merely altered.


“A number of cookies - including your account number - are still sent along to all requests to facebook.com,” Cubrilovic explains in his blog post. “Even if you are logged out, Facebook still knows and can track every page you visit … The only solution to Facebook not knowing who you are is to delete all Facebook cookies."


Cubrilovic adds that this applies to any site with a Facebook “like” or “share” button or any other widget.

Conclusion

Through the use of Timeline, users will be able to participate in and build a stronger social Web experience by sharing their entire life story and exposing that information to an even wider audience. Real-time media sharing will let users get a look at each other's song and media choices in real time.

 

We're interested to know what you think of the new Facebook. Please leave comments at the bottom of this blog.

 

Thank you!
Elisabeth Olsen - Supervisor Websense Labs  


 

Elisabeth Olsen

Compromised Email marketing companies sending spam
Posted: 23 Sep 2011 03:32 PM

Over the past few years, Websense Security Labs has been monitoring an increasing trend in unwanted email being sent from webmail accounts. Initially these accounts were on hosted freemail providers, but externally facing corporate webmail accounts have recently been targeted. The technique is the same in both attack scenarios: Account passwords are either phished or subjected to a brute force password attack. Once an account is compromised, the attacker can send email messages to contacts and other addresses using the compromised company's reputation to avoid detection by spam filters.

 

Recently we have detected a disturbing shift in this trend: web accounts at email marketing organizations are being compromised and used to send spam, which often contains malicious links.

 

Below is an example of spoofed email originally sent from an email marketing company based in Argentina. In this case, the account belongs to a large electrical retailer that has both online and store-front outlets.

 

 

We can validate that this email came from the email marketing company's infrastructure using the Sender Policy Framework (SPF) records published for its domain.
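The SPF check just mentioned, as an added example (not Websense's tooling and not the tool used for the post): the sending IP taken from the last untrusted Received header is evaluated against the SPF record of the envelope-sender domain. The zone data below is constructed and stands in for live DNS; the record for the retailer delegates to the marketing provider through an include:, which is the arrangement the post describes and the reason a compromised provider account passes SPF. Only the ip4, ip6, a, mx, include and all mechanisms are handled (no redirect=, no CIDR suffixes on a/mx); anything else is reported as a permerror rather than silently ignored.

```python
"""Evaluate a sender IP against a domain's SPF record (RFC 7208 result names).
Added example with constructed DNS data in place of real lookups."""
import ipaddress

# Constructed DNS answers: domain -> record type -> values.
DNS = {
    "retailer.example":     {"TXT": ["v=spf1 mx include:_spf.mailer.example -all"],
                             "MX": ["mx1.retailer.example"]},
    "mx1.retailer.example": {"A": ["198.51.100.10"]},
    "_spf.mailer.example":  {"TXT": ["v=spf1 ip4:203.0.113.0/24 a:out.mailer.example ~all"]},
    "out.mailer.example":   {"A": ["192.0.2.25"]},
}

RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_record(domain):
    """The v=spf1 TXT record for a domain, or None."""
    for txt in DNS.get(domain, {}).get("TXT", []):
        if txt.lower() == "v=spf1" or txt.lower().startswith("v=spf1 "):
            return txt
    return None


def check_spf(ip, domain, depth=0):
    """Return (result, explanation) for sender ip claiming domain."""
    if depth > 10:                                   # RFC 7208 lookup limit
        return "permerror", "too many include levels"
    record = spf_record(domain)
    if record is None:
        return "none", f"no SPF record for {domain}"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in RESULT:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            hit = True
        elif mech in ("ip4", "ip6"):
            try:
                hit = addr in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror", f"bad network {arg!r} in {domain}"
        elif mech == "a":
            hit = str(addr) in DNS.get(arg or domain, {}).get("A", [])
        elif mech == "mx":
            hit = any(str(addr) in DNS.get(mx, {}).get("A", [])
                      for mx in DNS.get(arg or domain, {}).get("MX", []))
        elif mech == "include":
            hit = check_spf(ip, arg, depth + 1)[0] == "pass"   # only a pass counts
        else:
            return "permerror", f"unsupported mechanism {mech!r} in {domain}"
        if hit:
            shown = f"{qual}{mech}" + (f":{arg}" if arg else "")
            return RESULT[qual], f"{shown} matched in {domain}"
    return "neutral", f"no mechanism in {domain} matched"


if __name__ == "__main__":
    for ip in ("203.0.113.45", "198.51.100.10", "198.51.100.200"):
        print(ip, *check_spf(ip, "retailer.example"))
```

Note what a pass proves: 203.0.113.45 passes for retailer.example only because the marketing provider's range is included, so SPF confirms the mail left the provider's infrastructure, not that the retailer's own staff sent it. That is precisely the gap an attacker with a stolen marketing-platform login exploits.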

 

The account was used to send out spoofed email that appears to originate with an international clothing retailer. However, some of the links in the email direct the recipient to a similarly named domain ‘<companydomain>-billings.com’, which was registered on the day of the attack. This site hosts a zip file containing a malicious fake invoice named ‘<companyname>_Order_16YWBoG.exe’. At the time this email campaign started, this file had 0% coverage by the AV community.

 

The day after the first email messages were sent, the attacker compromised another account on the same Argentinian email marketing company website, this time registering a new domain ‘<companydomain>-support.com’. On the third day, the attacker switched to an email marketing company based in Australia. As before, they registered a new domain, but instead of including this domain ‘<companydomain>-invoice.com’ in the email, they compromised an Australian travel company's website and used it as a redirector. This travel company owned the Australian email marketing company account that was used to send the spoofed email. The additional step was probably taken to avoid basic outbound email filtering by the marketing company.

 

One thing these marketing companies have in common is that they appear to use the customer's account name as the user part of the sending address, combined with their own domain. This makes it very easy for an attacker to subscribe to a newsletter and learn both the account name and which marketing platform to log in to.

 

 

As more companies use third-party email marketing organizations to handle their commercial email requirements, are they inadvertently risking their reputations and the repeat business of their loyal customers? We think they could be.

 

Most email marketing web accounts require basic password authentication. If an account is compromised, the attacker has access not only to an efficient email sending infrastructure and campaign editing tools, but also customer email details too. Even worse, most of the major email marketing companies also integrate with many online CRM services, giving the attacker the additional option to resell an organization's information to its competitors. So to the attacker these marketing companies represent soft and potentially lucrative targets.

 

So when your email marketing account is created, does it meet your company's password policy? Does your marketing department share this account and leave the password posted on the pin board? Remember: A simple password may be all that is stopping your organization from sending your entire customer base a malicious email.

Fake malware notifications from "Websense Labs"
Posted: 22 Sep 2011 08:34 AM

Earlier this week we detected malicious email messages that appeared to be sent from "Websense Labs" that contain an alert about detected malicious activity.

 

We have published this blog to let all of our customers know that we would never notify you in this manner and that these messages were not sent by us.

 

If you ever receive any messages of this type, please delete them. 


 



Elad Sharf

"We are going to sue you" scare tactic used in malicious Emails
Posted: 20 Sep 2011 11:05 PM

 

"What do I do if my email account has been spamming to the outside? I just got an email warning me that I will be sued!"

 

Don't worry just yet. When spam can't lure you, it tries to scare you. Here is a spam message socially engineered to trick you into launching malware.

 

Websense® ThreatSeeker® Network has detected an email campaign that broke out on 19th September, 2011. In this campaign, the emails are spoofed to appear to come from established companies. They formally claim that legal action will be taken because of spam you have sent, and they attach a ZIP file that supposedly contains a scanned copy of the evidence.

 

Websense protects against these kinds of blended threats with ACE, our Advanced Classification Engine.

 

One example of the spam email:

 

 

The spam outbreak uses several alarming subject lines to attract the reader's attention. The attachment, once decompressed, is not a document at all but an EXE file disguised as one. VirusTotal confirms it as a Trojan.Downloader. When the trojan runs, it copies itself into the Startup folder under the system path and deletes its original file, so it executes every time the computer starts. It can then connect to remote servers and download further malicious files.
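A mail gateway can catch the disguised attachment before anyone decompresses it. The check below is an added example, not a Websense component: it opens the ZIP in memory and flags members whose content starts with the PE "MZ" header or whose name hides an executable extension behind a document-looking one. The ZIP used for the demonstration is built in memory from a harmless PE stub; the extension lists are assumptions.

```python
"""Flag executables and double-extension lures inside a ZIP attachment.
Added example; the sample archive is constructed and contains no malware."""
import io
import zipfile

DOC_EXTS = {"pdf", "doc", "docx", "xls", "jpg", "png", "txt", "htm", "html"}
EXEC_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs"}


def inspect_zip(data):
    """Return [(member_name, reason)] for members that warrant blocking."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(2)            # PE files start with the DOS 'MZ' stub
            parts = info.filename.lower().rsplit(".", 2)
            ext = parts[-1] if len(parts) > 1 else ""
            inner = parts[-2] if len(parts) == 3 else ""   # e.g. 'doc' in scan.doc.exe
            reasons = []
            if head == b"MZ":
                reasons.append("PE executable content")
            if ext in EXEC_EXTS:
                reasons.append(f"executable extension .{ext}")
            if ext in EXEC_EXTS and inner in DOC_EXTS:
                reasons.append(f"double extension .{inner}.{ext} disguised as a document")
            if head == b"MZ" and ext in DOC_EXTS:
                reasons.append("document extension but PE content")
            if reasons:
                findings.append((info.filename, "; ".join(reasons)))
    return findings


def build_sample():
    """Constructed attachment: a 'scanned document' that is really a PE stub."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Spam_Evidence_Scan.doc.exe", b"MZ\x90\x00" + b"\x00" * 60)
        zf.writestr("readme.txt", b"Please see the attached scan.")
    return buf.getvalue()


if __name__ == "__main__":
    for name, why in inspect_zip(build_sample()):
        print(f"{name}: {why}")
```

Checking the magic bytes as well as the name matters: the name test alone misses an EXE renamed to .pdf, and the content test alone misses script lures that have no MZ header.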

 

Here are some emails we received that have the malicious ZIP file attached:  

 

 

This campaign could potentially carry other variants of the trojan as attachments; we will continue to monitor it.

 

 


Xue Yang

What's More Scary, Hurricanes or Black Holes?
Posted: 20 Sep 2011 08:52 PM

By now, it has become somewhat of a cliché to mention how cyber-criminals try to exploit the latest hot topics to lure victims to malicious content. The recent hurricane scares, however, provided an example that we found interesting. A few weeks ago, Websense Security Labs and the Websense ThreatSeeker® Network came across an email campaign that redirected users to Web pages downloading rogue AV via the Blackhole exploit kit.

 

Websense Email Security and Websense Web Security protect against this kind of blended threat with ACE, our Advanced Classification Engine.

 

This post examines how various vectors (email and Web) lead to Blackhole exploit kits and rogue AV, all hosted on a single IP address. It also shows how some messages from the same email campaign, as well as similar variants, lead to pharmaceutical sites related to the "Yambo Family" group of Web sites.

 

EXPLOITED

 

The malicious mail reads as follows:

 

 

 

As you can see, the text references hurricanes Irene and Katia, names various random people, addresses the potential victim by his or her email user name, and suggests that the reader check out a link whose domain name looks, at first glance, to be related to meteorology.

 

In fact, the Web site had nothing to do with the weather, but it did host a malicious page that contained this code:

 

 

The metrologyservices.com site was cleaned the next day, and the offending page was removed.

 

If we look at the redirection target, we see that it shares an IP address, 91.228.133.74, with a host of other domains whose names look equally suspicious:

 

 

But it's not just the names that are suspicious. These domains are all related to Blackhole exploit kit and/or rogue AV, and we've seen them being accessed through various vectors:

 

  • Email campaigns, as shown above and below
  • SEO poisoning using compromised WordPress pages; in fact, searching for the page linked in the hurricane email leads to:

http://wordpress.org/support/topic/plugin-add-link-to-facebook-links-are-hijacked-to-softwarepromoru

http://wordpress.org/support/topic/dashboard-virus

 

In these cases, the site's .htaccess file has been modified for SEO poisoning, as seen here:
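The hallmark of these .htaccess hacks is that only visitors arriving from a search engine (or error pages) get rewritten to the attacker's site, so the site owner browsing directly never sees it. The scanner below is an added example, not a Websense or unmaskparasites tool: it walks an .htaccess file, pairs each RewriteRule with the RewriteCond lines before it, and flags off-site targets that depend on HTTP_REFERER or HTTP_USER_AGENT, plus ErrorDocument directives pointing off-site. The sample .htaccess is constructed; it borrows the privacy-check.ru URL named later in this post as its target, and the search-engine list is an assumption.

```python
"""Scan an .htaccess file for SEO-poisoning style redirects.  Added example."""
import re

SEARCH_ENGINES = re.compile(r"google|yahoo|bing|msn|aol|altavista|ask\.com", re.I)
EXTERNAL_URL = re.compile(r"^https?://([^/\s]+)", re.I)


def is_external(target, site_domain):
    """True if an absolute URL target leaves site_domain (relative targets never do)."""
    m = EXTERNAL_URL.match(target)
    if not m:
        return False
    host = m.group(1).lower()
    return not (host == site_domain or host.endswith("." + site_domain))


def scan_htaccess(text, site_domain):
    """Return [(line_no, line, reason)] for suspicious directives."""
    site_domain = site_domain.lower()
    findings = []
    conds = []                  # RewriteCond lines pending before the next RewriteRule
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        directive = parts[0].lower()
        if directive == "rewritecond":
            conds.append(line)
        elif directive == "rewriterule":
            target = parts[2] if len(parts) > 2 else ""
            if is_external(target, site_domain):
                by_referer = any("HTTP_REFERER" in c.upper() and SEARCH_ENGINES.search(c)
                                 for c in conds)
                by_agent = any("HTTP_USER_AGENT" in c.upper() for c in conds)
                if by_referer:
                    findings.append((n, line, "search-engine visitors rewritten off-site"))
                elif by_agent:
                    findings.append((n, line, "user-agent dependent rewrite off-site"))
                else:
                    findings.append((n, line, "unconditional rewrite off-site (review)"))
            conds = []          # conditions only apply to the rule that follows them
        elif directive == "errordocument":
            if len(parts) > 2 and is_external(parts[2], site_domain):
                findings.append((n, line, "error page redirected off-site"))
    return findings


# Constructed sample: an injected block followed by a legitimate HTTPS rule.
SAMPLE_HTACCESS = """\
RewriteEngine On
# injected: only search-engine referrals are redirected, so the owner never sees it
RewriteCond %{HTTP_REFERER} .*google.* [NC,OR]
RewriteCond %{HTTP_REFERER} .*bing.* [NC]
RewriteRule ^(.*)$ http://privacy-check.ru/uptime/index.php [R=301,L]
ErrorDocument 404 http://privacy-check.ru/uptime/index.php
# legitimate: force HTTPS on the site's own domain
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://www.example.com/$1 [R=301,L]
"""

if __name__ == "__main__":
    for n, line, why in scan_htaccess(SAMPLE_HTACCESS, "example.com"):
        print(f"line {n}: {why}\n    {line}")
```

Run it against every .htaccess under the web root (the injected copies in these attacks are often in subdirectories, not just the top level), and compare the file's mtime with your last deployment while you are at it.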

 

 

If we look up the whois information for these domains, we find they were registered to one private person: ivan-sushkin[at]yandex[dot]ru.

 

Looking this up leads us to all sorts of interesting information about domains related to that email address, like last year's attacks against osCommerce sites:

 

http://blog.unmaskparasites.com/2010/10/14/htaccess-redirect-to-example-rudirindex-php-2/

http://blog.unmaskparasites.com/2010/11/19/update-on-htaccess-redirects-of-oscommerce-sites/

http://blog.unmaskparasites.com/2011/01/18/another-update-on-the-oscommerce-htaccess-hack/

http://blog.sucuri.net/2010/11/continuing-attacks-against-oscommerce-sites.html

 

Websense Security Labs' principal security researcher, Stephan Chenette, using his Fireshark tool, came across a CSS file on a popular sports fan site that had been injected with malicious code, also redirecting to the same IP address:

 

<compromised domain>/modules/mod_activitystream/style.css -> hxxp://protect-secure.ru/culture/index.php

 

It also alternated between other domains, such as hxxp://protect-now.ru/upkeys/index.php and hxxp://yourprivacy.ru/product/index.php.

 

Here's an example that one of our researchers, Armin Buescher, analyzed using one of our proprietary tools:

 

<compromised domain>/modules/mod_activitystream/style.css (the compromised URL)
  -> checkprivacy.ru / refresh / index.php (redirector)
  -> yanquihkenu.monbe.be / main.php?page=ee87d5979969cea3 (Blackhole exploit kit)

 

Exploits or payloads hosted on the attack server included:


yanquihkenu.monbe.be / content/worms.jar
yanquihkenu.monbe.be / content/2fdp.php?f=26
yanquihkenu.monbe.be / w.php?f=26&e=4
yanquihkenu.monbe.be / w.php?f=26&e=6
yanquihkenu.monbe.be / GWeather.class

 

On September 8, detection of the malware payload on VirusTotal was at 5/44:
http://www.virustotal.com/file-scan/report.html?id=56742d301e1b7e62e831d13f6d1cdfd079a78be22c2bf0cbbc3b71eda18338a5-1315505246


A day later, detection climbed up to 18/44:
http://www.virustotal.com/file-scan/report.html?id=56742d301e1b7e62e831d13f6d1cdfd079a78be22c2bf0cbbc3b71eda18338a5-1315567566

 

Another SEO poisoning example: simply searching Google for the term "automobile" returned this result at number 22:

 

hxxp://www.cheap-online-automobile-insurance.com/

 

On September 12, this site was redirecting to:

 

hxxp://privacy-check.ru/uptime/index.php (on the same IP address, of course: 91.228.133.74).

 

The trending topics (email/SEO) are not the only lure the criminals try to use. Here's a later example that looks, at first, like a somewhat common "Secret Shopper" scam, suggesting you could be a Walmart evaluator:

 

 

 

It leads to this:

 

 

 

 

Blackhole exploit kit:

 

 

NtWriteFile /Device/HarddiskVolume1/Documents and Settings/victimo/Desktop/0.649734766565878.exe
NtCreateProcessEx /Device/HarddiskVolume1/Documents and Settings/victimo/.exe
NtWriteFile /Device/HarddiskVolume1/Documents and Settings/victimo/.exe
NtCreateProcessEx /Device/HarddiskVolume1/Program Files/Java/jre6/bin/javaws.exe
NtCreateProcessEx /Device/HarddiskVolume1/Program Files/Java/jre6/bin/java.exe
 

 

OK, I think everyone gets the idea. Whether it's topical emails or SEO poisoning, you are going to get served with something unpleasant from "Ivan Sushkin."

 

SPAMMED

 

But wait! There's more!

 

Let's go back  to the hurricane scares for a minute. There are more of the same type of hurricane emails, sent at the same time, but with different links. These lead to pharmaceutical spam pages, like "US Drugs" (shown below):

 

 

 

 

And you think we'll leave you with that? No chance!

 

A few days later, what better topic to exploit than Labor Day. This time, it's with a little adult-themed lure, leading to Canadian Health & Care Mall and US Drugs. Notice how the email body also has random people's names, in an effort to give more credibility to the text:

 

 

 

 

For further reading about these two "distinguished" pharmaceutical establishments, see these entries in the spamtrackers.eu Wiki:

 

US Drugs

Canadian Health & Care Mall

Yambo Family

 

SUMMARY

What we see is that the use of hot topics to attract victims to cyber-criminals' sites is widespread and varied. The goal may be to exploit their computer, to scare them into paying for rogue AV, and/or to serve them a spam page (with all the affiliate-program revenue that brings the criminals). We can also see that the various vectors are flexible enough to be used for either spam or malware. At the same time, we get an underlying feeling that "the more things change, the more they stay the same." It was quite amusing for us to see how various unrelated topics, arriving through different vectors, all led to the same IP address, with domains all registered to the same name. For a real user, replace "amusing" with frustrating, risky, or expensive. There's no guarantee that the victim will "just" get a pharmaceutical spam page, as it is quite common for redirection targets to switch between pages hosting exploit kits and more benign spam.

 

Besides the protection that Websense Email Security and Websense Web Security offer, we can never emphasize enough how careful users should be when following any link related to current events, even if it seems to come from a known source. In this case it is, of course, a good idea to block access to this particular IP address, but rest assured that the same gang will have other domains registered on other IP addresses. This is where the real-time protection of ACE, our Advanced Classification Engine, comes into play.

 

Últimas Noticias has been compromised
Posted: 20 Sep 2011 11:22 AM

Websense® ThreatSeeker® Network has detected that the Últimas Noticias Web site (ultimasnoticias.com.ve) was compromised on 19th September, 2011. 

 

Últimas Noticias is the highest-selling daily newspaper in Venezuela. It was founded in Caracas in 1941 after the pro-freedom measures implemented by President Medina Angarita. In 2008 it published 170,000 copies a day (280,000 to 320,000 on Sundays). According to its own market studies, 96.3% of its readers are from "social sectors C, D and E", the lower-income classes, and its supporters call it 'el periódico del pueblo' (the people's newspaper).

 

Screenshot of the Últimas Noticias home page:

 

 

Malicious script injection in source code:

 

At the time of publishing this blog, the malicious link was not accessible.

 

Websense customers are protected from Web-based threats by ACE, our Advanced Classification Engine.


Hermes Li


©2013 Websense, Inc. All Rights Reserved.