-
Typosquatting
Posted:
24 Oct 2011 08:42 PM
-
Do you often make mistakes when typing? Is the Backspace key your friend? Well, you are not alone!
Most of us make typing errors once in a while, but what if those errors could cause data leakage?
Typosquatting exploits the common typing errors people make when entering a Web address in a browser (typing "a" instead of "s", for example, or "e" instead of "r"), and turns them into URL hijacking, malware injection, or phishing. Popular social networking sites like Facebook are frequent targets. With over 800 million active users, it is no surprise that the social networking giant attracts this kind of abuse.

Say you are in a hurry to check out the latest update from your friends on facebook.com, but in your excitement you enter faccenook.com instead. There are several possible outcomes. If the site's owners anticipated your clumsiness and registered that misspelling themselves, you are redirected to the intended site. Otherwise, you might get an error message saying that the page is unavailable. Or you could land on a page that looks like facebook.com but actually redirects you to phishing or other harmful sites, injects malware, infects your system with spyware, and ruins your day.

After carefully studying the objectionable links generated by common typos of facebook.com, we found that over 62% of such links led to bot networks, phishing, or malicious Web sites.
Websense Security Labs researchers took the top-ranked domain (www.facebook.com) and generated common typos based on keyboard character distance, repeated characters, and omitted characters, anticipating the misspellings that resolve to fake or malicious pages. Websense software protects users, their data, and their systems with its backtracking algorithm for identifying altered domain names, and the Advanced Classification Engine (ACE) provides real-time content analysis to keep you safe no matter how bad a tyspist yu aree.
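As an added illustration (not Websense code), the script below generates the single-keystroke variants of a domain under the three error classes named above (adjacent key, repeated key, omitted key) and, in the other direction, flags a requested name that sits within a small edit distance of a watched brand. Websense's backtracking algorithm is proprietary; the plain Levenshtein matcher, the US QWERTY adjacency map, the constructed watch list and the distance threshold used here are all assumptions.

```python
"""Typo-candidate generation and near-miss matching for a domain name.

Added example, not Websense Labs code. The three error classes are the
ones named in the post (adjacent key, repeated key, omitted key); the
QWERTY map, the watch list and the edit-distance threshold are assumptions.
"""

# US QWERTY letter rows (assumption: US layout, letters only).
QWERTY_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm"]


def _neighbours():
    """Keys physically adjacent to each letter.

    Rows are offset by about half a key, so a key touches the key at the
    same index and one to its right in the row above, and one to its left
    and the same index in the row below (assumption).
    """
    nb = {}
    for r, row in enumerate(QWERTY_ROWS):
        for i, ch in enumerate(row):
            adj = set(row[max(i - 1, 0):i] + row[i + 1:i + 2])
            if r > 0:
                adj.update(QWERTY_ROWS[r - 1][i:i + 2])
            if r + 1 < len(QWERTY_ROWS):
                adj.update(QWERTY_ROWS[r + 1][max(i - 1, 0):i + 1])
            nb[ch] = adj
    return nb


NEIGHBOURS = _neighbours()


def typo_candidates(domain):
    """Map each single-error variant of `domain` to the error that makes it.

    Only the leftmost label is varied (assumption); the rest of the name
    is carried over unchanged. A variant reachable by two error types is
    recorded under the first one found.
    """
    label, dot, rest = domain.lower().partition(".")
    suffix = dot + rest
    out = {}

    def add(variant, kind):
        out.setdefault(variant + suffix, kind)

    for i, ch in enumerate(label):
        # keyboard distance: the finger lands on a neighbouring key
        for n in sorted(NEIGHBOURS.get(ch, ())):
            add(label[:i] + n + label[i + 1:], "substitution")
        # repeat: the key registers twice
        add(label[:i + 1] + ch + label[i + 1:], "repeat")
        # omission: the key is missed entirely (never empty the label)
        if len(label) > 1:
            add(label[:i] + label[i + 1:], "omission")
    return out


def levenshtein(a, b):
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


# Constructed watch list of brands worth protecting (assumption).
WATCHED = ["facebook.com", "twitter.com", "google.com"]


def nearest_watched(requested, watched=WATCHED, max_distance=2):
    """Reverse check at request time: is `requested` a near miss of a watched
    domain? Returns (watched_domain, distance) or None. An exact match is not
    a near miss. The threshold is absolute, so very short watched names would
    need a tighter one (left to the deployer).
    """
    req = requested.lower().rstrip(".")
    best = None
    for w in watched:
        if req == w:
            return None
        d = levenshtein(req, w)
        if d <= max_distance and (best is None or d < best[1]):
            best = (w, d)
    return best


if __name__ == "__main__":
    cands = typo_candidates("facebook.com")
    print(len(cands), "single-error variants, e.g.",
          [c for c in cands if cands[c] == "substitution"][:5])
    # the post's own example combines a repeat and a substitution,
    # so it is two edits away from the real name
    print(nearest_watched("faccenook.com"))
```

The generator is what a defender runs once, offline, to decide which misspellings to register or block; the matcher is the cheap runtime check that catches the post's faccenook.com, which is two edits (a doubled "c" plus "b" struck as its neighbour "n") from the real name and so would be missed by a single-edit list alone.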
-
Gaddafi Death Rumours Sure to Spark Spam
Posted:
20 Oct 2011 02:07 PM
-
The Websense ThreatSeeker® Network has been tracking an ongoing spam campaign built around reports of the death of Libyan leader Colonel Gaddafi. We have been monitoring Gaddafi-related spam for a while now, and the recent rumours of his death, as reported here by Reuters, have brought a noticeable influx of such messages.
These scams bear the usual traits of their kind: a request that the victim help the sender, followed by an attempt to make the message convincing by quoting a news article as supporting evidence.
Below are a number of examples of the messages we have seen through our feeds.


From the messages above it is clear that considerable effort went into the detail, all of it aimed at luring the unsuspecting victim into believing the story. It also reinforces a point we have made before about today's spammers: every current news event simply becomes another vehicle for spam.

At the time of writing this blog, the keyword 'Gaddafi' seems to be the highest-ranking trend on Twitter.
Websense Email Security and Websense Web Security protect against this kind of blended threat with ACE, our Advanced Classification Engine.
-
Duqu - Stuxnet 2.0
Posted:
19 Oct 2011 06:10 PM
-
The security industry is buzzing today after Symantec released a whitepaper on a threat known as Duqu.
What's interesting about Duqu is that it is heavily based on the source code of Stuxnet, the worm that targeted industrial control systems (ICS). The Stuxnet source code has never been made public; it is available only to the original attackers. It is therefore reasonable to assume that Duqu was written by the same people, or at least by people with access to that code.
Duqu is not designed to attack Programmable Logic Controllers (PLCs) or any other automation equipment, which was the ultimate purpose of Stuxnet. Instead, it acts as a reconnaissance tool designed to steal private information about such systems. With the information it obtains, further targeted attacks similar to Stuxnet can be executed.
One of the drivers used in the Duqu attack is signed with a certificate issued to C-Media Electronics Corporation, a technology company in Taiwan. The certificate was revoked on 14 October 2011:

While information about the command-and-control servers is still being researched, all known URLs are categorized as security risks (including a Dynamic DNS domain, a new category we released a few weeks ago for exactly this purpose). Websense customers are protected against this malware family and Advanced Persistent Threat (APT) attacks with ACE, our Advanced Classification Engine.
Symantec currently has the most information available about this threat, as they were the first to receive the sample. Their whitepaper can be found here.
-
Turkish government Web sites compromised by an attack from Margent
Posted:
09 Oct 2011 04:01 AM
-
A Margent attack is a common intrusion technique that even an unsophisticated attacker can use against Web sites. This week, Websense Security Labs discovered that several Turkish government Web sites were compromised by this kind of attack.
In a Margent attack, the attacker first gains control of a vulnerable Web site, in this case one hosted at the IP address 67.205.74.10. With that foothold, the attacker can reach the server's file system, and from there any other site hosted on the same server. In this case the attacker modified the homepage of the Turkish government Web site hosted alongside the vulnerable one.
Screenshot of some compromised domains:

Defaced screenshot of a compromised Turkish government domain:

Websense Email Security and Websense Web Security protect against this kind of blended threat with ACE, our Advanced Classification Engine.
-
Blackhole Exploit + Rogue AV capitalizes on Steve Jobs' passing
Posted:
06 Oct 2011 10:59 PM
-
The Websense ThreatSeeker® Network has detected malicious email messages claiming that the late Apple founder and CEO, Steve Jobs, is still alive. Websense Email Security and Websense Web Security protect against these blended attacks with ACE, our Advanced Classification Engine.
Some of the email subjects used in this attack include:
- Steve Jobs: Not Dead Yet!
- Steve Jobs Alive!
- Steve Jobs Not Dead

Screenshot 1 : Sample Email Messages
The email messages contain links to compromised Web sites that redirect to the Blackhole Exploit Kit, which in turn installs rogue AV malware. At the time of writing, the malicious file used in this attack is poorly detected by AV engines.

Screenshot 2 : Malicious Redirect

Screenshot 3 : Obfuscated Exploit Code
As always, don't click on links in emails you didn't expect to receive; they tend to be bad news.
-
First Wave of Halloween Scares
Posted:
05 Oct 2011 04:00 PM
-
Halloween is just around the corner, and, as expected, malware authors have already concocted a brew of early scares: blackhat SEO, a fake Adobe Flash update notification, and a malicious file download.
We start with the search term "halloween skeleton templates," which brings up a poisoned search result. The link redirects users to what appears to be a YouTube site but is a fake.

The fake YouTube site uses nude images of celebrities such as Emma Watson and Paris Hilton as the lure. These, along with salacious captions, are meant to entice users into playing the apparent video. When users click any of the links on the page, they are shown a fake prompt to update Adobe Flash Player.

Users who fall for the trick are prompted to download a malicious file called scandsk.exe, which at the time of writing was detected by 15 of 43 engines on VirusTotal.

Websense Web Security customers are protected against this attack through our Advanced Classification Engine.
-
Facebook and Websense Partner to Protect Users from Malicious Links
Posted:
03 Oct 2011 02:30 PM
-
Today we have some exciting news. Some of you may have already heard about it, because it is big!
Starting today, we have entered a partnership with Facebook, arguably the largest and most important platform on the globe, to better protect its users against malicious links leading to malware-hosting Web sites and fraud.
A platform as popular as Facebook is naturally a target for attackers. We have been working with Facebook and its security teams for a number of years to keep their users safe, but we have now integrated directly into the platform for an unprecedented security combination.
Soon, when a user clicks on a URL posted within Facebook, that link will be sent to Websense for security classification. The Websense® ThreatSeeker® Cloud, an advanced classification and malware identification platform, will analyze the link in real time. If the destination site is considered unsafe, the user is presented with a warning page that offers the choice to continue at their own risk, return to the previous screen, or get more information on why the link was flagged as suspicious.
In this way, we are helping Facebook continue its proactive fight to keep malicious links off its platform and allow safe use for all of its members.
At Websense, we are all about innovation and changing the security game. We were the first company to promote and enable our customers to embrace safe, productive use of social media with our Web security gateway, the first to deliver security and anti-spam protection for companies' presence within Facebook with Defensio, and now we are helping protect all users on the platform with our cloud integration.
This is the same technology that already powers our industry-leading TRITON™ solutions, and it now extends that same protection to consumers and other users of Facebook.
For more information, you can view the news release here, or check out the infographic below.
