
November 2011 Posts

Working on the Holidays
Posted: 29 Nov 2011 08:00 PM

While the United States enjoyed a long Thanksgiving weekend, attackers did not take time off. Fortunately, the automated Websense® ThreatSeeker® Network and staff elsewhere in the world ensured that systems and data stayed safe.


Websense researchers working over the holidays identified emerging threats hijacking the holiday spirit. For more than 40% of 170 popular Thanksgiving-related search terms, the top search results included links to pages carrying injected scripts. These injected scripts send the browser to exploit kits that target vulnerabilities in plugins such as Flash and Acrobat and install malicious software on the client computer.


Tracking the holidays on the social Web showed significantly higher volumes of tweets per second on Thanksgiving than Black Friday, with the majority of Black Friday tweets also happening late Thanksgiving evening. We also saw double the number of links shared about Thanksgiving compared to Black Friday.


Clearly, successful hackers understand the subtleties of human behavior just as well as they understand the inner workings of computer systems. 



Mark Haffenden

DeepSec 2011
Posted: 24 Nov 2011 01:43 AM

The DeepSec IDSC is an annual European two-day in-depth conference on computer, network, and application security. DeepSec IDSC 2011 was held on November 17th and 18th 2011 at the Imperial Riding School, Vienna.


Hermes Li, security researcher at Websense Security Labs™, spoke on Friday, November 18th, the second day of the conference. He talked about an online-game trojan framework from China's underground market, whose source code he analyzed outside of his main research at Websense. The deep analysis covered the trojan's underground market, its module components, and predictions and proposed solutions.


The slides from Hermes Li's talk, "An online game trojan framework from the China underground market", can be downloaded here.


Websense Security Labs will continue its focus on all threats, and keep innovating on defense technology.

Hermes Li

"TOO POWERFUL TO FALL IN THE WRONG HANDS"
Posted: 21 Nov 2011 11:00 PM

This is the message behind the latest Droid Razr commercials. The initial teaser, launched just prior to the 11/11 release, shows a leather-clad motorcycle rider on a dramatic high-speed chase to capture the latest Droid. This explosive, precision-timed heist is worthy of a Mission Impossible movie scene.


The commercial clearly gives the impression that Droid users live on the edge, courting danger. This might actually be true, in an unintentionally strange way.

At Websense Labs, we study the web-use habits of mobile device users and yes, in fact, this is exactly the profile of an Android user.
While iPhone users are busy listening to music and watching videos, Android users are surfing through some of the most dangerous areas of the web.


The graph above shows that Android users are more likely to visit sites that carry real security risks, and sites with a high probability of leading to such risks. They also surf through sites on the fringe of criminal activity (our Hacking, Illegal or Questionable categories). To really fit the image in the Droid commercial, though, their sizeable interest in guns would have to be refined into an interest in daggers and exploding ninja stars (at Websense we don't have a special category for that).

We also study the mobile apps our customers use and the security risks they pose, and the open nature of Android app distribution has proven to carry more risk: anybody can take a legitimate Android app, repackage it with malware and redistribute it, and the average person will not be able to tell the difference until it's too late. When we look at where customers actually get their apps, once again the Android users are living dangerously. iPhone users almost exclusively get their apps from Apple (with its formal approval process), while Android users clearly have no problem downloading apps from a wide spectrum of completely unsanctioned marketplaces. See our 2012 Cyber Security Predictions for more details on the increase in mobile threats.

Too powerful to fall into the wrong hands? Not such a ridiculous question. 

With power comes risk, and if you are not aware of the risk and/or unwilling to take precautions, then that would indeed be "the wrong hands".


Amy Steier

Ultimate 5 TOP Malicious Spam Subjects
Posted: 17 Nov 2011 11:42 PM

The Websense® ThreatSeeker® Network detects millions of spam and malicious emails every day, grouped into campaigns that are sent in a short burst and then disappear for a while. A campaign usually lasts about an hour or less, so some vendors struggle to block these emails in time. Below are the top 5 campaigns we've seen over the last several days.


Warning: if you see these Subject lines in your mailbox, don't open the attachment or click the link. Doing so could infect your device.


1. ORDERS

  • Order N21560 (numbers vary)



The link in these emails redirects to a .ru/main.php or .com/main.php URL, which serves the Blackhole exploit kit. The emails are aimed at users who have just purchased an Adobe CS4 license, which is odd, because version 5.5 is already out. The spammers obviously have not done their research and are behind the times.


2. TICKETS

  • FW: Re: UNIFORM TRAFFIC TICKET (ID: 239127922) (numbers vary and subject might appear without FW: or RE:)
  • Fwd: Your Flight Order N125-9487755 (numbers vary)


Users are lured into clicking a "CLICK HERE" link, which redirects to another URL serving the Blackhole exploit kit. I guess these types of emails are targeting specific people: a) those who have driven a vehicle in New York, b) those who have been cited for a speeding violation recently, and of course c) the curious; otherwise why would they click on this link?


3. DELIVERY COMPANIES:

  • USPS Invoice copy ID46298 (numbers vary)
  • FedEx: New Agent File Form, trackid: 1V6ZFZ7FEOHUQ (numbers vary)
  • DHL Express Notification for shipment 90176712199 (numbers vary)


Fake emails pretending to be invoices or tracking notifications have been around for several years and usually carry an attachment, typically a Trojan such as Zeus or SpyEye. Websense Security Labs™ has written several blogs about similar cases before. I just want to point out that such emails are still being sent in bulk and are still being used as a vector to infect end users' computers. They remain popular because the attachments are repacked for every new campaign, so antivirus products struggle to release signatures in time and fail to block them, as in this case: the campaign is known, but VirusTotal shows only 8/42 detections for the attachment.


4. test


This email suggests that the attachment is a patch for WoW (World of Warcraft). Unfortunately for the criminals, the archive is corrupt and therefore harmless to recipients. Emails with "test" in the Subject line are commonly used by criminals to spread malware: users are accustomed to seeing legitimate "test" emails when a mail system is being checked, and spammers also use such messages to validate that an address is live.


5. Payment/TAX systems:

  • FRAUD ALERT for ACH
  • Your Wire Transfer
  • Wire transfer rejected
  • IRS requires new EIN
  • IRS Tax report


This type of email first appeared in August-September 2011, and we wrote a blog about the ACH campaign at the time. The email in the screenshot was received today, although its date still says August: the spam bot seems to think it's still August!


The malicious spam campaigns listed above reuse the same recurring themes, which spammers rarely change. What does change between runs is the following:


  • Switching between attachments and malicious or compromised links
  • Repacking attachments so that antivirus products will not detect them
  • Slightly changing the template of the email
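The three variations listed above are exactly what a subject-line matcher has to absorb: the theme stays fixed while order numbers, ticket IDs and tracking IDs change, and the delivery vector flips between attachments and links. The following added example (not the post's own tooling, not Websense code) normalises subject lines by collapsing numeric and mixed alphanumeric tokens and stripping FW:/Re: prefixes, matches the result against templates reconstructed from the subjects quoted above, and then runs over a few constructed mail-gateway log lines (a made-up format) to count hits per campaign and note which vector each one used. The "test" subject is matched like the others but, as the post notes, collides with legitimate traffic, so on its own it should be treated as a weak signal.

```python
import re
from collections import Counter

# Campaign templates reconstructed from the subject lines quoted in this post.
# Digit runs become <NUM>; a letters-then-digits token keeps its letters
# ("N21560" -> "n<NUM>"); any other mixed token (tracking IDs) becomes <ID>.
CAMPAIGN_TEMPLATES = {
    "orders": {"order n<NUM>"},
    "tickets": {"uniform traffic ticket (id: <NUM>)",
                "your flight order n<NUM>-<NUM>"},
    "delivery": {"usps invoice copy id<NUM>",
                 "fedex: new agent file form, trackid: <ID>",
                 "dhl express notification for shipment <NUM>"},
    "test": {"test"},
    "payment_tax": {"fraud alert for ach", "your wire transfer",
                    "wire transfer rejected", "irs requires new ein",
                    "irs tax report"},
}
TEMPLATE_INDEX = {t: name for name, ts in CAMPAIGN_TEMPLATES.items() for t in ts}

PREFIX_RE = re.compile(r"^(?:(?:fw|fwd|re)\s*:\s*)+", re.IGNORECASE)
TOKEN_RE = re.compile(r"[A-Za-z0-9]+")
LETTERS_THEN_DIGITS = re.compile(r"([A-Za-z]+)(\d+)")


def _normalize_token(match):
    tok = match.group(0)
    if tok.isdigit():
        return "<NUM>"
    if tok.isalpha():
        return tok.lower()
    m = LETTERS_THEN_DIGITS.fullmatch(tok)
    return m.group(1).lower() + "<NUM>" if m else "<ID>"


def normalize_subject(subject):
    """Strip reply/forward prefixes, replace variable tokens, collapse whitespace."""
    s = PREFIX_RE.sub("", subject.strip())
    s = TOKEN_RE.sub(_normalize_token, s)
    return re.sub(r"\s+", " ", s).strip()


def classify_subject(subject):
    """Campaign name for a subject line, or None when it matches no template."""
    return TEMPLATE_INDEX.get(normalize_subject(subject))


# Constructed mail-gateway log lines in a made-up format (not real traffic).
SAMPLE_LOG = """\
2011-11-17T09:01:12Z from=billing@example.net subj="Order N21560" att=1 urls=0
2011-11-17T09:01:40Z from=billing@example.net subj="Order N21587" att=0 urls=1
2011-11-17T09:03:05Z from=noreply@example.org subj="Re: UNIFORM TRAFFIC TICKET (ID: 239127922)" att=0 urls=1
2011-11-17T09:04:22Z from=tracking@example.com subj="FedEx: New Agent File Form, trackid: 7QX2MKP0AB9ZE" att=1 urls=0
2011-11-17T09:05:10Z from=alice@example.com subj="Lunch on Friday?" att=0 urls=0
2011-11-17T09:06:48Z from=ops@example.com subj="test" att=0 urls=0
2011-11-17T09:07:31Z from=ach@example.net subj="Fwd: Wire transfer rejected" att=1 urls=0
"""
LOG_RE = re.compile(r'subj="(?P<subj>[^"]*)" att=(?P<att>\d+) urls=(?P<urls>\d+)')


def scan_log(text):
    """Count matches per campaign and record which delivery vector(s) each used,
    so a switch from attachments to links between runs is visible."""
    hits, vectors = Counter(), {}
    for line in text.splitlines():
        m = LOG_RE.search(line)
        campaign = classify_subject(m.group("subj")) if m else None
        if campaign is None:
            continue
        hits[campaign] += 1
        used = vectors.setdefault(campaign, set())
        if int(m.group("att")):
            used.add("attachment")
        if int(m.group("urls")):
            used.add("link")
    return hits, vectors


if __name__ == "__main__":
    counts, used_vectors = scan_log(SAMPLE_LOG)
    for campaign in counts:
        print(campaign, counts[campaign], sorted(used_vectors[campaign]))
```

Template matching on normalised subjects catches the "numbers vary" case but not the third variation, a slightly rewritten template; for that, the same normalisation feeds a fuzzy comparison (edit distance or token overlap) rather than the exact-match index used here.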


Websense Email Security and Websense Web Security solutions protect against this kind of blended threat with ACE, our Advanced Classification Engine.



Artem Gololobov

2012 Cyber Security Predictions from the Websense Security Labs
Posted: 17 Nov 2011 09:33 AM

With all of the crazy 2011 security breaches, exploits and notorious hacks, what can we expect for 2012? Last year’s Websense Security Labs predictions were very accurate, so these predictions should provide very useful guidance for security professionals. Here are the highlights; the full report can be downloaded here.


1. Your social media identity may prove more valuable to cybercriminals than your credit cards. Bad guys will actively buy and sell social media credentials in online forums.

Trust is the basis of social networking, so if a bad guy compromises your social media log-ins, there is a good chance they can manipulate your friends. Which leads us to prediction #2.


2. The primary blended attack method used in the most advanced attacks will be to go through your social media “friends,” mobile devices and through the cloud.

We’ve already seen one APT attack that used the chat functionality of a compromised social network account to get to the right user. Expect this to be the primary vector, along with mobile and cloud exploits, in the most persistent and advanced attacks of 2012.


3. 1,000+ different mobile device attacks coming to a smartphone or tablet near you.

People have been predicting this for years, but in 2011 it actually started to happen. And watch out: the number of people who fall victim to believable social engineering scams will go through the roof if the bad guys find a way to use mobile location-based services to design hyperspecific geolocation social engineering attempts.


4. SSL/TLS will put net traffic into a corporate IT blind spot.

Two things are driving more traffic into SSL/TLS tunnels for privacy and protection. The first is the disruptive growth of mobile and tablet devices. The second is that many of the largest, most commonly used websites, such as Google, Facebook and Twitter, are switching to https sessions by default, ostensibly for more secure transmission. But as more traffic moves through encrypted tunnels, many traditional enterprise security defenses will be left looking for a threat needle in a haystack, because they cannot inspect the encrypted traffic unless they sit at a point where the tunnel is terminated.


5. Containment is the new prevention.

For years, security defenses have focused on keeping cybercrime and malware out. Organizations on the leading edge will implement outbound inspection and will focus on adapting prevention technologies to be more about containment, severing communications, and data loss mitigation after an initial infection.


6. The London Olympics, U.S. presidential elections, Mayan calendar, and apocalyptic predictions will lead to broad attacks by criminals.

Cybercriminals will continue to take advantage of today’s 24-hour, up-to-the minute news cycle, only now they will infect users where they are less suspicious: sites designed to look like legitimate news services, Twitter feeds, Facebook posts/emails, LinkedIn updates, YouTube video comments, and forum conversations.


7. Social engineering and rogue anti-virus will continue to reign.

Scareware and rogue anti-virus, which declined a bit in 2011, will stage a comeback. But instead of "You have been infected" pages, we anticipate three growing scareware subcategories in 2012: fake registry clean-up tools, fake speed-improvement software, and fake backup software mimicking popular personal cloud backup services.


You can also watch a video of the Websense Security Labs discussing the predictions here:



Patrik Runald

Websense at Pacsec 2011 and AVAR 2011
Posted: 15 Nov 2011 06:56 PM

Last week was a busy one for Websense Security Labs™: members of the team attended both the Pacsec 2011 and AVAR 2011 conferences.

The Pacsec 2011 conference was held in Tokyo and addresses the increasing importance of information security in Japan. Many well-known figures in the international security industry got together with leading Japanese researchers to share best practices and technology.

The AVAR 2011 conference was held in Hong Kong and has a reputation in the Asia Pacific IT industry as the leading conference on anti-malware technologies and threats. It is relevant not only to virus researchers but also to corporate IT professionals who have a business and technical need to secure their systems, and to anyone who wants a safe and secure computing environment protected against Internet threats.

Ulysses Wang and Nick Guo from Websense delivered the presentation "A New Approach to Automated JavaScript De-obfuscation" at Pacsec 2011. They presented the Labs' latest research project on JavaScript de-obfuscation and demonstrated a high-performance de-obfuscation engine, which showed good coverage in the demo. Other researchers from around the world also gave excellent presentations.


Xue Yang and Elson Lai from Websense delivered the presentation "Dissection of exploit kits" at AVAR 2011. The team at Websense Security Labs has been tracking exploit kit threats for a long time. In this presentation they showed analysis statistics for the top 10 exploit kits (based on the Labs' research findings) and used some typical kits as examples, highlighting their key features and differences. They also compared exploit kits with current APT (Advanced Persistent Threat) attacks from several angles, and dived into the protection mechanisms exploit kits use in an attempt to evade detection. They concluded with predictions on what Websense sees as emerging trends in exploit kit development, and proposed viable defenses against them.


Websense Security Labs™ will continue its focus on all threats, and keep innovating on defense technology. 

Websense 2011 predictions score A-, 2012 predictions coming soon…
Posted: 15 Nov 2011 04:00 AM

About a year ago we predicted what the biggest security risks of 2011 would be, and as we come up towards the end of the year we wanted to see how accurate those predictions were. We have rated our 2011 predictions on a scale of A to F. Here we go!


1. The Stuxnet sequels are coming

While there wasn’t a Stuxnet sequel in 2011, there was the Stuxnet prequel in Duqu, which was perhaps written by the same group as Stuxnet. So while we weren't entirely correct we weren't too far off either. We’ll see if in 2012 we hear about more predecessors and new models built on the success of Stuxnet. Score: B


2. More blended threats and companies will struggle to stay secure while covering more ground

There were definitely more targeted attacks against organizations in 2011 than ever before: RSA, ShadyRat, NightDragon, Nitro, and the list goes on. Score: A


3. More corporate breaches will occur over social media channels

Not many corporate breaches happened over Facebook, Twitter or other social networks during 2011. A number of compromises led to Facebook, Twitter and YouTube accounts being hijacked to display unwanted content, but they weren't used to compromise internal data. There was definitely a big increase in the number of attacks that used social networks to spread; every day we track several attacks on Facebook. And while we hear of small-scale data loss through social networks every day (recent survey results suggested that more than 20 percent of companies have had confidential material posted to the social web), we are going to give this prediction a B-.


4. You down with DLP? Malware exploit kits will add zero-day vulnerabilities faster, increasing their use in drive-by download attacks.

I think this is a definitive yes, as the big giant breaches continued at a record pace in 2011. A number of them used zero-day vulnerabilities to steal critical IP and corporate and government secrets and leak them to third-party outlets. More surprising, however, was that a number of these didn't stem from the dreaded "APT" word. Most were social-engineered attacks crafted to infect companies with Remote Access Tools (RATs), which have been around for years. As a result I'm seeing more and more people getting serious about DLP projects now. In fact, more than 20 percent of the 1,000 IT pros we surveyed said they were going to begin or accelerate a DLP project due to the chaos of 2011. Score: A


5: Is there an app for that? The iPad, iPhone and other smartphones will be prime targets for cybercriminals.

Over the last year we have seen a drive-by download that jailbreaks iOS, and a number of exploits. Apple may be on to something with its developer application review and application sandboxing. While iOS drive-bys have been few and far between, mobile malware, and Android attacks in particular, are becoming more prevalent. This doesn't mean we won't see more on iOS this year. So if we go by the title of the prediction alone, we did see a mobile drive-by for iOS, so I'll give it a C. If we include all the bots, Trojans and malware created for Android, I'm going to raise the score to an A.


So there you have it: if we were computing a grade point average, we'd be at a B+ or an A-. Not too bad…


Stay tuned: very soon the Websense Security Labs team will release our top predictions for 2012. Wait 'til you see what we come up with this year.


Patrik Runald

Oops! Rick Perry searches are popular, plentiful and …potentially harmful?
Posted: 14 Nov 2011 09:15 PM

During the Republican presidential debate on November 9, 2011, Rick Perry's performance garnered plenty of attention, but probably not the kind he sought.


Social media popularized the YouTube video of the moment, with views skyrocketing to 1.7 million in just two days, which made it a new member of the Viral Video category as well as a popular search topic.


Malware and spam attacks are commonly found surrounding popular Internet searches.


Trending searches such as those on the passing of Amy Winehouse, the Oslo bombing and the rumors of Gaddafi's death generated spam attacks within a short time span.


Websense researchers found 206 unique URLs containing malicious or potentially harmful content among the results for "Rick Perry"-associated search terms.


Here are a few of these. 


On another note, here are some interesting statistics on bandwidth and potential productivity loss surrounding Rick Perry's debate performance:


The total time spent viewing this video adds up to 1,078 days, or 2.95 years. That is a staggering amount of time, considering it accumulated in only two days.


Streaming media can be a bandwidth concern for companies: the views of this video add up to 167 gigabytes of traffic.


Popularity can quickly become a curse. One minute you are rising in charts on YouTube, the next your name is regrettably associated with malicious content. 


Websense® customers are protected from the dangers of these sites by ACE, our Advanced Classification Engine.


Elisabeth Olsen

Did you know ... about the dangers of online drug shopping?
Posted: 09 Nov 2011 09:00 PM

Increases in prescription prices and lower insurance benefits have prompted many to look for bargain drugs on the Internet. There are legitimate pharmacies online, but as the highly qualified nurse below suggests, there are obvious dangers. And many dangers that are not so obvious.


Websites that offer illegal drugs, anabolic steroids and prescription drugs “with no prescription needed!” are clearly dodgy, and are classified by Websense under the category “Abused Drugs”.


Products from these sites may be ineffective at best or dangerous at worst. For example, counterfeit tablets of the weight-loss drug, Alli, seized by the U.S. Food and Drug Administration were found to contain twice the recommended dose of another substance that has been associated with heart problems.


Some sites offer a veritable supermarket of illegal drugs, assuring buyers anonymity through the use of Bitcoin, a supposedly untraceable online currency, and other “guarantees.” These protections may not be as effective as users think they are. 


Besides the danger of ingesting unknown substances and falling foul of the law, buyers of online drugs run other risks as well. Nicolas Christin, a computer scientist at Carnegie Mellon University, found that 32% of searches for prescription drugs led to URLs infected with malicious code. Legitimate university sites and even trusted .gov sites are often hijacked to redirect visitors to illegal online pharmacies, and malicious links are posted as comments on the message boards and forums of legitimate sites, often by spam bots posting to thousands of sites at once.


In addition, new synthetic drugs such as "bath salts" and "spice" have been flying under the radar of law enforcement. The effects of these drugs are finally bringing them to headlines—and emergency rooms.  Both drugs exist in a legal limbo which has been exploited by Internet sales.


Synthetic cannabinoids, known as "spice" or "incense," are touted as a legal alternative to marijuana but seem to have much more dangerous side effects, possibly due to adulteration with unknown ingredients. The composition of so-called "bath salts" has not been conclusively determined, but these synthetic stimulants have nothing to do with floral scents or relaxing bathtub soaks. Sold as "bath salts," "plant food," etc. to skirt drug laws, they are produced by illegal street chemists, with all the risks that implies. Reported effects include paranoia, hallucinations, high blood pressure, and violent behavior towards oneself and others.


Despite more and stricter laws against possession and distribution of synthetic drugs, they are freely available via the Internet. 


Websense® customers are protected from the dangers of these sites by ACE, our Advanced Classification Engine.


RM

CVE-2011-3402 Vulnerability in TrueType Font Parsing
Posted: 07 Nov 2011 02:14 PM

When Duqu, which most believe to have been written by the same group as Stuxnet, was first uncovered, the infection vector was still unknown: how did the machines get compromised in the first place? That changed when the Hungarian research lab CrySyS announced that it had found the dropper, a Word document that exploited a new 0-day vulnerability in how Windows parses TrueType fonts.


Microsoft has confirmed that there is indeed a vulnerability in TrueType font parsing. An attacker who exploits it can run arbitrary code in kernel mode. Vulnerabilities that let an attacker run code directly in kernel mode are very rare, and they are especially serious because kernel code is not constrained by user-mode protections; the attacker could, for example, create new user accounts with full access rights. More information is available from Microsoft in Security Advisory 2639658.
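The advisory names the TrueType parser but not the faulty code path, so the following added example (not from the original post, and not Microsoft's code) shows only the structural checks a font parser should apply before it trusts anything in an sfnt file: the version, the table count, and every table record's offset and length checked against the buffer, with the arithmetic done in unbounded Python integers so a crafted length cannot wrap the way it can in 32-bit C. It builds a constructed, minimal TrueType container in memory, parses it, and then rejects deliberately malformed variants. `MAX_TABLES` is an assumed sanity bound, not a value from the TrueType specification, and a file that passes these checks is not thereby safe: they say nothing about the bytecode inside the tables.

```python
import struct

# sfnt offset table: sfntVersion, numTables, searchRange, entrySelector, rangeShift
SFNT_HEADER = struct.Struct(">IHHHH")
# table record: tag, checkSum, offset, length
TABLE_RECORD = struct.Struct(">4sIII")
# 0x00010000 and b"true" mark TrueType outlines (b"OTTO" would be CFF, not handled here)
TRUETYPE_VERSIONS = {0x00010000, 0x74727565}
MAX_TABLES = 64  # assumed sanity bound for this example, not a value from the specification


class FontFormatError(ValueError):
    """Raised for any structural problem found before table contents are touched."""


def parse_table_directory(data):
    """Return {tag: table_bytes} for a TrueType blob, rejecting any record that
    points outside the buffer.  Offsets and lengths come straight from the
    file, so nothing is trusted until it has been checked against len(data)."""
    if len(data) < SFNT_HEADER.size:
        raise FontFormatError("truncated offset table")
    version, num_tables, _sr, _es, _rs = SFNT_HEADER.unpack_from(data, 0)
    if version not in TRUETYPE_VERSIONS:
        raise FontFormatError("not a TrueType sfnt: version 0x%08x" % version)
    if num_tables == 0 or num_tables > MAX_TABLES:
        raise FontFormatError("implausible numTables=%d" % num_tables)
    dir_end = SFNT_HEADER.size + num_tables * TABLE_RECORD.size
    if dir_end > len(data):
        raise FontFormatError("table directory runs past end of data")

    tables = {}
    for i in range(num_tables):
        tag, _checksum, offset, length = TABLE_RECORD.unpack_from(
            data, SFNT_HEADER.size + i * TABLE_RECORD.size)
        # Python ints do not wrap, so offset + length is compared exactly; a C
        # parser must instead check length <= len(data) - offset to avoid overflow.
        if offset < dir_end or offset + length > len(data):
            raise FontFormatError("table %r: offset=%d length=%d outside %d-byte buffer"
                                  % (tag, offset, length, len(data)))
        if tag in tables:
            raise FontFormatError("duplicate table %r" % tag)
        tables[tag] = data[offset:offset + length]
    return tables


def is_well_formed(data):
    """Boolean wrapper around parse_table_directory for quick checks."""
    try:
        parse_table_directory(data)
        return True
    except FontFormatError:
        return False


def build_sfnt(tables, declared_lengths=None, num_tables=None):
    """Serialise {tag: bytes} into a minimal TrueType container.  The two
    optional overrides exist only to produce malformed test inputs."""
    tags = sorted(tables)
    dir_size = SFNT_HEADER.size + len(tags) * TABLE_RECORD.size
    records, body = b"", b""
    for tag in tags:
        payload = tables[tag]
        offset = dir_size + len(body)
        length = (declared_lengths or {}).get(tag, len(payload))
        records += TABLE_RECORD.pack(tag, 0, offset, length)  # checksum left as 0
        body += payload + b"\0" * (-len(payload) % 4)        # tables are 4-byte aligned
    n = len(tags) if num_tables is None else num_tables
    header = SFNT_HEADER.pack(0x00010000, n, 0, 0, 0)       # search fields unused here
    return header + records + body


# Constructed placeholder table contents; these bytes are not a usable font.
SAMPLE_TABLES = {
    b"head": bytes(54),                  # 'head' is 54 bytes in real fonts
    b"fpgm": bytes([0xB0, 0x00, 0x2C]),  # tiny instruction-stream placeholder
    b"cvt ": b"\x00\x10\x00\x20",
}

if __name__ == "__main__":
    good = build_sfnt(SAMPLE_TABLES)
    print(sorted(parse_table_directory(good)))
    bad = build_sfnt(SAMPLE_TABLES, declared_lengths={b"head": 0xFFFFFFF0})
    print(is_well_formed(bad))
```

The checks are deliberately ordered so that no table content is read before its record has been validated; the checksum field is not verified, because it is attacker-controlled and proves nothing about safety.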


Microsoft has also released a Fix-It tool that temporarily mitigates attacks using this vulnerability until a security update is available. As with any workaround, it should be removed once the proper update has been installed.


Websense, as an active member of the Microsoft MAPP program, has worked with Microsoft to develop protection for our customers. Our security solution blocks, under the "Malicious Web Sites" category, any attempt to download a file containing an exploit for this vulnerability:


Block message when trying to download a file exploiting CVE-2011-3402


Websense will continue to work closely with Microsoft and the security community to monitor this prevalent threat.


©2013 Websense, Inc. All Rights Reserved.