Websense Security Labs Blog

Websense Security Labs discovers, investigates and reports on advanced Internet threats that traditional security
research methods miss.


(June 2012) Posts

Dissecting Cleartrip.com website compromise: Malicious ad tactics uncovered

Posted: 29 Jun 2012 12:01 PM | Elad Sharf | 10 comment(s)

The Websense® ThreatSeeker® Network discovered on June 27, 2012, that one of the most popular travel websites in India, cleartrip.com, was compromised and served malicious code. The website was informed of this breach and no longer serves malicious code. In this blog, we'd like to share our insights about this attack and focus on the tactics that we observed being used. We managed to spot this attack iteration before it became fully active: before malicious files were uploaded to the exploit kits that cleartrip.com was redirected to, and before all the malicious redirection nodes that cleartrip.com led to were active.

The tactics that the cyber criminals used show what goes into making a legitimate website's infection less obvious and more difficult for security products to detect. These tactics included the following:

1. Targeting a website's local ad system and masquerading as legitimate ads
2. Manually intervening on a compromised website and preparing multiple domains to ensure redundancy
3. Obfuscating available malicious toolkit redirectors to circumvent detection
4. Using advanced traffic direction system components and masquerading as a legitimate website to remain covert
5. Using exploit kits that serve Java-based exploits only

The next image summarizes the infection redirection chain leading to the exploit website as it started from cleartrip. In this section, we'll take a closer look at the tactics we listed above.

Tactic 1: Targeting the local ad system and masquerading as part of the legitimate ad chain

The attackers seemed to focus on cleartrip.com's local ad system. Having that specific component compromised allowed them to serve malicious code through ads maintained by the website itself. The ad system on cleartrip is a third-party component plugin developed by OpenX. Targeting third-party plugins is a very common tactic used to compromise legitimate websites.

In this instance, it looks like the attackers gained control of the website's ad system, since malicious code was restricted to, and served from, that area only. Other cases of abuse of OpenX components through exploitation and serving of malicious content are documented throughout the Web.

"Malvertising" is another form of loading malicious code with advertisements: third-party advertisers have their ads or their infrastructure compromised, and their ads are then injected and loaded with malicious code. In the cleartrip attack, however, the local ads were served by cleartrip.com itself and not by a third party. By gaining unauthorized access to the OpenX advertising component on the website, the attackers succeeded in sabotaging and injecting ads with malicious code.

Malicious code loaded by ads is harder to detect because loaded ads usually reside at deeper path levels of the website and the malicious code blends well with the rest of the ad content. In contrast, most compromises we see in the labs tend to have injected code on the main page of a website or on pages that are loaded by the main page.

When we checked the IP address of the website of one of the malicious redirectors in this attack, euro-cool.in, we saw the IP address it was hosted on. A host report on that IP revealed more websites that have the same purpose and that are part of the attackers' malicious infrastructure (image 2). Some of the websites' names contain "openx," which leads us to surmise that the individual or group behind this attack is purposefully targeting websites that have the OpenX plugin. It's evident that the attackers were trying to blend in with legitimate ad traffic and appear to be a legitimate part of the ad chain.

If you look at the detailed redirection flow in the set of images below, and specifically at steps 3 and 4, you'll clearly see keywords like "advertisement" and URL patterns that are used by legitimate ad providers, such as this one on the malicious redirection stage:

/banners.cgi?advert_id=1&banner_id=1&chid=341aa8fca26bcff7830499c1c5f8e359

Tactic 1 summary: By targeting a website's local ad-serving component and injecting code into legitimate ads served locally by the website, attackers can more easily evade detection and remain undiscovered.

Image 1: The OpenX advertising plugin login page
Image 2: Websites hosted on the same IP address as euro-cool.in
Image 3: Detailed redirection flow of the attack

Tactic 2: Manually intervening on a compromised website and preparing multiple malicious domains to ensure redundancy

The redirection chain we illustrated above led to an active exploit website; however, the malware binaries that were downloaded after successful exploitation were just stubs and didn't do anything malicious at all. It appears that the attackers didn't get a chance to upload their desired malicious files to the exploit website.

In addition, the redirection chain illustrated above didn't use the illustrated websites exclusively. For example, in other locations on cleartrip.com, infected ads led to the malicious redirector euro-mary.in, which had the same purpose as euro-cool.in and was served with the same structure as euro-cool.in. But euro-mary.in was a "dead" redirect and didn't redirect to an exploit website:

hxxp://euro-mary.in/banners.cgi?advert_id=1&banner_id=1&chid=341aa8fca26bcff7830499c1c5f8e359

euro-mary.in was registered on 2012-06-26, and we believe that it was registered specifically for this attack but was, fortunately, detected before it became fully active. euro-cool.in was also registered on the same date, 2012-06-26. The domains were registered by an individual called Roman Inozemtsev, which is probably a fake name. Here are more details:

Admin Name: Roman Inozemtsev
Admin Organization: N/A
Admin Street1: R-N TBILISSKIY, UL. TRUDOVAYa D.18
Admin Street2:
Admin Street3:
Admin City: Tbilisskaya
Admin State/Province: Tbilisskiy r-n
Admin Postal Code...
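The two tactics above (an ad-lookalike URL on a domain registered the day before, and a second domain serving the exact same "ad" URL) are both checkable from proxy logs plus WHOIS data. The following is an added example written for this edit, not code from the Websense post: it parses a small constructed proxy log, flags ad-style requests to hosts whose registration date is within a few days of the request, and clusters identical ad-style path+query strings that are served by more than one host. The log format, the log lines and every WHOIS date other than the two .in domains' 2012-06-26 creation date are assumptions made for the example; only euro-cool.in, euro-mary.in, the banners.cgi URL and that date come from the post.

```python
"""Added example, not the post's code: spot ad-lookalike redirectors on
freshly registered domains and cluster identical "ad" URLs served by several
hosts. The log format, the log lines and all WHOIS dates except the two .in
domains' 2012-06-26 creation date are constructed for this example."""
import re
from collections import defaultdict
from datetime import date, datetime
from urllib.parse import parse_qsl, urlencode, urlsplit

# Constructed proxy log: "<timestamp> <client> <url> <referer>"
PROXY_LOG = """\
2012-06-27T10:01:05 10.0.0.8 http://www.cleartrip.com/ads/www/delivery/ajs.php?zoneid=12 http://www.cleartrip.com/
2012-06-27T10:01:06 10.0.0.8 http://euro-cool.in/banners.cgi?advert_id=1&banner_id=1&chid=341aa8fca26bcff7830499c1c5f8e359 http://www.cleartrip.com/
2012-06-27T10:03:41 10.0.0.9 http://euro-mary.in/banners.cgi?advert_id=1&banner_id=1&chid=341aa8fca26bcff7830499c1c5f8e359 http://www.cleartrip.com/flights/
2012-06-27T10:05:00 10.0.0.8 http://ads.adnetwork.example/banners.cgi?advert_id=77&banner_id=3 http://www.cleartrip.com/
"""

# Constructed WHOIS creation dates; only the two .in entries are from the post.
REGISTERED = {
    "euro-cool.in": date(2012, 6, 26),
    "euro-mary.in": date(2012, 6, 26),
    "ads.adnetwork.example": date(2005, 3, 14),
    "www.cleartrip.com": date(2006, 1, 10),
}

# Path and query shapes an ad-delivery script would have (banners.cgi?advert_id=...).
AD_URL_RE = re.compile(
    r"/(?:banners?|ads?|adv|advert\w*|delivery)[^?]*\?.*\b(?:advert_id|banner_id|zoneid|chid)=",
    re.IGNORECASE,
)
MAX_AGE_DAYS = 7  # an "ad server" registered this recently is worth a look


def parse_log(text):
    rows = []
    for line in text.splitlines():
        ts, client, url, referer = line.split()
        u = urlsplit(url)
        rows.append({"ts": datetime.fromisoformat(ts), "client": client,
                     "host": u.hostname, "path": u.path, "query": u.query,
                     "referer": referer})
    return rows


def looks_like_ad(row):
    return AD_URL_RE.search(f"{row['path']}?{row['query']}") is not None


def domain_age_days(host, when):
    created = REGISTERED.get(host)
    return None if created is None else (when.date() - created).days


def flag_young_ad_hosts(rows, max_age=MAX_AGE_DAYS):
    """Ad-style URLs served by a host registered within max_age days: (host, age)."""
    hits = []
    for row in rows:
        if looks_like_ad(row):
            age = domain_age_days(row["host"], row["ts"])
            if age is not None and age <= max_age:
                hits.append((row["host"], age))
    return hits


def redundant_redirectors(rows):
    """Identical ad-style path+query on more than one host.

    A real ad server varies ids such as chid per impression; the post shows the
    same chid on euro-cool.in and euro-mary.in, i.e. cloned redirectors."""
    hosts_by_url = defaultdict(set)
    for row in rows:
        if looks_like_ad(row):
            key = row["path"] + "?" + urlencode(sorted(parse_qsl(row["query"])))
            hosts_by_url[key].add(row["host"])
    return {url: sorted(hosts) for url, hosts in hosts_by_url.items() if len(hosts) > 1}


if __name__ == "__main__":
    rows = parse_log(PROXY_LOG)
    for host, age in flag_young_ad_hosts(rows):
        print(f"young ad host: {host} (registered {age} day(s) before the request)")
    for url, hosts in redundant_redirectors(rows).items():
        print(f"cloned redirector {url} on {', '.join(hosts)}")
```

On the constructed log this flags euro-cool.in and euro-mary.in (one day old) while leaving cleartrip's own OpenX delivery script and the long-established ad network alone, and it groups the two .in hosts as one cloned redirector because they serve byte-identical query strings, chid included. The domain-age lookup is the part that needs real data in production (WHOIS or passive DNS); the URL heuristic alone would also match legitimate ad servers.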



Faster, Higher, Stronger—Olympic Security Risks

Posted: 20 Jun 2012 06:07 PM | Elisabeth Olsen | no comments

The 2012 Summer Olympic Games in London, England (July 27 to August 12) will mark the third time the city has hosted this event. When previous London Olympics were held in 1908 and 1948, cyberattacks weren't even the stuff of science fiction. This time around, they are a real concern. Hackers are already taking advantage of the huge explosion in search engine requests, ticket sales, online streaming, and social media postings that will occur as a result of this 17-day sports event. The 2008 Beijing Olympics were the target of about 12 million cybersecurity incidents per day.

In February, we blogged about Olympic ticket scams associated with the 2012 London games, but that was only the beginning. Ticket scams are a major security concern due to the money involved; four years ago, tickets to the Beijing Opening Ceremony were sold on the black market for $26,000 each.

The U.K. government is preparing for all kinds of attacks, from actual terrorism to computer threats. Cabinet Office minister Francis Maude said, "We have rightly been preparing for some time--a dedicated unit will help guard the London Olympics against cyberattacks. We are determined to have a safe and secure Games." He added that an essential element of security is keeping updated on emerging threats: "Our responses have to be fast and flexible. What works one day is unlikely to work a matter of months or even weeks later."

The event has been called "the first social Olympics," and organizers anticipate social media will be more important than ever, which means online security is more of a concern than ever. Records will be broken not only on the track and in the pools, but also in internet traffic. Ofcom, the U.K. telecom regulator, anticipates that wireless spectrum demand will double in London during the games.

Websense® will help administrators control bandwidth consumption by using our Advanced Classification Engine™ (ACE) to classify streaming media and internet video from the Olympics into the Special Events category.

Games organizers have set up an Olympic Athletes' Hub to encourage connection among competitors and fans, but at the same time have imposed some very strict limits on how they can use social media. We first heard back in January from a friend who is one of the 70,000 Games Makers volunteers that she and her colleagues were warned their social media use might compromise the reputation and security of the event. Ticket purchasers are also being told that they may not "license, broadcast or publish video and/or sound recordings, including on social networking websites and the internet more generally, and may not exploit images, video and/or sound recordings for commercial purposes under any circumstances, whether on the internet or otherwise, or make them available to third parties for commercial purposes." Whether any of this will or even can be enforced remains to be seen. The official IOC guidelines apply (in theory) only to "participants and other accredited persons," but there is a great deal of confusion and concern about what can and can't be shared, and by whom. U.K. legal consultant Rachel Boothroyd provides a useful overview, guidelines, and summary, primarily for social media professionals.

Anyone can be targeted by email scams abusing the "London 2012" name, claiming the recipient has won tickets or a large amount of money from a nonexistent "Olympics lottery." The recipient is given a claim number and told to contact a claim agent, and is of course advised to keep the information confidential until the prize is claimed, to avoid spreading the word about the scam. As we have seen in many previous email scams, victims are told they have to make some kind of payment to claim their prize.

An official lottery will pay you right away and will not require payment to release your winnings. Email scams often give themselves away through poor use of English, misspellings, U.K. phone numbers starting with 070 (personal numbers that forward to any line, so they say nothing about where the "claim agent" really is), and personal email accounts such as Gmail or Hotmail accounts. Common sense may keep you safe in most situations, but hackers and spammers are quickly coming up with new ideas on how to attract and take advantage of new victims. Websense protects our customers from scams and other security problems with ACE, our Advanced Classification Engine.



Drawing the line on government censorship

Posted: 18 Jun 2012 05:13 PM | RM | no comments

Governments all over the world attempt to restrict what their citizens can see and do online. French NGO Reporters Without Borders compiles annual lists of countries classified as "Enemies of the Internet" and "Under Surveillance". These classifications represent various means of restricting the free flow of information, ranging from blocking access, to arresting dissident bloggers, and worse.


Google is often asked to censor search results or remove YouTube videos, and of course such requests can be perfectly legitimate in the case of defamation, hate speech, and pornography. Google lists removal requests from government agencies and courts in its Transparency Report, and indicates if the material was removed and why (for example, YouTube videos promoting terrorism violate the site's Community Guidelines). In other cases, access to material is restricted in certain countries to comply with local legislation.




Believe it or not—even MORE internet porn

Posted: 12 Jun 2012 05:19 PM | RM | no comments


In December of 2011, we blogged about the approval of the .xxx TLD (top-level domain) and discussed issues related to how these sites are categorized and how legitimate companies could avoid having their reputation damaged through an .xxx registration.


Under the banner "The Evolution of Online Responsibility," ICM Registry, the company behind .xxx, is now trying to establish .sex, .porn, and .adult to expand its online offerings. A company spokesman says it is prepared to battle for other sex-related TLDs in order to protect its turf, citing the firm's security and trademark protection practices, as well as its zero-tolerance policy toward child sex abuse.




Spoofed Xanga malicious emails, similar to Craigslist campaign

Posted: 07 Jun 2012 07:43 PM | Ran Mosessco | no comments

Hot on the trail of yesterday's spoofed Craigslist malicious emails comes another variant, spotted today. This one spoofs a Xanga blog notification about a comment on your blog. So far we have seen about 140,000 of these in our Cloud Email Security portal. Websense Email Security and Websense Web Security protect against this kind of blended threat with ACE, our Advanced Classification Engine.

Let's look at a sample.

Subject: New Weblog comment on your post!

As we can see, the "Click here to reply" link goes to this URL:

hxxp://www.1000sovetov.kiev.ua/wp-content/themes/esp/wp-local.htm

The target site contains obfuscated JavaScript that redirects to URLs like:

hxxp://pushkidamki.ru:8080/forum/showthread.php?page=5fa58bce769e5c2c

Those are the sites that host the exploit kit. Basically, the lure has changed, but the URLs suggest this is all part of the same malicious campaign. We can probably expect a few more themes in the coming weeks, as the cybercriminals try to broaden their victim base.

A little peek behind the curtain here shows how the Websense® Security Labs™ ThreatSeeker™ Network categorizes the URLs in real time, similar to the way our products do real-time categorization for customers. More detailed analysis of the URL behavior can be found here.

To summarize, the number of emails and varying themes suggest this is not targeted against specific users (Xanga today, Craigslist yesterday), but rather a more typical attempt to cast a broad net. We will be on the lookout for more developments; we anticipate other variants will surface soon.



Malicious URLs in Fake Craigslist Emails

Posted: 06 Jun 2012 07:06 PM | Ran Mosessco | no comments

Today, the Websense® Security Labs™ ThreatSeeker™ Network has seen a barrage of malicious emails pretending to be automated notifications from Craigslist. These emails instruct the recipient to click a link to complete a Craigslist request. The URLs in these emails redirect the user to malicious web sites hosting the Blackhole Exploit Kit. So far we have seen over 150,000 of these emails in our Cloud Email Security portal. Websense Email Security and Websense Web Security protect against this kind of blended threat with ACE, our Advanced Classification Engine.

The emails have subject lines like:

POST/EDIT/DELETE : "Models for fine" (systems / network)
POST/EDIT/DELETE : "Studio4PaintWorkCatskills" (education)
POST/EDIT/DELETE : "Show Your Art" (cars+trucks)

The malicious emails are similar in appearance to legitimate Craigslist automated email notifications, including a legitimate-looking sender address and name. Here we can see the headers and SMTP transaction, showing the Craigslist sender address and mail server.

Clicking on the link takes the victim to a compromised WordPress page containing obfuscated JavaScript. After deobfuscation, we can see an iframe redirection to a malicious web site.

The malicious website tries to exploit the victim's computer using vulnerabilities such as:

CVE-2010-0188 (Adobe Reader and Acrobat, malformed TIFF image embedded in a PDF)
CVE-2010-1885 (Microsoft Windows Help and Support Center, hcp:// protocol handler)

More details can be found here.

The original links in the emails were detected by ACE in real time using our Real-Time Security Scanner. In addition, we have increased the proactive detection of similar campaigns for our email security customers.
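The Craigslist and Xanga posts describe the same lure anatomy: a notification-style message whose link does not go to the claimed sender's site but to a static .htm dropped into a WordPress theme directory, which then redirects to an exploit-kit landing page of the form host:8080/forum/showthread.php?page=<16 hex characters>. The following is an added example written for this edit, not code from either post, that triages a message along those lines with the Python standard library: it extracts the links from the HTML body, compares each link host to the sender's domain and to any URL shown as the link text, and matches the two URL shapes the posts show. Both sample messages are constructed (sender addresses, display text and bodies are assumptions made here); only the subject lines and the two URLs are taken from the posts.

```python
"""Added example, not code from the posts: triage a notification-style lure
by pulling out its links, checking them against the sender's domain, and
matching the two URL shapes the posts show (a .htm under a WordPress theme
directory, and the :8080/forum/showthread.php?page=<16 hex> landing page).
Both messages below are constructed; only the subjects and URLs are from the posts."""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

CRAIGSLIST_LURE = """\
From: "craigslist - automated message, do not reply" <noreply@craigslist.org>
To: victim@example.com
Subject: POST/EDIT/DELETE : "Show Your Art" (cars+trucks)
Content-Type: text/html; charset="utf-8"

<html><body><p>Please click the link below to complete your request:</p>
<p><a href="http://www.1000sovetov.kiev.ua/wp-content/themes/esp/wp-local.htm">https://post.craigslist.org/</a></p>
</body></html>
"""

XANGA_LURE = """\
From: "Xanga" <noreply@xanga.com>
To: victim@example.com
Subject: New Weblog comment on your post!
Content-Type: text/html; charset="utf-8"

<html><body><p>Someone left a comment on your weblog.</p>
<p><a href="http://www.1000sovetov.kiev.ua/wp-content/themes/esp/wp-local.htm">Click here to reply</a></p>
</body></html>
"""

# First hop in both posts: a static .htm dropped into a WordPress theme directory.
WP_THEME_HTM_RE = re.compile(r"/wp-content/themes/[^/]+/[^/]+\.html?$", re.I)
# Second hop in the Xanga post: exploit-kit landing page, 16 hex chars in "page".
EK_LANDING_RE = re.compile(r":8080/forum/showthread\.php\?page=[0-9a-f]{16}$", re.I)


class _Links(HTMLParser):
    """Collect (href, visible text) for every <a> in the HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a":
            if self._href:
                self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def refang(url):
    """Undo the hxxp:// defanging the posts use so the URL parses normally."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.I)


def classify_url(url):
    url = refang(url)
    if EK_LANDING_RE.search(url):
        return "exploit_kit_landing"
    if WP_THEME_HTM_RE.search(urlsplit(url).path):
        return "wordpress_theme_landing"
    return "unclassified"


def same_site(host, domain):
    return host == domain or host.endswith("." + domain)


def analyze(raw_message):
    msg = message_from_string(raw_message, policy=policy.default)
    sender_domain = parseaddr(str(msg["From"]))[1].rpartition("@")[2].lower()
    parser = _Links()
    parser.feed(msg.get_content())
    findings = set()
    for href, text in parser.links:
        href = refang(href)
        host = (urlsplit(href).hostname or "").lower()
        if not same_site(host, sender_domain):
            findings.add("sender_link_mismatch")   # link leaves the claimed sender's site
        shown = urlsplit(text).hostname if "://" in text else None
        if shown and shown.lower() != host:
            findings.add("link_text_mismatch")     # visible URL differs from real target
        kind = classify_url(href)
        if kind != "unclassified":
            findings.add(kind)
    return {"subject": str(msg["Subject"]), "sender_domain": sender_domain,
            "links": [refang(h) for h, _ in parser.links], "findings": sorted(findings)}


if __name__ == "__main__":
    for raw in (CRAIGSLIST_LURE, XANGA_LURE):
        report = analyze(raw)
        print(report["subject"], "->", ", ".join(report["findings"]))
    print(classify_url("hxxp://pushkidamki.ru:8080/forum/showthread.php?page=5fa58bce769e5c2c"))
```

The sender check is deliberately weak on its own (the From header is spoofed, so it only tells you the link and the claimed sender disagree); its value is in combination with the landing-page patterns, which are specific to this campaign and would need updating as the kit's URL scheme changes.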



Reports of 6.4 Million Stolen LinkedIn Passwords

Posted: 06 Jun 2012 03:44 PM | Carl Leonard | 1 comment(s)

LinkedIn is investigating reports that approximately 6.4 million user passwords have been posted on the Web. While the breach is still unconfirmed by LinkedIn (as of the time that we wrote this blog), they have acknowledged on their Twitter feed that their investigations have begun.

If you're a LinkedIn user, Websense® Security Labs recommends that you change your password immediately to help prevent your password from falling into the wrong hands.


After retrieving the password files that are being distributed on forums in the .ru TLD space, it appears that the passwords are hashed. However, based on samples seen by us, it is easy to translate them into clear text. Our initial investigations reveal that a password of "linkedin" features heavily.

It is uncertain how the hackers retrieved the stolen passwords; however, the passwords that users are finding in the hashed files do appear to be real.
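The post says the leaked passwords were hashed yet easy to turn back into clear text, with "linkedin" featuring heavily. The following added example, written for this edit and not code from the post, shows why: it assumes, as was widely reported for this leak but is not stated above, that the file held unsalted SHA-1 hex digests. With no salt, a single SHA-1 of each candidate is compared against every leaked hash at once, so a small wordlist and a handful of mangling rules recover the site-name-based passwords immediately. For contrast it also stores a few passwords with a random salt and PBKDF2, where the same wordlist has to be re-derived per record at a much higher cost per guess. The "leaked" hashes, the plaintexts behind them and the wordlist are all constructed here.

```python
"""Added example, not from the post: dictionary attack on unsalted SHA-1
versus salted PBKDF2. Assumes (not stated in the post) that the leaked file
held unsalted SHA-1 hex digests. All hashes, plaintexts and the wordlist
below are constructed for the example."""
import hashlib
import os

# Constructed "leak", seeded with the post's observation that "linkedin" is common.
_CONSTRUCTED_PLAINTEXTS = ["linkedin", "linkedin1", "Linkedin2012", "password", "Tr0ub4dor&3x!"]
LEAKED_HASHES = [hashlib.sha1(p.encode()).hexdigest() for p in _CONSTRUCTED_PLAINTEXTS]
WORDLIST = ["123456", "password", "linkedin", "welcome"]  # constructed, tiny


def mangle(word):
    """A few cheap rules (17 candidates per word); real crackers use thousands."""
    yield word
    yield word.capitalize()
    for digit in range(10):
        yield f"{word}{digit}"
    for year in range(2008, 2013):
        yield f"{word.capitalize()}{year}"


def crack_unsalted_sha1(hashes, wordlist):
    """Unsalted: one SHA-1 per candidate is checked against every hash at once."""
    targets = set(hashes)
    found, hash_ops = {}, 0
    for word in wordlist:
        for cand in mangle(word):
            hash_ops += 1
            digest = hashlib.sha1(cand.encode()).hexdigest()
            if digest in targets:
                found[digest] = cand
    return found, hash_ops


def store_salted(password, iterations=20_000):
    """What a site should store: random per-user salt plus a slow KDF."""
    salt = os.urandom(16)
    return salt, iterations, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def _crack_one_salted(record, wordlist):
    salt, iterations, stored = record
    ops = 0
    for word in wordlist:
        for cand in mangle(word):
            ops += 1
            if hashlib.pbkdf2_hmac("sha256", cand.encode(), salt, iterations) == stored:
                return cand, ops
    return None, ops


def crack_salted(records, wordlist):
    """Salted: the whole candidate set is re-derived per record, and each
    derivation costs `iterations` HMAC rounds instead of one SHA-1."""
    found, kdf_ops = {}, 0
    for record in records:
        cand, ops = _crack_one_salted(record, wordlist)
        kdf_ops += ops
        if cand is not None:
            found[record[2].hex()] = cand
    return found, kdf_ops


if __name__ == "__main__":
    found, ops = crack_unsalted_sha1(LEAKED_HASHES, WORDLIST)
    print(f"unsalted: recovered {len(found)}/{len(LEAKED_HASHES)} with {ops} SHA-1 calls")
    salted = [store_salted(p) for p in ("linkedin", "Tr0ub4dor&3x!")]
    found, ops = crack_salted(salted, WORDLIST)
    print(f"salted: recovered {len(found)}/{len(salted)} with {ops} PBKDF2 calls of 20,000 rounds each")
```

Run stand-alone, the unsalted pass recovers four of the five constructed hashes with 68 SHA-1 calls, because every guess is tested against the whole leak simultaneously; the salted pass needs a separate PBKDF2 run per record and per guess, which is what turns "6.4 million hashes" from a single lookup-table job into 6.4 million independent ones. Salting does nothing for a password that is literally the site name, which is why the post's advice to change it stands regardless of how it was stored.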


