
June 2012 Posts

Dissecting Cleartrip.com website compromise: Malicious ad tactics uncovered
Posted: 29 Jun 2012 12:01 PM

 

The Websense® ThreatSeeker® Network discovered on June 27, 2012, that one of the most popular travel websites in India, cleartrip.com, was compromised and served malicious code. The website was informed of this breach and no longer serves malicious code.

 

In this blog, we'd like to share our insights about this attack and focus on the tactics that we observed being used. We managed to spot this attack iteration before it became fully active, before malicious files were uploaded to the exploit kits that cleartrip.com was redirected to, and before all the malicious redirection nodes that cleartrip.com led to were active. 


The tactics that the cyber criminals used show what goes into making a legitimate website's infection less obvious and more difficult for security products to detect. These tactics included the following:  

 

  • Targeting a website's local ad system and masquerading as legitimate ads 
  • Manually intervening on a compromised website and preparing multiple domains to ensure redundancy  
  • Obfuscating available malicious toolkit redirectors to circumvent detection
  • Using advanced traffic direction system components and masquerading as a legitimate website to remain covert 
  • Using exploit kits that serve Java-based exploits only

 

 

The next image summarizes the infection redirection chain leading to the exploit website as it started from cleartrip: 

 

 

In this section, we'll take a closer look at the tactics we listed above: 

 

Tactic 1: Targeting the local ad system and masquerading as part of the legitimate ad chain

 

The attackers seemed to focus on cleartrip.com's local ad system. Having that specific component compromised allowed them to serve malicious code through ads maintained by the website itself. The ad system on cleartrip is a third-party component plugin developed by Openx. Targeting third-party plugins is a very common tactic used to compromise legitimate websites. In this instance, it looks like the attackers gained control of the website's ad system since malicious code was restricted and served from that area only. Other cases of abuse of Openx components through exploitation and serving malicious content are documented throughout the Web. 

 

"Malvertising" is another way of loading malicious code through advertisements: third-party advertisers have their ads or their infrastructure compromised, and their ads are then injected with malicious code and loaded on the sites that carry them. However, in the cleartrip attack, the local ads were served by cleartrip.com itself and not by a third party. By gaining unauthorized access to the Openx advertising component on the website, the attackers succeeded in injecting malicious code into the ads. Malicious code loaded by ads is harder to detect because ads are usually loaded from deeper path levels of the website and the malicious code blends in with the rest of the ad content. In contrast, most compromises we see in the labs tend to have injected code on the main page of a website or in pages loaded by the main page.

When we checked the IP address of the website of one of the malicious redirectors in this attack, euro-cool.in, we saw that it was hosted on IP address 85.17.122.245. A host report on that IP revealed more websites that have the same purpose and that are part of the attackers' malicious infrastructure (image 2). Some of the websites' names contain "openx," which leads us to surmise that the individual or group behind this attack is purposefully targeting websites that have the Openx plugin.

 

It's evident that the attackers were trying to blend in with legitimate ad traffic and appear to be a legitimate part of the ad chain. If you look at the detailed redirection flow in the set of images below and specifically at steps number 3 and 4, you'll clearly see keywords like "advertisement" and URL patterns that are used by legitimate ad providers, such as this on the malicious redirection stage: /banners.cgi?advert_id=1&banner_id=1&chid=341aa8fca26bcff7830499c1c5f8e359 

 

Tactic 1 summary: By targeting a local website's ad serving component and injecting code into legitimate ads served locally by a website, attackers can more easily evade detection and remain undiscovered.

 

Image 1: The Openx advertising plugin login page 

 

Image 2: Websites hosted on 85.17.122.245 (euro-cool.in)


 

Image 3: Detailed redirection flow of the attack

 

Tactic 2: Manually intervening on a compromised website and preparing multiple malicious domains to ensure redundancy  

 

The redirection chain we illustrated above led to an active exploit website; however, the malware binaries that were downloaded after successful exploitation were just stubs and didn't do anything malicious at all. It appears that the attackers didn't get a chance to upload their desired malicious files to the exploit website. In addition, the redirection chain illustrated above didn't use the illustrated websites exclusively. For example, in other locations on cleartrip.com, infected ads led to the malicious redirector euro-mary.in, which had the same purpose as euro-cool.in and was served in the same structure as euro-cool.in. But euro-mary.in was a "dead" redirect and didn't redirect to an exploit website.

 

hxxp://euro-mary.in/banners.cgi?advert_id=1&banner_id=1&chid=341aa8fca26bcff7830499c1c5f8e359

 

euro-mary.in was registered on 2012-06-26, and we believe that it was registered specifically for this attack but was, fortunately, detected before it became fully active. euro-cool.in was also registered on the same date, 2012-06-26. The domains were registered by an individual called Roman Inozemtsev, which is probably a fake name. Here are more details:

 

Admin Name:Roman Inozemtsev
Admin Organization:N/A
Admin Street1:R-N TBILISSKIY, UL. TRUDOVAYa D.18
Admin Street2:
Admin Street3:
Admin City:Tbilisskaya
Admin State/Province:Tbilisskiy r-n
Admin Postal Code:352361
Admin Country:RU
Admin Phone:+7.9060585279
Admin Phone Ext.:
Admin FAX:
Admin FAX Ext.:
Admin Email: rework11@mail.ru

 

From the tactics that we have observed so far, we believe that the attackers were manually intervening and setting up the infrastructure necessary for exploitation, and that it was being done with redundancy in mind. The attacker in this case was a bit careless: one of the malicious redirectors, euro-cool.in, was already carrying out the exploitation. However, as we mentioned, although the exploits were active, the downloaded malware was a stub and not malicious. The image below shows how the malware stubs were downloaded to the Windows temporary files folder after the exploit succeeded (image 4).

 

Tactic 2 summary:  Manually intervening on a compromised website and preparing multiple domains to ensure redundancy are ways to prolong the duration of an attack by serving several exploitation chains.

 

Image 4: Dropped stub files by the exploit kit

 

 

Tactic 3: Obfuscating available malicious tool-kit redirectors to circumvent detection

 

The code that the attackers injected into legitimate ads on cleartrip.com was obfuscated (marked as 1 and shown in red on the exploitation chain image). Once de-obfuscated, it turned out to be a known redirector tool-kit, one that is used and available in the underground for exactly this purpose: acting as a redirection point to exploit websites. The de-obfuscated code contains "decision-making" logic, meaning it detects the visiting user's browser and its version. In this case, only if the user's browser is Internet Explorer or Firefox is the user sent to the next level of the exploitation chain. The code also assigns a cookie to the user's browser so that the user can be identified at the next redirection levels.

 

Obfuscating code is a very common tactic to hide injected malicious code on legitimate websites. It can effectively hinder efforts to detect malicious code since it applies the same concept as compressing and encrypting code for malicious files with packers and crypters in order to evade known malicious code detection. Scanning the obfuscated code of the redirector toolkit yields a lower number of results from antivirus vendors than scanning the clear text code of the redirector toolkit.
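The post's point is that the obfuscated form of the redirector is what reaches the scanner, so a defender who wants to triage inline scripts on a page has to look for the traits of obfuscation itself rather than for known cleartext. The following is an added example (not Websense code and not the tool-kit discussed above) that scores each inline script on the runtime-unpacking constructs an obfuscated payload needs (eval, unescape, String.fromCharCode, document.write), on the browser-detection and cookie-setting "decision-making" calls described above, and on long runs of encoded characters. The sample HTML is constructed and inert: the encoded blob only sets the document title.

```python
"""Heuristic triage of inline scripts for signs of obfuscated redirector code.

Added example for this post; not Websense code and not the redirector
tool-kit discussed above. All sample HTML below is constructed and inert.
"""
import math
import re
from html.parser import HTMLParser

# Runtime-unpacking constructs: obfuscated code must decode itself before it runs.
UNPACK_PATTERNS = {
    "eval": r"\beval\s*\(",
    "unescape": r"\bunescape\s*\(",
    "fromCharCode": r"String\.fromCharCode",
    "document.write": r"document\.write\s*\(",
}
# "Decision-making" constructs: browser detection, cookie tagging, redirection.
FINGERPRINT_PATTERNS = {
    "userAgent": r"navigator\.(userAgent|appVersion|appName)",
    "cookie": r"document\.cookie",
    "redirect": r"(location\.(href|replace)|window\.location)",
}
# Long runs of %xx / \xNN / base64-looking characters, typical of an encoded payload.
ENCODED_RUN = re.compile(r"[A-Za-z0-9+/%\\]{60,}")


class ScriptExtractor(HTMLParser):
    """Collects the text of every inline <script> element."""

    def __init__(self):
        super().__init__()
        self._in_script = False
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            self.scripts.append("")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts[-1] += data


def shannon_entropy(text):
    """Bits per character; encoded blobs score higher than hand-written JS."""
    if not text:
        return 0.0
    n = len(text)
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def score_script(src):
    """Return a triage record for one script body."""
    unpack = [name for name, pat in UNPACK_PATTERNS.items() if re.search(pat, src)]
    fingerprint = [name for name, pat in FINGERPRINT_PATTERNS.items() if re.search(pat, src)]
    longest_run = max((len(m) for m in ENCODED_RUN.findall(src)), default=0)
    entropy = round(shannon_entropy(src), 2)
    # Flag code that unpacks an encoded blob, or that unpacks and profiles the visitor.
    suspicious = bool(unpack) and (longest_run >= 60 or len(fingerprint) >= 2)
    return {
        "unpack": unpack,
        "fingerprint": fingerprint,
        "longest_encoded_run": longest_run,
        "entropy": entropy,
        "suspicious": suspicious,
    }


def scan_html(html):
    """Score every inline script in an HTML document."""
    parser = ScriptExtractor()
    parser.feed(html)
    return [score_script(s) for s in parser.scripts]


# Constructed sample page: one ordinary ad script and one self-decoding script.
# The encoded blob is just document.title="hello", built here so the sample is inert.
_ENCODED = "".join("%%%02x" % ord(c) for c in 'document.title="hello"')
SAMPLE_PAGE = f"""
<html><body>
<script>
function showBanner(id) {{ document.getElementById(id).style.display = 'block'; }}
</script>
<div class="ad"></div>
<script>
eval(unescape('{_ENCODED}'));
</script>
</body></html>
"""

if __name__ == "__main__":
    for i, rec in enumerate(scan_html(SAMPLE_PAGE), 1):
        print(f"script {i}: {rec}")
```

The thresholds (60-character runs, two fingerprinting calls) are assumptions chosen for the sample; in practice they are tuned against the site's own minified and ad-network scripts, which also score high on entropy, so the verdict here rests on the combination of unpacking plus an encoded literal rather than on entropy alone.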

 

Tactic 3 summary: Another way to avoid detection is to obfuscate available malicious tool-kit redirectors: attackers use underground tool-kits that are reliable and proven to work, while hiding their activity behind layers of obfuscation.

 

Tactic 4: Using advanced Traffic Direction System (TDS) components and masquerading as legitimate websites to remain covert

 

The redirector on stage 2 of the attack (euro-cool.in and euro-mary.in) does not redirect directly to the exploit website, but to a Traffic Direction System on sciencedailyreview.com (marked as 3 in the exploitation chain). This system picks and chooses whether to exploit the computer. The purpose of a TDS is to scrutinize all the possible details that can be derived from the visiting user's IP address and the visiting user's browser. For example, this method is a handy way to avoid known IP ranges of security companies and IP ranges that reside in certain geographic locations that might not be of interest for the attacker to infect.

 

In this case, the TDS system resides on sciencedailyreview.com. This website mimics, and contains some code from, the legitimate website www.sciencedaily.com, a website about science. The malicious TDS in our case has two faces: if the visiting browser fulfills certain conditions, it is redirected to the exploit website; if it doesn't, it is redirected to a fake copy of a legitimate website, with content taken from www.sciencedaily.com. This fake, malicious website is even indexed by Google, serves legitimate content when visited through Google searches, and has more than 34,000 pages cached by Google (see Image 5).

 

The malicious side of sciencedailyreview.com redirects to the exploit website, but first it checks exactly which Java version is installed on the user's machine (marked as 3 in the exploitation chain). The Java version information is essential because it lets the attackers decide whether the installed Java version is vulnerable; based on that decision, the user is redirected to the exploit website and served the right Java exploit.

 

sciencedailyreview.com was registered on 2012-05-03, and its registration details are anonymous.

 

Tactic 4 summary: Using advanced Traffic Direction System (TDS) components and masquerading as legitimate websites to remain covert help evade detection and prolong the lifespan of malicious websites.

 

Image 5: sciencedailyreview.com masquerades as a legitimate website and is cached by Google search engine

 

 

Tactic 5: Using exploit kits that serve Java-based exploits only

 

The exploit website (marked as 5 in the exploitation chain) serves Java-based exploits only. Java has been one of the most commonly exploited components on user machines in the past year. In general, exploit kits target several components by holding several exploits for locally installed components like the browser, Adobe Acrobat Reader, Adobe Flash Player, Java, and more. Using several exploits can prove "noisy" and can result in detection of the exploit site. Tactically targeting one component for exploitation is more effective than targeting a few components, since doing so is a more focused, and hence "quieter," approach that reduces the chances of the kit being discovered. Java is a good choice since exploits for that platform are usually reliable and can serve several platforms (e.g., the Java framework is also installed on Mac computers). In addition, Java is an interpreted programming language, which means that, with relatively little effort, attackers can use it to obfuscate malicious code with cheap obfuscator kits that can be bought in the Black Hat underground market.

 

In our case, the exploit kit on the exploit server appeared to be the "Neosploit" exploit pack, and the exploit that was served targeted the Java vulnerability described in CVE-2012-0507. This infamous exploit was used in the Flashback mass attacks and also used in the compromise of Amnesty International UK and the compromise of the Institute for National Security Studies (Israel).

 

Tactic 5 summary: Using exploit kits that serve Java-based exploits is an effective way to evade detection.

 

Image 6: Neosploit exploit kit - this version serves only Java-based exploits

 

In this blog, we took a look at several tactics that cyber criminals employ when they compromise a legitimate website for malicious purposes. Please let us know if you have any additional insights regarding this specific incident and also, please drop us a line if you'd like to share some insights about similar compromises that you have encountered.

Faster, Higher, Stronger—Olympic Security Risks
Posted: 20 Jun 2012 06:07 PM

The 2012 Summer Olympic Games in London, England (July 27 to August 12) will mark the third time the city has hosted this event. When previous London Olympics were held in 1908 and 1948, cyberattacks weren't even the stuff of science fiction. This time around, they are a real concern. Hackers are already taking advantage of the huge explosion in search engine requests, ticket sales, online streaming, and social media postings that will occur as a result of this 17-day sports event. 

 

 

The 2008 Beijing Olympics were the target of about 12 million cybersecurity incidents per day. In February, we blogged about Olympic ticket scams associated with the 2012 London games, but that was only the beginning. Ticket scams are a major security concern due to the money involved; four years ago, tickets to the Beijing Opening Ceremony were sold on the black market for $26,000 each.

 

The U.K. government is preparing for all kinds of attacks, from actual terrorism to computer threats. Cabinet Office minister Francis Maude said, "We have rightly been preparing for some time--a dedicated unit will help guard the London Olympics against cyberattacks. We are determined to have a safe and secure Games." He added that an essential element of security is keeping updated on emerging threats: "Our responses have to be fast and flexible. What works one day is unlikely to work a matter of months or even weeks later."

 

The event has been called "the first social Olympics," and organizers anticipate social media will be more important than ever, which means online security is more of a concern than ever. Records will be broken not only on the track and in pools, but also in internet traffic. Ofcom, the U.K. telecom regulator, anticipates the wireless spectrum demand to double in London during the games. Websense® will help administrators control bandwidth consumption by using our Advanced Classification Engine™ (ACE) to classify streaming media and internet video from the Olympics into the Special Events category.

 

Games organizers have set up an Olympic Athletes' Hub to encourage connection among competitors and fans, but at the same time, have imposed some very strict limits on how they can use social media. We first heard back in January from a friend who is one of the 70,000 Games Makers volunteers that she and her colleagues were warned their social media use might compromise the reputation and security of the event.

 

Ticket purchasers are also being told that they may not "license, broadcast or publish video and/or sound recordings, including on social networking websites and the internet more generally, and may not exploit images, video and/or sound recordings for commercial purposes under any circumstances, whether on the internet or otherwise, or make them available to third parties for commercial purposes."

 

Whether any of this will or even can be enforced remains to be seen. The official IOC guidelines apply (in theory) only to "participants and other accredited persons," but there is a great deal of confusion and concern about what can and can't be shared, and by whom. U.K. legal consultant Rachel Boothroyd provides a useful overview, guidelines, and summary primarily for social media professionals.

 

Anyone can be targeted by email scams abusing the "London 2012" name, claiming the recipient has won tickets or a large amount of money from a nonexistent "Olympics lottery." The recipient is given a claim number and told to contact a claim agent—and of course, advised to keep the information confidential until the prize is claimed, to avoid spreading the word about the scam. As we have seen in many previous email scams, victims are told they have to make some kind of payment to claim their prize. An official lottery will pay you right away and will not require payment to release your winnings. Email scams often give themselves away through poor use of English, misspellings, U.K. phone numbers starting with 070, and personal email accounts like Gmail or Hotmail accounts. 

 

Common sense may keep you safe in most situations, but hackers and spammers are quickly coming up with new ideas on how to attract and take advantage of new victims. 

 

Websense is protecting our customers from scams and other security problems with ACE, our Advanced Classification Engine.

Elisabeth Olsen

Drawing the line on government censorship
Posted: 18 Jun 2012 05:13 PM

Governments all over the world attempt to restrict what their citizens can see and do online. French NGO Reporters Without Borders compiles annual lists of countries classified as "Enemies of the Internet" and "Under Surveillance". These classifications represent various means of restricting the free flow of information, ranging from blocking access to arresting dissident bloggers, and worse.

 

Google is often asked to censor search results or remove YouTube videos, and of course such requests can be perfectly legitimate in the case of defamation, hate speech, and pornography. Google lists removal requests from government agencies and courts in its Transparency Report, and indicates if the material was removed and why (for example, YouTube videos promoting terrorism violate the site's Community Guidelines). In other cases, access to material is restricted in certain countries to comply with local legislation.

 

Making such decisions is extremely difficult. As any traveler visiting other countries discovers, what is objectionable "around here" may be perfectly acceptable "over there," and vice-versa. 

 

Broad censorship of the Internet by governments and restriction of citizen access run counter to Websense Policy on Government-Imposed Censorship. Websense is a member of the Global Network Initiative, a consortium of information and communications technology companies, civil society organizations, and investors and academics whose goal it is to protect and advance the rights to privacy and freedom of expression. Executive Vice President and CFO Mike Newman recently participated in the inaugural Learning Forum in Washington, D.C., where he was a panelist for sessions on "Digital Freedoms in International Law: Practical Steps to Protect Human Rights Online" and "Policy Engagement on Business and Human Rights in the ICT Sector".

 

Websense, Inc. does not engage in any arrangement with foreign governments (or government-imposed arrangements) that could be viewed as oppressive of rights.

 

 

Believe it or not—even MORE internet porn
Posted: 12 Jun 2012 05:19 PM

 

In December of 2011, we blogged about the approval of the .xxx TLD (top-level domain) and discussed issues related to how these sites are categorized and how legitimate companies could avoid having their reputation damaged through an .xxx registration.

 

Under the banner "The Evolution of Online Responsibility," ICM Registry, the company behind .xxx, is now trying to establish .sex, .porn, and .adult to expand its online offerings. A company spokesman says it is prepared to battle for other sex-related TLDs in order to protect its turf, citing the firm's security and trademark protection practices, as well as its zero-tolerance policy toward child sex abuse.

 

The company's position is that .xxx is "designed specifically for the global adult entertainment industry as a trusted brand, globally recognized and extolling responsible and safe behavior," because "the website operators is [sic] operating under self regulatory, published guidelines and policies." In addition, they argue that using TLDs exclusively for "adult entertainment" - including the three proposed new TLDs - helps ensure that users who don't wish to see such material can avoid it.

 

This is part of a major expansion in TLDs. Despite a number of glitches in the process, ICANN has reportedly received more than 1,900 proposals for new domain names and will reveal the list in a press conference on June 13.

 

It's important to note that online pornography will not be limited ONLY to these TLDs. 

Today, you can keep up with the ICANN announcement by following the ICANN Reveal Day.

 

Websense is following the evolution of TLDs in order to ensure coverage for our customers, and our security solutions are protecting them with ACE, our Advanced Classification Engine.


RM

Spoofed Xanga malicious emails, similar to Craigslist campaign
Posted: 07 Jun 2012 07:43 PM

Hot on the trail of yesterday's spoofed Craigslist malicious emails comes another variant, spotted today. This one spoofs a Xanga blog notification about a comment on your blog. So far we have seen about 140,000 of these in our Cloud Email Security portal.

Websense Email Security and Websense Web Security protect against this kind of blended threat with ACE, our Advanced Classification Engine.

Let’s look at a sample.

Subject: New Weblog comment on your post!

 

 

As we can see, the "Click here to reply" link goes to this URL:

hxxp://www.1000sovetov.kiev.ua/wp-content/themes/esp/wp-local.htm

The target site contains obfuscated JavaScript that redirects to URLs like:

hxxp://pushkidamki.ru:8080/forum/showthread.php?page=5fa58bce769e5c2c

Those are the sites that host the exploit kit.

Basically, the lure has changed, but the URLs suggest this is all part of the same malicious campaign. We can probably expect a few more themes in the coming weeks, as the cybercriminals try to broaden their victim base.

 

A little peek behind the curtain here shows how the Websense® Security Labs™ ThreatSeeker™ Network categorizes the URLs in real time, similar to the way our products do real-time categorization for customers:

 

 

More detailed analysis of the URL behavior can be found here.

To summarize, the number of emails and varying themes suggest this is not targeted against specific users (Xanga today, Craigslist yesterday), but rather a more typical attempt to cast a broad net. We will be on the lookout for more developments; we anticipate other variants will surface soon.

 


Ran Mosessco

Malicious URLs in Fake Craigslist Emails
Posted: 06 Jun 2012 11:06 AM

Today, Websense® Security Labs™ ThreatSeeker™ Network has seen a barrage of malicious emails pretending to be automated notifications from Craigslist. These emails instruct the recipient to click a link to complete a Craigslist request. The URLs in these emails redirect the user to malicious web sites hosting Blackhole Exploit Kit. So far we have seen over 150,000 of these emails in our Cloud Email Security portal. Websense Email Security and Websense Web Security protect against this kind of blended threat with ACE, our Advanced Classification Engine.

 

The emails have subject lines like:

POST/EDIT/DELETE : "Models for fine" (systems / network)

POST/EDIT/DELETE : "Studio4PaintWorkCatskills" (education)

POST/EDIT/DELETE : "Show Your Art" (cars+trucks)

 

The malicious emails are similar in appearance to legitimate Craigslist automated email notifications, including a legitimate looking sender address and name:

 

 

 

Here we can see the headers and SMTP transaction, showing the Craigslist sender address and mail server:

 

 

Clicking on the link takes the victim to a compromised WordPress page containing obfuscated JavaScript:

 

 

After deobfuscation, we can see an iFrame redirection to a malicious web site:

 

 

The malicious website tries to exploit the victim's computer using vulnerabilities such as:

CVE-2010-0188

CVE-2010-1885

 

More details can be found here.

The original links in the emails were detected by ACE in real-time using our Real-Time Security Scanner. In addition, we have increased the proactive detection of similar campaigns to our email security customers.
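Both this campaign and the Xanga variant above share one trait that is easy to check mechanically: the message claims to be an automated notification from a well-known service, yet the action link leads to a third party's compromised WordPress site. The following is an added example (not Websense code) that parses a raw message, takes the domain the From: header claims, extracts every URL from the body, and flags links whose registrable domain differs from the sender's, with an extra note for paths under /wp-content/ as seen in these two campaigns. The two messages and all domains in it are constructed.

```python
"""Flag notification e-mails whose links point away from the claimed sender domain.

Added example for the Craigslist and Xanga posts; not Websense code.
Both sample messages, their domains and URLs are constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def registrable_domain(host):
    """Crude eTLD+1: the last two labels of a hostname (enough for this check)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def body_text(msg):
    """Concatenate the decoded text/plain and text/html parts of a message."""
    out = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True) or b""
            out.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(out)


def triage(raw_message):
    """Compare every body link against the domain the From: header claims."""
    msg = message_from_string(raw_message)
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = registrable_domain(sender.rsplit("@", 1)[-1]) if "@" in sender else ""
    links = URL_RE.findall(body_text(msg))
    offsite = [u for u in links
               if registrable_domain(urlparse(u).hostname or "") != sender_domain]
    # Signal specific to these campaigns: links into a third party's WordPress theme tree.
    wp_paths = [u for u in offsite if "/wp-content/" in urlparse(u).path]
    return {
        "sender_domain": sender_domain,
        "links": links,
        "offsite_links": offsite,
        "wordpress_paths": wp_paths,
        "suspicious": bool(offsite),
    }


# Constructed sample 1: a notification whose confirm link stays on the sender's domain.
LEGIT = """From: "Example Notices" <noreply@example.org>
To: user@example.com
Subject: POST/EDIT/DELETE : "Sample listing" (constructed)
Content-Type: text/plain; charset=utf-8

Click to confirm your request: https://post.example.org/confirm/abc123
"""

# Constructed sample 2: same claimed sender, but the link leads to another site's
# WordPress theme directory, the pattern seen in both campaigns.
LURE = """From: "Example Notices" <noreply@example.org>
To: user@example.com
Subject: POST/EDIT/DELETE : "Sample listing" (constructed)
Content-Type: text/html; charset=utf-8

<p>Click <a href="http://blog.example.net/wp-content/themes/demo/local.htm">here</a> to reply.</p>
"""

if __name__ == "__main__":
    for name, raw in (("legit", LEGIT), ("lure", LURE)):
        print(name, triage(raw))
```

A real gateway would also verify the sender with SPF or DKIM, since a spoofed From: header is itself the lie; this check is the complementary one that still works when the spoofed domain has no such records, and it will also flag legitimate mail that carries offsite links, so it is a triage signal rather than a verdict.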

 


Ran Mosessco

Reports of 6.4 Million Stolen LinkedIn Passwords
Posted: 06 Jun 2012 03:44 PM

LinkedIn is investigating reports that approximately 6.4 million user passwords have been posted on the Web. While the breach is still unconfirmed by LinkedIn (as of the time that we wrote this blog), they have acknowledged on their Twitter feed that their investigations have begun.

If you're a LinkedIn user, Websense® Security Labs™ recommends that you change your password immediately to help prevent your password from falling into the wrong hands.

 

After retrieving the password files that are being distributed on forums in the .ru TLD space, it appears that the passwords are hashed. However, based on samples seen by us, it has not been computationally difficult to translate them into clear text. Our initial investigations reveal that a password of "linkedin" features heavily.

It is uncertain how the hackers retrieved the stolen passwords; however, the passwords that users are finding in the hashed files do appear to be real.  We have identified the locations of several such password files and have classified those locations as Hacking.

 

 

So you may be asking: how can this list of stolen passwords be used by a hacker?

The most potentially damaging combination would be using the corresponding username in conjunction with the stolen password. With this combination, you can imagine how a hacker may access an individual's LinkedIn account.

Once access to LinkedIn is obtained, or any social network for that matter, it could be possible to send direct messages to contacts within the network or to potentially auto-post on related social networks, thus harming the reputation of the individual or the business they may represent.

Now that hackers have a long list of potential passwords used, brute force attacks could become easier to conduct as a result of having this intelligence.

 

Even if these reports remain unconfirmed, it is definitely a good time to adopt sound practices around password security to help protect against malicious activity.

We in the Security Labs would like to offer the following recommendations:

  • Change your password regularly.
  • Ensure your password is suitably complex both in content and length; using a combination of numeric and alphabetic characters is a wise idea, as is mixing upper and lowercase characters with punctuation marks. Longer passwords are preferable.
  • Do not use the same password across multiple services.
  • If the website you are connecting to has the option of using the HTTPS protocol, as opposed to HTTP, make use of that.
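The post notes that the leaked passwords were hashed yet "not computationally difficult to translate into clear text", and that "linkedin" featured heavily. The following is an added example (not Websense code) showing why both observations follow from the hashing scheme rather than from any cleverness on the attacker's side. The post does not say which hash the leaked file used; the weak side of the example assumes an unsalted fast hash (SHA-1) purely for illustration. Against it, the example implements salted PBKDF2 so that equal passwords no longer produce equal hashes and each guess costs real work, and it turns the recommendations above into a policy check. All passwords and hashes are constructed and computed locally.

```python
"""Why a leaked hash file is only as strong as the scheme behind it.

Added example for this post; not Websense code. The post does not state the
hash used in the leaked file; unsalted SHA-1 is assumed here for illustration
only. Sample passwords are constructed.
"""
import hashlib
import hmac
import os
import string


# --- weak scheme: one fast, unsalted hash per password -----------------------
def sha1_unsalted(password):
    return hashlib.sha1(password.encode()).hexdigest()


def crack_unsalted(leaked_hashes, wordlist):
    """Match unsalted hashes against a wordlist with one hash computation per word.

    Equal passwords produce equal hashes, so every account that chose the same
    word falls to the same single lookup.
    """
    table = {sha1_unsalted(w): w for w in wordlist}
    return {h: table[h] for h in leaked_hashes if h in table}


# --- stronger scheme: per-user salt and a deliberately slow KDF ----------------
ITERATIONS = 200_000  # raise as hardware gets faster


def hash_password(password, salt=None):
    """Return 'salt$digest' (hex) using PBKDF2-HMAC-SHA256 with a random salt."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt.hex() + "$" + digest.hex()


def verify_password(password, stored):
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), ITERATIONS)
    # Constant-time comparison so verification timing leaks nothing about the digest.
    return hmac.compare_digest(candidate.hex(), digest_hex)


# --- the post's recommendations as a policy check ------------------------------
def check_policy(password, min_length=12):
    """Return a list of violations; empty means the password passes."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ]
    if sum(classes) < 3:
        problems.append("fewer than three character classes")
    return problems


# Constructed sample: two users chose "linkedin", one chose a long mixed passphrase.
SAMPLE_PASSWORDS = ["linkedin", "linkedin", "correct-horse-Battery-42"]
COMMON_WORDS = ["password", "linkedin", "123456", "qwerty"]


def demo():
    """Contrast what a leak reveals under each scheme."""
    leaked = [sha1_unsalted(p) for p in SAMPLE_PASSWORDS]
    salted = [hash_password(p) for p in SAMPLE_PASSWORDS]
    return {
        "unsalted_recovered": crack_unsalted(leaked, COMMON_WORDS),
        # Unsalted: identical passwords are visible as identical hashes before any cracking.
        "duplicates_visible_unsalted": len(set(leaked)) < len(leaked),
        # Salted: the same two passwords now hash to different values.
        "duplicates_visible_salted": len({s.split("$")[1] for s in salted}) < len(salted),
        "policy": {p: check_policy(p) for p in set(SAMPLE_PASSWORDS)},
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The policy thresholds (12 characters, three character classes) are assumptions for the example; the post's own advice is "longer is preferable" and "mix classes", which the check encodes without fixing the numbers. Note that the policy check cannot enforce the third recommendation, not reusing a password across services; that one only a user (or a password manager) can keep.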

Carl Leonard

©2013 Websense, Inc. All Rights Reserved.