Websense Security Labs Blog

Websense Security Labs discovers, investigates and reports on advanced Internet threats that traditional security
research methods miss.

Latest Blog Posts


(July 2012) Posts

You may be Surprise too receive this letterfrom me. . .

Posted: 18 Jul 2012 06:22 PM | RM | no comments


You've almost certainly received an email similar to the one below.

 

Despite being well-known and transparent, the Nigerian email scam (also known as the 419 scam, a reference to the article of the Nigerian Criminal Code that such activities violate) retains its place on the list of top ten internet/email scams for 2012, and still results in millions of dollars of financial loss--and sometimes worse--for its victims. We've already blogged about a particularly amusing example caught in one of our honeypots, and a variant that adds phishing to the risks.

...


Braaaaaaaaaaaiiiiiiiiiiiiiins!

Posted: 16 Jul 2012 06:23 PM | RM | 1 comment(s)


Here in Websense's own backyard, the 2012 San Diego Comic-Con has just folded up its superhero cape after four days of workshops, film screenings, panel discussions, and collectible exhibits. Beginning in 1970 with a one-day event and 145 attendees, Comic-Con now caps attendance at about 130,000 and brings in about $162.8 million to our local economy. Judging by some of the costumed attendees we spotted downtown over the weekend (at least we hope that's what they were), zombies are an increasingly popular theme.

As we observed the undead shuffling around near the Convention Center in search of human brains, we couldn't help but reflect on some obvious parallels between the zombie apocalypse and the security threats we face down every day here at Websense. Night of the Living Bots! Compromised hosts as digital zombies! Think about it: zombies eat brains; in the security world, "brains" are confidential/proprietary data, customer data, and secrets. Zombies take over their hosts; so do bot networks. Zombies attack in hordes, just like large-scale spam and DoS attacks. Coincidence? We think not.

Fortunately, the world has been dealing with the zombie threat long enough to have established some Best Practices from the movie "Zombieland" to help survive an attack. These also have parallels in the security arena.

Rule No. 1: Cardio. "Zombies lead a very active lifestyle. So should you." The fitter you are, the better your chances of outrunning the undead. Websense pumps it up with up-to-the-millisecond proactive classification in real time, keeping you a step ahead of security threats--always the safest place to be.

Rule No. 2: The Double Tap. "Just because the zombie is down is no reason not to finish it off." The Websense double tap is to classify and block both outbound malicious traffic and outbound proprietary data. Threats are down and OUT.

Rule No. 3: Beware of Bathrooms. "Zombies smell when you are at your most vulnerable." Websense classifies and blocks cesspool websites based on poor web reputations, keeping you, your systems and your data clean and minty fresh.

Rule No. 4: Avoid Strip Clubs. "Hang out in sleazy places, and bad things are likely to happen." Websense goes there so you don't have to, hanging out where malware does in order to classify objectionable content before it finds you.

Rule No. 5: The Buddy System. "Why don't zombies attack each other? Possibly a herd instinct keeps them safe and you should do the same." The ThreatSeeker network has your back.

Beyond the established and internationally recognized canon of zombie-fighting rules, we've added a few new wrinkles. Bona fide professional zombie hunters Columbus, Tallahassee, Wichita, and Little Rock are available through Websense CSI to help you determine if you are under a zombie attack and, more importantly, to help you fight back and survive. ThreatScope, our very own version of...


New spear of Black Hole exploit kit targets Java Vulnerability CVE-2012-1723

Posted: 15 Jul 2012 01:00 PM | uwang | no comments


In early July, an update was issued to the Blackhole exploit kit targeting Java vulnerability CVE-2012-1723. The vulnerability can be used to evade the JRE (Java Runtime Environment) sandbox and load additional Java classes in order to perform malicious actions. Details about the vulnerability are here. Many of the websites currently used in this attack and detected by the Websense® ThreatSeeker® Network are newly registered websites. Websense customers are protected from this threat with our Advanced Classification Engine (ACE), which employs multiple methods to detect exploit kits both generically and specifically in real time.

Looking at the past three years, the Java platform has been one of the most popular platforms targeted by attackers. Java was designed to be portable, meaning it works on virtually all computer operating systems, including Windows, Mac, and Linux. We still remember the Mac OS malware Flashback, which infected over 600,000 Apple computers worldwide in April 2012 using Java vulnerability CVE-2012-0507. Even now, we still see many exploit kits that use CVE-2012-0507.

Here are the Java platform vulnerabilities used in the wild since 2010:

CVE-2010-0094
CVE-2010-0840
CVE-2010-0842
CVE-2010-0844
CVE-2010-3552
CVE-2010-0886
CVE-2010-4452
CVE-2011-3521
CVE-2011-3554
CVE-2012-0507
CVE-2012-1723

Although Oracle released a patch in June for the latest vulnerability, cyber criminals are targeting machines that have not yet been updated. We recommend updating the Java platform, if you have one installed, as soon as possible. Also, consider disabling the Java plugin in your web browser to reduce the risk if you rarely use it.


Raising DNSchanger Malware Awareness

Posted: 05 Jul 2012 08:42 PM | Mary Grace Timcang | no comments


The cyber trenches are awash today with news of DNSChanger malware. This post adds to previous efforts to alert the public that they could lose their internet service this coming Monday, July 9. DNSChanger malware takes control of a user's DNS settings, which cyber criminals use to direct unsuspecting users to fraudulent sites or simply to interfere with a user's online activities. Inarguably, these infected servers are going to be taken down, spelling trouble for thousands of users who will lose their internet connections.

The Trojan changes the DNS settings to IP addresses in the following ranges:

85.255.112.0 through 85.255.127.255
67.210.0.0 through 67.210.15.255
93.188.160.0 through 93.188.167.255
77.67.83.0 through 77.67.83.255
213.109.64.0 through 213.109.79.255
64.28.176.0 through 64.28.191.255

According to reports, the problem surfaced when an online advertising scam, operated by international hackers, took control of approximately 570,000 computers worldwide. The FBI estimates more than half of these machines are still infected; 60,000 or more are believed to be in the United States. Infected machines have their antivirus software disabled, while users experience slowness when surfing the Web. Several ISPs and companies, including Google, Facebook and Comcast, have released notifications to their customers about this event. The FBI got involved as well and has set up a website, http://www.dcwg.org, for consumers to check their DNS. More information on DNSChanger malware is available here.

Here's a screenshot of a machine infected by the DNSChanger malware:

Checking this DNS IP in http://www.dcwg.org confirms it's rogue:

We may also see malware, spam, or scam campaigns associated with news about the DNSChanger malware. As a precaution, be careful when clicking links in notification emails claiming to be from your ISP, or links on Facebook posing as information on DNSChanger malware. These may be spoofed emails or links designed to download malware or take you to a malicious website. Websense® security solutions protect against all known variants of the Trojan.
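The manual check the post describes (compare the configured resolver against the six published ranges) is easy to script. The following is an added example, not Websense's or the DCWG's code; it uses the ranges quoted in the post and a constructed resolv.conf sample.

```python
"""Flag resolver addresses that fall inside the DNSChanger rogue DNS ranges."""
import ipaddress
import re
from typing import List

# The six ranges named in the post, as (first address, last address).
DNSCHANGER_RANGES = [
    ("85.255.112.0", "85.255.127.255"),
    ("67.210.0.0", "67.210.15.255"),
    ("93.188.160.0", "93.188.167.255"),
    ("77.67.83.0", "77.67.83.255"),
    ("213.109.64.0", "213.109.79.255"),
    ("64.28.176.0", "64.28.191.255"),
]

# Collapse each first/last pair into CIDR networks so membership tests are cheap.
ROGUE_NETWORKS = [
    net
    for first, last in DNSCHANGER_RANGES
    for net in ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    )
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def is_dnschanger_resolver(addr: str) -> bool:
    """True if addr lies inside one of the rogue ranges."""
    ip = ipaddress.IPv4Address(addr)
    return any(ip in net for net in ROGUE_NETWORKS)


def rogue_resolvers(resolv_conf: str) -> List[str]:
    """Return the 'nameserver' addresses in resolv.conf text that fall inside
    the DNSChanger ranges, deduplicated and in the order seen."""
    hits: List[str] = []
    for line in resolv_conf.splitlines():
        if not line.lstrip().startswith("nameserver"):
            continue  # skip comments, 'search', 'options', blank lines
        for addr in IPV4_RE.findall(line):
            try:
                if is_dnschanger_resolver(addr) and addr not in hits:
                    hits.append(addr)
            except ipaddress.AddressValueError:
                continue  # malformed octet such as 300.1.1.1; not an address
    return hits


# Constructed sample: one legitimate resolver and one inside a rogue range.
SAMPLE_RESOLV_CONF = "# constructed sample\nnameserver 8.8.8.8\nnameserver 85.255.112.36\n"

if __name__ == "__main__":
    print(rogue_resolvers(SAMPLE_RESOLV_CONF))  # ['85.255.112.36']
```

A non-empty result means the machine's resolver points into the ranges the post lists and should be corrected before the replacement servers go offline.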


The official website of GoPro is compromised to serve malicious code

Posted: 04 Jul 2012 05:24 PM | Elad Sharf | 2 comment(s)


The Websense® ThreatSeeker® Network has detected that the official website of GoPro (at gopro.com), the popular brand for "wearable" cameras, has been compromised and injected with malicious code. We have contacted GoPro to let them know about the compromise, but to date we have not heard back from them.


Websense customers are protected from this threat with ACE, our Advanced Classification Engine.



...
