Websense Security Labs Blog

Websense Security Labs discovers, investigates and reports on advanced Internet threats that traditional security
research methods miss.


(October 2012) Posts

What Happens if a PPC Company Website is Compromised to Serve jRat?

Posted: 18 Oct 2012 03:23 PM | Anonymous


Thanks to the ThreatSeeker Network, we have discovered another interesting case of malicious web injection. This one tries to install a Java-based back door on visitors' systems. Its target is the pay-per-click company PocketCents, which has recently been targeted by two additional attacks. This company's business makes it a really interesting target for this type of attack. Given the intensive tracking it advertises in its mission statement, it seems likely that the attackers could be interested in customer information and user accounts. How better to get that information than with a back door installed on each visitor's machine?





Breaking News: The Malicious USA Presidential Spam Campaign has Started

Posted: 10 Oct 2012 03:45 PM | Anonymous


The Websense® ThreatSeeker® Network has detected a spam campaign that tries to exploit recipients' interest in the current presidential campaign in the US. Specifically, we have detected thousands of emails with this kind of content:



As noted recently, we are seeing an increasing number of spam campaigns with malicious links that lead to BlackHole exploit pages.




Phishing for Apple IDs

Posted: 08 Oct 2012 03:27 PM | Anonymous | no comments

The Websense® ThreatSeeker® Network has detected a phishing campaign whose potential victims are holders of an Apple ID account. An Apple ID allows you to buy new apps, make a customer workshop reservation at an Apple Retail Store, or buy music and multimedia content from the iTunes Store. You...


When Less is More: The Growing Impact of Low-Volume Email Attacks

Posted: 05 Oct 2012 01:00 AM | Ran Mosessco | no comments

Here at Websense® Security Labs, we often blog about big malicious campaigns and how our products protect our customers from them. But what about smaller campaigns that are no less dangerous? 


Broad campaigns often spoof notifications from well-known businesses, establishments, organizations, and agencies, and are very widespread these days. However, smaller-volume campaigns can sometimes be as dangerous (or even more so) by bypassing the victim's defenses.


Last week, the Websense ThreatSeeker® Network intercepted one such campaign. This small-volume, malicious campaign targeted businesses with legitimate-looking emails that refer to items like purchase orders, quotes, and supply information. All of these emails had attachments that install variants of the popular Zeus malware on the victim's computer.


Websense Cloud Email Security quarantined these emails as containing a potential virus before most of the malicious attachments were detected by antivirus (AV) engines. ACE, our Advanced Classification Engine, provides the extra layers of protection that help Websense Cloud Email Security protect customers against a wide array of threats.



Hook, line and sinker: the dangers of Location-Based Services

Posted: 04 Oct 2012 09:41 AM | RM | no comments

Any new technology involves potential risks as well as potential benefits. Location-Based Services (LBS) are a case in point. Mobile apps using geolocation information are increasingly popular, offering people new ways to connect with nearby friends or find people with shared interests. Advertisers can...


Unsolicited Secret Admirers Via Email

Posted: 02 Oct 2012 08:47 AM | Carl Leonard | no comments

The Websense® ThreatSeeker® Network has detected an unsolicited email campaign in which love-struck or curious recipients may have their appetites whetted by the thought of a secret admirer. Although Websense customers are protected from this and other threats by ACE™, our Advanced Classification Engine, this post provides an insight into the campaign, which appears to be on the increase today.


The messages, sent from various Yahoo.com accounts, suggest that the sender has "to let you know how [they] feel" and provide an enticing Facebook link to "View Your Ecard".




Wagamama site compromised, but noodles are still good

Posted: 01 Oct 2012 09:09 AM | Anonymous | no comments

The Websense ThreatSeeker Network has detected that the Web site hxxp://goeast(dot)wagamama(dot)com, which belongs to Wagamama (a Japanese and sushi restaurant chain), has been compromised and injected with malicious code, in what is known as a RunForestRun attack.

The RunForestRun attack exploits a vulnerability in Parallels Plesk to obtain user account credentials; the compromised accounts are then used to modify JavaScript files. As shown below, the modification consists of an obfuscated script. When this script is run, it deobfuscates to an iframe with pseudo-randomly generated URLs (in this case based on date and time). The resulting malicious URL leads the user to a tool that is well known and widely used in the underground community: the Blackhole Exploit Kit.

Websense customers are protected from this threat with ACE, our Advanced Classification Engine.

