Websense Security Labs Blog

Websense Security Labs discovers, investigates and reports on advanced Internet threats that traditional security
research methods miss.

Latest Blog Posts

(November 2012) Posts

Personalized Letters From "Scamta" Claus

Posted: 30 Nov 2012 09:21 AM | Carl Leonard | no comments

With Christmas fast approaching, the Websense® ThreatSeeker™ network, replete with festive sleigh bells and twinkling lights, has detected a marked increase in spam emails seeking to exploit fans of the big man himself: Santa Claus. Whilst Santa, along with his ever-loyal team of elves, reindeer and, of course, Mrs Claus, is no doubt working through the mountain of letters and wish lists from the world's good little boys and girls, some bad little boys and girls are looking to capitalize on his backlog of correspondence by claiming to offer alternative services that ensure your 'little ones' receive personalized responses.

Forex Website Targeted: Did Cybercrooks Find the Weakest Link in Online Money Management Services?

Posted: 28 Nov 2012 02:29 AM | Anonymous | no comments


The Websense® ThreatSeeker® Network has detected that a FOREX trading website was injected with a malicious Java applet, which could install malware on the systems of the site's users. FOREX is the foreign exchange market, where international currencies are traded; nowadays it is used by millions of people around the world.


The targeted website is a popular FOREX website called "Trading Forex," located at hxxp://tradingforex.com. One of the questions raised by such a compromise is whether some cybercriminals are shifting their focus from the mainstream online money management systems of banks and stock exchanges to "easier wins": online systems and services that are likely to be less mature from a security perspective. Another interesting fact is that the backdoor dropped at Trading Forex is written in Visual Basic .NET and requires Microsoft's .NET Framework to be installed and operational on the victim's computer.


Websense customers are protected from these and other threats by ACE, our Advanced Classification Engine.

Black Friday/Cyber Monday Survival Guide

Posted: 23 Nov 2012 01:00 AM | Carl Leonard | no comments

Many of our colleagues, customers and readers will by now have enjoyed their fill of turkey and pumpkin pie for Thanksgiving and are preparing for a second day of festivities with the arrival of Black Friday. For North American retailers and consumers, this traditionally marks the start of the holiday shopping season, and although for many it is not observed as a national holiday, more and more retailers across the globe are launching Black Friday promotions in order to entice consumers and increase sales. Additionally, given that Black Friday is typically a physical 'bricks-and-mortar' retail affair, online retailers seek to continue the shopping frenzy with additional offers, promotions and sales on Cyber Monday, a marketing term coined in 2005 by Shop.org.



The Strange Case of the inte1sat Domain Name

Posted: 20 Nov 2012 01:33 AM | Anonymous | no comments


Thanks to the Websense® ThreatSeeker™ Network, Websense Security Labs recently detected an unusual domain name that we have analyzed. The domain name, "inte1sat", substitutes the number "1" for the lower-case letter "l", an example of "leet" substitution, a practice that surfaced in the 1980s and is still used today. (Leet is a method of constructing words by substituting numbers for letters.)


The first step in our investigation was to look into the content of the URL: hxxp://www.inte1sat.com:

As so often happens, the content revealed what appeared to be another Java exploit attempt. We decided to set aside content analysis for the moment and instead investigate the domain name spelled in its normal alphabetic form: "Intelsat.com". Googling Intelsat.com, we learned that it is a company involved in satellite technologies and satellite-enabled services (including IP trunking, telecommunications, and more).

Websense 2013 Security Predictions

Posted: 14 Nov 2012 02:17 PM | Chris Astacio | no comments

From mass Wordpress compromises to a spear-phishing attack on the White House, there is no doubt cybercriminals gained confidence and momentum in 2012. Websense® Security Labs™ looked at recent security and attack trends to come up with hypotheses of the anticipated evolution of threats in...


Long Live the Injection, and how it Affects YOU!

Posted: 09 Nov 2012 02:40 AM | Anonymous | no comments

Cyber criminals are trying to find ways to increase the life cycle of injections in Web sites. Usually, when an attacker gains control of a site, the life span of the code injected into that site depends on how quickly the Web site administrator notices the malicious content added to their Web pages.


One of the tactics that cyber criminals now employ to increase the life span of injected code is to install rogue modules onto compromised Web servers. These modules hide themselves, and the presence of an injection, from system and Web site administrators, security researchers, and criminal competitors.


Image 1: The red arrow below shows the difference between the life span of typical malicious injected code and code injected by a rogue Apache module:

Iranian Firefighters' Website Compromised to Serve VertexNet RAT

Posted: 01 Nov 2012 03:00 AM | Anonymous | no comments


Thanks to the Websense® ThreatSeeker™ Network, we have detected that an Iranian website has been compromised to serve a Remote Administration Tool (RAT) called VertexNet. This website does not have a high Alexa rank, but it is one of a few cases that has caught our attention. The targeted website (reachable at the URL hxxp://www.sarifire.ir) seems to be a portal documenting the activities of firefighters in the city of Sari, in northern Iran. Given Iran's high profile in recent news stories, we decided to analyze this case. At this time, the website still seems to be injected, as shown below: