Websense Security Labs Blog

Websense Security Labs discovers, investigates and reports on advanced Internet threats that traditional security
research methods miss.

Latest Blog Posts

View all posts > 

(January 2013) Posts

The CVE-2012-4792 and the Spear-Phishing Rotary Domains (Part 1)

Posted: 31 Jan 2013 01:20 AM | Anonymous | no comments


Thanks to our ThreatSeeker® technology, it has been possible to detect a domain which we believe is involved in a spear phishing campaign against the users of a Rotary Club online service.  The Rotary Club (also called Rotary International) is an organization that provides humanitarian services, encourages high ethical standards in all vocations, and promotes charity actions. Since the Rotary Club is a worldwide organization, each country has a number of  local "clubs" for each region and they have also established an online service called  "Rotary eClub".  


Specifically, we discovered another attempt to exploit the Internet Explorer vulnerability CVE-2012-4792, which was discovered in a "water holing" attack against the USA Council of the Foreign Relations Web site (http://www.cfr.org). The results of our analysis were in accordance with those reported in this blog: apparently another worldwide campaign against several organizations which have in some way attracted the interest of the attackers due to the specific audiences for their sites. In this first part of the analysis, we will report our investigation into the obfuscated code and the exploit code detected. In the second part, we will present the analysis of the unusual mechanism implemented in the shellcode that runs the malware which is installed if the exploit is successful. We will also look at some details of the malware behavior and expose some details behind the involved domains and the infrastructure of this attack.  


The suspicious domain in our analysis is "rotary-eclubtw.com", which has apparently been registered to target the Taiwanese users of the Rotary eClub service as shown in the following screenshot:






Can't Sleep? Let's Count a Typosquat Hive

Posted: 30 Jan 2013 07:27 AM | Carl Leonard | no comments

The Websense® ThreatSeeker® network has uncovered a typosquat hive hosting hundreds of hosts targeting well-known brands.  This hive constantly moves around to evade detection.  Numerous popular brands are being abused – can you spot the difference between these scam URLs and the real ones?




Upon further analysis we discovered a connection between those hosts:


  1. Most of them are hosted on the same IP address,
  2. They lead to scam survey websites and spam websites.
  3. They attempt to circumvent detection and lie low by periodically shifting from serving threats to serving default parking pages without threats.


The Hunt for Red October

Posted: 21 Jan 2013 04:30 PM | RM | no comments

“Red October” in the title of Tom Clancy’s bestselling novel referred to a Soviet submarine whose silent propulsion system made it undetectable to sonar. It’s a fitting name for the sophisticated cyber-espionage network that has recently been identified after collecting high-level...


New Java Zero Day Used In Exploit Kits

Posted: 10 Jan 2013 10:47 AM | Chris Astacio | no comments

Websense Security Labs™ is following reports that a new Java zero day vulnerability ( CVE-2013-0422 ) is being exploited in the wild by exploit kits. Early this morning, a researcher who goes by the handle Kafeine disclosed that he has started seeing exploits of a new Java vulnerability appearing...


Fraudulent e-Commerce Websites Exploit the Post-New Year’s Day Sales Drive

Posted: 09 Jan 2013 04:33 AM | Anonymous | no comments

As we welcome the New Year, we must be aware that the bad guys will use every opportunity to exploit events of a positive and negative nature. Yes, even the recent disastrous weather experienced on the east coast of the United States was exploited to try and obtain valuable information that could be used for identity and monetary theft from grief-stricken or worried families and friends.


The New Year and its first month brings with it the familiar drive of businesses trying to clear stock, slashing prices to entice us to part with our money and to snap up a bargain in the process. Our desire for a great bargain is something not unknown to the bad guys – they are very aware that we might just be tempted to go for that seemingly ‘too good to be true’ bargain. The associated costs to fraudulent Web sites are minimal compared to the numbers game the bad guys play; they cast a wide net and you may be the catch of the day.



Happy New Year and Unhappy New IE Zero-Day! (CVE-2012-4792)

Posted: 02 Jan 2013 06:28 AM | Carl Leonard | no comments

Firstly, welcome to 2013 and we trust that you had a happy holiday period. As is to be expected, holidays or not, there is no rest for the wicked (be that attacker or defender) and therefore we kick off our 2013 blog with details of CVE-2012-4792, an Internet Explorer zero-day vulnerability.


The Websense® ThreatSeeker® Network has already detected instances of this vulnerability being exploited in the wild, unsurprising given that the exploit is publically available as a Metasploit module, and therefore it is likely that attacks will continue to gain traction.



Read more >