Websense Security Labs Blog

Websense Security Labs discovers, investigates and reports on advanced Internet threats that traditional security
research methods miss.

Latest Blog Posts

View all posts > 

Compromise tagged in these posts

Cyber criminals expand use of CVE-2014-0322 before Patch Tuesday

Posted: 10 Mar 2014 01:54 PM | Elad Sharf | no comments

In advance of the Internet Explorer zero-day referenced by the CVE-2014-0322 patch that will commence on patch Tuesday the March 11, we thought it would be helpful to look at how this exploit was utilized in the lure stage, since this may unveil some of the tactics used by crimeware and targeted attack...


Filed under: , , , ,

'GWload' - The 'Social Engineering' Based Mass Injection Making Its Rounds

Posted: 28 Oct 2013 07:30 PM | Elad Sharf | no comments

Websense® Security Labs™ ThreatSeeker® Intelligence Cloud has identified that a new mass injection campaign is making its rounds, compromising and injecting content into tens of thousands of legitimate websites. This campaign is an evolution and expansion of an existing injection campaign...


Filed under: , , ,

Honeyclient Evasion Techniques, Bible.org Case

Posted: 25 Feb 2013 03:55 AM | Elad Sharf | 1 comment(s)

Hot on the heels of the NBC.com hack last week, Websense® Security Labs™ researchers were alerted by SANS to another high profile website compromise on Friday: bible.org . It appears that the offending code has now been removed from the bible.org website. At first glance, this seemed to be...


Filed under: ,

NBC.com Compromised

Posted: 22 Feb 2013 01:05 AM | Patrik Runald | no comments

Earlier today the main website of NBC and some of their show websites (such as www.jaylenosgarage.com) were compromised and served malicious content to users. The malicious content was inserted as a one-line iframe tag on one of the JavaScripts that gets loaded every time a user visits the page: This...


Filed under:

2013 Threat Report: More Than Scary Stats and Chilling Charts

Posted: 13 Feb 2013 08:30 AM | Carl Leonard | no comments

The 2013 Threat Report from the Websense® Security Labs™ is now available.


The report details mobile, social, email and web-based threats, and while it is full of ominous data points, it is a very interesting read. The report is designed to help security professionals keep current with threat trends and improve the effectiveness of existing security solutions. It can also be used to identify and prioritize security gaps that may require new approaches and more innovative strategies.


Creating the report began with the ThreatSeeker® Network, composed of big data clusters used by the WSL to collect and manage up to 5 billion inputs each day from 900 million global endpoints. Malware samples, mobile applications, email content, web links and other information were then passed through deep analysis processes including our Advanced Classification Engine (ACE), which applied over 10,000 different analytics.




Filed under: , , , , , , , , , , , , , ,

Forex Website Targeted: Did Cybercrooks Find the Weakest Link in Online Money Management Services?

Posted: 28 Nov 2012 02:29 AM | Anonymous | no comments


The Websense® ThreatSeeker® Network has detected that a FOREX trading website was injected with a malicious Java applet, which could install malware on the affected systems of the site's users. FOREX is the foreign exchange market where international currencies are traded, and nowadays, it's used by millions of people around the world.


The targeted website is a popular FOREX website called "Trading Forex," located at hxxp://tradingforex.com. One of the questions that is raised when encountering such a compromise is whether some cybercriminal shift their focus from mainstream online money management systems of banks and stock exchanges to "easier wins" with online systems and services that are likely to be less mature from a security perspective. Another interesting fact is that the dropped backdoor at Trading Forex is written in Visual Basic.Net and requires the Microsoft's .NET framework to be successfully installed and operational on the victim's computer.


Websense customers are protected from these and other threats by  ACE, our Advanced Classification Engine.






Filed under: , ,

Iranian Firefighters' Website Compromised to Serve VertexNet RAT

Posted: 01 Nov 2012 03:00 AM | Anonymous | no comments


Thanks to the Websense® ThreatSeeker™ Network, we have detected that an Iranian website has been compromised to serve a Remote Administration Tool (RAT) called VertexNet. This website does not have a high Alexa rank, but is one of a few cases which has caught our attention. The targeted website (reachable at the URL: hxxp://www.sarifire.ir) seems to be a portal documenting the activities of firefighters in the city of Sari, located in northern Iran. Given Iran's high profile in recent news stories, we decided to analyze this case. At this time, the website still seems to be injected, as shown below:






Filed under: ,