Websense Security Labs Blog

Websense Security Labs discovers, investigates and reports on advanced Internet threats that traditional security
research methods miss.

Filtered by: Compromise

Cyber criminals expand use of CVE-2014-0322 before Patch Tuesday

Posted: 10 Mar 2014 01:54 PM | Elad Sharf


Ahead of the Patch Tuesday fix on March 11 for the Internet Explorer zero-day tracked as CVE-2014-0322, we thought it would be helpful to look at how this exploit was used in the lure stage, since this may reveal some of the tactics used by crimeware and targeted attack...


'GWload' - The 'Social Engineering' Based Mass Injection Making Its Rounds

Posted: 28 Oct 2013 07:30 PM | Elad Sharf


Websense® Security Labs™ ThreatSeeker® Intelligence Cloud has identified that a new mass injection campaign is making its rounds, compromising and injecting content into tens of thousands of legitimate websites. This campaign is an evolution and expansion of an existing injection campaign...


Honeyclient Evasion Techniques, Bible.org Case

Posted: 25 Feb 2013 03:55 AM | Elad Sharf


Hot on the heels of the NBC.com hack last week, Websense® Security Labs™ researchers were alerted by SANS to another high-profile website compromise on Friday: bible.org. It appears that the offending code has now been removed from the bible.org website. At first glance, this seemed to be...


NBC.com Compromised

Posted: 22 Feb 2013 01:05 AM | Patrik Runald


Earlier today the main website of NBC and some of their show websites (such as www.jaylenosgarage.com) were compromised and served malicious content to users. The malicious content was inserted as a one-line iframe tag in one of the JavaScript files that gets loaded every time a user visits the page: This...


2013 Threat Report: More Than Scary Stats and Chilling Charts

Posted: 13 Feb 2013 08:30 AM | Carl Leonard


The 2013 Threat Report from the Websense® Security Labs™ is now available.


The report details mobile, social, email and web-based threats, and while it is full of ominous data points, it is a very interesting read. The report is designed to help security professionals keep current with threat trends and improve the effectiveness of existing security solutions. It can also be used to identify and prioritize security gaps that may require new approaches and more innovative strategies.


Creating the report began with the ThreatSeeker® Network, composed of big data clusters used by the Websense Security Labs (WSL) to collect and manage up to 5 billion inputs each day from 900 million global endpoints. Malware samples, mobile applications, email content, web links and other information were then passed through deep analysis processes including our Advanced Classification Engine (ACE), which applied over 10,000 different analytics.


...


Forex Website Targeted: Did Cybercrooks Find the Weakest Link in Online Money Management Services?

Posted: 28 Nov 2012 02:29 AM | Gianluca Giuliani



The Websense® ThreatSeeker® Network has detected that a FOREX trading website was injected with a malicious Java applet, which could install malware on the affected systems of the site's users. FOREX is the foreign exchange market where international currencies are traded, and nowadays, it's used by millions of people around the world.


The targeted website is a popular FOREX website called "Trading Forex," located at hxxp://tradingforex.com. One of the questions raised when encountering such a compromise is whether some cybercriminals are shifting their focus from the mainstream online money management systems of banks and stock exchanges to "easier wins" with online systems and services that are likely to be less mature from a security perspective. Another interesting fact is that the backdoor dropped at Trading Forex is written in Visual Basic .NET and requires Microsoft's .NET Framework to be installed and operational on the victim's computer in order to run.


Websense customers are protected from these and other threats by ACE, our Advanced Classification Engine.


...


Iranian Firefighters' Website Compromised to Serve VertexNet RAT

Posted: 01 Nov 2012 03:00 AM | Gianluca Giuliani



Thanks to the Websense® ThreatSeeker™ Network, we have detected that an Iranian website has been compromised to serve a Remote Administration Tool (RAT) called VertexNet. This website does not have a high Alexa rank, but it is one of a few cases that have caught our attention. The targeted website (reachable at the URL hxxp://www.sarifire.ir) appears to be a portal documenting the activities of firefighters in the city of Sari, located in northern Iran. Given Iran's high profile in recent news stories, we decided to analyze this case. At this time, the website still appears to be injected, as shown below:


...


Wagamama site compromised, but noodles are still good

Posted: 01 Oct 2012 09:09 AM | Artem Gololobov


The Websense ThreatSeeker Network has detected that the website hxxp://goeast(dot)wagamama(dot)com, which belongs to Wagamama (a Japanese and sushi restaurant chain), has been compromised and injected with malicious code, in what is also known as a RunForestRun attack.

The RunForestRun attack exploits a vulnerability in Parallels Plesk to obtain user account credentials; the compromised accounts are then used to modify JavaScript files. As shown below, the modification consists of an obfuscated script. When this script runs, it deobfuscates to an iframe with pseudo-randomly generated URLs (in this case based on date and time). The resulting malicious URL leads the user to a well-known and widely used tool in the underground community: the Blackhole Exploit Kit.

Websense customers are protected from this threat with ACE, our Advanced Classification Engine.

...


Nepalese government websites compromised to serve Zegost RAT

Posted: 08 Aug 2012 10:36 AM | Gianluca Giuliani



The Websense® ThreatSeeker® Network has detected that two Nepalese government websites, the National Information Technology Center (NITC) and the Office of the Prime Minister and Council Minister (nitc.gov.np and opmcm.gov.np respectively), have been compromised and injected with malicious code that tries to exploit the Java vulnerability CVE-2012-0507. The aim of this injection is to install, by successfully exploiting that Java weakness, a backdoor dubbed "Zegost" on the systems of visitors to these websites.


This vulnerability (CVE-2012-0507) was also used in the Amnesty International UK website compromise and in the INSS website compromise that we reported a few months back. It's interesting to note that all those compromises had injected code that was taken from the Metasploit framework, served in clear form and not obfuscated. Although the use of code from the Metasploit framework doesn't necessarily indicate a link between all the compromises, we found further common characteristics between the compromises of the Amnesty UK website and the Nepalese government websites when, analyzing the backdoors' C&C points, we noticed that they connected to the same domain in China.


...


The official website of GoPro is compromised to serve malicious code

Posted: 04 Jul 2012 05:24 PM | Elad Sharf


The Websense® ThreatSeeker® Network has detected that the official website of GoPro (at gopro.com), the popular brand of "wearable" cameras, has been compromised and injected with malicious code. We have contacted GoPro and let them know about the compromise, but to date we have not heard back from them.


Websense customers are protected from this threat with ACE, our Advanced Classification Engine.

...
