2013 Threat Report: More Than Scary Stats and Chilling Charts
Posted: 13 Feb 2013 08:30 AM

The 2013 Threat Report from the Websense® Security Labs™ is now available.

 

The report details mobile, social, email and web-based threats, and while it is full of ominous data points, it is a very interesting read. The report is designed to help security professionals keep current with threat trends and improve the effectiveness of existing security solutions. It can also be used to identify and prioritize security gaps that may require new approaches and more innovative strategies.

 

Creating the report began with the Websense ThreatSeeker® Network, composed of big data clusters used by the WSL to collect and manage up to 5 billion inputs each day from 900 million global endpoints. Malware samples, mobile applications, email content, web links and other information were then passed through deep analysis processes including Websense ACE (Advanced Classification Engine), which applied over 10,000 different analytics.

 

Here is a sampling of key findings from this year's report:

 

  1. Web Security. The web became significantly more malicious in 2012, both as an attack vector and as the primary support element of attacks originating through social media, mobile devices, and email. Researchers measured an alarming 600 percent increase in the use of malicious web links through all vectors.
  2. The Social Web. Malicious content was hidden within social media behind shortened web links 32 percent of the time. Social media attacks took advantage of the confusion of new features, changing services and unsophisticated users.
  3. Mobile Security. A study of last year's malicious apps revealed how they often abuse permissions; especially in the use of SMS communications, something very few legitimate apps do. Risks also increased as mobile devices were used for social media and web surfing more often than actually making a phone call.
  4. Email Security. Only 1 in 5 emails sent were legitimate, as spam increased to 76 percent of email traffic, and 92 percent of spam included links to potentially malicious content. Phishing threats delivered via email also grew.
  5. Malware Behavior. Forensic analysis found that registry modification, once a key indicator of malicious behavior, has declined to 7.7% of malware; malware has instead become increasingly Internet-connected. Half of all malware that used the Internet for communications downloaded additional malicious executables to extend its attack capabilities within the first 60 seconds.
  6. Data Theft. Key changes in data theft targets and methods took place last year. Reports of intellectual property (IP) theft increased, and theft of credit card numbers and other Personally Identifiable Information (PII) continued to grow. Hacking, malware and other cyber-threats continued to be common methods of attack. However, some of the largest thefts involved physical penetration of security as well, often by willful employees.

 

Because today's attacks occur in multiple stages through numerous vectors, the report includes an appendix on The Seven Stages of Advanced Threats. This methodology for analyzing and classifying cyber-attacks provides a useful framework for organizations to assess their current defenses against their security profile, identify weaknesses and develop a more comprehensive strategy for withstanding next-generation attacks. A summary of the Websense 2013 Security Predictions report is also included for planning purposes.

Click for a video introduction or download a copy of the 2013 Threat Report.

Battered Twitter, Phish but no Chips!
Posted: 05 Feb 2013 04:47 PM

Hot on the heels of Friday’s announcement by Twitter that they ‘detected unusual access patterns that led to us identifying unauthorized access attempts to Twitter user data’ and subsequent confirmation that ‘attackers may have had access to limited user information’ for  ‘approximately 250,000 users’,  Websense® Security Labs™ are tracking a phishing campaign propagated via Twitter’s direct message functionality.

 

Whilst no correlation between the two events can be drawn at this time, Twitter users should be on guard for signs of their own account being abused or compromised, as well as for abnormal signs or unusual behavior (or perhaps in many cases, more unusual than normal) from those that they follow. Specifically, users should be cautious, as always, when following any links received in direct messages or Tweets, particularly if the page they've been directed to asks for credentials or personal information.

 

Given the recent compromise, Websense Security Labs suggest that you regularly check your online accounts for signs of compromise and, as if anyone needs an excuse to do so, regularly update your suitably complex (and most definitely not your pet/team/town or dictionary word) password as well as reviewing the permissions granted to third-party applications that have access to your accounts (Twitter: How to Connect and Revoke Third-Party Applications). Should you have been unlucky enough to fall victim to this recent compromise, you'll have hopefully received a notification from Twitter that suggests these actions along with some general tips for account security:

Thankfully there are also suggestions, given this recent article on The Guardian’s Web site, that Twitter may be looking to implement two-factor authentication in the future, as they are currently advertising a Product Security Software Engineer role in which the successful candidate would have the opportunity to work with “user-facing security features, such as multifactor authentication”. The implementation of two-factor authentication would be a welcome addition to Twitter’s service which, based on figures released in 2012, has an estimated 500 million users, of which 200 million are estimated to be ‘active’.

 

The recent compromise is reported to impact 250,000 users, a mere 0.0005% of total users or 0.00125% of active users, and therefore may seem a somewhat small drop in the Twitter ocean. It is not surprising, therefore, that attackers continue to target Twitter users by dumping a barrel load of phish into this metaphorical ocean.

 

This recent phishing campaign, based on the samples analyzed by Websense Security Labs so far in this incident, uses lures likely to elicit a click when received from a friend or associate, such as “Did you see this pic of you? lol” followed by a shortened URL.

 

Interestingly for us, and hopefully you, the use of Bitly’s URL shortening service allows us to append the URL with a plus ‘+’ and then view statistics for the shortened URL:

Whilst the click rate for the above example is low, we’ve seen numerous unique Bitly shortened URLs related to just one account, and would expect the perpetrators behind this campaign to rapidly cycle these in order to avoid detection and to increase the chances of catching more victims.

 

From all of the Bitly URLs analyzed, the statistics indicate that the victims are not confined to any one geographical area and that users are following the links. With regard to the small percentage of non-Twitter referrers, these could be Tweets or Direct Messages accessed via other applications, or an indication that the campaign is not limited to Twitter itself.

 

Once followed, the shortened URLs lead to what appears to be an intermediate and changing subdomain on hecro(.)ru which in turn redirects to active phishing sites hosted on a variety of typosquat-style domains:

The phishing URL in the above example, Tivtter(.)com (ACEInsight Report), appears at a glance to be legitimate and is therefore likely to dupe some unsuspecting victims into believing that they need to 're-login' to their expired Twitter session. The URL in this example also appears to cycle through an alphabetic sequence of folders containing the phishing page, perhaps to gather some statistics or to split the campaign in some way, as we've seen active examples from /a/verify/ upwards (/n/verify/ at the time of writing). Once the letter has cycled on to the next, any attempt to access the phishing page is met with a standard '404 - Page not found' error.

 

Should you fill in your account credentials, they'll be snaffled by those behind this nefarious scheme and you'll be presented with a fake '404' page not found error before being whisked back to the official Twitter Web site as if nothing happened:

As well as the URL above, we're also seeing other variations on the same Twitter typo theme including iftwtter(.)com (ACEInsight Report) and iwltter(.)com (ACEInsight Report).

 

Reassuringly, Bitly are flagging many of the shortened URLs as ‘potentially problematic’ although it is likely that for every one flagged another is sure to emerge.

 

Whilst Websense customers are protected from phishing and other threats by ACE, our Advanced Classification Engine, please do ensure that you check your personal accounts as well as sharing some basic security tips with your friends and family!

 

Jason Hill

Phishing for Apple IDs
Posted: 08 Oct 2012 03:27 PM

The Websense® ThreatSeeker® Network has detected a phishing campaign whose potential victims are holders of an Apple ID account. An Apple ID allows you to buy new apps, make a customer workshop reservation at an Apple Retail Store, or buy music and multimedia content from the iTunes Store. You can also buy applications for Mac OS X as well as mobile apps for iOS devices like the iPad and iPhone. All these fine services can also be accessed by unauthorized users if they can obtain your credentials. The phishing campaign begins with an email message like this one, informing the recipient of a "suspended" Apple ID:

The email itself does not display a nice "Apple" look and feel. However, the URL for "reactivating" the Apple ID account (hxxxxxp://apps.apple.com-account-cancel.shellbells.com.au/?/cgi-bin/WebObjects/MyAppleId.woa/) takes a user to a page that looks very much like the Apple style, as shown below:

As sometimes happens, the hosts that hold the phishing domains have an "open directory" (probably due to a configuration issue), which makes it possible to navigate the structure of the path (server side) used to deploy the phishing email, as shown here:

The URL is traced to IP address 116.0.23.225, where we have detected other phishing domains and hosts:

We have quarantined or rejected hundreds of these phishing email messages, which can potentially lead to identity theft:

Websense customers are protected from this and other threats by Websense ACE (Advanced Classification Engine). 

Gianluca Giuliani

Hook, line and sinker: the dangers of Location-Based Services
Posted: 04 Oct 2012 09:41 AM

Any new technology involves potential risks as well as potential benefits. Location-Based Services (LBS) are a case in point. Mobile apps using geolocation information are increasingly popular, offering people new ways to connect with nearby friends or find people with shared interests. Advertisers can tempt nearby customers with coupons and discounts, targeting people around the corner, and therefore more likely to stop in than those on the other side of world.

Many sites use visitors' IP addresses to do a geolocation lookup in order to serve local content and ads. These can range from perfectly legitimate local headlines to the all-too-familiar "Local girls in [your city here] want to meet you tonight!" Using a new, mobile twist on an old threat, LBS can also help phishing and other scammers find likely victims. As we noted in a previous post, scammers--like legitimate businesses--try to optimize their operations to avoid wasting time and resources on unproductive activities. LBS can help them do this in several ways.

Websense researchers have found many cases of LBS-based phishing attacks. Here we illustrate an example from MoMo, a Chinese LBS social networking app. To the right is a screenshot showing a message allegedly from a pretty girl just 124.78 km away from you. 

Along with an attractive picture, she says, “Hello! I just got here and want to meet people around. It’s a pleasure if we can be friends. Here is my blog site [URL deleted]. You can see my pictures and know me more from there first.”

The link leads to a phishing page that tries to steal the username and password of your account at QQ.com, a major Chinese portal that ranks 9th overall in the Alexa Internet ranking. The links could just as easily be spam or drive-by-downloads.

Why might this approach be more productive from the spammer's perspective than traditional email spam? First, a "local" contact may seem more trustworthy, encouraging you to lower your guard. Second, the attractive profile pics are very tempting bait. And finally, browsers on mobile devices can't show the full URL, so the part that victims see often looks legit.

 

This is just the latest wrinkle in concerns over LBS-based apps. Last year, a British security firm found that mobile check-ins via Facebook, Twitter, and other social media, are extensively used by burglars to target empty homes to rob. The average home robbery takes only ten minutes, which means you can easily be cleaned out while you're enjoying coffee at your favorite Starbucks (after announcing to the immediate world that you're there).

But it's not enough simply to keep quiet about where you are, because some apps make the announcement for you. Geotagging on cameras and phones, for example, automatically embeds GPS data into photos.

LBS can be a particular concern with children. On the one hand, geolocation can offer parents peace of mind, knowing their youngsters can be found quickly if they wander off. On the other hand, predators can easily target potential victims by inducing naive kids to reveal personal data, or just by using automated geolocation information. Kids and teens often share photos taken with their mobile phones, and anyone with some basic technical skills and an EXIF interpreter can extract embedded data to determine exactly where the photo was taken. Even if the phone's GPS is turned off, some apps include GPS-enabling permissions.
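To make the EXIF point concrete from the defender's side, here is example code written for this page (not a Websense tool) that walks a JPEG's marker segments, reports whether the APP1 Exif block's IFD0 carries the GPSInfo pointer (tag 0x8825, the entry that leads to the embedded coordinates), and strips the Exif block so a photo can be shared without its location. The JPEG it inspects is constructed inline, so it runs offline; the tag numbers are the standard EXIF/TIFF ones, the file is not.

```python
import struct
from typing import Iterator, Tuple

GPS_IFD_POINTER = 0x8825   # IFD0 tag pointing at the GPS sub-IFD
GPS_LATITUDE_REF = 0x0001  # first tag inside the GPS sub-IFD


def iter_segments(jpeg: bytes) -> Iterator[Tuple[int, int, int]]:
    """Yield (marker, start, end) for every marker segment that precedes the
    entropy-coded image data; the SOS segment (0xDA) and everything after it
    are yielded as one final chunk."""
    if jpeg[:2] != b"\xFF\xD8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker == 0xDA:
            yield marker, pos, len(jpeg)
            return
        (length,) = struct.unpack_from(">H", jpeg, pos + 2)  # includes the 2 length bytes
        yield marker, pos, pos + 2 + length
        pos += 2 + length


def _is_exif_app1(jpeg: bytes, start: int) -> bool:
    return jpeg[start + 4:start + 10] == b"Exif\x00\x00"


def _tiff_has_gps_pointer(tiff: bytes) -> bool:
    """Scan IFD0 of an embedded TIFF structure for the GPSInfo tag, with
    bounds checks so a truncated segment raises instead of misreading."""
    if len(tiff) < 8 or tiff[:2] not in (b"II", b"MM"):
        raise ValueError("malformed TIFF header in Exif segment")
    endian = "<" if tiff[:2] == b"II" else ">"
    (ifd0,) = struct.unpack_from(endian + "I", tiff, 4)
    if ifd0 + 2 > len(tiff):
        raise ValueError("IFD0 offset outside segment")
    (count,) = struct.unpack_from(endian + "H", tiff, ifd0)
    for k in range(count):
        off = ifd0 + 2 + 12 * k          # each IFD entry is 12 bytes
        if off + 12 > len(tiff):
            raise ValueError("IFD0 entry outside segment")
        (tag,) = struct.unpack_from(endian + "H", tiff, off)
        if tag == GPS_IFD_POINTER:
            return True
    return False


def has_gps_location(jpeg: bytes) -> bool:
    for marker, start, end in iter_segments(jpeg):
        if marker == 0xE1 and _is_exif_app1(jpeg, start):
            if _tiff_has_gps_pointer(jpeg[start + 10:end]):
                return True
    return False


def strip_exif(jpeg: bytes) -> bytes:
    """Copy the JPEG without its APP1 Exif segment(s); other segments (comments,
    quantization tables, the image data itself) are kept byte for byte."""
    out = bytearray(jpeg[:2])
    for marker, start, end in iter_segments(jpeg):
        if marker == 0xE1 and _is_exif_app1(jpeg, start):
            continue
        out += jpeg[start:end]
    return bytes(out)


def build_sample_jpeg(with_gps: bool) -> bytes:
    """Constructed sample: SOI, an APP1 Exif block (little-endian TIFF, IFD0 with
    an Orientation entry and optionally a GPSInfo pointer to a GPS sub-IFD),
    a COM segment, a stub SOS and EOI. Not a real image, only a valid container."""
    entries = [struct.pack("<HHII", 0x0112, 3, 1, 1)]       # Orientation = 1 (SHORT)
    n_entries = len(entries) + (1 if with_gps else 0)
    gps_ifd_off = 8 + 2 + 12 * n_entries + 4                 # right after IFD0
    if with_gps:
        entries.append(struct.pack("<HHII", GPS_IFD_POINTER, 4, 1, gps_ifd_off))
    ifd0 = struct.pack("<H", len(entries)) + b"".join(entries) + struct.pack("<I", 0)
    tiff = b"II*\x00" + struct.pack("<I", 8) + ifd0
    if with_gps:
        tiff += struct.pack("<H", 1) + struct.pack("<HHI", GPS_LATITUDE_REF, 2, 2) \
                + b"N\x00\x00\x00" + struct.pack("<I", 0)
    payload = b"Exif\x00\x00" + tiff
    app1 = b"\xFF\xE1" + struct.pack(">H", len(payload) + 2) + payload
    com = b"\xFF\xFE" + struct.pack(">H", 7) + b"hello"      # must survive stripping
    return b"\xFF\xD8" + app1 + com + b"\xFF\xDA\x00\x02" + b"\x12\x34" + b"\xFF\xD9"


if __name__ == "__main__":
    sample = build_sample_jpeg(with_gps=True)
    print("GPS present:", has_gps_location(sample))
    print("GPS after strip:", has_gps_location(strip_exif(sample)))
```

The check looks only at IFD0, which is where the GPSInfo pointer lives, so a photo is flagged even before any coordinate is decoded; stripping removes the whole Exif block rather than just the GPS sub-IFD, which also drops camera make, model and timestamps. Phone photos may carry a second APP1 segment holding XMP metadata, which this code leaves alone because its payload does not start with "Exif\0\0".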

Websense will continue to monitor developments in this area to protect our customers, their data, and systems from new and evolving security threats.

RM

Benefits of your Blackberry ID in this attached malware
Posted: 22 Aug 2012 10:39 PM

Websense® ThreatSeeker® Network intercepted a malware campaign targeting Blackberry customers.  These fake emails state that the recipient has successfully created a Blackberry ID.  The messages then continue, "To enjoy the full benefits of your BlackBerry ID, please follow the instructions in the attached file." That, of course, is an attempt to lure victims into running the attached malware.

The malicious email itself is a copy and paste of a legitimate email from Blackberry.  And though the attachment indeed raises suspicion, there's no malicious or compromised URL in it.  17/36 AV engines identify the malware in VirusTotal.

 

ThreatScope analysis, which is a part of the Websense CSI service, reports that running the attachment drops other executable files and modifies the system registry to automatically start these malware programs when the system starts. 

Websense customers are protected from these threats by ACE, our Advanced Classification Engine.

Mary Grace Timcang

Who is already an Olympic Games 2012 winner?
Posted: 01 Mar 2012 03:05 AM

As announced by our Security Predictions for 2012, the imminent start of the Olympic Games 2012 is a good worldwide event for phishing authors as well as malicious bots. They will most likely begin utilizing this vector to spread their attempts at masquerading as legitimate sites, organizations, or services to trick users into divulging information. Websense® Security Labs™ and the Websense ThreatSeeker® Network have detected and tracked a significant number of these kinds of Olympic phishing messages whose goal is to entice users to submit their personal information.

 

The phishing theme used in the following example is the well-known "National Lottery"-type scam, where the targeted users are tricked into believing they are winners of some sort of local lottery. We detected email like the one below:

Once the user opens the Microsoft Word document,  the sender informs the user that he or she is the lucky "winner" of £200,00.00 GBP, and then requests that the user provide personal information, such as full name, address, nationality, occupation, and mobile number to help process the claim. 

Although this email attachment is not malicious, it is clear that the sender has some other questionable activity in mind by asking for and collecting personal information. This could range from email spam using the victim's email address and mobile phone number to other rogue promotional messages that could potentially have web links leading to malicious websites. Threats like these Olympics scams are also known as advanced-fee fraud in which victims are asked to contact a claims agent. They may then be asked to pay "processing fees" to receive their money, which never happens. Here's another example that confirms this hypothesis:

 

This is also a good way to collect, with social engineering techniques, mobile phone numbers and to start other kinds of fraudulent activities, like asking for details about mobile banking accounts. Websense customers are protected from these threats by ACE, our Advanced Classification Engine.

Gianluca Giuliani

Typosquatting
Posted: 24 Oct 2011 08:42 PM

Do you often make mistakes when typing? Is the Backspace key your friend? Well, you are not alone!
Most of us make typing errors once in a while, but what if those errors could cause data leakage? 

 

Typosquatting exploits common typing errors made when entering a Web address in a browser--typing “a” instead of “s”, for example, or “e” instead of “r”--resulting in URL hijacking, malware injection, or phishing. Popular social networking sites, like Facebook, are often targets of typosquatting. With over 800 million active users, it’s no surprise the social networking giant is a target of such exploits.

Say you’re in a hurry to check out the latest update from your friends on facebook.com, but in your excitement, you enter faccenook.com instead.  There could be several outcomes. If the Web site designers anticipated your clumsiness, you still get to the desired destination. Otherwise, you might get an error message saying that the page is unavailable.  Or you could get a page that looks like facebook.com, but that actually redirects you to phishing or other potentially harmful sites, injects malware, infects your system with spyware, and ruins your day.

After carefully studying the objectionable links generated by common typos for Facebook, we found that over 62% of links lead to bot networks, phishing, or malicious web sites. 

 

Websense Security Labs researchers investigated the top ranked domain (www.facebook.com) and generated common typos based on keyboard character distance, common repeats, and even omissions, anticipating common typos that result in fake or malicious pages. Websense software protects users, their data, and their systems with its unique backtracking algorithm to identify altered domain names. The Advanced Classification Engine (ACE) provides real-time content analysis to keep you safe no matter how bad a tyspist yu aree.
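The backtracking algorithm mentioned above is Websense's own and is not reproduced here; the following is example code written for this page that shows the detection side of the same idea, namely deciding whether an observed hostname is a lookalike of a monitored brand. It serves this post and the two phishing posts above: the Twitter lookalikes Tivtter(.)com, iftwtter(.)com and iwltter(.)com, the apple.com-account-cancel.shellbells.com.au host from the Apple ID campaign, and the faccenook.com typo used here. Three heuristics are applied in turn: an edit-distance near-miss of the brand label (keyboard neighbours, repeats, omissions and adjacent swaps all cost one edit), the whole brand name appearing in the host while the registrable domain is something else, and a near-miss of the brand glued inside a longer label. The protected-brand list and the tiny public-suffix table are assumptions for the example; a real deployment would use the Public Suffix List.

```python
import re
from typing import Optional

# Brands being monitored (constructed list for this example).
PROTECTED = ["twitter.com", "facebook.com", "apple.com"]

# Stand-in for the Public Suffix List: only the two-label suffixes the
# sample hosts need (assumption, not a complete table).
TWO_LABEL_SUFFIXES = {"com.au", "co.uk", "com.br", "co.jp"}


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insertion, deletion, substitution and
    adjacent transposition each cost 1, which covers the typo classes the post
    lists (keyboard-neighbour substitutions, repeated keys, omissions)."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def registrable_domain(host: str) -> str:
    """Naive eTLD+1: last two labels, or three when the last two form a known
    two-label suffix such as com.au."""
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify_host(host: str) -> Optional[dict]:
    """None for a genuine protected host; otherwise the brand it resembles and
    which heuristic matched."""
    host = host.lower().strip(".")
    rd = registrable_domain(host)
    if rd in PROTECTED:
        return None
    label = rd.split(".")[0]

    # 1. The registrable label is a near-miss of a brand label. Short brand
    #    names get a tighter bound to keep false positives down.
    for brand in PROTECTED:
        blabel = brand.split(".")[0]
        limit = 2 if len(blabel) >= 6 else 1
        dist = osa_distance(label, blabel)
        if 0 < dist <= limit:
            return {"host": host, "verdict": "typosquat", "brand": brand, "distance": dist}

    # 2. The full brand name sits in the host, delimited by dots or a hyphen,
    #    but the registrable domain belongs to someone else.
    for brand in PROTECTED:
        if re.search(r"(^|\.)" + re.escape(brand) + r"($|[.-])", host):
            return {"host": host, "verdict": "brand-in-host", "brand": brand, "distance": 0}

    # 3. A near-miss of the brand label is embedded in a longer label
    #    (prefix or suffix glued onto a misspelt brand).
    for brand in PROTECTED:
        blabel = brand.split(".")[0]
        if len(blabel) < 6:
            continue
        for width in (len(blabel) - 1, len(blabel), len(blabel) + 1):
            for start in range(0, len(label) - width + 1):
                window = label[start:start + width]
                if window != label and osa_distance(window, blabel) <= 1:
                    return {"host": host, "verdict": "embedded-lookalike",
                            "brand": brand, "distance": 1}
    return None


if __name__ == "__main__":
    # Hosts named in the posts above, plus a genuine one for contrast.
    for h in ["tivtter.com", "iftwtter.com", "iwltter.com", "faccenook.com",
              "apps.apple.com-account-cancel.shellbells.com.au", "www.twitter.com"]:
        print(h, "->", classify_host(h))
```

Of the page's own examples, tivtter, iwltter and faccenook are two edits from their brand and fall to the first heuristic, the Apple host to the second, and iftwtter (three edits from "twitter" as a whole, but containing "twtter") only to the third; the thresholds are a trade-off, and a label like pineapple.com is correctly left alone because the brand is not delimited from the surrounding text.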

 

Fraudulent messages from Electronic Payments Association NACHA
Posted: 06 Sep 2011 03:23 AM

Websense® ThreatSeeker® Network has been tracking a large number of messages masquerading as legitimate messages from the Electronic Payment Association NACHA.

 

The messages bear legitimate traits, as the display name and routing details seem to confirm.  Further analysis of the message and attachments prove these to be malicious in intent.  The examples below show what these messages look like, and an unsuspecting member or patron of the service might just fall for this.

The example below is a variant that we have been aware of, and have been tracking for a while now.  The use of a double extension on a file name as well as the exact format of the message, including the Subject, attests to the reuse of the campaign.

Example of a variant noticed earlier:

Digging a little deeper into the header information, we find this:

Although this might seem to have come from NACHA, the routing details suggest otherwise as they do not originate from the publicly-known MX records for the organization.
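The routing check described above, written out as example code for this page (not Websense's own analysis tooling): the originating hop is read from the Received header written by our own edge server, the claimed domain from the From address, and the two are compared against the address ranges that organization is publicly known to send from. The organization's real published data (in practice its SPF record) is replaced here by a constructed allow list with placeholder domain and ranges, and the raw message is constructed inline.

```python
import email
import ipaddress
import re
from email.message import Message
from email.utils import parseaddr
from typing import Dict, Optional

# Constructed allow list: ranges the claimed sender's organization is publicly
# known to send mail from. Placeholder domain and documentation-only addresses;
# a real deployment reads the domain's published SPF record instead.
KNOWN_SENDER_RANGES = {
    "payments-association.test": [ipaddress.ip_network("203.0.113.0/24")],
}

BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def make_sample(origin_ip: str) -> bytes:
    """Constructed raw message with two hops. The lower Received header was
    written by our edge MX (mx1.ourcorp.test) and records origin_ip as the
    connecting host; the upper one is our internal relay."""
    return (
        "Received: from mx1.ourcorp.test ([198.51.100.7]) by mail.ourcorp.test\r\n"
        "\twith ESMTP id abc123; Tue, 06 Sep 2011 03:10:00 +0000\r\n"
        f"Received: from dsl-pool-45.example-isp.test ([{origin_ip}]) by mx1.ourcorp.test\r\n"
        "\twith SMTP id def456; Tue, 06 Sep 2011 03:09:58 +0000\r\n"
        'From: "Electronic Payments Association" <alerts@payments-association.test>\r\n'
        "To: member@ourcorp.test\r\n"
        "Subject: Rejected ACH transaction\r\n"
        "\r\n"
        "Your transaction was rejected. See the attached report.\r\n"
    ).encode()


def originating_ip(msg: Message) -> Optional[str]:
    """IP recorded in the earliest Received header. Headers are listed newest
    first, so the last one is the hop our own edge server wrote; anything the
    sender placed below that could be forged and is not consulted."""
    received = msg.get_all("Received") or []
    if not received:
        return None
    m = BRACKETED_IP.search(received[-1])
    return m.group(1) if m else None


def check_sender_alignment(raw: bytes) -> Dict[str, object]:
    """Does the connecting host belong to the organization named in From:?"""
    msg = email.message_from_bytes(raw)
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    ip = originating_ip(msg)
    aligned = False
    if ip and domain in KNOWN_SENDER_RANGES:
        aligned = any(ipaddress.ip_address(ip) in net for net in KNOWN_SENDER_RANGES[domain])
    return {"claimed_domain": domain, "origin_ip": ip, "aligned": aligned}


if __name__ == "__main__":
    print(check_sender_alignment(make_sample("192.0.2.45")))   # consumer ISP pool: not aligned
    print(check_sender_alignment(make_sample("203.0.113.9")))  # inside the known range: aligned
```

The sample deliberately keeps only one trusted hop: in a real gateway the parser should select the Received header written by your own MX by its "by" host rather than blindly taking the last one, since a sender can prepend fake Received lines beneath it.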

At the time of analysis, VirusTotal results still had not hit 50%, and a mixed bag of detection shows that not all the major AV engines have detected this either.  Websense Email Security and Websense Web Security protect against these kinds of blended threats with ACE, our Advanced Classification Engine.

Anonymous

The Philippine Bureau of Immigration is Compromised
Posted: 09 Aug 2011 04:25 PM

Websense Security Labs and the Websense ThreatSeeker® Network have detected malicious emails disguised as HSBC Notifications.  A closer look at these emails, like the one you can see below, reveals that the link provided in the emails is a compromised URL belonging to the Philippine Bureau of Immigration.

Clicking the link prompts the user to download a malicious file called "atualizar.exe".  You can find the VirusTotal analysis results for this .exe here.

Websense Email Security and Websense Web Security protect against these kinds of blended threats with ACE, our Advanced Classification Engine.

Mary Grace Timcang

Has my credit card really been blocked?
Posted: 28 Jul 2011 02:18 PM

Websense ThreatSeeker® Network has been monitoring and tracking a recent wave of email attacks being spread and aimed at credit card users and holders. 

 

The attack comes in the form of a short email with fairly detailed text alerting the recipient that their credit card has been blocked, and that they should open the attached file to find out more.  The format seems old, with the content and attached file properties being the distinctive factor.  With the recent attacks and data breaches of organizations in the press, this seems to be worth the buzz as personal details and credit card details were part of the information leaked.

 

Sample of email message.

 

A similar message, opened in a text editor below, shows that the content has changed little during the campaign, apart from the wording of the message body and the header information regarding sender addresses or connecting IPs, which are listed in this blog post.

A noticeable repeating pattern, besides the salutation and some generic content such as “Dear User|Client|Sir|Madam” and “WARNING|ATTENTION|URGENT”, is the attached file name. The example file format is a .bat file, which indicates a DOS executable batch file. Additionally, the file names we have seen have always used the following format:

"id", "[5-7 digits]" and the file extension.

 

Further analysis into the file reveals this is also a Windows executable that contains a PE tag within the header information, as highlighted in the picture below.
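The two indicators just described, the id+digits file name and a PE header behind a .bat extension, can be checked mechanically. The following is example code written for this page (not Websense's ThreatScope or ACE logic): it matches the naming pattern, reads the DOS "MZ" stub and follows e_lfanew to the "PE\0\0" signature, and flags any PE image that arrives under a non-executable extension. The attachment bytes are a constructed header, not a real sample.

```python
import re
import struct
from typing import Dict, List

# File-name pattern the campaign has used so far: "id", five to seven digits,
# then an extension (the post's example is .bat).
CAMPAIGN_NAME = re.compile(r"id\d{5,7}\.[a-z0-9]{1,4}", re.IGNORECASE)

# Extensions under which a PE image is expected; a PE under anything else is
# a disguise worth flagging.
PE_EXTENSIONS = {"exe", "dll", "scr", "sys", "cpl", "ocx"}


def looks_like_campaign_name(filename: str) -> bool:
    return CAMPAIGN_NAME.fullmatch(filename) is not None


def is_pe_file(data: bytes) -> bool:
    """True when the data starts with a DOS 'MZ' stub whose e_lfanew field
    (4 bytes little-endian at offset 0x3C) points at the 'PE\\0\\0' signature,
    whatever the file name claims."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def triage_attachment(filename: str, data: bytes) -> Dict[str, object]:
    """Combine the name and content checks into one verdict with reasons."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    pe = is_pe_file(data)
    reasons: List[str] = []
    if looks_like_campaign_name(filename):
        reasons.append("name matches id<5-7 digits>.<ext> pattern")
    if pe and ext not in PE_EXTENSIONS:
        reasons.append(f"PE executable disguised as .{ext}")
    return {"filename": filename, "is_pe": pe, "suspicious": bool(reasons), "reasons": reasons}


def build_fake_pe() -> bytes:
    """Constructed sample: an MZ header with e_lfanew = 0x40 followed by the PE
    signature and padding. Not runnable code, only enough for the check."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 20


if __name__ == "__main__":
    print(triage_attachment("id48213.bat", build_fake_pe()))
    print(triage_attachment("id48213.bat", b"@echo off\r\nexit\r\n"))
    print(triage_attachment("report.exe", build_fake_pe()))
```

A genuine batch file fails the PE check and is flagged on its name alone, while a PE named report.exe is left to the AV layer; the combination is what singles out this campaign's attachments.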

Interestingly, the file properties also suggest to the untrained eye that the file originated from VMware. This ties in to the author's overall trickery and to the reuse of tactics and resources.

Although this appears to have originated from VMware, the attached file is actually not signed, as shown in the screen shot below (courtesy of VirusTotal).

The file is also VM-aware: the download of fake AV that results from execution only occurs under host-based analysis (as opposed to in a guest virtual machine).

Websense customers are protected from these threats by ACE, our Advanced Classification Engine.

 

Anonymous


©2013 Websense, Inc. All Rights Reserved.