Websense Security Labs Blog

Websense Security Labs discovers, investigates and reports on advanced Internet threats that traditional security
research methods miss.


Filtered by: Phishing

Ongoing Targeted Attacks Continue to Plague Healthcare

Posted: 12 Sep 2014 09:00 AM | AToro


Websense® ThreatSeeker® Intelligence Cloud has detected a phishing campaign that targets the healthcare sector--especially hospitals--phishing for Outlook credentials. This campaign is part of an ongoing trend of campaigns phishing for credentials of users in the healthcare sector (for example, the CHS breach), along with a trend of phishing for corporate Outlook credentials. Gaining access to corporate Outlook credentials gives attackers a foothold in the victim's organization. This foothold allows them to search for other high-value targets and then send internal, legitimate-seeming emails to extract additional information and gain access to strategic infrastructure or data. It also allows attackers to leverage whatever good reputation the compromised accounts have to attack their contacts at other organizations. Healthcare organizations, and hospitals in particular, hold a wealth of patient records that are very valuable to cyber criminals, as discussed here.

Websense customers are protected from this threat by ACE, our Advanced Classification Engine, at the following stages:

Stage 2 (Lure) - ACE has detection for the email lure.
Stage 3 (Redirect) - ACE has detection for the link inside the email lure and for the ultimate destination of the phishing site.

The Lure Email

The phishing email, with the subject "Your Mailbox account closure.", is sent to users, enticing them to click on a link. The campaign is highly targeted: ThreatSeeker telemetry shows Websense Cloud Email Security blocked a few hundred of these messages, all targeting US healthcare organizations, between 9/12/2014, 6:19:34 AM PDT and 9/12/2014, 7:13:10 AM PDT. Reviewing the email path, it appears that compromised accounts were used to send this campaign. This suggests that the actors behind the campaign try to spread laterally from one infected organization to another, taking advantage of the reputation of the affected organizations. It is especially interesting since the compromised account also belongs to a healthcare provider, which is likely to already have a good reputation in the victim's email protection systems. This helps to bypass any reputation-based defense.

The Phishing Page

If the user follows the link, he or she is led to webauthlineoutlweb.url.ph, where a legitimate-looking Outlook login page is presented and used to steal credentials. A high-level look at the top 5 threats hosted on subdomains of "URL.PH" suggests it has become more popular in the last few months. Looking into the threats served by websites under the "URL.PH" top-level domain (TLD), we can see a diverse set of threats, including Zeus and Citadel, as well as other types.

Websense® Security Labs™ will continue to monitor this campaign and will update the blog as new information is gathered.

Contributors: Abel Toro, Ran Mosessco, Elad Sharf


New Phishing Research: 5 Most Dangerous Email Subjects, Top 10 Hosting Countries

Posted: 11 Dec 2013 09:03 AM | Elisabeth Olsen


With cloud infrastructure easily scalable and rented botnets coming on the cheap, the cost of conducting massive phishing campaigns continues to decline for cybercriminals. Even if the return rate is small or the campaign is poorly executed, phishing can result in serious money for criminals. Phishing will never simply go away—meaning ongoing headaches for security professionals.

...


2013 Threat Report: More Than Scary Stats and Chilling Charts

Posted: 13 Feb 2013 08:30 AM | Carl Leonard


The 2013 Threat Report from the Websense® Security Labs™ is now available.


The report details mobile, social, email and web-based threats, and while it is full of ominous data points, it is a very interesting read. The report is designed to help security professionals keep current with threat trends and improve the effectiveness of existing security solutions. It can also be used to identify and prioritize security gaps that may require new approaches and more innovative strategies.


Creating the report began with the ThreatSeeker® Network, composed of big data clusters used by the WSL to collect and manage up to 5 billion inputs each day from 900 million global endpoints. Malware samples, mobile applications, email content, web links and other information were then passed through deep analysis processes including our Advanced Classification Engine (ACE), which applied over 10,000 different analytics.


...


Battered Twitter, Phish but no Chips! [Updated]

Posted: 05 Feb 2013 04:47 PM | Carl Leonard


Hot on the heels of Friday’s announcement by Twitter that they ‘detected unusual access patterns that led to us identifying unauthorized access attempts to Twitter user data’ and subsequent confirmation that ‘attackers may have had access to limited user information’ for  ‘approximately 250,000 users’,  Websense® Security Labs™ are tracking a phishing campaign propagated via Twitter’s direct message functionality.

...


Phishing for Apple IDs

Posted: 08 Oct 2012 03:27 PM | Gianluca Giuliani


The Websense® ThreatSeeker® Network has detected a phishing campaign whose potential victims are holders of an Apple ID account. An Apple ID allows you to buy new apps, make a customer workshop reservation at an Apple Retail Store, or buy music and multimedia content from the iTunes Store. You can also buy applications for Mac OS X as well as mobile apps for iOS devices like the iPad and iPhone. All these fine services can also be accessed by unauthorized users if they can obtain your credentials.

The phishing campaign begins with an email message like this one, informing the recipient of a "suspended" Apple ID. The email itself does not display a nice "Apple" look and feel. However, the URL for "reactivating" the Apple ID account (hxxxxxp://apps.apple.com-account-cancel.shellbells.com.au/?/cgi-bin/WebObjects/MyAppleId.woa/) takes a user to a page that looks very much like the Apple style.

As sometimes happens, the hosts that hold the phishing domains have an "open directory" (probably due to a configuration issue), which makes it possible to navigate the server-side path structure used to deploy the phishing email. The URL is traced to IP address 116.0.23.225, where we have detected other phishing domains and hosts.

We have quarantined or rejected hundreds of these types of phishing email messages, which can potentially lead to identity theft. Websense customers are protected from this and other threats by Websense ACE (Advanced Classification Engine).


Hook, line and sinker: the dangers of Location-Based Services

Posted: 04 Oct 2012 09:41 AM | RM


Any new technology involves potential risks as well as potential benefits. Location-Based Services (LBS) are a case in point. Mobile apps using geolocation information are increasingly popular, offering people new ways to connect with nearby friends or find people with shared interests. Advertisers can tempt nearby customers with coupons and discounts, targeting people around the corner, who are therefore more likely to stop in than those on the other side of the world. Many sites use visitors' IP addresses to do a geolocation lookup in order to serve local content and ads. These can range from perfectly legitimate local headlines to the all-too-familiar "Local girls in [your city here] want to meet you tonight!"

Using a new, mobile twist on an old threat, LBS can also help phishing and other scammers find likely victims. As we noted in a previous post, scammers--like legitimate businesses--try to optimize their operations to avoid wasting time and resources on unproductive activities. LBS can help them do this in several ways.

Websense researchers have found many cases of LBS-based phishing attacks. Here we illustrate an example from MoMo, a Chinese LBS social networking app. The screenshot shows a message allegedly from a pretty girl just 124.78 km away from you. Along with an attractive picture, she says, "Hello! I just got here and want to meet people around. It's a pleasure if we can be friends. Here is my blog site [URL deleted]. You can see my pictures and know me more from there first." The link leads to a phishing page that tries to steal the username and password of your account at QQ.com, a major Chinese portal that ranks 9th overall in the Alexa Internet ranking. The links could just as easily be spam or drive-by downloads.

Why might this approach be more productive from the spammer's perspective than traditional email spam? First, a "local" contact may seem more trustworthy, encouraging you to lower your guard. Second, the attractive profile pictures are very tempting bait. And finally, browsers on mobile devices can't show the full URL, so the part that victims see often looks legitimate.

This is just the latest wrinkle in concerns over LBS-based apps. Last year, a British security firm found that mobile check-ins via Facebook, Twitter, and other social media are extensively used by burglars to target empty homes. The average home robbery takes only ten minutes, which means you can easily be cleaned out while you're enjoying coffee at your favorite Starbucks (after announcing to the immediate world that you're there). But it's not enough to simply keep quiet about where you are, because some apps make the announcement for you. Geotagging on cameras and phones, for example, automatically embeds GPS data into photos.

LBS can be a particular concern with children. On the one hand, geolocation can offer parents peace of mind, knowing their youngsters can be found quickly...


Benefits of your Blackberry ID in this attached malware

Posted: 22 Aug 2012 10:39 PM | Mary Grace Timcang


Websense® ThreatSeeker® Network intercepted a malware campaign targeting Blackberry customers. These fake emails state that the recipient has successfully created a Blackberry ID. The messages then continue, "To enjoy the full benefits of your BlackBerry ID, please follow the instructions in the attached file." That, of course, is an attempt to lure victims into running the attached malware.

The malicious email itself is a copy and paste of a legitimate email from Blackberry. And though the attachment indeed raises suspicion, there is no malicious or compromised URL in the message. 17 of 36 AV engines identify the malware on VirusTotal. ThreatScope analysis, which is part of the Websense CSI service, reports that running the attachment drops other executable files and modifies the system registry so that these malware programs start automatically when the system starts.

Websense customers are protected from these threats by ACE, our Advanced Classification Engine.


Who is already an Olympic Games 2012 winner?

Posted: 01 Mar 2012 03:05 AM | Gianluca Giuliani


As announced in our Security Predictions for 2012, the imminent start of the Olympic Games 2012 is a good worldwide event for phishing authors as well as malicious bots. They will most likely begin using this vector to spread their attempts at masquerading as legitimate sites, organizations, or services to trick users into divulging information. Websense® Security Labs™ and the Websense ThreatSeeker® Network have detected and tracked a significant number of these kinds of Olympic phishing messages, whose goal is to entice users to submit their personal information.

...


Typosquatting

Posted: 24 Oct 2011 08:42 PM | Anonymous


Do you often make mistakes when typing? Is the Backspace key your friend? Well, you are not alone! Most of us make typing errors once in a while, but what if those errors could cause data leakage? Typosquatting exploits common typing errors made when entering a Web address in a browser--typing "a" instead of "s", for example, or "e" instead of "r"--resulting in URL hijacking, malware injection, or phishing.

Popular social networking sites, like Facebook, are often targets of typosquatting. With over 800 million active users, it's no surprise the social networking giant is a target of such exploits. Say you're in a hurry to check out the latest update from your friends on facebook.com, but in your excitement, you enter faccenook.com instead. There could be several outcomes. If the Web site designers anticipated your clumsiness, you still get to the desired destination. Otherwise, you might get an error message saying that the page is unavailable. Or you could get a page that looks like facebook.com but actually redirects you to phishing or other potentially harmful sites, injects malware, infects your system with spyware, and ruins your day.

After carefully studying the objectionable links generated by common typos for Facebook, we found that over 62% of the links lead to bot networks, phishing, or malicious web sites. Websense Security Labs researchers investigated the top-ranked domain (www.facebook.com) and generated common typos based on keyboard character distance, common repeats, and even omissions, anticipating the common typos that result in fake or malicious pages.

Websense software protects users, their data, and their systems with its unique backtracking algorithm to identify altered domain names. The Advanced Classification Engine (ACE) provides real-time content analysis to keep you safe no matter how bad a tyspist yu aree.


Fraudulent messages from Electronic Payments Association NACHA

Posted: 06 Sep 2011 03:23 AM | Anonymous


Websense® ThreatSeeker® Network has been tracking a large number of messages masquerading as legitimate messages from the Electronic Payments Association NACHA. The messages bear legitimate traits, as the display name and routing details seem to confirm. Further analysis of the message and attachments proves them to be malicious in intent. The examples below show what these messages look like, and an unsuspecting member or patron of the service might just fall for this.

The example below is a variant that we have been aware of, and have been tracking, for a while now. The use of a double extension on the file name, as well as the exact format of the message, including the Subject, attests to the reuse of the campaign. Example of a variant noticed earlier:

Digging a little deeper into the header information, we find this: although the message might seem to have come from NACHA, the routing details suggest otherwise, as they do not originate from the publicly known MX records for the organization. At the time of analysis, VirusTotal results still had not hit 50%, and a mixed bag of detection shows that not all the major AV engines have detected this either.

Websense Email Security and Websense Web Security protect against these kinds of blended threats with ACE, our Advanced Classification Engine.
