Can't Sleep? Let's Count a Typosquat Hive
Posted: 30 Jan 2013 07:27 AM

The Websense® ThreatSeeker® network has uncovered a typosquat hive hosting hundreds of hosts targeting well-known brands.  This hive constantly moves around to evade detection.  Numerous popular brands are being abused – can you spot the difference between these scam URLs and the real ones?

 

 

 

Upon further analysis we discovered a connection between those hosts:

 

  1. Most of them are hosted on the same IP address, 208.73.210.128.
  2. They lead to scam survey websites and spam websites.
  3. They attempt to circumvent detection and lie low by periodically shifting from serving threats to serving default parking pages without threats.

 

Let us take one of the example hosts to further illustrate how a victim can be taken from a typosquat in the hive to a scam site.  For example, typing in hxxp://youtibe.com/ redirects the user to a scam site hxxp://socialsurvey.chattycatty.com/. 
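As an added illustration (not part of the original post), the following Python triage script scores hostnames by edit distance from a brand list and groups the lookalikes by the IP they resolve to, which is how a hive like the one above, many squats on one address, stands out in passive DNS data. Apart from youtibe.com and 208.73.210.128, the observed hostnames and IPs are constructed sample data.

```python
"""Heuristic triage of candidate typosquat hostnames (added example, not Websense code).

Flags hostnames within a small edit distance of a protected brand and groups
the flagged hosts by the IP they resolve to, so a cluster of many lookalike
domains on one address (the "hive" pattern) stands out. The resolver results
below are a constructed sample; a real run would feed in passive-DNS or live
resolution data.
"""
from collections import defaultdict

# Constructed sample: hostnames and the A records they were observed with.
# The hive address 208.73.210.128 and youtibe.com come from the post; the
# other names and the 192.0.2.x (TEST-NET) addresses are invented.
OBSERVED = {
    "youtibe.com": "208.73.210.128",
    "faceboook.com": "208.73.210.128",
    "twtter.com": "208.73.210.128",
    "amazom.com": "208.73.210.128",
    "youtube.com": "192.0.2.10",   # the genuine brand, constructed address
    "example.org": "192.0.2.20",
}

BRANDS = ["youtube", "facebook", "twitter", "amazon", "paypal"]


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def registrable_label(host: str) -> str:
    """Second-level label, e.g. 'youtibe' for 'youtibe.com' or 'www.youtibe.com'.
    Simplification: assumes a single-label public suffix (no .co.uk handling)."""
    parts = host.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def closest_brand(host: str, brands=BRANDS, max_dist: int = 2):
    """Return (brand, distance) for the nearest brand within max_dist, or None.
    An exact match is the real brand, not a squat, and is excluded."""
    label = registrable_label(host)
    best = None
    for brand in brands:
        d = levenshtein(label, brand)
        if 0 < d <= max_dist and (best is None or d < best[1]):
            best = (brand, d)
    return best


def cluster_squats(observed: dict, brands=BRANDS, max_dist: int = 2) -> dict:
    """Map each IP to the list of (host, brand, distance) squats pointing at it."""
    hive = defaultdict(list)
    for host, ip in observed.items():
        hit = closest_brand(host, brands, max_dist)
        if hit:
            hive[ip].append((host, hit[0], hit[1]))
    return dict(hive)


if __name__ == "__main__":
    for ip, squats in cluster_squats(OBSERVED).items():
        print(f"{ip}: {len(squats)} lookalike host(s)")
        for host, brand, dist in squats:
            print(f"  {host:<16} ~ {brand} (distance {dist})")
```

Hosts that share an address with several other squats are the ones worth checking for the parking-page/scam flip the post describes.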

 

 

Multiple requests to the same host result in different landing pages including scam surveys, form filling, and spam sites. In one example (see the screenshots below) users are lured and redirected to a "Youtube" themed website to complete a survey which claims that upon completion, they will have the opportunity to receive one of the listed gifts:

 

 

 

After completing the "survey", the user is offered the option to sign up for a paid, automatically renewing monthly subscription service with an additional enticing gift at a low price. The user is then asked to enter their credit card details. The catch is in the "terms and conditions" section, where it's claimed that the gift is the responsibility of a third party and that no subscription refunds are allowed.

 

 

Fortunately Websense protects its users against such threats with Websense ACE (Advanced Classification Engine). If you have seen other typosquats, let us know in the comments.

 

Author: Samana Haider


Carl Leonard

'Jacked Frost' Facebook Scam Goes Wild and Doubles Over the Weekend
Posted: 10 Dec 2012 11:51 AM

Last week we wrote a blog about a Facebook scam that appeared to spread rather aggressively. We decided to nickname the scam "Jacked Frost." The Websense® ThreatSeeker® network detected that the scam has increased and multiplied over the weekend - particularly on Saturday, when we saw the number of unique URLs related to this scam double. This shows how cyber crooks time their attacks for periods when users are more laid back and the security community is less likely to alert users to this type of threat.

 

Here is the link to our blog that describes this in more detail. The scam spreads using click-jacking techniques and employs a large number of varied scam hosts by using the infrastructure of the legitimate service at freedns.afraid.org.

 

Websense customers are protected against this threat with Websense ACE (Advanced Classification Engine).

 

A graph showing the volume of unique scam URLs vs. active URLs (available URLs) over the past few days:

 

 

 

Screenshot of the scam's main page:

 

 

What the scam looks like in Facebook's news feed. The scam uses a variety of sexually suggestive images and enticing wording to lure users into clicking:

 

Christmas-Themed Facebook Scams: How Cybercrooks Kick it up a Notch and Piggyback on Big Brands
Posted: 07 Dec 2012 07:03 PM

From time to time the Websense® ThreatSeeker® Network detects high volume surges of badness rolling across Facebook. In the past 48 hours we've seen a rapid increase of a particular scam campaign that has aggressively spread through the world's largest social networking site. 

 

With the holiday shopping season here, it appears that cybercrooks are going full throttle to attract Christmas shoppers by piggybacking on the reputation of well-known brands such as Walmart, Asda, Visa, Best Buy, Apple and others. In the attack that we're about to describe, it appears that user accounts belonging to the free DNS service freedns.afraid.org were used as part of the cybercriminals' scam infrastructure. Read on for details.

 

The scam varies in appearance, is geolocation aware, and serves content based on the location of the victim. Potential victims are enticed with videos and free shopping vouchers. Here are some examples of how it might look in a Facebook news feed:

 

The scam in a Facebook news feed 

What happens when a scam post is clicked?

 

When a scam link is clicked in the news feed, the victim is redirected to a fake Facebook page that hosts a fake video that pretends to show the "Fail Blog Daily Video." A clickjacking technique is employed on the page so that when the victim clicks on the video's play button, it results in one of two outcomes:

 

1. A browser popup is launched and the victim is asked to "Like" a certain scam post. This is done to propagate the scam further because liking it causes it to appear on the victim's news feed.

 

2. The victim is redirected to a fake video page that uses the CPA advertising method to "unlock" what is supposedly a YouTube video.

  

 

This isn't the end, though. The page also has a timeout mechanism.  If the victim doesn't play the video they are greeted with a "Merry Christmas!" message and are redirected to a fake Facebook page offering some fake free vouchers.  In the following example, some fake Asda vouchers are offered:

 

Christmas-themed congratulation:

 

The scam is geolocation aware:

 

 

Here is a scam page offering some free vouchers from Asda.  This particular page is designed for UK-based visitors:

 

 

 

This scam page offers vouchers and rewards from Walmart, Best Buy and Visa.  This particular page is designed for US-based visitors:

 

 

 

This scam page offers vouchers and rewards from Walmart and American Express.  This particular page is designed for US-based visitors:

 

 

As mentioned, the scam comes in many variations and piggybacks on the reputation of many well-known brands. Let's have a look at the example from above that piggybacks on Asda. The fake voucher page for Asda takes the victim through the scam step by step. First, in order to get the free voucher the victim has to share the voucher in their Facebook profile. Second, the victim must publish the comment "Thanks Asda!" to support the scam. Lastly, the user must click the Like button, which is a scam link.  

 

After the victim completes the steps, their Facebook news feed includes the fake voucher scam and they are redirected to a legitimate website at new.activeyou.co.uk that gives out prizes and supports an affiliate program. The way this works is that any user coming to the site --  thanks to a certain affiliate -- and who participates, earns the affiliate some money; there is no free voucher after all. The affiliate here obviously engages in illegal methods to advertise and generate traffic to a website that earns them money.  The affiliate ID is seen in the next image, marked in red in the URL where it states affid.

 

No free vouchers after all:

 

 

The scam infrastructure and intelligence: accounts on Afraid.org as doorways

 

Websense's partnership with Facebook alerts us and invites us to assist Facebook in mitigating such scams using Websense ACE. We released this blog because we saw a spike in our data feeds and a rather large number of different URLs that are used for scam purposes that have a relation to each other. We think that Facebook is doing a good job of cleaning up and removing posts related to this scam.

 

We spotted more than 3,000 unique URLs used for this scam on Facebook.  The high variation is used by cyber criminals to ensure persistence and redundancy in case some URLs or domains get blacklisted.

 

The scam peak as seen by the ThreatSeeker Network. This plots the number of new hosts seen hosting the scam vs. the number of active hosts using this scam.

 

One of the most interesting findings is that most of the scam hosts used in the attack use the DNS servers of the free service at freedns.afraid.org. Essentially, we found that all the name-server records used by websites involved in the attack point to Afraid.org's DNS servers, specifically ns1.afraid.org (see illustration below).

 

freedns.afraid.org is a free service that offers domain owners free DNS services. For example, a domain owner can use the DNS servers of freedns.afraid.org and have them point to their website's IP address. freedns.afraid.org also allows users to manage those free DNS services via an account. It allows account holders to add various subdomains to their main domain and optionally point those new websites to different IP addresses. For example, if John Doe owns johndoe.com on IP address x.x.x.x, he can go to freedns.afraid.org, create an account, and use their DNS servers to point to their website IP address at x.x.x.x. On top of that, John can easily add DNS records to subdomains of his main website (johndoe.com) via his account at freedns.afraid.org. At his option, John can have those subdomains (that essentially represent different web sites) point to different IP addresses. So, for example, John can use his DNS account with freedns.afraid.org to have johnsfriend.johndoe.com point to y.y.y.y.

 

Scam host example and its DNS record:  91037997396662norryyoutubecomplay10pegahihypupegahihypu.opbco.web74.net

 

 

In this attack, accounts/hosts on freedns.afraid.org have been used to serve scam URLs by pointing subdomains of legitimate hosts to the attackers' infrastructure. If we examine some of the scam hosts involved in the attack, we can see that they point to a different IP address than the one used at the host level. Websites at the host level vary in purpose and appear to be legitimate. We verified that this pattern is consistent across all of the approximately 3000 instances that we found involved in the attack. In the next example, the scam URL resolves to an IP address that the cybercriminals are using to host the scam (213.152.170.193), while the host itself resolves to a different IP address that hosts a legitimate website (65.96.116.101), in this case a personal cooking blog:
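To turn the pattern just described into a check, here is an added Python example (not Websense's tooling) that compares a subdomain's A record with its parent host's, walks up the name to find the zone's NS records, and flags zones served by a free DNS provider or pointing at a known-bad address. The records are a constructed stub built around the hosts and IPs named in this post; the subdomain label and the example.com data are invented, and a live resolver can be substituted for the stub.

```python
"""Detection heuristic for the "doorway subdomain" pattern (added example, not
Websense code): a subdomain whose A record diverges from its parent host,
in a zone served by a free DNS provider, possibly on an IP already seen
hosting scams. The resolver is a dict-backed stub so the script runs offline.
"""
from typing import Callable, Dict, List, Tuple

# Constructed record set. urbancooking.net, 65.96.116.101, 213.152.170.193 and
# ns1.afraid.org come from the post; the subdomain label and example.com
# records (192.0.2.1 is a TEST-NET address) are invented.
RECORDS: Dict[Tuple[str, str], List[str]] = {
    ("urbancooking.net", "A"):  ["65.96.116.101"],
    ("urbancooking.net", "NS"): ["ns1.afraid.org.", "ns2.afraid.org."],
    ("xyz123-youtube-play.urbancooking.net", "A"): ["213.152.170.193"],
    ("example.com", "A"):  ["192.0.2.1"],
    ("example.com", "NS"): ["a.iana-servers.net.", "b.iana-servers.net."],
    ("www.example.com", "A"): ["192.0.2.1"],
}

Resolver = Callable[[str, str], List[str]]


def stub_resolver(name: str, rrtype: str) -> List[str]:
    """Offline stand-in for DNS resolution; returns [] for NXDOMAIN/NODATA."""
    return RECORDS.get((name.lower().rstrip("."), rrtype), [])


FREE_DNS_PROVIDERS = ("afraid.org",)   # extend from your own intelligence
KNOWN_BAD_IPS = {"213.152.170.193"}     # from the post; feed from blocklists in practice


def parent_of(host: str) -> str:
    """Strip the leftmost label: 'a.b.example.net' -> 'b.example.net'; '' at the top."""
    parts = host.split(".", 1)
    return parts[1] if len(parts) == 2 else ""


def find_zone_ns(host: str, resolve: Resolver) -> Tuple[str, List[str]]:
    """Walk up the name until some ancestor has NS records (the zone apex)."""
    name = host
    while "." in name:
        ns = resolve(name, "NS")
        if ns:
            return name, ns
        name = parent_of(name)
    return host, []


def assess(host: str, resolve: Resolver = stub_resolver) -> dict:
    """Score one hostname and return the evidence so an analyst can review it."""
    host = host.lower().rstrip(".")
    sub_ips = set(resolve(host, "A"))
    parent = parent_of(host)
    parent_ips = set(resolve(parent, "A")) if parent else set()
    zone, ns = find_zone_ns(host, resolve)

    # Subdomain resolves somewhere its parent host does not.
    diverges = bool(sub_ips) and bool(parent_ips) and sub_ips.isdisjoint(parent_ips)
    # Zone is delegated to a free DNS provider (afraid.org in the post).
    free_dns = any(n.rstrip(".").endswith(p) for n in ns for p in FREE_DNS_PROVIDERS)
    bad_ip = bool(sub_ips & KNOWN_BAD_IPS)

    score = int(diverges) + int(free_dns) + 2 * int(bad_ip)   # crude; tune to telemetry
    return {
        "host": host, "parent": parent, "zone": zone, "ns": ns,
        "sub_ips": sorted(sub_ips), "parent_ips": sorted(parent_ips),
        "diverges_from_parent": diverges, "free_dns_provider": free_dns,
        "known_bad_ip": bad_ip, "score": score, "suspicious": score >= 2,
    }


if __name__ == "__main__":
    for h in ("xyz123-youtube-play.urbancooking.net", "www.example.com"):
        r = assess(h)
        print(f"{r['host']}: score={r['score']} suspicious={r['suspicious']} "
              f"sub={r['sub_ips']} parent={r['parent_ips']} zone={r['zone']}")
```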

 

 

 

urbancooking.net appears to be a personal blog about cooking:

 

Exploring other websites hosted on the offending 213.152.170.193 reveals more scam websites:

 

 

Here are some of the offending IP addresses found to be part of the scam infrastructure hosting the scam websites:

 

We believe that this attack is now under control and is being successfully mitigated by Facebook. We're seeing a gradual decline in incidents, but it's safe to say that while it's declining it's still going strong. We're going to keep an eye on events related to this attack and keep you in the loop.

 

We would also like to take this opportunity to wish you a merry and cybersafe holiday season.

 


Elad Sharf

Personalized Letters From "Scamta" Claus
Posted: 30 Nov 2012 05:21 PM


With Christmas fast approaching, the Websense® ThreatSeeker® Network, replete with festive sleigh bells and twinkling lights, has detected a marked increase in spam emails seeking to exploit fans of the big man himself: Santa Claus. While Santa, along with his ever-loyal team of elves, his reindeer, and, of course, Mrs. Claus, are no doubt working their way through the mountain of letters and wish lists from the world’s good little boys and girls, some bad little boys and girls are looking to capitalize on his backlog of correspondence. They claim to offer alternative services to ensure that your "little ones" receive personalized responses from Santa.

As is often the case in today’s unsolicited email world, the links within these emails don’t take you to a reputable and Santa-approved communication facilitator. Rather than being prompted for personal details about your little ones (which in itself poses an interesting discussion of Internet safety and the sharing of personal details with random websites) you’ll probably find that you’re either a winner, or a potential winner, of some new fruit-branded hardware. All you have to do is complete a survey or an affiliate offer.

These methods were discussed in our Black Friday / Cyber Monday Survival Guide, and merely serve to line the scammer's pockets with affiliate referral cash. They also let the scammer harvest your personal data for further use.  While our customers are protected from this and other threats by Websense ACE (Advanced Classification Engine), it would be wise to share details of this campaign with friends and family members that might be more likely to be taken with the idea--especially when Rudolph's(?) "winning prize" carrot is dangled.

 

Messages of this nature that we are currently detecting and blocking appear to be somewhat consistent. Their techniques include:

  • Hiding blocks of text or keywords in the HTML source in an attempt to appear legitimate to automated processes. In this example, the font color is set to white (#ffffff) in order to make it invisible to the person reading the email:


    In this case, the text is taken from the Wikipedia article on Larry Hagman
  • Some of the messages we’ve seen recently deliver the main message as an image loaded from a website. This serves two purposes: first, to make it difficult for automated processes to read the message, and second, the image request confirms that your email address is active, potentially leading to more spam:


    These men can’t both be Santa Claus!
     
  • Enticing subject lines to catch your attention and elicit a response:
    • Personal Letter From Santa For Your Child
    • (A) Letter From Santa For Your Child
    • Santa Claus Letters
    • A personal letter from Santa for your little ones
    • Custom Santa Letters 
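An added Python example (not from the original post) that checks an email's HTML for the first two techniques in the list above: white-on-white text, measured against the text the reader actually sees, and remotely loaded images that double as read receipts. The HTML sample is constructed and the thresholds are illustrative.

```python
"""Two checks for the spam techniques above (added example, not Websense code):
1) text styled in white (#ffffff / white / rgb(255,255,255)) and therefore
   invisible to the reader, counted against the visible text;
2) remotely loaded images, which confirm the address is live when fetched.
Standard library only; run on a constructed sample.
"""
import re
from html.parser import HTMLParser

# Matches a foreground colour of white in an inline style (not background-color).
WHITE_RE = re.compile(
    r"(?<!background-)color\s*:\s*(#fff(?:fff)?\b|white\b|rgb\(\s*255\s*,\s*255\s*,\s*255\s*\))",
    re.IGNORECASE)
WHITE_VALUES = {"#ffffff", "#fff", "white"}
VOID_TAGS = {"img", "br", "hr", "meta", "link", "input"}   # never get an end tag


class SpamHtmlInspector(HTMLParser):
    """Collects visible text, white-on-white text and remote image sources."""

    def __init__(self):
        super().__init__()
        self.hidden_stack = []      # one bool per open element: is its text hidden?
        self.visible, self.hidden, self.remote_images = [], [], []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        white = bool(WHITE_RE.search(a.get("style", "")))
        if tag == "font" and a.get("color", "").lower() in WHITE_VALUES:
            white = True
        if tag == "img" and a.get("src", "").lower().startswith(("http://", "https://")):
            self.remote_images.append(a["src"])
        if tag not in VOID_TAGS:
            inherited = bool(self.hidden_stack and self.hidden_stack[-1])
            self.hidden_stack.append(white or inherited)   # children inherit hiding

    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self.hidden_stack:
            self.hidden_stack.pop()

    def handle_data(self, data):
        text = data.strip()
        if text:
            hidden = bool(self.hidden_stack and self.hidden_stack[-1])
            (self.hidden if hidden else self.visible).append(text)


def inspect(html: str) -> dict:
    """Return hidden/visible character counts, remote images and a verdict."""
    p = SpamHtmlInspector()
    p.feed(html)
    p.close()
    hidden_chars = sum(len(t) for t in p.hidden)
    visible_chars = sum(len(t) for t in p.visible)
    total = hidden_chars + visible_chars
    ratio = hidden_chars / total if total else 0.0
    return {
        "hidden_chars": hidden_chars,
        "visible_chars": visible_chars,
        "hidden_ratio": round(ratio, 3),
        "remote_images": p.remote_images,
        # Illustrative thresholds: mostly-hidden text, or an image-only message.
        "suspicious": bool(ratio > 0.5 or (p.remote_images and visible_chars < 40)),
    }


# Constructed sample modelled on the post: a short visible lure, the "message"
# as a remote image, and white filler text to pad the word statistics.
SAMPLE = """
<html><body>
<p>Personal Letter From Santa For Your Child - <a href="http://example.invalid/go">Click Here</a></p>
<img src="http://example.invalid/letter.gif" alt="">
<p style="color:#ffffff; font-size:1px">Filler paragraph copied from an encyclopedia
article so that the ratio of ordinary words to sales words looks like a normal
newsletter to a filter that only reads the text and never renders it.</p>
<font color="white">more filler text the reader never sees</font>
</body></html>
"""

if __name__ == "__main__":
    print(inspect(SAMPLE))
```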

Clicking the "Click Here" links within many of these messages directs you to an official-looking web-browser opinion survey, tailored to the browser from which you are viewing the page:



Simple browser detection and IP geolocation techniques are used to appear convincing


Unfortunately, other than the opinion survey, the only personalized item you’re likely to receive from this point on is more spam, scams or empty offers. No amount of form-filling, survey submissions, or offer completions are likely to result in the desired letter from Santa Claus. Therefore, if you are looking to assist Santa with his letter-sending duties, please stick to reputable organizations. Many charities, for example, provide this service legitimately, and your money is much better off in their pocket than in a scammer's!

 

 

 


Jason Hill

Black Friday/Cyber Monday Survival Guide
Posted: 23 Nov 2012 09:00 AM


Many of our colleagues, customers and readers will by now have enjoyed their fill of turkey and pumpkin pie for Thanksgiving and are preparing for a second day of festivities with the arrival of Black Friday.  For North American retailers and consumers this traditionally marks the start of the holiday shopping season, and although it is not a national holiday for many, more and more retailers across the globe are launching Black Friday promotions in order to entice consumers and increase sales.  Additionally, given that Black Friday is typically a physical 'bricks-and-mortar' retail affair, online retailers seek to continue the shopping frenzy with additional offers, promotions and sales on Cyber Monday, a marketing term coined in 2005 by Shop.org.


Of course, retailers and consumers are not alone in their preparations for the shopping period and here at Websense® Security Labs™, the Websense ThreatSeeker® Network continues to detect and protect customers from numerous malicious campaigns that look to exploit bargain hunters and shoppers throughout this period.

 

Malicious campaigns detected and blocked thus far predominantly play upon Black Friday themes to spam-promote scam websites offering loans, fake degrees and the like. We also see scams that entice victims to complete surveys in order to harvest personal information.

 

In addition to wearing appropriate clothing and footwear as well as remembering to drink sufficient amounts of water, Security Labs presents our Black Friday/Cyber Monday Survival Guide:

#1 "If it looks too good to be true..."
Large retailers may offer knock-down prices and fantastic first-come-first-served deals; however, think twice before clicking on that email link or completing that purchase on that 'new' website you've just found.


Fake websites are created by scammers to entice buyers using terminology such as 'wholesale prices' or 'liquidated stock'. Combine this with a Black Friday or Cyber Monday deal and you could be convinced that you've just secured the latest gadget at a fraction of the retail price. In reality, you're handing over your payment details to a scammer who will at best only charge you for the fictitious goods.

Apple products for less than half the retail price... Really?

 

These scams are unfortunately not limited to dedicated scam websites, and individual fictitious products infiltrate well-known online retailers and auction sites. Successfully purchasing bargains through third-party sellers via a retailer's 'marketplace' or an online auction is common practice; however, apply rule #1 and consider rule #2.

Remember: "If it looks too good to be true... it probably is"


#2 "It takes many good deeds to build a good reputation..."
Many interactions in our everyday lives rely on reputation and our online interactions should be no different. Just because an email claims to be from a particular retailer or organization it doesn't mean that it is. Many online retailers have spent a great deal of time and effort building their reputation and are unlikely to dilute their brand by sending emails from free webmail accounts or creating websites on obscure URLs.

If you have suspicions regarding an email or link don't follow it. Go directly to the organization's website before logging-in or making a purchase and don't be afraid to contact an organization to verify the validity of something you've received. 

Suspicious URLs can also be checked using our ACEInsight Site Analysis tool, a free service powered by the Websense TRITON™ architecture that will perform a real-time security and content classification check.

 

If you're submitting any personal information online, note that many retailers use additional security features such as HTTPS and Extended Validation (EV) certificates, evident from a padlock icon and the organization's name appearing in green in the address bar. These indicate that additional verification steps have been taken and confirm the authenticity of the website you're visiting. If you're making an online purchase or submitting personal or financial information, these measures also help to secure your data in transit and protect it from prying eyes (man-in-the-middle attacks).


Reputation confirmed by an Extended Validation Certificate



If you're considering a purchase from a marketplace seller or online auction remember to review ratings or feedback and confirm that they are reputable. Additionally, avoid using payment methods outside of the marketplace or auction site as these are common scam traits - not only are you likely to fall outside of any payment protection schemes, many scammers will encourage you to use money transfer methods that are difficult to track and recover.

Remember: "It takes many good deeds to build a good reputation, and only one bad one to lose it." - Benjamin Franklin


#3 "Loose lips..."
It's possible that not even your closest friend knows your date of birth (for those of us above a certain age), your mother's maiden name or indeed the name of your first goldfish let alone your PIN, card verification code and credit-card number! Given this, think carefully before surrendering this information and be suspicious of any email, website or social network post that requests personal and/or financial information... you may find that your details are being used to fund someone else's shopping-spree!

 

Phishing campaigns, as shown in our recent Insights Blog, are most popular on Mondays and Fridays, which just so happens to tie in with this weekend's busy shopping period. Financial organizations and retailers are highly unlikely to ask you to 'Verify your account' or 'Unlock your account' and then have you submit all of your personal details again. If in doubt, visit the organization's website directly or contact them via alternate means to confirm their request.

 

If you're submitting any personal information online, confirm the reputation (rule #2) of the organization. Will they be protecting your data and using it for its intended purpose? Or is this a ruse to gather personal information for further spam/scam campaigns or even identity theft?

Remember: "Loose lips sink ships!"


#4 "There's no such thing as a free lunch..."

As is often the case when invited to lunch with family members, we may pay a small price for lunch by fixing that printer problem or removing malware from the abused family PC... a small price compared to the time and effort required to put the meal in front of you. In the case of scammers, the free lunch, or more to the point the 'free gift card' or 'free hugely popular consumer electronic device', is offered in return for simply filling in an online survey or completing a qualifying purchase in order to secure that vastly more expensive item.

 

Commonly these scams utilize emails and social network posts claiming to be from popular brands informing you that 'You have received a gift card from us' or 'Giveaway'. The links of course, if not leading you to malicious websites that could potentially compromise your machine, lead you through a series of sites to harvest your personal information and/or entice you into purchasing memberships, ebooks and other items all in order to secure that great freebie.  Once harvested, your data at best could be passed to marketing organizations to further target you, or at worst for identity fraud.

 

Free iPad?

 

Free giftcard?

 

Ask yourself the question, would the brand really give away high-value gift-cards and goods in return for a completed survey? Whilst prize draws and money-off coupons are common rewards, consider our other survival guide tips before answering the question.

Remember: "There's no such thing as a free lunch... somebody has to pay"


#5 "Attachment is the great fabricator of illusions..."

Here in Security Labs, we've seen, blogged about, and protected customers from countless malicious email campaigns which misuse popular brand identities to entice trusting consumers to open malicious attachments which then lead to the compromise of their machines. Whilst no specific examples of Black Friday / Cyber Monday malicious emails are being detected at the time of writing, this attack vector could easily be exploited to take advantage of those of us waiting for an all-important email laden with shopping bargains.

 

However enticing, interesting or compelling an email attachment looks - don't open it unless you are sure of its source.

Attached order confirmations or coupons may appear to be legitimate, particularly when you're placing a number of orders online. Confirm that these are related to transactions that you've made and consider the behavior. Is it normal for this particular retailer to send you the order confirmation as an attachment rather than within the actual email?

Remember: "Attachment is the great fabricator of illusions; reality can be attained only by someone who is detached." - Simone Weil

 

#6: "The hair is real..."

Those of you camping outside stores awaiting the bargain stampede are sure to be using mobile devices to stay up-to-date with the latest offers and news... but how do you keep on top of numerous retailers and offers? A quick search on any mobile application store or marketplace is sure to reveal any one of a number of apps that will take care of this task for you, aggregating numerous news feeds, offers and store deals into one handy app. The question is, can you trust it? As seen with the launch of many high-profile mobile games and applications, attackers exploit mobile users by publishing fake applications which may give you a little more than you've bargained for... perhaps premium-rate SMS, or just harvesting personal data from your smartphone.

 

Before installing any application, be sure to check the permissions that it's requesting. Does a simple offer app really need the ability to modify or delete items on your smartphone's storage card? How about it integrating with your phone book? If in doubt, don't install it. And, of course, check the reviews to confirm that the app's reputation is trustworthy.

Remember: "The hair is real; it's the head that's fake." - Steve Allen

 

#7: "I alone cannot change the world..."

In the sense of community and coming together, please do leave a comment and share anything suspicious you encounter this weekend. Whilst we've prepared this survival guide, albeit in a light-hearted fashion, for Black Friday and Cyber Monday, these threats and our guidelines are relevant throughout the year. Enjoy your shopping and stay safe. And by all means drop us a line if you find any real 'highly desirable consumer electronic gadgets' at knock-down prices!

Remember: "I alone cannot change the world, but I can cast a stone across the waters to create many ripples." - Mother Teresa

 

New spam delivers fake booking.com hotel reservations
Posted: 23 Jul 2012 08:26 PM

It is now tourist season, when lots of people are using online services to book hotels or flights. The Websense® ThreatSeeker® Network has detected spammers who are using fake booking.com email addresses to send hotel reservation confirmations with malware to unsuspecting users.

 

Here's what the spam email looks like:

 

 

 

The sample email consists of a fake confirmation letter from "booking.com," which includes random arrival and departure dates and some other information. Attached to it is a .zip file:

 

 

Decompressing the .zip file exposes a malicious executable file, Hotel-Electronic-Reservation.exe. If users click on the file to run it, malware is installed. The Websense ThreatScope Analysis Report shows the specific behavior of this malware:

 

When running, the malware tries to connect to the internet to download other malware files.

 

It also drops files into special folders and runs them automatically:

Websense customers are protected proactively against this compromise by ACE, our Advanced Classification Engine. Our real-time analytics also proactively identify several variants of this threat, and with the ThreatSeeker Network, we receive feedback in our email solutions that blocks messages containing these URLs and malicious files. 


Hermes Li

Beware of scams related to Facebook Timeline!
Posted: 05 Jan 2012 08:26 PM

First it was the Cheesecake Factory; now, it’s Timeline. Facebook, like many other social networking companies, is experiencing some user dissatisfaction, and scammers are taking advantage of anti-Timeline sentiment. According to Insidefacebook, scammers are creating pages that assure the public that by “liking” the page, watching the linked video, downloading a certain browser application, or inviting their friends to the page, they will be allowed to opt out of Timeline.

 

These pages all ask readers to "Like" the account, and some even ask them to subscribe. Some pages ask readers to install a browser application; Google Chrome and Firefox are common targets of such scams. Though some Facebook pages may look harmless, remember that being cautious is the best way to prevent potential data loss.

 

Timeline was introduced by Mark Zuckerberg during the F8 developer conference. There, he announced that the beta version of the interface would be available to Facebook users on September 22nd. 

 

So, what is Timeline? Facebook engineers implemented an algorithm that gathers all of your Facebook activity and organizes it based on what it deems important: your birth, high school graduation, first job, wedding, special events, and so on. The Timeline profile page is divided into two columns that contain recent photos, games, posts, and other activity. Since the algorithm decides what is relevant and what is not, there is a chance an event or a post you think is relevant might not show up in Timeline.  But fear not, the new page layout will allow editing so that users can manually change what information is shared or deemed important. 

 

Facebook employee Paul McDonald explains that Timeline allows users to add details of their lives before Facebook was created, providing an easy way to rediscover things once shared in real life. You have seven days to review and modify the timeline before it goes live and anyone else can see it. 

 

As long as Facebook remains the top social networking site, scammers will use new and innovative methods to try to steal and exploit user information, but rest assured that ACE  (Advanced Classification Engine) protects our customers from such scams.

 


Devi

©2013 Websense, Inc. All Rights Reserved.