
2013 Threat Report: More Than Scary Stats and Chilling Charts
Posted: 13 Feb 2013 08:30 AM

The 2013 Threat Report from the Websense® Security Labs™ is now available.

 

The report details mobile, social, email and web-based threats, and while it is full of ominous data points, it is a very interesting read. The report is designed to help security professionals keep current with threat trends and improve the effectiveness of existing security solutions. It can also be used to identify and prioritize security gaps that may require new approaches and more innovative strategies.

 

Creating the report began with the Websense ThreatSeeker® Network, composed of big data clusters used by the WSL to collect and manage up to 5 billion inputs each day from 900 million global endpoints. Malware samples, mobile applications, email content, web links and other information were then passed through deep analysis processes including Websense ACE (Advanced Classification Engine), which applied over 10,000 different analytics.

 

Here is a sampling of key findings from this year's report:

 

  1. Web Security. The web became significantly more malicious in 2012, both as an attack vector and as the primary support element of attacks originating through social media, mobile devices, and email. Researchers measured an alarming 600 percent increase in the use of malicious web links through all vectors.
  2. The Social Web. Malicious content was hidden within social media behind shortened web links 32 percent of the time. Social media attacks took advantage of the confusion of new features, changing services and unsophisticated users.
  3. Mobile Security. A study of last year's malicious apps revealed how they often abuse permissions; especially in the use of SMS communications, something very few legitimate apps do. Risks also increased as mobile devices were used for social media and web surfing more often than actually making a phone call.
  4. Email Security. Only 1 in 5 emails sent were legitimate, as spam increased to 76 percent of email traffic, and 92% of spam included links to potentially malicious content. Phishing threats delivered via email also grew.
  5. Malware Behavior. Forensic analysis identified that registry modification behavior in malware has declined to 7.7%. Once a key indicator of malicious behavior, it has given way to malware that is increasingly Internet-connected. Half of all malware that used the Internet for communications downloaded additional malicious executables to extend its attack capabilities within the first 60 seconds.
  6. Data Theft. Key changes in data theft targets and methods took place last year. Reports of intellectual property (IP) theft increased, and theft of credit card numbers and other Personally Identifiable Information (PII) continued to grow. Hacking, malware and other cyber-threats continued to be common methods of attack. However, some of the largest thefts involved physical penetration of security as well, often by willful employees.

 

Because today's attacks occur in multiple stages through numerous vectors, the report includes an appendix on The Seven Stages of Advanced Threats. This methodology for analyzing and classifying cyber-attacks provides a useful framework for organizations to assess their current defenses against their security profile, identify weaknesses and develop a more comprehensive strategy for withstanding next-generation attacks. A summary of the Websense 2013 Security Predictions report is also included for planning purposes.

 

 

Click for a video introduction or download a copy of the 2013 Threat Report.

Black Friday/Cyber Monday Survival Guide
Posted: 23 Nov 2012 09:00 AM


Many of our colleagues, customers and readers will by now have enjoyed their fill of turkey and pumpkin pie for Thanksgiving and are preparing for a second day of festivities with the arrival of Black Friday.  For North American retailers and consumers this traditionally marks the start of the holiday shopping season, and although it is not a national holiday for many, more and more retailers across the globe are launching Black Friday promotions in order to entice consumers and increase sales.  Additionally, given that Black Friday is typically a physical 'bricks-and-mortar' retail affair, online retailers seek to continue the shopping frenzy with additional offers, promotions and sales on Cyber Monday, a marketing term coined in 2005 by Shop.org.


Of course, retailers and consumers are not alone in their preparations for the shopping period and here at Websense® Security Labs™, the Websense ThreatSeeker® Network continues to detect and protect customers from numerous malicious campaigns that look to exploit bargain hunters and shoppers throughout this period.

 

Malicious campaigns detected and blocked thus far predominantly play upon Black Friday themes to spam-promote scam websites offering loans, fake degrees and the like. We also see scams that entice victims to complete surveys in order to harvest their personal information.

 

In addition to wearing appropriate clothing and footwear as well as remembering to drink sufficient amounts of water, Security Labs presents our Black Friday/Cyber Monday Survival Guide:

#1 "If it looks too good to be true..."
Large retailers may offer knock-down prices and fantastic first-come-first-served deals; however, think twice before clicking on that email link or completing that purchase on that 'new' website you've just found.


Fake websites are created by scammers to entice buyers using terminology such as 'wholesale prices' or 'liquidated stock'. Combine this with a Black Friday or Cyber Monday deal and you could be convinced that you've just secured the latest gadget at a fraction of the retail price. In reality, you're handing over your payment details to a scammer who will at best only charge you for the fictitious goods.

Apple products for less than half the retail price... Really?

 

These scams are unfortunately not limited to dedicated scam websites: individual fictitious products also infiltrate well-known online retailers and auction sites. Successfully purchasing bargains through third-party sellers via a retailer's 'marketplace' or an online auction is common practice; however, apply rule #1 and consider rule #2.

Remember: "If it looks too good to be true... it probably is"


#2 "It takes many good deeds to build a good reputation..."
Many interactions in our everyday lives rely on reputation and our online interactions should be no different. Just because an email claims to be from a particular retailer or organization it doesn't mean that it is. Many online retailers have spent a great deal of time and effort building their reputation and are unlikely to dilute their brand by sending emails from free webmail accounts or creating websites on obscure URLs.

If you have suspicions regarding an email or link, don't follow it. Go directly to the organization's website before logging in or making a purchase, and don't be afraid to contact an organization to verify the validity of something you've received.

Suspicious URLs can also be checked using our ACEInsight Site Analysis tool, a free service powered by the Websense TRITON™ architecture that will perform a real-time security and content classification check.

 

If you're submitting any personal information online, note that many retailers use additional security features such as HTTPS and Extended Validation (EV) certificates; these are evident by a padlock icon and the organization's name appearing in green in the address bar. They indicate that additional verification steps have been taken and confirm the authenticity of the website you're visiting. If you're making an online purchase or submitting personal or financial information, these measures also help to secure your data in transit and protect it from prying eyes (man-in-the-middle attacks).


Reputation confirmed by an Extended Validation Certificate



If you're considering a purchase from a marketplace seller or online auction remember to review ratings or feedback and confirm that they are reputable. Additionally, avoid using payment methods outside of the marketplace or auction site as these are common scam traits - not only are you likely to fall outside of any payment protection schemes, many scammers will encourage you to use money transfer methods that are difficult to track and recover.

Remember: "It takes many good deeds to build a good reputation, and only one bad one to lose it." - Benjamin Franklin


#3 "Loose lips..."
It's possible that not even your closest friend knows your date of birth (for those of us above a certain age), your mother's maiden name or indeed the name of your first goldfish let alone your PIN, card verification code and credit-card number! Given this, think carefully before surrendering this information and be suspicious of any email, website or social network post that requests personal and/or financial information... you may find that your details are being used to fund someone else's shopping-spree!

 

Phishing campaigns, as shown in our recent Insights Blog, are most popular on Mondays and Fridays, which just so happens to tie in with this weekend's busy shopping period. Financial organizations and retailers are highly unlikely to ask you to 'Verify your account' or 'Unlock your account' and then have you submit all of your personal details again. If in doubt, visit the organization's website directly or contact them via alternate means to confirm their request.

 

If you're submitting any personal information online, confirm the reputation (rule #2) of the organization. Will they be protecting your data and using it for its intended purpose? Or is this a ruse to gather personal information for further spam/scam campaigns or even identity theft?

Remember: "Loose lips sink ships!"


#4 "There's no such thing as a free lunch..."

As is often the case when invited to lunch with family members, we may pay a small price for lunch by fixing that printer problem or removing malware from the abused family PC... a small price compared to the time and effort required to put the meal in front of you. In the case of scammers, the free lunch, or more to the point the 'free gift card' or 'free hugely popular consumer electronic device', is offered in return for simply filling in an online survey or completing a qualifying purchase in order to secure that vastly more expensive item.

 

Commonly these scams utilize emails and social network posts claiming to be from popular brands informing you that 'You have received a gift card from us' or 'Giveaway'. The links of course, if not leading you to malicious websites that could potentially compromise your machine, lead you through a series of sites to harvest your personal information and/or entice you into purchasing memberships, ebooks and other items all in order to secure that great freebie.  Once harvested, your data at best could be passed to marketing organizations to further target you, or at worst for identity fraud.

 

Free iPad?

 

Free giftcard?

 

Ask yourself the question, would the brand really give away high-value gift-cards and goods in return for a completed survey? Whilst prize draws and money-off coupons are common rewards, consider our other survival guide tips before answering the question.

Remember: "There's no such thing as a free lunch... somebody has to pay"


#5 "Attachment is the great fabricator of illusions..."

Here in Security Labs, we've seen, blogged about, and protected customers from countless malicious email campaigns which misuse popular brand identities to entice trusting consumers to open malicious attachments which then lead to the compromise of their machines. Whilst no specific examples of Black Friday / Cyber Monday malicious emails are being detected at the time of writing, this attack vector could easily be exploited to take advantage of those of us waiting for an all-important email laden with shopping bargains.

 

However enticing, interesting or compelling an email attachment looks - don't open it unless you are sure of its source.

Attached order confirmations or coupons may appear to be legitimate, particularly when you're placing a number of orders online. Confirm that these are related to transactions that you've made and consider the behavior. Is it normal for this particular retailer to send you the order confirmation as an attachment rather than within the actual email?

Remember: "Attachment is the great fabricator of illusions; reality can be attained only by someone who is detached." - Simone Weil

 

#6: "The hair is real..."

Those of you camping outside stores awaiting the bargain stampede are sure to be using mobile devices to stay up-to-date with the latest offers and news... but how do you keep on top of numerous retailers and offers? A quick search on any mobile application store or marketplace is sure to reveal any one of a number of apps that will take care of this task for you, aggregating numerous news feeds, offers and store deals into one handy app. The question is, can you trust it? As seen with the launch of many high-profile mobile games and applications, attackers exploit mobile users by publishing fake applications which may give you a little more than you've bargained for... perhaps premium-rate SMS, or just harvesting personal data from your smartphone.

 

Before installing any application, be sure to check the permissions that it's requesting. Does a simple offer app really need the ability to modify or delete items on your smartphone's storage card? How about integrating with your phone book? If in doubt, don't install it. And, of course, check the reviews to confirm that the app's reputation is trustworthy.

Remember: "The hair is real; it's the head that's fake." - Steve Allen
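The permission check recommended above, and the SMS-permission abuse noted in the 2013 Threat Report finding on mobile security, can be applied mechanically to an app's AndroidManifest.xml before it is installed. The following is an added example, not code from the blog or from Websense; the permission names are real Android permissions, but the risk notes, the "sms" versus "data" tiering and the sample manifest are this example's own constructed assumptions.

```python
"""Review the permissions an Android app declares in its manifest and say
whether they are proportionate for a simple deals/offers app.
Added example; risk table and sample manifest are constructed."""
import xml.etree.ElementTree as ET

# Android attributes (android:name) live in this XML namespace.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Real permission names; tier and risk note are this example's own assessment.
RISKY = {
    "android.permission.SEND_SMS": ("sms", "can send premium-rate SMS billed to you"),
    "android.permission.RECEIVE_SMS": ("sms", "can intercept incoming SMS"),
    "android.permission.READ_SMS": ("sms", "can read stored SMS"),
    "android.permission.READ_CONTACTS": ("data", "can harvest your phone book"),
    "android.permission.WRITE_EXTERNAL_STORAGE": ("data", "can modify or delete files on the storage card"),
    "android.permission.READ_PHONE_STATE": ("data", "can read device identifiers"),
}


def requested_permissions(manifest_xml):
    """Return every android:name from the manifest's <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    return [el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")]


def review(manifest_xml):
    """Flag risky permissions and give a verdict; SMS access is the strongest signal."""
    perms = requested_permissions(manifest_xml)
    flagged = {p: RISKY[p][1] for p in perms if p in RISKY}
    sms = [p for p in flagged if RISKY[p][0] == "sms"]
    if sms:
        verdict = "do not install: SMS permissions, which very few legitimate apps need"
    elif flagged:
        verdict = "question before installing: data-access permissions beyond an offer app's needs"
    else:
        verdict = "permissions look proportionate"
    return {"requested": perms, "flagged": flagged, "verdict": verdict}


# Constructed manifest of a hypothetical "deals" app that also wants SMS and contacts.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.dealsaggregator">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <application android:label="Black Friday Deals"/>
</manifest>"""

if __name__ == "__main__":
    result = review(SAMPLE_MANIFEST)
    for perm, why in result["flagged"].items():
        print(f"{perm}: {why}")
    print(result["verdict"])
```

The same review works on a manifest pulled from any APK (for example with aapt or apktool); the point is that a feed aggregator asking for SEND_SMS or READ_CONTACTS is exactly the mismatch the guide tells you to look for.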

 

#7: "I alone cannot change the world..."

In the sense of community and coming together, please do leave a comment and share anything suspicious you encounter this weekend. Whilst we've prepared this survival guide, albeit in a light-hearted fashion, for Black Friday and Cyber Monday, these threats and our guidelines are relevant throughout the year. Enjoy your shopping and stay safe. And by all means drop us a line if you find any real 'highly desirable consumer electronic gadgets' at knock-down prices!

Remember: "I alone cannot change the world, but I can cast a stone across the waters to create many ripples." - Mother Teresa

 

Unsolicited Secret Admirers Via Email
Posted: 02 Oct 2012 12:47 AM

 

The Websense® ThreatSeeker® Network has detected an unsolicited email campaign in which love-struck or curious recipients may have their appetites whetted by the thought of a secret admirer. Although Websense customers are protected from this and other threats by ACE™, our Advanced Classification Engine, this post provides an insight into the campaign, which appears to be on the increase today.

 

The messages, sent from various Yahoo.com accounts, suggest that the sender has "to let you know how [they] feel" and provide an enticing Facebook link to "View Your Ecard".

 

 

 

As displayed above, a valid short Facebook URL is used which, in this case, redirects to hxxp://www.facebook.com/pages/32942390324/536822983001617?sk=app_190322544333196. This particular page, which appears to have been created today (October 1, 2012), makes use of a third-party Facebook app 'Static HTML App.' This app embeds the following code:

 

 

The code sends a 'signedRequest' string (as seen in the highlighted URL above), which then requests the desired content for rendering in the victim's browser. In this case, a basic JavaScript is delivered:

 

 

The victim's browser is then directed to a fake ecard site hxxp://readyourecard.com/viewmessage/?a=vip36 which, according to Whois data, was registered on September 20, 2012 by 'Liu Hongmei' in China:

 

 

At this point, the aim of the campaign becomes clear: Every link on the fake ecard page redirects to an affiliate landing page on the Adult Dating website AdultFriendFinder.com and, with affiliate earnings of up to $1 per unique visitor, you can easily see how such a campaign could become very lucrative!

 

 

This campaign appears to be financially driven, but it is conceivable that the same techniques could be used to direct victims to malicious sites. Given that the redirection starts from an innocent-looking Facebook page, users should consider themselves warned to tame their curiosity and not click on unsolicited links!

 

 

A weekend of Click-jacking on Facebook
Posted: 02 May 2011 07:17 PM

 

In this blog post, I will analyze a Facebook scam technique that we've seen grow in popularity over the past few weeks, but let's focus on one example that was circulating this past weekend. As a Websense customer, if you are running our Web Security Software or real-time analytics, your users would have been protected from the first link right off the bat, thanks to our Advanced Classification Engine (ACE):

 

To show how this particular attack works, I set up a scenario using a test account. In this scenario, a friend named Chris has already fallen for the scam and posted a comment to his own Facebook profile page, which appears on all of his friends' walls.

 

Here's what Chris, a victim of this scam, commented on:

 

The Enticement

 


 

Remember, scammers aren't going to post something boring; this is meant to be enticing ... OK, I'll play along. Let's see what happens as I follow the trail. By clicking on the link, I'm redirected to mcdshock DOT info (robtex):

 

A Real CAPTCHA?

 

Interesting. So this site says that I can only continue if I solve a CAPTCHA. The site explains that it's using the CAPTCHA because it is attempting to protect itself from BOTS. That seems to make sense. CAPTCHAs are in fact meant to tell humans and programs apart (in theory) - but this particular page has more going on than meets the eye.

 

Let's look at the source code behind this page (full source code can be found here):

 

 

 

The first thing that is noticeably odd is that the source code indicates the use of the Facebook comments social plugin (see fb:comments code) that allows websites to include a comment box linking to a user's Facebook page if they are logged into Facebook in another window or tab. A typical comment box looks like this:

 

But looking at the source code, no such comment box was displayed. Let's take an even closer look at the source code to figure out why ...

 

Classic Click-jacking

The style sheet section of the source code shows that the Facebook comment box is being wrapped in a div that has been given a style making it completely invisible (see opacity):

 

 

Next the source code is overlaying a background image on the entire section where the Facebook comment box is:

 

Can you guess what that image looks like? Here it is ...

 

Analysis of the source code indicates that the CAPTCHA is not a real CAPTCHA but an image sitting on top of a Facebook comment box meant to trick me, the unprotected user, into clicking on something - all the while, hiding its true nature. The submit button is carefully placed on top of the comment button. By clicking on it, I would be submitting text to my Facebook wall with text that is supplied by the scammer's website.
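The pattern just described (a Facebook comments plugin wrapped in an element with a near-zero opacity, with a bait image laid over it) can be picked out of page source automatically. The following scanner is an added example, not code from the blog or from Websense: it collects the page's <style> rules, finds the selectors that set opacity close to zero, and reports any click-receiving widget (fb:comments, iframe, button, form) whose ancestor is hidden by one of those selectors or by an inline style. The sample page is constructed, with the comment box in an invisible wrapper and a legitimate iframe in a visible one.

```python
"""Flag social plugins or iframes hidden under a near-invisible wrapper,
the click-jacking layout described in the post. Added example; the sample
page below is constructed."""
import re
from html.parser import HTMLParser

# Elements that receive clicks and are suspicious inside an invisible wrapper.
WIDGET_TAGS = {"iframe", "fb:comments", "fb:like", "button", "form"}
OPACITY_RE = re.compile(r"opacity\s*:\s*(0?\.\d+|0)\b")
RULE_RE = re.compile(r"([^{}]+)\{([^{}]*)\}")
THRESHOLD = 0.1   # opacity below this is treated as invisible


def hidden_selectors(css):
    """Return the .class / #id selectors whose rules set opacity below THRESHOLD."""
    hidden = set()
    for selector, body in RULE_RE.findall(css):
        m = OPACITY_RE.search(body)
        if m and float(m.group(1)) < THRESHOLD:
            for sel in selector.split(","):
                sel = sel.strip()
                if sel.startswith((".", "#")):
                    hidden.add(sel)
    return hidden


class ClickjackScanner(HTMLParser):
    """Collects <style> text and, for each widget, the attributes of its ancestors."""

    def __init__(self):
        super().__init__()
        self.css = []
        self.widgets = []      # (tag, [ancestor attribute dicts])
        self._stack = []       # open elements as (tag, attrs)
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "style":
            self._in_style = True
        if tag in WIDGET_TAGS:
            self.widgets.append((tag, [a for _, a in self._stack]))
        self._stack.append((tag, attrs))

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False
        # Pop back to the matching start tag; this also discards void elements
        # such as <img> or <input> that never get an end tag.
        for i in range(len(self._stack) - 1, -1, -1):
            if self._stack[i][0] == tag:
                del self._stack[i:]
                break

    def handle_data(self, data):
        if self._in_style:
            self.css.append(data)


def hiding_reason(attrs, hidden):
    """Return the selectors or inline style making this element invisible, or None."""
    names = {"." + c for c in (attrs.get("class") or "").split()}
    if attrs.get("id"):
        names.add("#" + attrs["id"])
    matched = sorted(names & hidden)
    inline = OPACITY_RE.search(attrs.get("style") or "")
    if inline and float(inline.group(1)) < THRESHOLD:
        matched.append("style=" + inline.group(0))
    return matched or None


def find_hidden_widgets(html):
    """Return (widget_tag, reasons) for every widget under an invisible ancestor."""
    scanner = ClickjackScanner()
    scanner.feed(html)
    scanner.close()
    hidden = hidden_selectors("\n".join(scanner.css))
    findings = []
    for tag, ancestors in scanner.widgets:
        for attrs in ancestors:
            reason = hiding_reason(attrs, hidden)
            if reason:
                findings.append((tag, reason))
                break
    return findings


# Constructed page: bait image and submit button on top, comment box in an
# invisible wrapper, plus a visibly embedded iframe that must not be flagged.
SAMPLE_PAGE = """<html><head><style>
.captcha-bait { position: absolute; top: 0; left: 0; background: url(captcha.png); }
.hidden-wrap, .other { opacity: 0.0; filter: alpha(opacity=0); }
</style></head><body>
<div class="captcha-bait"><img src="captcha.png"><input type="submit" value="Submit"></div>
<div class="hidden-wrap"><fb:comments href="http://example.invalid/"></fb:comments></div>
<div class="visible-wrap"><iframe src="http://example.invalid/legit"></iframe></div>
</body></html>"""

if __name__ == "__main__":
    for tag, reason in find_hidden_widgets(SAMPLE_PAGE):
        print(f"hidden widget <{tag}> under {', '.join(reason)}")
```

The scanner only inspects opacity; real pages also hide frames with off-screen positioning, zero-size containers or visibility tricks, so treat it as one signature among several rather than a complete detector.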

 

... and sure enough, once I hit submit, here is the comment that is posted to my Facebook page:

 

Classic case of click-jacking!

 

That's not the end of it though! What happens next after clicking submit, apart from a comment being posted to my profile page is that I'm redirected, first to a tracking website:

 

 

... and next to isozbanks DOT com, where I'm asked for further verification to either play a Pacman game or answer what my favorite Facebook game is:

 

 

Another click? Can you say click-jacking part deux? Indeed, if I click on one of the above links, another comment is posted to my Facebook profile page:

 

 

Click-jack complete, commence project information gathering

 

Next, I'll be redirected to playsushi DOT com (Alexa Ranking: 7903)  where if I click on "Click Here To Play," I'll be prompted to download an executable called SetupPlaySushi.exe (VirusTotal report):

 

 

Had I chosen instead to take the survey of my favorite Facebook game, I would've been brought to the following pages where the attacker would have a very good opportunity to capture my email address and post another comment to my Facebook page. Upon clicking continue, I'd be asked to give out more information (a great method for attackers to build up a profile for tracking purposes and to store their victims' personal information).

 

 

Now assuming I either visited the Pacman site or the survey site, the following page is shown:

 

 

I then must proceed through a few more Web pages, which in the end ask me to play more games or fill out more surveys for verification purposes (it's worth noting that each user will be prompted with different games and different links) - again really just to trick me into clicking and sending comment spam to my own Facebook profile page:

 

 

Clicking one of these links will bring me to the following pages:

 

Finally after viewing any of the above sites, I'll get a final Web page screen indicating that  the content has been unlocked and that I can view the video.

 

 

 

Is there even a real video to view?

 

At the end of this entire process, I'll be rewarded for my persistence by being able to finally see the video I was promised.

 

Let's review all that I had to give up to get to view the final video:

 

  • Full name
  • Full address
  • Gender
  • Phone number
  • Downloading and possibly execution of an executable (spyware)

 

The Click-jacking to post comments to my profile was the main motivation from the attacker's point of view. Everything that came after was just a bonus.

 

To give you an estimate of how many people fell for this scam, we can look at the hits on YouTube yesterday and this morning. Overnight, more than 100,000 users visited the YouTube video, showing how successful this scam really was.

 

Don't become a victim! Here are some tips and tools to protect yourself against Click-jacking (link).  Websense has a free Facebook plugin called Websense TRITON Defensio that would have protected users from this attack. Install it, and it will protect you from these types of scams.

 

 

 

Web Filtering and real-time analytics within ACE would have protected a user from the start!

 

 

Principal Security Researcher: Stephan Chenette
Thanks to our newest researcher Armin Büscher for the assistance!

419 scams go phishing
Posted: 09 Aug 2010 11:34 PM

419 scams have become lame and not a lot of people are falling for them these days. So the scammers have to change their tactics if they want to stay in business. The scam we describe in this blog is quite interesting because it combines a typical 419 scam with a phishing attack. After the initial communication with the scammer, the victim receives a phishing email claiming to be from PayPal indicating that the scammer "PayPaled" the money to the victim. Here is the long story.

 

One of my friends posted an ad on craigslist to sell his HP laptop. Dr. Robinson (a scammer and a physician from Utah) wanted to buy the laptop as a birthday gift for his son David -- who is BTW doing human development research in Nigeria. Dr. Robinson offered to send the payment via PayPal and asked that the laptop be shipped to his son in Nigeria.

 

From: Donald Robinson [donaldrobinson1001@gmail.com]
Sent: Thursday, August 05, 2010 6:07 AM
To: xxx
Subject: Re: HP   Laptop - $280

Hello,
 I am very grateful to hear back from you.I am a Medical Doctor residing in Utah.The (HP Laptop) is for my son's birthday present,due to his brilliant performance,he was currently transferred from US to West Africa with his team on a research on Human development under world Health Organization. I'll be paying you through paypal.I will forward my son's residential address to you for shipping as soon as the payment reaches you.send me your paypal email so that i will do the payment.
 NB: I will be paying you $400 for both the cost price and shipping fee.Please get back to me so that i will proceed with the payment.
Best Regards,
Dr. Robinson.

 

I created a fake email account and sent Dr. Robinson the following note

 

Dear Dr Robinson,

Please send me your son's address and I will ship the laptop as soon as I receive the payment through paypal. My paypal email is xxx@gmail.com.
Thank you for your interest.

Regards,

 

A couple of hours later I received a phishing email claiming to be from PayPal indicating that I got a new fund from Dr. Robinson. Dr. Robinson was very generous and sent me $400, not $280 as was posted in the craigslist ad. The social engineering part in the email was interesting:

"This PayPal payment has been deducted from the buyer's account and has been "APPROVED"but will not be credited to your account until the shipment reference/tracking number is sent to us for shipment verification and this is done to secure both the buyer and the seller against any fraudulent activities. Below are the necessary information requested before your account will be credited. Send tracking number to  us or email us through  paypalaccountserviceinfo@ovi.com and our customer service care will attend to you. As soon as you send us the shipment's tracking number   the money will be credited to your account and this is done for security purposes and the safety of the buyer and the seller."

 

 

 

A couple of minutes later, I received another phishing email claiming to be from PayPal telling me that PayPal is waiting for my shipment tracking number. Also, they assured me that the order has been confirmed and that I can ship the order now to the buyer, but I have to do so within 48 hours. I googled that transaction ID "8UG760668M701084Y" and found three posts [1,2,3] talking about similar scams.

 

 

A couple of minutes later, Dr. Robinson emailed me and told me that he has sent me the money via PayPal. He asked that I ship the laptop first thing in the morning via USPS first class express mail in an insured package. The interesting thing about this address is that all three posts above share the same city and state in Nigeria, "Uwani, Enugu, Nigeria". I looked up the city in google maps, but did not find anything eye-catching, except Enugu prison that was in the neighborhood!
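The two "PayPal" messages above share the traits a mail filter can key on: the brand name in the text while the sending domain is not the brand's, a reply address at an unrelated domain (here the ovi.com address in the body), and the "approved but held until you send a tracking number" pretext. The following triage routine is an added example, not code from the blog or from Websense; the brand-to-domain table, the phrase list and the sample messages are constructed assumptions for illustration.

```python
"""Heuristic triage for 'payment held until you ship' phishing mails.
Added example; the brand-domain table, phrase list and sample messages are
constructed."""
import email
import re
from email.utils import parseaddr

# Assumed: domains that may legitimately send mail on a brand's behalf.
BRAND_DOMAINS = {"paypal": {"paypal.com"}}
# Phrases characteristic of the pretext described in the post.
HOLD_PHRASES = ("approved", "will not be credited", "tracking number", "shipment verification")
ADDR_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def domain_of(addr):
    """Lower-cased domain part of an email address ('' if malformed)."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage(raw_message):
    """Return human-readable indicators found in the message; empty means none."""
    msg = email.message_from_string(raw_message)
    body = msg.get_payload()                 # samples are single-part text
    text = (msg.get("Subject", "") + "\n" + body).lower()
    found = []
    for brand, legit in BRAND_DOMAINS.items():
        if brand not in text:
            continue
        from_domain = domain_of(parseaddr(msg.get("From", ""))[1])
        if from_domain not in legit:
            found.append(f"claims to be {brand} but From domain is {from_domain}")
        # Addresses the mail asks you to write to, in Reply-To or in the body.
        contacts = set(ADDR_RE.findall(body))
        reply_to = parseaddr(msg.get("Reply-To", ""))[1]
        if reply_to:
            contacts.add(reply_to)
        for addr in sorted(contacts):
            if domain_of(addr) not in legit:
                found.append(f"{brand} mail routes replies to {addr}")
    hits = [p for p in HOLD_PHRASES if p in text]
    if len(hits) >= 2:
        found.append("payment-held-until-shipping pretext: " + ", ".join(hits))
    return found


# Constructed message modelled on the pretext quoted in the post.
SAMPLE_MAIL = """From: PayPal Service <service@paypal-notify.example>
Reply-To: paypalaccountservice@webmail.example
To: seller@example.com
Subject: Notification of payment received

This PayPal payment has been deducted from the buyer's account and has been
"APPROVED" but will not be credited to your account until the shipment
reference/tracking number is sent to us for shipment verification.
Send tracking number to us or email us through paypalaccountservice@webmail.example.
"""

# Constructed benign notification for comparison.
LEGIT_MAIL = """From: PayPal <service@paypal.com>
To: seller@example.com
Subject: You received a payment

Hello, you received a payment. Log in to your PayPal account to view details.
"""

if __name__ == "__main__":
    for line in triage(SAMPLE_MAIL):
        print("-", line)
```

Header spoofing means the From check alone is weak (a real filter would add SPF/DKIM results); the reply-routing and pretext indicators are the ones that survive a forged From line.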

 

 

David Robinson: I wish you a very happy birthday and I wish you success in your research on human development in Nigeria, but you are not receiving a laptop for your birthday. Brad can send you one if he likes :)

 

(Acknowledgment: T and R)

 

Spam Summary of Last Weekend
Posted: 07 Jun 2010 07:00 AM

Websense® Security Labs™ ThreatSeeker™ Network was busy last weekend, and detected 3 spam campaigns with millions of emails.

 

Confirm Twitter password, and Twitter security model setup

 

These are variants of the Reset Your Twitter Password spam we blogged about last week; they continued the attack and increased it in scale from 55,000 to 170,000. We have seen quite a few different subjects, including the 2 below, which are the most frequently seen.

 

 

 

 

Facebook account deactivated, or invited by somebody famous?

Over 144,000 of this kind of spam email have been caught by our Hosted Email Security system. When a user visits the fake Facebook link offered in the email, their system is compromised by the Eleonore Exploit Kit and eventually is turned into a bot.

 

 

 

 

 

 

Outlook Setup Notification

 

At the time this post was written, over 106,000 instances of this campaign have been caught in our system, and the number is still increasing.

 

 

The statistics below show that spam increased by 15,700 daily on average during the weekend, compared to work days. It seems that some spammers didn't take a break last weekend.

 

 

Websense Messaging and Websense Web Security customers are protected against these attacks.

 

Introducing Defensio 2.0
Posted: 20 Jan 2010 04:00 PM

Security for the Social Web

After months of hard work, it is my extreme pleasure to introduce Defensio 2.0 - the first and only complete security suite for the social web.

A number of new features now make Defensio the most advanced spam and malicious content detection service for the web. These features include:

  • Spyware, malware, phishing and other types of malicious content detection
  • URL blocking by category
  • Profanity detection and filtering
  • Script and executable blocking
  • Enhanced statistics
  • Asynchronous API (faster and non-blocking filtering)

Thanks to Websense's Threat Seeker Network, Defensio can now detect and block much more than just spam, offering you the absolute best protection for your website.

Screencast

We prepared a screencast where you can see the new Defensio 2.0 features.

Wordpress

The Wordpress plugin has been updated to leverage the new features we are introducing today. Upgrade today!

Pixelpost

Thanks to Dennis Mooibroek, Pixelpost now also supports Defensio 2.0. You can download the latest version of the Pixelpost plugin on our website.

Facebook Protection

A few months ago, we started noticing that a lot of spam, profanity, malware and malicious content was making it onto personal and corporate Facebook pages. We knew we had to do something about it. Our response to this growing problem is the first ever Facebook security suite. This is also launching today!

Once Defensio for Facebook is installed, we will constantly monitor your page for possibly unwanted content. Should we find something suspicious, we will alert you. This Facebook application works with any kinds of pages, including personal and corporate profiles, group pages and fan pages.

To install Defensio for Facebook, simply create an account at http://defensio.com/signup. If you already have a Defensio account, log in, then in the control panel, click "My API keys", then "Protect another web property".

Other platforms

More platforms will support 2.0 very soon. Defensio 1.x remains available and software using our old API will keep working as usual.

New Developer API

We love our developers, and we made sure not to leave them out in the cold. Defensio 2.0 ships with a brand new and improved asynchronous RESTful API! The new API features:

  • Asynchronous (or synchronous) for fast, non-blocking calls to Defensio
  • Optional web hook for asynchronous calls
  • Entirely RESTful
  • More generic wording, making it less targeted towards blogs and easier to use in a wider range of web applications
  • New actions for profanity filtering and enhanced statistics
  • Content classification (spam, malicious, innocent)

See the API 2.0 documentation for more details.

We're also releasing many 2.0-ready developer libraries for PHP, Ruby, Python and Perl. This should make your life easier when upgrading your application to Defensio 2.0. You can find them in the "downloads" section of our website.

Conclusion

I hope you're as excited as we are about the second coming of Defensio. Let us know what you think!


©2013 Websense, Inc. All Rights Reserved.