2013 Threat Report: More Than Scary Stats and Chilling Charts
Posted: 13 Feb 2013 08:30 AM

The 2013 Threat Report from the Websense® Security Labs™ is now available.

The report details mobile, social, email and web-based threats, and while it is full of ominous data points, it is a very interesting read. The report is designed to help security professionals keep current with threat trends and improve the effectiveness of existing security solutions. It can also be used to identify and prioritize security gaps that may require new approaches and more innovative strategies.

Creating the report began with the Websense ThreatSeeker® Network, composed of big data clusters used by the WSL to collect and manage up to 5 billion inputs each day from 900 million global endpoints. Malware samples, mobile applications, email content, web links and other information were then passed through deep analysis processes including Websense ACE (Advanced Classification Engine), which applied over 10,000 different analytics.

Here is a sampling of key findings from this year's report:

  1. Web Security. The web became significantly more malicious in 2012, both as an attack vector and as the primary support element of attacks originating through social media, mobile devices, and email. Researchers measured an alarming 600 percent increase in the use of malicious web links through all vectors.
  2. The Social Web. Malicious content was hidden within social media behind shortened web links 32 percent of the time. Social media attacks took advantage of the confusion of new features, changing services and unsophisticated users.
  3. Mobile Security. A study of last year's malicious apps revealed how they often abuse permissions, especially SMS communications, something very few legitimate apps do. Risk also increased as mobile devices were used for social media and web surfing more often than for actually making phone calls.
  4. Email Security. Only 1 in 5 emails sent were legitimate, as spam increased to 76 percent of email traffic, and 92% of spam included links to potentially malicious content. Phishing threats delivered via email also grew.
  5. Malware Behavior. Forensic analysis found that registry-modification behavior in malware has declined to 7.7%. Once a key indicator of malicious behavior, registry modification has given way to malware that is increasingly Internet-connected: half of all malware used the Internet for communications and downloaded additional malicious executables to extend its attack capabilities within the first 60 seconds.
  6. Data Theft. Key changes in data theft targets and methods took place last year. Reports of intellectual property (IP) theft increased, and theft of credit card numbers and other Personally Identifiable Information (PII) continued to grow. Hacking, malware and other cyber-threats continued to be common methods of attack. However, some of the largest thefts involved physical penetration of security as well, often by willful employees.

Because today's attacks occur in multiple stages through numerous vectors, the report includes an appendix on The Seven Stages of Advanced Threats. This methodology for analyzing and classifying cyber-attacks provides a useful framework for organizations to assess their current defenses against their security profile, identify weaknesses and develop a more comprehensive strategy for withstanding next-generation attacks. A summary of the Websense 2013 Security Predictions report is also included for planning purposes.

Click for a video introduction or download a copy of the 2013 Threat Report.

Breaking News: The Malicious USA Presidential Spam Campaign has Started
Posted: 10 Oct 2012 03:45 PM

The Websense® ThreatSeeker® Network has detected a spam campaign that tries to exploit recipients' interest in the current presidential campaign in the US.  Specifically, we have detected thousands of emails with this kind of content:

As noted recently, we are seeing an increasing number of spam campaigns with malicious links that lead to BlackHole exploit pages. This is also what happens with this campaign. If the recipient clicks on one of the links in the email, it starts a redirection flow which leads to URLs that host BlackHole exploit code. We simulated the recipient's experience with the support of the Fiddler tool, as shown below:

The pattern used strongly resembles the pattern used in other malicious, BlackHole-based spam campaigns, so we decided to investigate using a small set of samples chosen from the thousands of emails in this campaign.

The links found in the spam emails usually have this kind of content:

The purpose of this flow, as usual, is to install malicious files. In this malicious spam campaign, we noticed PDF, JAR and EXE files with low detection rates (used to compromise the victims' systems). During our simulated user experience we found the following files involved:

PDF - MD5: 69e51d3794250e3f1478404a72c7a309
JAR file - MD5: 03373056bb050c65c41196d3f2d68077
about.exe - MD5: 9223b428b28c7b8033edbb588968eaea

More information on the behavior and activities of about.exe can be found in our Websense ThreatScope™ report:
http://aceinsight.websense.com/fileanalysisreport.aspx?rid=CD22C58FDA3E49FBBF1D41BD575ACAD3

Each URL shown above contains a redirection payload that leads the victim to a malicious website that hosts BlackHole exploit kit 2.0 obfuscated code. So far, we have detected thousands of emails blocked by our Cloud Email Security technology:

Websense customers are protected from this and other threats by Websense ACE (Advanced Classification Engine). 

Gianluca Giuliani

When Less is More: The Growing Impact of Low-Volume Email Attacks
Posted: 05 Oct 2012 01:00 AM

Here at Websense® Security Labs™, we often blog about big malicious campaigns and how our products protect our customers from them. But what about smaller campaigns that are no less dangerous? 

Broad campaigns often spoof notifications from well-known businesses, establishments, organizations, and agencies, and are very widespread these days. However, smaller-volume campaigns can sometimes be as dangerous, or even more so, because they bypass the victim's defenses.

Last week, the Websense ThreatSeeker® Network intercepted one such campaign. This small-volume, malicious campaign targeted businesses with legitimate-looking emails that refer to items like purchase orders, quotes, and supply information. All of these emails had attachments that install variants of the popular Zeus malware on the victim's computer.

Websense Cloud Email Security quarantined these emails as containing a potential virus before most of the malicious attachments were detected by antivirus (AV) engines. Websense ACE (Advanced Classification Engine) provides the extra layers of protection that help Cloud Email Security protect customers against a wide array of threats. 

In many cases, AV signatures lag behind the latest threats. Although ACE uses AV as one of its analytics, in this example AV was not detecting the threat. Other techniques, such as network behavior (volume vs. time) and reputation, are very effective against big campaigns but would not work in this case, since the volume was low. The content of these email messages looks benign most of the time, so traditional anti-spam rules would not work well either. This is where additional protection is needed. ACE can provide that protection and quarantine such suspicious messages by looking more deeply at their content and features, such as the types of attachments, message attributes, web links in each message, and telltale patterns in the content body.

The period of time between ACE detection and AV detection can potentially prevent a security breach at the most crucial time, averting having to "play catch-up." 

Let's take a closer look at the emails that were intercepted.

The variant that was most common on September 27, 2012, had subject lines such as:

RE: NEW ORDER

RE: ATTACHED PO

Notice the email body looks quite benign:

There were other examples. See later in the text.

The most "popular" attachment was a file named "scan.rar," which carried the executable "scan.exe."

Here's a Websense ThreatScope™ analysis of this file, showing the malicious behavior:

http://aceinsight.websense.com/FileAnalysisReport.aspx?rid=65EA634D5A96460CB3489AAD8A840364

Compare this to the VirusTotal report at the time that Cloud Email Security detected the threat. Only 2 out of 43 vendors detected this file as malicious:

http://www.virustotal.com/file/2373c8cb97ba5bd2a9bd5451de02f872c4444c1689b8d4021a7fd3945835da7b/analysis/1348767164/

Of course, AV signatures eventually catch up, so the situation improved to 15/43 a few days later.

Cloud Email Security customers were protected regardless:

Based on the nature of the attachments and a few other key attributes in the messages, ACE determined that these emails carried a potential virus and quarantined them.

Some of the other variants were:

  • Subject: RE:quotation; Attachment: po.rar
  • Subject: Urgent Order.; Attachment: payment.zip
  • Subject: supply info; Attachment: payment.zip
  • Subject: New PI; Attachment: quote.exe
  • Subject: Order; Attachment: product details.zip
  • Subject: Please attend to my order; Attachment: quotation.zip

All of these were quarantined by Cloud Email Security based on the attributes of the message and the attachment.
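To make the attachment- and attribute-based checks described in this post concrete, here is an added example (not Websense's or ACE's code) of a small triage rule that scores a message on the features the post names: an order/quote-themed subject, a "RE:" prefix with no In-Reply-To header, a very short body, and an archive attachment that carries an executable. The sample messages, the score weights and the threshold are constructed for illustration; a real gateway would also unpack .rar and other formats, which this sketch leaves opaque.

```python
# Added example (not Websense/ACE code): a toy quarantine rule scoring a
# message on attachment type and message attributes.  Sample messages,
# weights and threshold are constructed for illustration.
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions that legitimate business correspondence rarely carries directly.
DANGEROUS_EXT = {".exe", ".scr", ".pif", ".com", ".bat", ".js", ".vbs"}
ARCHIVE_EXT = {".zip", ".rar", ".7z"}
# Subject themes used by the campaign above (orders, quotes, POs, supply info).
THEME_RE = re.compile(r"\b(order|quotation|quote|po|pi|supply|payment)\b", re.I)


def extension(name: str) -> str:
    """Lower-cased final extension of a filename, or '' if it has none."""
    return "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""


def archive_members(payload: bytes) -> list:
    """Member names of a zip payload; other archive formats are left opaque
    here (a real gateway would unpack .rar/.7z as well)."""
    try:
        with zipfile.ZipFile(io.BytesIO(payload)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []


def score_message(raw: bytes):
    """Return (score, reasons) for a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    score, reasons = 0, []
    subject = str(msg.get("Subject", ""))
    if THEME_RE.search(subject):
        score += 1
        reasons.append(f"order/quote themed subject: {subject!r}")
    if subject.lower().startswith(("re:", "fw:", "fwd:")) and not msg.get("In-Reply-To"):
        score += 1
        reasons.append("reply/forward prefix with no In-Reply-To header")
    body = ""
    for part in msg.walk():
        fname = part.get_filename()
        if fname is None:
            if part.get_content_type() == "text/plain":
                body += part.get_content()
            continue
        ext = extension(fname)
        if ext in DANGEROUS_EXT:
            score += 3
            reasons.append(f"direct executable attachment {fname}")
        elif ext in ARCHIVE_EXT:
            bad = [m for m in archive_members(part.get_payload(decode=True))
                   if extension(m) in DANGEROUS_EXT]
            if bad:
                score += 3
                reasons.append(f"archive {fname} contains executable(s) {bad}")
    if len(body.split()) < 40:
        score += 1
        reasons.append("very short body")
    return score, reasons


def verdict(raw: bytes, threshold: int = 4) -> str:
    score, _ = score_message(raw)
    return "quarantine" if score >= threshold else "deliver"


def build_lure() -> bytes:
    """Constructed message shaped like the 'RE: NEW ORDER' / scan.zip lure."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("scan.exe", b"MZ" + b"\x00" * 64)  # placeholder bytes, not real code
    msg = EmailMessage()
    msg["From"] = "purchasing@example.invalid"
    msg["To"] = "sales@example.invalid"
    msg["Subject"] = "RE: NEW ORDER"
    msg.set_content("Please see the attached order.\nRegards")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="scan.zip")
    return msg.as_bytes()


def build_benign() -> bytes:
    """Constructed ordinary message with a PDF attachment and a real body."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.invalid"
    msg["To"] = "sales@example.invalid"
    msg["Subject"] = "Invoice 1042 for March"
    msg.set_content(" ".join(["Hello, please find attached the invoice for March."] * 10))
    msg.add_attachment(b"%PDF-1.4 placeholder", maintype="application",
                       subtype="pdf", filename="invoice-1042.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for raw in (build_lure(), build_benign()):
        print(verdict(raw), score_message(raw))
```

The constructed lure scores 6 (themed subject, fake reply prefix, executable inside the archive, short body) and is quarantined, while the benign invoice scores 0; the point is that no single attribute is decisive, but the combination the post describes is.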

Click on the file names below for ThreatScope reports that provide an analysis of some of the files contained in the various attachments:

list.exe

Not in VirusTotal at the moment.

Quote.exe

Was not in VirusTotal. After uploading the file, these were their results.

Notice the fake "quotation" PDF that opens with these files:

payment.exe

Not in VirusTotal at the moment.

PO.exe

Not in VirusTotal at the moment.

Quotation_pdf.exe

Here is the VirusTotal report for the above file.

Samples.scr

Was not in VirusTotal. After uploading the file, these were their results.

Finally, here are some additional screenshots of other email variants (these look a little more suspicious than the first example shown above):

Please let us know your thoughts. Are you more concerned about the low-volume attacks or the broad far-reaching high-volume attacks? Send in your comments using the box below.

Ran Mosessco

Unsolicited Secret Admirers Via Email
Posted: 02 Oct 2012 12:47 AM

The Websense® ThreatSeeker® Network has detected an unsolicited email campaign in which love-struck or curious recipients may have their appetites whetted by the thought of a secret admirer. Although Websense customers are protected from this and other threats by ACE™, our Advanced Classification Engine, this post provides an insight into the campaign, which appears to be on the increase today.

The messages, sent from various Yahoo.com accounts, suggest that the sender has "to let you know how [they] feel" and provide an enticing Facebook link to "View Your Ecard".

As displayed above, a valid short Facebook URL is used which, in this case, redirects to hxxp://www.facebook.com/pages/32942390324/536822983001617?sk=app_190322544333196. This particular page, which appears to have been created today (October 1, 2012), makes use of a third-party Facebook app 'Static HTML App.' This app embeds the following code:

The code sends a 'signedRequest' string (as seen in the highlighted URL above), which then requests the desired content for rendering in the victim's browser. In this case, a basic JavaScript is delivered:

The victim's browser is then directed to a fake ecard site hxxp://readyourecard.com/viewmessage/?a=vip36 which, according to Whois data, was registered on September 20, 2012 by 'Liu Hongmei' in China:

At this point, the aim of the campaign becomes clear: Every link on the fake ecard page redirects to an affiliate landing page on the Adult Dating website AdultFriendFinder.com and, with affiliate earnings of up to $1 per unique visitor, you can easily see how such a campaign could become very lucrative!

This campaign appears to be financially driven, but it is conceivable that the same techniques could be used to direct victims to malicious sites. Given that the redirection starts from an innocent-looking Facebook page, users should consider themselves warned to tame their curiosity and not click on unsolicited links!

Voice Mail Notifications and ADP Emails Lead to Blackhole Exploit Kit
Posted: 13 Sep 2012 02:00 PM

Since Blackhole Exploit Kit 2.0 was recently introduced, we wanted to give our readers a few examples of how they might get exposed to this threat through email.

Websense® ThreatSeeker® Network has recently intercepted a few malicious email campaigns that try to lure the victims to Web pages that host this popular exploit kit. Some of the themes were new to us and some familiar.

One posed as voice mail notifications from Microsoft Exchange servers, another mimicked ADP invoice reminders, and a third thanked the recipient for signing up for a premium service of accountingWEB.com. Like other malicious social engineering campaigns, these email campaigns try to lure victims to click links that ultimately lead to pages hosting Blackhole Exploit Kit. A lot of the email messages pretend to come from trusted sources (well-known establishments, or the victim's own infrastructure), and try to catch the reader off-guard by focusing their attention on something urgent, like money matters.

Websense customers are protected from these threats by ACE™, our Advanced Classification Engine.

The malicious emails contain links that redirect to Blackhole pages with new obfuscation, but we don't think these are Blackhole 2.0. We suspect it won't be long, though, until we come across similar campaigns that use the new version.

ADP is one of the largest names in payroll services, so it's no surprise that a spoofed ADP notification email is used as a lure.

Here's an example marked as high priority, with the subject line "ADP Invoice Reminder":

Let's follow one of the possible redirection paths:

hxxp://allbarswireless.com/HXwcDdQ/index.html
hxxp://ash-polynesie.com/AjVSXvus/js.js
hxxp://108.60.141.7/tfvsfios6kebvras.php?r=dwtd6xxjpq8tkatb
hxxp://108.60.141.7/links/differently-trace.php

Please refer to our previous blog post to learn more about the landing page.

Here's a different lure - emails pretending to come from the victim's Exchange server, telling them that they have new voice mail. The text invites the reader to click the link: "Double click on the link to listen the message."

Subject lines include "Voice Mail from NNN-NNN-NNNN (NN seconds)":

The redirection chain here is similar:

hxxp://www.tryakbar.com/tLbM3r/index.html
hxxp://sportmania.so/JP3q2538/js.js
hxxp://173.255.221.74/tfvsfios6kebvras.php?r=rs3mwhukafbiamcm

The landing page shows similar content to the previous example. See here.

Another scheme thanks the user for signing up for a premium service.

Subject lines include "Thank you for activating paid services":

Different redirection chain, but the landing page hosts Blackhole, with a very familiar path:

hxxp://www.svstk.ru/templates/beez/check.php
hxxp://bode-sales.net/main.php?page=3c23940fb7350489

And finally, the familiar theme of FDIC notifications claiming your wire transfer ability was suspended.

Subject lines include "You need a new security version," "Suspended transactions," and "Urgent! You must install a new security version!"

Here again, simple redirection leads to typical "/main.php?page=" type URLs.

hxxp://kahvikuppi.org/achsec.html
hxxp://afgreenwich.net/main.php?page=0f123fe645ddf8d7

Note that as part of the update to Blackhole 2.0, we are much more likely to see URLs like those used in the first two examples, rather than the latter two, due to the dynamic URL generation capability.
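As an added example (not Websense's own detection), the following sketch runs two of the indicators described in this post over a constructed proxy log: the fixed "/main.php?page=<16 hex chars>" landing pattern from the latter two campaigns, and the dynamic chain from the first two (a compromised site, a js.js helper, then a raw-IP host with a 16-character ?r= token). The log format, client addresses and hostnames (.invalid domains and RFC 5737 addresses) are constructed; the paths reuse the shapes quoted above. It generalizes the second indicator into a per-client rule: any visit to a raw-IP host preceded within 15 seconds by two or more distinct named hosts is reported as a suspected redirection chain.

```python
# Added example (not Websense's detection): flags Blackhole-style landing
# URLs and redirection chains in a constructed proxy log.  Hostnames use
# .invalid / RFC 5737 space; paths reuse the shapes quoted in the post.
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Constructed log: "<ISO timestamp> <client-ip> <url> <http-status>"
SAMPLE_LOG = """\
2012-09-13T14:00:01 10.0.0.5 http://news.example.invalid/article/42 200
2012-09-13T14:00:09 10.0.0.5 http://compromised-a.example.invalid/HXwcDdQ/index.html 200
2012-09-13T14:00:10 10.0.0.5 http://compromised-b.example.invalid/AjVSXvus/js.js 200
2012-09-13T14:00:11 10.0.0.5 http://198.51.100.7/tfvsfios6kebvras.php?r=dwtd6xxjpq8tkatb 200
2012-09-13T14:00:12 10.0.0.5 http://198.51.100.7/links/differently-trace.php 200
2012-09-13T14:05:00 10.0.0.9 http://intranet.example.invalid/main.php?page=home 200
2012-09-13T14:06:30 10.0.0.9 http://attacker.example.invalid/main.php?page=0f123fe645ddf8d7 200
"""

WINDOW = timedelta(seconds=15)           # how far back a chain may start
HEX16 = re.compile(r"^[0-9a-f]{16}$")    # fixed "?page=" token of the older kit
TOKEN16 = re.compile(r"^[0-9a-z]{16}$")  # "?r=" token on the raw-IP hop


def parse_line(line: str) -> dict:
    ts, client, url, status = line.split()
    return {"ts": datetime.fromisoformat(ts), "client": client,
            "url": url, "status": int(status)}


def is_ip_host(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def host_of(url: str) -> str:
    return urlsplit(url).hostname or ""


def rule_landing(url: str) -> bool:
    """'/main.php?page=<16 hex>' as in the accountingWEB and FDIC examples."""
    u = urlsplit(url)
    page = parse_qs(u.query).get("page", [""])[0]
    return u.path.endswith("/main.php") and bool(HEX16.match(page))


def rule_raw_ip_gate(url: str) -> bool:
    """PHP gate on a bare IP with a 16-char ?r= token, as in the dynamic chains."""
    u = urlsplit(url)
    token = parse_qs(u.query).get("r", [""])[0]
    return is_ip_host(host_of(url)) and u.path.endswith(".php") and bool(TOKEN16.match(token))


def scan(log_text: str) -> list:
    """Return alerts as dicts {ts, client, url, status, rule}, in log order."""
    alerts = []
    recent = defaultdict(list)   # client -> events inside WINDOW
    last_chain = {}              # client -> time of last chain alert (dedup)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        c = ev["client"]
        recent[c] = [e for e in recent[c] if ev["ts"] - e["ts"] <= WINDOW]
        if rule_landing(ev["url"]):
            alerts.append({**ev, "rule": "blackhole-landing"})
        if rule_raw_ip_gate(ev["url"]):
            alerts.append({**ev, "rule": "raw-ip-gate"})
        # Generalised chain rule: a raw-IP host reached shortly after two or
        # more distinct named hosts is a suspected redirection chain.
        if is_ip_host(host_of(ev["url"])):
            named = {host_of(e["url"]) for e in recent[c]
                     if not is_ip_host(host_of(e["url"]))}
            recently_alerted = c in last_chain and ev["ts"] - last_chain[c] <= WINDOW
            if len(named) >= 2 and not recently_alerted:
                alerts.append({**ev, "rule": "redirect-chain"})
                last_chain[c] = ev["ts"]
        recent[c].append(ev)
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(a["ts"], a["client"], a["rule"], a["url"])
```

On the constructed log this yields three alerts: the raw-IP gate and the chain for client 10.0.0.5 at 14:00:11 (the second raw-IP hit a second later is deduplicated), and the fixed landing pattern for 10.0.0.9; the intranet "/main.php?page=home" hit is correctly ignored because the token is not 16 hex characters.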

Malicious Email Messages Posing as Antivirus Notifications
Posted: 28 Aug 2012 03:36 PM

Websense® ThreatSeeker® Network intercepted a malicious email campaign posing as antivirus notifications that warn users that their accounts may be blocked. These fake messages state that the victim's email address has been sending infected email to the mail server, and that the situation may be remedied if the user clicks a URL to download a free removal tool. The "free tool" is, of course, a malicious executable that connects to malicious websites, and then drops more executables on the victim's computer.

This looks like a low-volume campaign, as we have seen (and blocked) approximately 2700 of this type of email yesterday and today.

Websense customers are protected from these threats by ACE™, our Advanced Classification Engine.

The email may contain a subject like this:

[Symantec] - Your e-mail account may be blocked.

The "from" address varies and may appear as:

  • scanner@symantec.com
  • scanonline@f-secure.com
  • symantec@verisign.com
  • scan@sophos.com
  • symantec@sophos.com
  • virscan@secureroot.com
  • noreply@verisign.com

Here's a sample:

Notice that the email text contains the phrase "Scanning sytem...", which is completely false. No scan is taking place. The victim is notified that the computer is infected with the worm W32.Swizzor.C-WORM and is urged to download the removal tool for protection.

Clicking the suggested link takes the victim to:

hxxp://www.protectedssl.net/removal/SymantecRemoval&2012&09.data=SwizzorC.php

Which prompts the user to download a file with the promising name "RemovalTool" from this location:

hxxp://www.protectedssl.net/RemovalTool.exe

You can see an AceInsight report for the first URL here:

http://aceinsight.websense.com/report.aspx?g=18D3325A54C64DBA9B7ACC7702DF4748

ThreatScope analysis, which is a part of the Websense CSI service, identifies the file RemovalTool.exe as malicious due to its behavior:

1. HTTP traffic to server hosting malicious content
2. Drops executable file(s)
3. HTTP traffic to uncategorized server
4. Writes to the filesystem in a directory of the user profile often used by malware

The full ThreatScope report can be seen here.

At the time of this writing, only 3/42 AV vendors on Virustotal identified the file as malicious:

How does Websense protect against this threat?

Websense Email Security products block these messages as spam using a combination of network traffic, reputation, and spam rules.

For Websense Web Security products, the real-time analytics in Web Security Gateway, Web Security Gateway Anywhere, and Cloud Web Security block the landing URL, providing further protection.

Ran Mosessco

Benefits of your Blackberry ID in this attached malware
Posted: 22 Aug 2012 10:39 PM

Websense® ThreatSeeker® Network intercepted a malware campaign targeting Blackberry customers.  These fake emails state that the recipient has successfully created a Blackberry ID.  The messages then continue, "To enjoy the full benefits of your BlackBerry ID, please follow the instructions in the attached file." That, of course, is an attempt to lure victims into running the attached malware.

The malicious email itself is a copy and paste of a legitimate email from Blackberry.  And though the attachment indeed raises suspicion, there's no malicious or compromised URL in it.  17/36 AV engines identify the malware in VirusTotal.

ThreatScope analysis, which is a part of the Websense CSI service, reports that running the attachment drops other executable files and modifies the system registry to automatically start these malware programs when the system starts. 

Websense customers are protected from these threats by ACE, our Advanced Classification Engine.

Mary Grace Timcang

New spam delivers fake booking.com hotel reservations
Posted: 23 Jul 2012 08:26 PM

It is now tourist season, when many people use online services to book hotels or flights. The Websense® ThreatSeeker® Network has detected spammers who are using fake booking.com email addresses to send hotel reservation confirmations with malware to unsuspecting users.

Here's what the spam email looks like:

The sample email consists of a fake confirmation letter from "booking.com," which includes random arrival and departure dates and some other information. Attached to it is a .zip file:

Decompressing the .zip file exposes a malicious executable file, Hotel-Electronic-Reservation.exe. If users click on the file to run it, malware is installed. The Websense ThreatScope Analysis Report shows the specific behavior of this malware:

When running, the malware tries to connect to the internet to download other malware files.

It also drops files into special folders and runs them automatically:

Websense customers are protected proactively against this compromise by ACE, our Advanced Classification Engine. Our real-time analytics also proactively identify several variants of this threat, and with the ThreatSeeker Network, we receive feedback in our email solutions that blocks messages containing these URLs and malicious files. 

Hermes Li

Ultimate 5 TOP Malicious Spam Subjects
Posted: 17 Nov 2011 11:42 PM

Websense® ThreatSeeker® Network detects millions of spam/malicious email campaigns on a daily basis. Such campaigns are sent in a short period of time and then disappear for a while. Usually a campaign lasts for about one hour or less; therefore, some companies might struggle to block these emails. Below are the top 5 campaigns that we've seen over the last several days.

Warning: If you see these Subject lines in your mailbox, please don't open an attachment or click on a link. Doing so could be dangerous for the health of your device.

1. ORDERS

  • Order N21560 (numbers vary)
This link redirects to a .ru/main.php or .com/main.php URL, which serves the Blackhole exploit kit. These emails target users who just purchased an Adobe CS4 license, which is odd, because version 5.5 is already out. The spammers obviously have not done their research and are behind the times.

2. TICKETS

  • FW: Re: UNIFORM TRAFFIC TICKET (ID: 239127922) (numbers vary and subject might appear without FW: or RE:)
  • Fwd: Your Flight Order N125-9487755 (numbers vary)

Users are lured to click on a "CLICK HERE" link, which redirects to another URL serving the Blackhole exploit kit.  I guess these types of emails are targeting specific people: a) who have driven a vehicle in New York and b) who have been cited for a speeding violation recently, and of course c) those who are curious, otherwise why would they click on this link?

3. DELIVERY COMPANIES:

  • USPS Invoice copy ID46298 (numbers vary)
  • FedEx: New Agent File Form, trackid: 1V6ZFZ7FEOHUQ (numbers vary)
  • DHL Express Notification for shipment 90176712199 (numbers vary)

Fake emails pretending to be invoices or tracking emails have been around for several years and usually would have an attachment, such as a Trojan like Zeus or SpyEye. Websense Security Labs™ has written several blogs before about similar cases.  I just want to point out that such emails are still being sent in bulk and are still being used as a vector to infect end users' computers. The reason why these kinds of emails are still so popular is because the attachments are being repacked for every new campaign; therefore, antivirus products struggle to release new signatures for those and are unable to block them, like in this case. The campaign is known, but VT shows only 8/42 results for an attachment. 

4. test

This email suggests that the attachment is a patch for WoW (World of Warcraft). Unfortunately, for the criminals, the archive is corrupt and therefore harmless to the recipients. Emails with "test" in the Subject line are commonly used by criminals to spread their malicious software. Users are used to seeing legitimate emails with "test" in the Subject line when an email system is being checked,  and also spammers use such techniques to validate an email address.

5. Payment/TAX systems:

  • FRAUD ALERT for ACH
  • Your Wire Transfer
  • Wire transfer rejected
  • IRS requires new EIN
  • IRS Tax report

This type of email appeared in August-September 2011. We wrote an ACH blog post about it. The screenshot of this email was received today, though the date still corresponds to August. The spam bot seems to think it's still August!

The malicious spam campaigns listed above have the same recurring themes which spammers don't really change. However, major differences include the following: 

  • Switching between Attachments and Malicious/Compromised links
  • Repacking attachments so they will not be detected by AVs
  • Slightly changing the template of the email

Websense Email Security and Websense Web Security solutions protect against this kind of blended threat with ACE, our Advanced Classification Engine.

Artem Gololobov

Compromised Email marketing companies sending spam
Posted: 23 Sep 2011 03:32 PM

Over the past few years, Websense Security Labs has been monitoring an increasing trend in unwanted email being sent from webmail accounts. Initially these accounts were on hosted freemail providers, but externally facing corporate webmail accounts have recently been targeted. The technique is the same in both attack scenarios: Account passwords are either phished or subjected to a brute force password attack. Once an account is compromised, the attacker can send email messages to contacts and other addresses using the compromised company's reputation to avoid detection by spam filters.

Recently we have detected a disturbing shift in this trend, with email marketing organization web accounts being compromised and used to send spam, which often contains malicious links.

Below is an example of spoofed email originally sent from an email marketing company based in Argentina. In this case, the account belongs to a large electrical retailer who has both online and store-front outlets.

We can validate that this email came from the email marketing company's infrastructure using the Sender Policy Framework (SPF) records published for its domain.
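Here is an added example (not Websense's code) of the SPF check mentioned above, written to run offline against a constructed set of TXT records standing in for DNS. It evaluates ip4, ip6, include and all with their qualifiers and returns the RFC 7208 results (pass, fail, softfail, neutral, none, permerror), including the permerror case for an include loop. The same check applies to the spoofed "from" addresses in the antivirus-notification post above: a gateway evaluating the connecting IP against the claimed sender domain's record would see fail for addresses outside the published ranges. Domains and addresses are constructed (.invalid names, RFC 5737/3849 space); mechanisms that need live DNS (a, mx, ptr, exists) are treated as unsupported here.

```python
# Added example (not Websense's code): minimal SPF (RFC 7208) evaluator over
# constructed in-memory TXT records instead of DNS.  Domains and addresses
# are constructed (.invalid names, RFC 5737 / RFC 3849 address space).
import ipaddress

# Constructed zone data standing in for DNS TXT lookups.
TXT_RECORDS = {
    "marketing.example.invalid":
        "v=spf1 ip4:198.51.100.0/24 include:_spf.mailer.example.invalid -all",
    "_spf.mailer.example.invalid":
        "v=spf1 ip4:203.0.113.10 ip6:2001:db8::/32 ~all",
    "retailer.example.invalid":
        "v=spf1 include:marketing.example.invalid -all",
    "noloop.example.invalid":
        "v=spf1 include:noloop.example.invalid -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain: str):
    """Return the SPF terms for a domain, or None if it publishes no record."""
    rec = TXT_RECORDS.get(domain)
    if rec is None or not rec.startswith("v=spf1"):
        return None
    return rec.split()[1:]


def check_spf(ip: str, domain: str, depth: int = 0, seen=None) -> str:
    """Evaluate whether `ip` may send mail for `domain`.

    Returns 'pass', 'fail', 'softfail', 'neutral', 'none' or 'permerror'."""
    seen = set() if seen is None else seen
    if domain in seen or depth > 10:       # include loop or too deep
        return "permerror"
    seen = seen | {domain}
    terms = lookup_spf(domain)
    if terms is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in terms:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qual]
        if mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if addr.version == net.version and addr in net:
                return QUALIFIERS[qual]
        elif mech == "include":
            inner = check_spf(ip, arg, depth + 1, seen)
            if inner == "pass":
                return QUALIFIERS[qual]
            if inner in ("none", "permerror"):
                return "permerror"
            # fail / softfail / neutral inside an include: keep evaluating
        else:
            # a, mx, ptr, exists need live DNS; unsupported in this sketch
            return "permerror"
    return "neutral"                       # ran off the end with no "all"


if __name__ == "__main__":
    for ip, dom in [("198.51.100.25", "marketing.example.invalid"),
                    ("192.0.2.1", "marketing.example.invalid"),
                    ("203.0.113.10", "retailer.example.invalid")]:
        print(ip, dom, check_spf(ip, dom))
```

A mail gateway would run the same evaluation with the connecting client's address and the domain from the envelope sender (MAIL FROM), and treat fail as grounds to reject or quarantine; softfail and neutral are advisory and are normally fed into a broader score rather than acted on alone.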

The account was used to send out spoofed email that appears to originate with an international clothing retailer. However, some of the links in the email direct the recipient to a similarly named domain ‘<companydomain>-billings.com’, which was registered on the day of the attack. This site hosts a zip file containing a malicious fake invoice named ‘<companyname>_Order_16YWBoG.exe’. At the time this email campaign started, this file had 0% coverage by the AV community.

The day after the first email messages were sent, the attacker compromised another account on the same Argentinian email marketing company website, this time registering a new domain ‘<companydomain>-support.com’. On the third day, the attacker switched to an email marketing company based in Australia. As before, they registered a new domain, but instead of including this domain ‘<companydomain>-invoice.com’ in the email, they compromised an Australian travel company's website and used it as a redirector. This travel company owned the Australian email marketing company account that was used to send the spoofed email. The additional step was probably taken to avoid basic outbound email filtering by the marketing company.

One thing these marketing companies have in common is that they appear to include their account names in the user part of the email address combined with their own domain. This makes it very easy for an attacker to subscribe to a newsletter and receive account and marketing website details.

As more companies use third-party email marketing organizations to handle their commercial email requirements, are they inadvertently risking their reputations and the repeat business of their loyal customers? We think they could be.

Most email marketing web accounts require basic password authentication. If an account is compromised, the attacker has access not only to an efficient email sending infrastructure and campaign editing tools, but also customer email details too. Even worse, most of the major email marketing companies also integrate with many online CRM services, giving the attacker the additional option to resell an organization's information to its competitors. So to the attacker these marketing companies represent soft and potentially lucrative targets.

So when your email marketing account is created, does it meet your company's password policy? Does your marketing department share this account and leave the password posted on the pin board? Remember: A simple password may be all that is stopping your organization from sending your entire customer base a malicious email.


©2013 Websense, Inc. All Rights Reserved.