2013 Threat Report: More Than Scary Stats and Chilling Charts
Posted: 13 Feb 2013 08:30 AM

The 2013 Threat Report from the Websense® Security Labs™ is now available.

 

The report details mobile, social, email and web-based threats, and while it is full of ominous data points, it is a very interesting read. The report is designed to help security professionals keep current with threat trends and improve the effectiveness of existing security solutions. It can also be used to identify and prioritize security gaps that may require new approaches and more innovative strategies.

 

Creating the report began with the Websense ThreatSeeker® Network, composed of big data clusters that Websense Security Labs (WSL) uses to collect and manage up to 5 billion inputs each day from 900 million global endpoints. Malware samples, mobile applications, email content, web links and other information were then passed through deep analysis processes, including Websense ACE (Advanced Classification Engine), which applied over 10,000 different analytics.

 

Here is a sampling of key findings from this year's report:

 

  1. Web Security. The web became significantly more malicious in 2012, both as an attack vector and as the primary support element of attacks originating through social media, mobile devices, and email. Researchers measured an alarming 600 percent increase in the use of malicious web links through all vectors.
  2. The Social Web. Malicious content was hidden within social media behind shortened web links 32 percent of the time. Social media attacks took advantage of the confusion of new features, changing services and unsophisticated users.
  3. Mobile Security. A study of last year's malicious apps revealed how they often abuse permissions, especially in the use of SMS communications, something very few legitimate apps do. Risks also increased as mobile devices were used for social media and web surfing more often than for actually making a phone call.
  4. Email Security. Only 1 in 5 emails sent were legitimate, as spam increased to 76 percent of email traffic, and 92% of spam included links to potentially malicious content. Phishing threats delivered via email also grew.
  5. Malware Behavior. Forensic analysis found that registry-modification behavior in malware has declined to 7.7%. Once a key indicator of malicious behavior, it has given way to malware that is increasingly Internet-connected: half of all malware used the Internet for communications and downloaded additional malicious executables to extend its attack capabilities in the first 60 seconds.
  6. Data Theft. Key changes in data theft targets and methods took place last year. Reports of intellectual property (IP) theft increased, and theft of credit card numbers and other Personally Identifiable Information (PII) continued to grow. Hacking, malware and other cyber-threats continued to be common methods of attack. However, some of the largest thefts also involved physical penetration of security, often by willful employees.

 

Because today's attacks occur in multiple stages through numerous vectors, the report includes an appendix on The Seven Stages of Advanced Threats. This methodology for analyzing and classifying cyber-attacks gives organizations a framework for assessing their current defenses against their security profile, identifying weaknesses and developing a more comprehensive strategy for withstanding next-generation attacks. A summary of the Websense 2013 Security Predictions report is also included for planning purposes.

Click for a video introduction or download a copy of the 2013 Threat Report.

Personalized Letters From "Scamta" Claus
Posted: 30 Nov 2012 05:21 PM


With Christmas fast approaching, the Websense® ThreatSeeker® Network, replete with festive sleigh bells and twinkling lights, has detected a marked increase in spam emails seeking to exploit fans of the big man himself: Santa Claus. While Santa, along with his ever-loyal team of elves, his reindeer, and, of course, Mrs. Claus, are no doubt working their way through the mountain of letters and wish lists from the world’s good little boys and girls, some bad little boys and girls are looking to capitalize on his backlog of correspondence. They claim to offer alternative services to ensure that your "little ones" receive personalized responses from Santa.

As is often the case in today’s unsolicited email world, the links within these emails don’t take you to a reputable and Santa-approved communication facilitator. Rather than being prompted for personal details about your little ones (which in itself poses an interesting discussion of Internet safety and the sharing of personal details with random websites) you’ll probably find that you’re either a winner, or a potential winner, of some new fruit-branded hardware. All you have to do is complete a survey or an affiliate offer.

These methods were discussed in our Black Friday / Cyber Monday Survival Guide, and merely serve to line the scammer's pockets with affiliate referral cash. They also let the scammer harvest your personal data for further use. While our customers are protected from this and other threats by Websense ACE (Advanced Classification Engine), it would be wise to share details of this campaign with friends and family members who might be more likely to be taken with the idea--especially when Rudolph's(?) "winning prize" carrot is dangled.

 

Messages of this nature that we are currently detecting and blocking appear to be somewhat consistent. Their techniques include:

  • Hiding blocks of text or keywords in the HTML source in an attempt to appear legitimate to automated processes. In this example, the font color is set to white (#ffffff) to make it invisible to the person reading the email:

    In this case, the text is taken from the Wikipedia article on Larry Hagman
  • Some of the messages we’ve seen recently deliver the main message as an image loaded from a website. This serves two purposes: first, to make it difficult for automated processes to read the message, and second, the image request confirms that your email address is active, potentially leading to more spam:


    These men can’t both be Santa Claus!
     
  • Enticing subject lines to catch your attention and elicit a response:
    • Personal Letter From Santa For Your Child
    • (A) Letter From Santa For Your Child
    • Santa Claus Letters
    • A personal letter from Santa for your little ones
    • Custom Santa Letters 
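As an added example (not code from the original post), here is a small Python scanner for the first two evasion techniques listed above: white-on-white hidden text and image-only bodies that pull in remote images. The sample bodies, the .invalid hosts and the 40-character visibility threshold are constructed assumptions.

```python
"""Heuristics for two spam-evasion tricks: white-on-white hidden text and
image-only bodies. Added example; thresholds and samples are assumptions."""
import re
from html.parser import HTMLParser

WHITE = {"#fff", "#ffffff", "white", "rgb(255,255,255)"}
VOID_TAGS = {"br", "hr", "img", "meta", "link", "input", "area", "base", "col"}
# Below this much visible text, a body that loads remote images is treated
# as "image-only" (assumed threshold; tune per environment).
MIN_VISIBLE_CHARS = 40


def _is_white(value):
    """True if a color= attribute or inline style sets white foreground text."""
    if not value:
        return False
    v = value.lower().replace(" ", "")
    if v in WHITE:                                   # <font color="#ffffff">
        return True
    m = re.search(r"(?:^|;)color:([^;]+)", v)        # style="...;color:#fff"
    return bool(m) and m.group(1) in WHITE


class SpamHtmlScanner(HTMLParser):
    """Collects visible text, hidden text and remote image URLs from a body."""

    def __init__(self):
        super().__init__()
        self._stack = []         # per open element: did it start hidden text?
        self._hidden_depth = 0   # > 0 while inside any white-text element
        self.visible_text, self.hidden_text, self.remote_images = [], [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "img":
            src = a.get("src") or ""
            if src.lower().startswith(("http://", "https://")):
                self.remote_images.append(src)   # fetch confirms a live address
        if tag in VOID_TAGS:
            return                               # never closed: keep off the stack
        hidden = _is_white(a.get("color")) or _is_white(a.get("style"))
        self._stack.append(hidden)
        if hidden:
            self._hidden_depth += 1

    def handle_endtag(self, tag):
        if tag in VOID_TAGS or not self._stack:
            return
        if self._stack.pop():
            self._hidden_depth -= 1

    def handle_data(self, data):
        text = " ".join(data.split())
        if text:
            bucket = self.hidden_text if self._hidden_depth else self.visible_text
            bucket.append(text)


def scan_email_html(html):
    """Return character counts, remote image URLs and the heuristic findings."""
    p = SpamHtmlScanner()
    p.feed(html)
    p.close()
    visible = " ".join(p.visible_text)
    hidden = " ".join(p.hidden_text)
    findings = []
    if hidden:
        findings.append("hidden_text")
    if p.remote_images and len(visible) < MIN_VISIBLE_CHARS:
        findings.append("image_only_body")
    return {"visible_chars": len(visible), "hidden_chars": len(hidden),
            "remote_images": p.remote_images, "findings": findings}


# Constructed sample bodies (not from the campaign); hosts use .invalid.
SAMPLE_HIDDEN = """<html><body>
<p>A personal letter from Santa for your little ones.
<a href="http://example.invalid/go">Click Here</a></p>
<font color="#ffffff">Larry Hagman was an American film and television actor.</font>
<div style="font-size:1px; color: #FFFFFF">He was best known for playing J.R. Ewing.</div>
</body></html>"""

SAMPLE_IMAGE_ONLY = """<html><body>
<a href="http://example.invalid/go"><img src="http://example.invalid/letter.jpg" alt=""></a>
<p>Unsubscribe</p>
</body></html>"""

SAMPLE_CLEAN = "<p>Hi, your order #12345 has shipped. Thanks for shopping with us!</p>"

if __name__ == "__main__":
    for name, body in [("hidden", SAMPLE_HIDDEN), ("image-only", SAMPLE_IMAGE_ONLY),
                       ("clean", SAMPLE_CLEAN)]:
        print(name, scan_email_html(body))
```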

Clicking the "Click Here" links within many of these messages directs you to an official-looking web-browser opinion survey, tailored to the browser from which you are viewing the page:



Simple browser detection and IP geolocation techniques are used to appear convincing


Unfortunately, other than the opinion survey, the only personalized item you're likely to receive from this point on is more spam, scams or empty offers. No amount of form-filling, survey submissions, or offer completions is likely to result in the desired letter from Santa Claus. Therefore, if you are looking to assist Santa with his letter-sending duties, please stick to reputable organizations. Many charities, for example, provide this service legitimately, and your money is much better off in their pocket than in a scammer's!


Jason Hill

Black Friday/Cyber Monday Survival Guide
Posted: 23 Nov 2012 09:00 AM


Many of our colleagues, customers and readers will by now have enjoyed their fill of turkey and pumpkin pie for Thanksgiving and are preparing for a second day of festivities with the arrival of Black Friday. For North American retailers and consumers this traditionally marks the start of the holiday shopping season, and although it is not observed as a national holiday, more and more retailers across the globe are launching Black Friday promotions to entice consumers and increase sales. Additionally, given that Black Friday is typically a physical 'bricks-and-mortar' retail affair, online retailers seek to continue the shopping frenzy with additional offers, promotions and sales on Cyber Monday, a marketing term coined in 2005 by Shop.org.


Of course, retailers and consumers are not alone in their preparations for the shopping period and here at Websense® Security Labs™, the Websense ThreatSeeker® Network continues to detect and protect customers from numerous malicious campaigns that look to exploit bargain hunters and shoppers throughout this period.

 

Malicious campaigns detected and blocked thus far predominantly play upon Black Friday themes to spam-promote scam websites offering loans, fake degrees and the like. We also see scams that entice victims to complete survey scams in order to harvest personal information.

 

In addition to wearing appropriate clothing and footwear as well as remembering to drink sufficient amounts of water, Security Labs presents our Black Friday/Cyber Monday Survival Guide:

#1 "If it looks too good to be true..."
Large retailers may offer knock-down prices and fantastic first-come-first-served deals; however, think twice before clicking on that email link or completing that purchase on that 'new' website you've just found.


Fake websites are created by scammers to entice buyers using terminology such as 'wholesale prices' or 'liquidated stock'. Combine this with a Black Friday or Cyber Monday deal and you could be convinced that you've just secured the latest gadget at a fraction of the retail price. In reality, you're handing over your payment details to a scammer who will at best only charge you for the fictitious goods.

Apple products for less than half the retail price... Really?

 

These scams are unfortunately not limited to dedicated scam websites; individual fictitious products also infiltrate well-known online retailers and auction sites. Successfully purchasing bargains through third-party sellers via a retailer's 'marketplace' or an online auction is common practice; however, apply rule #1 and consider rule #2.

Remember: "If it looks too good to be true... it probably is."


#2 "It takes many good deeds to build a good reputation..."
Many interactions in our everyday lives rely on reputation and our online interactions should be no different. Just because an email claims to be from a particular retailer or organization it doesn't mean that it is. Many online retailers have spent a great deal of time and effort building their reputation and are unlikely to dilute their brand by sending emails from free webmail accounts or creating websites on obscure URLs.

If you have suspicions regarding an email or link, don't follow it. Go directly to the organization's website before logging in or making a purchase, and don't be afraid to contact an organization to verify the validity of something you've received.

Suspicious URLs can also be checked using our ACEInsight Site Analysis tool, a free service powered by the Websense TRITON™ architecture that will perform a real-time security and content classification check.

 

If you're submitting any personal information online, look for additional security features: many retailers use HTTPS and Extended Validation (EV) certificates, which are evident by a padlock icon and the organization name appearing in green in the address bar. These indicate that additional verification steps have been taken and confirm the authenticity of the website you're visiting. If you're making an online purchase or submitting personal or financial information, these measures also help to secure your data in transit and protect it from prying eyes (man-in-the-middle attacks).


Reputation confirmed by an Extended Validation Certificate



If you're considering a purchase from a marketplace seller or online auction remember to review ratings or feedback and confirm that they are reputable. Additionally, avoid using payment methods outside of the marketplace or auction site as these are common scam traits - not only are you likely to fall outside of any payment protection schemes, many scammers will encourage you to use money transfer methods that are difficult to track and recover.

Remember: "It takes many good deeds to build a good reputation, and only one bad one to lose it." - Benjamin Franklin


#3 "Loose lips..."
It's possible that not even your closest friend knows your date of birth (for those of us above a certain age), your mother's maiden name or indeed the name of your first goldfish let alone your PIN, card verification code and credit-card number! Given this, think carefully before surrendering this information and be suspicious of any email, website or social network post that requests personal and/or financial information... you may find that your details are being used to fund someone else's shopping-spree!

 

Phishing campaigns, as shown in our recent Insights Blog, are most popular on Mondays and Fridays, which just so happens to tie in with this weekend's busy shopping period. Financial organizations and retailers are highly unlikely to ask you to 'Verify your account' or 'Unlock your account' and then have you submit all of your personal details again. If in doubt, visit the organization's website directly or contact them via alternate means to confirm their request.

 

If you're submitting any personal information online, confirm the reputation (rule #2) of the organization. Will they be protecting your data and using it for its intended purpose? Or is this a ruse to gather personal information for further spam/scam campaigns or even identity theft?

Remember: "Loose lips sink ships!"


#4 "There's no such thing as a free lunch..."

As is often the case when invited to lunch with family members, we may pay a small price for lunch by fixing that printer problem or removing malware from the abused family PC... a small price compared to the time and effort required to put the meal in front of you. In the case of scammers, the free lunch, or more to the point the 'free gift card' or 'free hugely popular consumer electronic device', is offered in return for simply filling in an online survey or completing a qualifying purchase in order to secure that vastly more expensive item.

 

Commonly these scams utilize emails and social network posts claiming to be from popular brands informing you that 'You have received a gift card from us' or 'Giveaway'. The links of course, if not leading you to malicious websites that could potentially compromise your machine, lead you through a series of sites to harvest your personal information and/or entice you into purchasing memberships, ebooks and other items all in order to secure that great freebie.  Once harvested, your data at best could be passed to marketing organizations to further target you, or at worst for identity fraud.

 

Free iPad?

 

Free giftcard?

 

Ask yourself the question, would the brand really give away high-value gift-cards and goods in return for a completed survey? Whilst prize draws and money-off coupons are common rewards, consider our other survival guide tips before answering the question.

Remember: "There's no such thing as a free lunch... somebody has to pay"


#5 "Attachment is the great fabricator of illusions..."

Here in Security Labs, we've seen, blogged about, and protected customers from countless malicious email campaigns which misuse popular brand identities to entice trusting consumers to open malicious attachments which then lead to the compromise of their machines. Whilst no specific examples of Black Friday / Cyber Monday malicious emails are being detected at the time of writing, this attack vector could easily be exploited to take advantage of those of us waiting for an all-important email laden with shopping bargains.

 

However enticing, interesting or compelling an email attachment looks - don't open it unless you are sure of its source.

Attached order confirmations or coupons may appear to be legitimate, particularly when you're placing a number of orders online. Confirm that these are related to transactions that you've made and consider the behavior. Is it normal for this particular retailer to send you the order confirmation as an attachment rather than within the actual email?

Remember: "Attachment is the great fabricator of illusions; reality can be attained only by someone who is detached." - Simone Weil

 

#6: "The hair is real..."

Those of you camping outside stores awaiting the bargain stampede are sure to be using mobile devices to stay up-to-date with the latest offers and news... but how do you keep on top of numerous retailers and offers? A quick search on any mobile application store or marketplace is sure to reveal any one of a number of apps that will take care of this task for you, aggregating numerous news feeds, offers and store deals into one handy app. The question is, can you trust it? As seen with the launch of many high-profile mobile games and applications, attackers exploit mobile users by publishing fake applications which may give you a little more than you've bargained for... perhaps premium-rate SMS, or just harvesting personal data from your smartphone.

 

Before installing any application, be sure to check the permissions that it's requesting. Does a simple offer app really need the ability to modify or delete items on your smartphone's storage card? How about it integrating with your phone book? If in doubt, don't install it. And, of course, check the reviews to confirm that the app's reputation is trustworthy.

Remember: "The hair is real; it's the head that's fake." - Steve Allen

 

#7: "I alone cannot change the world..."

In the sense of community and coming together, please do leave a comment and share anything suspicious you encounter this weekend. Whilst we've prepared this survival guide, albeit in a light-hearted fashion, for Black Friday and Cyber Monday, these threats and our guidelines are relevant throughout the year. Enjoy your shopping and stay safe. And by all means drop us a line if you find any real 'highly desirable consumer electronic gadgets' at knock-down prices!

Remember: "I alone cannot change the world, but I can cast a stone across the waters to create many ripples." - Mother Teresa

 

Breaking News: The Malicious USA Presidential Spam Campaign has Started
Posted: 10 Oct 2012 03:45 PM

The Websense® ThreatSeeker® Network has detected a spam campaign that tries to exploit recipients' interest in the current presidential campaign in the US. Specifically, we have detected thousands of emails with this kind of content:

As noted recently, we are seeing an increasing number of spam campaigns with malicious links that lead to BlackHole exploit pages. This is also what happens with this campaign. If the recipient clicks on one of the links in the email, it starts a redirection flow which leads to URLs that host BlackHole exploit code. We simulated the recipient's experience using the Fiddler tool, as shown below:

The pattern used strongly resembles the pattern used in other malicious, BlackHole-based spam campaigns, so we decided to investigate using a small set of samples from this campaign, chosen from the thousands of emails detected.

The links found in the spam emails usually have this kind of content:

The purpose of this flow, as usual, is to install malicious files. In this malicious spam campaign, we noticed PDF, JAR and EXE files with low detection rates (used to compromise the victim systems). During our simulated user experience we found the following files involved:


PDF - MD5: 69e51d3794250e3f1478404a72c7a309 

JAR file - MD5: 03373056bb050c65c41196d3f2d68077

about.exe - MD5: 9223b428b28c7b8033edbb588968eaea 


More information on the behavior and activities of about.exe can be found in our Websense ThreatScope™ report:
http://aceinsight.websense.com/fileanalysisreport.aspx?rid=CD22C58FDA3E49FBBF1D41BD575ACAD3

Each URL shown above contains a redirection payload that leads the victim to a malicious website that hosts BlackHole exploit kit 2.0 obfuscated code. So far, we have detected thousands of emails blocked by our Cloud Email Security technology:

Websense customers are protected from this and other threats by Websense ACE (Advanced Classification Engine). 

Gianluca Giuliani

Phishing for Apple IDs
Posted: 08 Oct 2012 03:27 PM

The Websense® ThreatSeeker® Network has detected a phishing campaign whose potential victims are holders of an Apple ID account. An Apple ID allows you to buy new apps, make a customer workshop reservation at an Apple Retail Store, or buy music and multimedia content from the iTunes Store. You can also buy applications for Mac OS X as well as mobile apps for iOS devices like the iPad and iPhone. All these fine services can also be accessed by unauthorized users if they can obtain your credentials. The phishing campaign begins with an email message like this one, informing the recipient of a "suspended" Apple ID:

The email itself does not display a nice "Apple" look and feel. However, the URL for "reactivating" the Apple ID account (hxxxxxp://apps.apple.com-account-cancel.shellbells.com.au/?/cgi-bin/WebObjects/MyAppleId.woa/) takes a user to a page that looks very much like the Apple style, as shown below:

As sometimes happens, the hosts that hold the phishing domains have an "open directory" (probably due to a configuration issue), which makes it possible to navigate the structure of the path (server side) used to deploy the phishing email, as shown here:

The URL is traced to IP address 116.0.23.225, where we have detected other phishing domains and hosts:

We have quarantined or rejected hundreds of these types of phishing email messages, which can potentially lead to Identity theft:

Websense customers are protected from this and other threats by Websense ACE (Advanced Classification Engine). 


Gianluca Giuliani

When Less is More: The Growing Impact of Low-Volume Email Attacks
Posted: 05 Oct 2012 01:00 AM

Here at Websense® Security Labs™, we often blog about big malicious campaigns and how our products protect our customers from them. But what about smaller campaigns that are no less dangerous? 

 

Broad campaigns often spoof notifications from well-known businesses, establishments, organizations, and agencies, and are very widespread these days. However, smaller volume campaigns sometimes can be as (or even more) dangerous by bypassing the victim's defenses.

 

Last week, the Websense ThreatSeeker® Network intercepted one such campaign. This small-volume, malicious campaign targeted businesses with legitimate-looking emails that refer to items like purchase orders, quotes, and supply information. All of these emails had attachments that install variants of the popular Zeus malware on the victim's computer.

 

Websense Cloud Email Security quarantined these emails as containing a potential virus before most of the malicious attachments were detected by antivirus (AV) engines. Websense ACE (Advanced Classification Engine) provides the extra layers of protection that help Cloud Email Security protect customers against a wide array of threats. 

 

In many cases, AV signatures are behind the latest threats. But although ACE uses AV as one of its analytics, we found this example where AV was not detecting the threat. Other techniques such as using network behavior (volume vs. time) and reputation are very effective against big campaigns, but would not work in this case, since the volume was low. The content of these email messages looks benign most of the time, so traditional anti-spam rules would not work well either. This is where additional protection is needed. ACE can provide that protection and quarantine such suspicious messages by looking more deeply at their content and features, like the types of attachments, message attributes, web links in each message, and telltale patterns in the content body. 

 

The period of time between ACE detection and AV detection can potentially prevent a security breach at the most crucial time, averting having to "play catch-up." 

 

Let's take a closer look at the emails that were intercepted.

 

The variant that was most common on September 27, 2012, had subject lines such as:

RE: NEW ORDER

RE: ATTACHED PO

Notice the email body looks quite benign:

There were other examples. See later in the text.

The most "popular" attachment was a file named "scan.rar," which carried the executable "scan.exe."

 

Here's a Websense ThreatScope™ analysis of this file, showing the malicious behavior:

 

http://aceinsight.websense.com/FileAnalysisReport.aspx?rid=65EA634D5A96460CB3489AAD8A840364

 

Compare this to the VirusTotal report at the time that Cloud Email Security detected the threat. Only 2 out of 43 vendors detected this file as malicious:


http://www.virustotal.com/file/2373c8cb97ba5bd2a9bd5451de02f872c4444c1689b8d4021a7fd3945835da7b/analysis/1348767164/

 

Of course, AV signatures eventually catch up, so the situation improved to 15/43 a few days later.

 

Cloud Email Security customers were protected regardless:

Based on the nature of the attachments and a few other key attributes in the messages, ACE determined that these emails carried a potential virus and had them quarantined.

 

Some of the other variants were:

Subject: RE:quotation
Attachment: po.rar

Subject: Urgent Order.
Attachment: payment.zip

Subject: supply info
Attachment: payment.zip

Subject: New PI
Attachment: quote.exe

Subject: Order
Attachment: product details.zip

Subject: Please attend to my order
Attachment: quotation.zip

All of these were quarantined by Cloud Email Security based on the attributes of the message and the attachment.
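The attribute-based quarantining described above (attachment types, message attributes, subject themes) can be illustrated with the following Python triage function. It is an added example, not ACE logic: the rules and sample messages are assumptions modelled on the subjects and file names listed in this post, and the post's RAR attachment is rebuilt as a ZIP so the standard library can inspect it.

```python
"""Attribute-based triage for low-volume 'purchase order' lures.
Added example, not Websense code: rules are assumptions drawn from the post."""
import io
import re
import zipfile

EXEC_EXT = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs")
ARCHIVE_EXT = (".zip", ".rar", ".7z")
# Name fragments that make an executable look like a business document.
DOC_HINTS = {"pdf", "doc", "xls", "scan", "invoice", "quotation", "quote",
             "po", "pi", "order", "payment", "sample", "samples", "list"}
SUBJECT_RE = re.compile(r"\b(order|po|pi|quot(e|ation)|supply|invoice|payment)\b", re.I)


def archive_members(name, data):
    """List the members of an attached archive, or None if it can't be read.
    Only ZIP is handled here (stdlib); a real gateway would plug in RAR/7z."""
    if name.lower().endswith(".zip"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                return zf.namelist()
        except zipfile.BadZipFile:
            return None
    return None


def triage_message(subject, attachments):
    """attachments: {filename: bytes}. Returns (verdict, reasons)."""
    reasons = []
    for name, data in attachments.items():
        is_archive = name.lower().endswith(ARCHIVE_EXT)
        members = archive_members(name, data) if is_archive else None
        if is_archive and members is None:
            reasons.append(f"{name}: archive could not be inspected")
        for inner in (members if members is not None else [name]):
            low = inner.lower()
            if not low.endswith(EXEC_EXT):
                continue
            where = f"{name} -> {inner}" if inner != name else name
            reasons.append(f"{where}: executable content")
            stem_tokens = set(re.split(r"[^a-z0-9]+", low.rsplit(".", 1)[0]))
            if stem_tokens & DOC_HINTS:
                reasons.append(f"{where}: executable named like a document")
    if reasons and SUBJECT_RE.search(subject):
        reasons.append(f"subject '{subject}' uses an order/quotation theme")
    if any("executable content" in r for r in reasons):
        verdict = "quarantine"
    elif reasons:
        verdict = "review"        # uninspectable archive: hold for a human/sandbox
    else:
        verdict = "deliver"
    return verdict, reasons


def make_zip(files):
    """Build an in-memory ZIP from {member_name: bytes} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member, content in files.items():
            zf.writestr(member, content)
    return buf.getvalue()


# Constructed messages modelled on the subjects/attachments in the post.
# The post's 'scan.rar' is rebuilt as a ZIP so the stdlib can open it.
MSG_ORDER = ("RE: NEW ORDER", {"scan.zip": make_zip({"scan.exe": b"MZ\x90\x00"})})
MSG_PI = ("New PI", {"quote.exe": b"MZ\x90\x00"})
MSG_RAR = ("RE: ATTACHED PO", {"po.rar": b"Rar!\x1a\x07\x00"})
MSG_BENIGN = ("RE:quotation", {"quotation.zip": make_zip({"quotation.pdf": b"%PDF-1.4"})})

if __name__ == "__main__":
    for subject, atts in (MSG_ORDER, MSG_PI, MSG_RAR, MSG_BENIGN):
        print(subject, triage_message(subject, atts))
```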

 

Click on the file names below for ThreatScope reports that provide an analysis of some of the files contained in the various attachments:

list.exe

Not in VirusTotal at the moment.

 

Quote.exe

Was not in VirusTotal. After uploading the file, these were their results.

 

Notice the fake "quotation" PDF that opens with these files:

payment.exe

Not in VirusTotal at the moment.

 

PO.exe

Not in VirusTotal at the moment.

 

Quotation_pdf.exe

Here is the VirusTotal report for the above file.

 

Samples.scr

Was not in VirusTotal. After uploading the file, these were their results.

 

Finally, here are some additional screenshots of other email variants (these look a little more suspicious than the first example shown above):

Please let us know your thoughts. Are you more concerned about the low-volume attacks or the broad far-reaching high-volume attacks? Send in your comments using the box below.


Ran Mosessco

Unsolicited Secret Admirers Via Email
Posted: 02 Oct 2012 12:47 AM

 

The Websense® ThreatSeeker® Network has detected an unsolicited email campaign in which love-struck or curious recipients may have their appetites whetted by the thought of a secret admirer. Although Websense customers are protected from this and other threats by ACE™, our Advanced Classification Engine, this post provides an insight into the campaign, which appears to be on the increase today.

 

The messages, sent from various Yahoo.com accounts, suggest that the sender has "to let you know how [they] feel" and provide an enticing Facebook link to "View Your Ecard".

As displayed above, a valid short Facebook URL is used which, in this case, redirects to hxxp://www.facebook.com/pages/32942390324/536822983001617?sk=app_190322544333196. This particular page, which appears to have been created today (October 1, 2012), makes use of a third-party Facebook app 'Static HTML App.' This app embeds the following code:

The code sends a 'signedRequest' string (as seen in the highlighted URL above), which then requests the desired content for rendering in the victim's browser. In this case, a small piece of JavaScript is delivered:

The victim's browser is then directed to a fake ecard site hxxp://readyourecard.com/viewmessage/?a=vip36 which, according to Whois data, was registered on September 20, 2012 by 'Liu Hongmei' in China:

At this point, the aim of the campaign becomes clear: Every link on the fake ecard page redirects to an affiliate landing page on the Adult Dating website AdultFriendFinder.com and, with affiliate earnings of up to $1 per unique visitor, you can easily see how such a campaign could become very lucrative!

This campaign appears to be financially driven, but it is conceivable that the same techniques could be used to direct victims to malicious sites. Given that the redirection starts from an innocent-looking Facebook page, users should consider themselves warned to tame their curiosity and not click on unsolicited links!

Voice Mail Notifications and ADP Emails Lead to Blackhole Exploit Kit
Posted: 13 Sep 2012 02:00 PM

Since Blackhole Exploit Kit 2.0 was recently introduced, we wanted to give our readers a few examples of how they might get exposed to this threat through email.

 

Websense® ThreatSeeker® Network has recently intercepted a few malicious email campaigns that try to lure the victims to Web pages that host this popular exploit kit. Some of the themes were new to us and some familiar.

 

One posed as voice mail notifications from Microsoft Exchange servers, another mimicked ADP invoice reminders, and a third thanked the recipient for signing up for a premium service of accountingWEB.com. Like other malicious social engineering campaigns, these email campaigns try to lure victims to click links that ultimately lead to pages hosting Blackhole Exploit Kit. A lot of the email messages pretend to come from trusted sources (well-known establishments, or the victim's own infrastructure), and try to catch the reader off-guard by focusing their attention on something urgent, like money matters.

 

Websense customers are protected from these threats by ACE™, our Advanced Classification Engine.

 

The malicious emails contain links that redirect to Blackhole pages with new obfuscation, but we don't think these are Blackhole 2.0. We suspect it won't be long, though, until we come across similar campaigns that use the new version.

 

ADP is one of the largest names in payroll services, so it's no surprise that a spoofed ADP notification email is used as a lure.

Here's an example marked as high priority, with the subject line "ADP Invoice Reminder":

Let's follow one of the possible redirection paths:

hxxp://allbarswireless.com/HXwcDdQ/index.html
hxxp://ash-polynesie.com/AjVSXvus/js.js
hxxp://108.60.141.7/tfvsfios6kebvras.php?r=dwtd6xxjpq8tkatb
hxxp://108.60.141.7/links/differently-trace.php

Please refer to our previous blog post to learn more about the landing page.

 

Here's a different lure - emails pretending to come from the victim's Exchange server, telling them that they have new voice mail. The text invites the reader to click the link: "Double click on the link to listen the message."

Subject lines include "Voice Mail from NNN-NNN-NNNN (NN seconds)":

The redirection chain here is similar:

hxxp://www.tryakbar.com/tLbM3r/index.html
hxxp://sportmania.so/JP3q2538/js.js
hxxp://173.255.221.74/tfvsfios6kebvras.php?r=rs3mwhukafbiamcm

The landing page shows similar content to the previous example. See here.

 

Another scheme thanks the user for signing up for a premium service.

Subject lines include "Thank you for activating paid services":

Different redirection chain, but the landing page hosts Blackhole, with a very familiar path:

hxxp://www.svstk.ru/templates/beez/check.php
hxxp://bode-sales.net/main.php?page=3c23940fb7350489

And finally, the familiar theme of FDIC notifications claiming your wire transfer ability was suspended.

Subject lines include "You need a new security version," "Suspended transactions," and "Urgent! You must install a new security version!"

Here again, simple redirection leads to typical "/main.php?page=" type URLs.

hxxp://kahvikuppi.org/achsec.html
hxxp://afgreenwich.net/main.php?page=0f123fe645ddf8d7

Note that as part of the update to Blackhole 2.0, we are much more likely to see URLs like those used in the first two examples, rather than the latter two, due to the dynamic URL generation capability.
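As an added defender-side example (not code from the original post), here is a small Python scanner that applies the two URL shapes described above, the static "/main.php?page=<16 hex>" landing and the "/<random>/index.html" then "/<random>/js.js" then IP-hosted ".php?r=<token>" chain, to constructed proxy-log lines built from the URLs quoted in this post; the client IPs, the log format and the benign line are assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed proxy-log sample (client IP, URL). The URLs are the redirection chains
# quoted in the post, still defanged as "hxxp"; client IPs and the benign line are made up.
SAMPLE_LOG = """\
10.0.0.5 hxxp://allbarswireless.com/HXwcDdQ/index.html
10.0.0.5 hxxp://ash-polynesie.com/AjVSXvus/js.js
10.0.0.5 hxxp://108.60.141.7/tfvsfios6kebvras.php?r=dwtd6xxjpq8tkatb
10.0.0.5 hxxp://108.60.141.7/links/differently-trace.php
10.0.0.6 hxxp://www.tryakbar.com/tLbM3r/index.html
10.0.0.6 hxxp://sportmania.so/JP3q2538/js.js
10.0.0.6 hxxp://173.255.221.74/tfvsfios6kebvras.php?r=rs3mwhukafbiamcm
10.0.0.9 hxxp://kahvikuppi.org/achsec.html
10.0.0.9 hxxp://afgreenwich.net/main.php?page=0f123fe645ddf8d7
10.0.0.7 http://example.com/main.php?page=about
"""

HEX16_PAGE = re.compile(r"^page=[0-9a-f]{16}$")        # the "familiar" /main.php?page=<hex> landing
IPV4_HOST = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")     # IP-hosted final hop in the first two chains
R_TOKEN = re.compile(r"^r=[a-z0-9]{16}$")
CHAIN_STEPS = (re.compile(r"^/[A-Za-z0-9]{6,10}/index\.html$"),   # hop 1: /<random>/index.html
               re.compile(r"^/[A-Za-z0-9]{6,10}/js\.js$"))        # hop 2: /<random>/js.js

def refang(url):
    """Turn the defanged hxxp:// scheme back into http:// so urlparse sees a host."""
    return re.sub(r"^hxxp", "http", url)

def classify(url):
    """Label a single URL that matches one of the landing-page shapes in the post, else None."""
    p = urlparse(refang(url))
    if p.path.endswith("/main.php") and HEX16_PAGE.match(p.query):
        return "blackhole-static-landing"
    if IPV4_HOST.match(p.hostname or "") and p.path.endswith(".php") and R_TOKEN.match(p.query):
        return "blackhole-ip-landing"
    return None

def scan_log(text):
    """Return (client, url, label) hits; per client, an index.html -> js.js -> IP .php?r= sequence
    is upgraded to a chain hit. The correlation is loose: unrelated requests in between are ignored."""
    hits, step = [], {}          # step[client] = chain hops seen so far
    for line in text.splitlines():
        client, url = line.split(None, 1)
        label, path = classify(url), urlparse(refang(url)).path
        n = step.get(client, 0)
        if n < 2 and CHAIN_STEPS[n].match(path):
            step[client] = n + 1
        elif n == 2 and label == "blackhole-ip-landing":
            label, step[client] = "blackhole-redirect-chain", 0
        if label:
            hits.append((client, url, label))
    return hits
```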

Malicious Email Messages Posing as Antivirus Notifications
Posted: 28 Aug 2012 03:36 PM

Websense® ThreatSeeker® Network intercepted a malicious email campaign posing as antivirus notifications that warn users that their accounts may be blocked. These fake messages state that the victim's email address has been sending infected email to the mail server, and that the situation may be remedied if the user clicks a URL to download a free removal tool. The "free tool" is, of course, a malicious executable that connects to malicious websites, and then drops more executables on the victim's computer.

This looks like a low-volume campaign, as we have seen (and blocked) approximately 2700 of this type of email yesterday and today.

Websense customers are protected from these threats by ACE™, our Advanced Classification Engine.

The email may contain a subject like this:

[Symantec] - Your e-mail account may be blocked.

The "from" address varies and may appear as:

scanner@symantec.com

scanonline@f-secure.com

symantec@verisign.com

scan@sophos.com

symantec@sophos.com

virscan@secureroot.com

noreply@verisign.com

Here's a sample:

Notice that the email text contains the phrase "Scanning sytem...", which is completely false. No scan is taking place. The victim is notified that the computer is infected with the worm W32.Swizzor.C-WORM and is urged to download the removal tool for protection.

Clicking the suggested link takes the victim to:

hxxp://www.protectedssl.net/removal/SymantecRemoval&2012&09.data=SwizzorC.php

This page prompts the user to download a file with the promising name "RemovalTool" from this location:

hxxp://www.protectedssl.net/RemovalTool.exe

You can see an AceInsight report for the first URL here:

http://aceinsight.websense.com/report.aspx?g=18D3325A54C64DBA9B7ACC7702DF4748

ThreatScope analysis, which is a part of the Websense CSI service, identifies the file RemovalTool.exe as malicious due to its behavior:

1. HTTP traffic to server hosting malicious content

2. Drops executable file(s)

3. HTTP traffic to uncategorized server

4. Writes to the filesystem in a directory of the user profile often used by malware

The full ThreatScope report can be seen here.

At the time of this writing, only 3/42 AV vendors on Virustotal identified the file as malicious:

How does Websense protect against this threat?

Websense Email Security products block these messages as spam using a combination of network traffic, reputation, and spam rules.

For Websense Web Security products, the real-time analytics in Web Security Gateway, Web Security Gateway Anywhere, and Cloud Web Security block the landing URL, providing further protection.
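As an added illustration of the kind of spam rule this post describes (not Websense code, and not from the original post), the Python below checks the subject line and the "from" addresses quoted above for the brand/domain mismatches that give this campaign away, and flags a body link to an executable like the "RemovalTool.exe" lure; the vendor name list is an assumption.

```python
import re

# Subject line and sender addresses exactly as quoted in the post.
SUBJECT = "[Symantec] - Your e-mail account may be blocked."
SENDERS = [
    "scanner@symantec.com", "scanonline@f-secure.com", "symantec@verisign.com",
    "scan@sophos.com", "symantec@sophos.com", "virscan@secureroot.com",
    "noreply@verisign.com",
]
# Assumed vendor names a rule would recognise (not from the post).
AV_VENDORS = ("symantec", "f-secure", "sophos")

def spoof_indicators(subject, sender, body_links=()):
    """Return the rule names that fire for one message. An empty list does not
    prove the mail is genuine: a sender on the claimed domain still needs SPF/DKIM."""
    local, domain = sender.lower().rsplit("@", 1)
    hits = []
    m = re.match(r"\[([^\]]+)\]", subject)           # "[Symantec]" -> claimed brand
    claimed = m.group(1).lower() if m else None
    if claimed and claimed not in domain:             # brand in subject, other sending domain
        hits.append("subject-brand-domain-mismatch")
    for v in AV_VENDORS:                              # e.g. symantec@sophos.com
        if v in local and v not in domain:
            hits.append("local-part-vendor-mismatch")
            break
    if any(l.lower().split("?", 1)[0].endswith(".exe") for l in body_links):
        hits.append("executable-download-link")      # the "free removal tool" is an .exe
    return hits

def triage(subject, senders, body_links=()):
    """Run the indicators over every sender variant seen in the campaign."""
    return {s: spoof_indicators(subject, s, body_links) for s in senders}
```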

Ran Mosessco

Benefits of your Blackberry ID in this attached malware
Posted: 22 Aug 2012 10:39 PM

Websense® ThreatSeeker® Network intercepted a malware campaign targeting Blackberry customers. These fake emails state that the recipient has successfully created a Blackberry ID. The messages then continue, "To enjoy the full benefits of your BlackBerry ID, please follow the instructions in the attached file." That, of course, is an attempt to lure victims into running the attached malware.

The malicious email itself is a copy and paste of a legitimate email from Blackberry. And though the attachment indeed raises suspicion, there's no malicious or compromised URL in it. 17/36 AV engines identify the malware in VirusTotal.

ThreatScope analysis, which is a part of the Websense CSI service, reports that running the attachment drops other executable files and modifies the system registry to automatically start these malware programs when the system starts.

Websense customers are protected from these threats by ACE, our Advanced Classification Engine.

Mary Grace Timcang

©2013 Websense, Inc. All Rights Reserved.