Websense Insight: The Route to Malware
Posted: 28 Sep 2010 01:35 PM

How many clicks does it take to get to the malicious code of an infected website? Surprisingly, the answer is usually just two.

In this Websense Insight we look at how most Internet users are only two clicks away from malicious content in one of three ways: via top sites, poisoned search results, and malicious links.

In the video, we use extensive data from analysis of thousands of links to illustrate that you may be in more danger from searching for items on the World Cup than you would be in the "traditionally" dangerous "neighborhoods" of the "adult" or objectionable Web.

We also present some fascinating and surprising data on how close you are to malware and links to malware from some of the most highly trafficked and trusted sites on the Web.

To learn more about Websense Threat research in addition to this blog or view additional Websense Insights, please visit the Insights tab on http://community.websense.com/blogs/

To download the free Defensio application for free individual use, please visit defensio.com.

We'll have more analysis of these statistics and other Web Security findings in our upcoming "State of the Internet Report."

Patrik Runald

Websense Insight: Link Analysis - What links are people sharing on Facebook and Twitter?
Posted: 28 Sep 2010 01:13 PM

With millions of Tweets and Facebook postings flying around daily from personal and business users, have you ever wondered where the links in these postings go?

In this Websense Insight we have analyzed hundreds of thousands of social networking links to determine the ecosphere of links and the potential threat vectors of the social Web.  Some of the findings may truly surprise you.

For example, did you know that 40 percent of Facebook status posts contain a URL, and that 10 percent of those are either spam or malicious?

We also provide some top tips for avoiding the potential dangers of user generated content within an organization and on your own Facebook wall.

To learn more about Websense Threat research in addition to this blog or view additional Websense Insights, please visit the Insights tab on http://community.websense.com/blogs/

To download the free Defensio application for free individual use, please visit defensio.com.

We'll have more analysis of these statistics and other Web Security findings in our upcoming "State of the Internet Report."

Patrik Runald

Advanced Classification Engine
Posted: 13 Sep 2010 04:49 PM

Lately we have been referencing something called ACE in our blog posts, and some of you might wonder what we mean. ACE is our Advanced Classification Engine, which is essentially the engine that drives our products. It is the technology called into action when the product performs real-time classification of websites; it powers the proactive technologies that protect users from zero-day threats; and it ties together everything we do.


We made a video a few weeks ago about what ACE is and how it works. We'd like to share it with you here, enjoy!

Patrik Runald

Most Hilarious Video attack on Facebook
Posted: 28 May 2010 01:11 PM

Attacks on Facebook during weekends are unfortunately becoming a trend. For the third weekend in a row users on Facebook are bombarded with messages on their walls talking about Distracting Beach Babes, Sexiest Video Ever or this latest attack which supposedly is the "Most Hilarious Video ever" shown in the screen shot below.

We predicted that this attack would happen again and unfortunately we were right.

This attack differs from the previous weekends' in that not only do the attackers try to steal your Facebook credentials, but what happens after that depends on which country you connect from. Once you click on the link to view the video you are taken to a fake Facebook login page where you are tricked into entering your credentials. The login page looks like the real thing, except of course that if you look at the address bar you can see that you're not on facebook.com. But users can easily be tricked into thinking that they were temporarily logged out of Facebook and have to log in to continue.

Regardless of what you enter in the login form you are then taken to a page on the real Facebook site that asks you to allow the application to access your profile. If you allow that you're taken to a page saying that you need to upload your FLV Player to view the video. Up until this point it's similar to how the two previous attacks have worked, except that this new one also has the phishing component. However, what happens now depends on which country you are connecting from.

If you are coming from a US IP address you are prompted to download the FLV Player, which is detected by 35% of antivirus engines, as can be seen in the screen shot:

However, if you're coming from a UK IP address you're taken to a quiz where you have to answer 10 questions.

Once the quiz is completed, the user gets the chance to win an iPad! All they have to do is fill in their address. So instead of tricking the user into installing a malicious file, this time the attackers are after your personal information in addition to the Facebook credentials from the fake login page.

It's very likely that the behavior differs from the two examples we have described depending on which country you connect from. In our testing we only had the ability to test this attack from the US and UK, but regardless of where you are connecting from you shouldn't click on the fake video, and never, ever give your Facebook username and password to a website that is not facebook.com. We also recommend installing Defensio, our free security app for Facebook that will protect your wall from posts like this. You can get it from http://defensio.com
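The advice above comes down to one check: is the page asking for your password really on facebook.com? Here is an added example (not code from the Websense post) of how to make that decision correctly, by parsing the URL and comparing the registered host rather than looking for the string "facebook.com" anywhere in the address. The sample URLs are constructed lookalikes of the kind of lure this attack uses.

```python
"""
Added example (not part of the Websense post): decide whether a login URL
really belongs to facebook.com before credentials are typed into it.
The lookalike URLs below are constructed for the example.
"""
from urllib.parse import urlsplit

LEGIT_DOMAIN = "facebook.com"


def is_legit_login_host(url: str, legit_domain: str = LEGIT_DOMAIN) -> bool:
    """Return True only if the URL's host is legit_domain or a subdomain of it.

    Parses the URL properly instead of substring-matching, so hosts such as
    'facebook.com.example' or a 'www.facebook.com@evil' userinfo trick fail.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ("http", "https"):
        return False
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return False
    return host == legit_domain or host.endswith("." + legit_domain)


def explain(url: str) -> str:
    """Short verdict string suitable for a user-facing warning."""
    host = urlsplit(url).hostname or "(no host)"
    if is_legit_login_host(url):
        return f"OK: host {host} belongs to {LEGIT_DOMAIN}"
    return f"WARNING: host {host} is NOT {LEGIT_DOMAIN}; do not enter credentials"


# Constructed sample URLs: one real, the rest shaped like typical phishing lures.
SAMPLE_URLS = [
    "https://www.facebook.com/login.php",
    "http://facebook.com.video-login.example/login.php",   # suffix trick
    "http://www.facebook.com@phish.example/",              # userinfo trick
    "http://phish.example/facebook.com/login",             # path trick
    "http://www.faceb00k.example/login",                   # lookalike spelling
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(explain(u))
```

The point of the example is the failure modes: the string "facebook.com" appears in four of the five sample URLs, but only the first one actually resolves to a facebook.com host once the URL is parsed.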

Here's a video explaining this latest attack.

Patrik Runald

A bad applet in the barrel...
Posted: 26 May 2010 12:06 PM

Injecting malicious HTML code into legitimate Web sites has become commonplace in the past few years.  More often than not, the attackers inject a script or iframe tag into a legitimate site, which is meant to redirect visitors to attack sites without their knowledge.  Last week, however, we discovered an outlier of that trend: a malicious applet code injection.  The injected applet allows the code to work as a drive-by attack that downloads and then executes a malicious application.

Screen shot of injected page:

Reviewing the applet code, we can see that a 'Client.jar' file is downloaded.  This Client.jar file runs and uses some of the code found in the applet to create a .vbs file on the local system.  Reviewing the contents of Client.jar, we can see that it does this by getting the contents of the parameter "windows1". 

Screen shot of Client.jar:

Reviewing the applet code on the injected site, we can see a <param tag with name='windows1'.  The contents of the tag are actually one long command using cmd.exe to create a .vbs file in %temp%/winconfig.vbs.  At the end of this command you can see that the .vbs file is executed to download a malicious file and place it on the local file system as %temp%/update.exe.  Notice the use of the tinyurl passed to winconfig.vbs; this is probably an attempt to make the code look a bit more legitimate, as it doesn't look like it's downloading an executable file.
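An applet parameter that carries a Windows command line is an easy thing to look for when scanning pages for this kind of injection. The following is an added example (not the post's code) of a small scanner that parses a page's applet tags and flags parameters whose values contain command-line indicators like the ones described above. The sample page is constructed, and the "windows1" value in it is deliberately incomplete so it does nothing if pasted anywhere.

```python
"""
Added example (not the Websense post's code): scan an HTML page for injected
<applet> tags whose <param> values carry a Windows command line like the
'windows1' parameter described in the post. The sample page and the archive
and parameter contents below are constructed; nothing is fetched or executed.
"""
from html.parser import HTMLParser
import re

# Substrings that indicate a command line rather than ordinary applet data.
SUSPICIOUS_PATTERNS = [
    r"cmd(?:\.exe)?\b", r"%temp%", r"\.vbs\b", r"[wc]script", r"\.exe\b",
    r"echo\s", r"tinyurl\.com",
]


class AppletParamScanner(HTMLParser):
    """Collects every <applet> with its archive/code attributes and <param>s."""

    def __init__(self):
        super().__init__()
        self.applets = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "applet":
            self._current = {"archive": attrs.get("archive"),
                             "code": attrs.get("code"), "params": {}}
            self.applets.append(self._current)
        elif tag == "param" and self._current is not None:
            self._current["params"][attrs.get("name", "")] = attrs.get("value", "") or ""

    def handle_endtag(self, tag):
        if tag == "applet":
            self._current = None


def suspicious_hits(value):
    """Return the indicator patterns that match a parameter value."""
    return [p for p in SUSPICIOUS_PATTERNS if re.search(p, value, re.IGNORECASE)]


def scan_html(html):
    """Return a list of findings: (archive, param name, matched indicators)."""
    scanner = AppletParamScanner()
    scanner.feed(html)
    findings = []
    for applet in scanner.applets:
        for name, value in applet["params"].items():
            hits = suspicious_hits(value)
            if hits:
                findings.append((applet["archive"], name, hits))
    return findings


# Constructed sample page: a benign applet plus one shaped like the injection.
# The command string is intentionally truncated and non-functional.
SAMPLE_PAGE = """
<html><body>
<applet code="Chart.class" archive="chart.jar" width="300" height="200">
  <param name="title" value="Quarterly sales">
</applet>
<applet code="Client.class" archive="Client.jar" width="1" height="1">
  <param name="windows1" value="cmd.exe /c echo ... > %temp%\\winconfig.vbs & ... tinyurl.com/...">
</applet>
</body></html>
"""

if __name__ == "__main__":
    for archive, name, hits in scan_html(SAMPLE_PAGE):
        print(f"{archive}: param {name!r} matched {hits}")
```

Run against the sample page, the benign chart applet produces no finding while the Client.jar applet is reported on its windows1 parameter with several matching indicators; on a real page the archive name and the tinyurl are the values worth pivoting on.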

Screen shot of the .vbs code:

The interesting thing about these injections is the social engineering aspect of the attack.  Remember that this applet code is being injected by attackers into legitimate pages, and the attack .jar file is hosted on the same infected domain.  This means that you may get a few warnings popped up by Java, but most people will simply click through and ignore them, especially if they are visiting a "trusted" page.  After all, who really reads warnings when they are visiting a page they have been to before?  Most people would think that if a warning is coming from a page which they have been to and trusted before, there must be a false positive situation occurring. 

Here is a quick video of this attack in action.

Websense Messaging and Websense Web Security customers are protected against this attack.

Chris Astacio

Dissecting the Distracting Beach Babes Facebook app
Posted: 26 May 2010 01:01 AM

We managed to get our hands on the malicious Facebook application that we blogged about twice in the past few weeks. In the video below we're going to dive into it and see what's going on with this app:

For those of you that can't spare the time to watch the video, this is a brief summary of how it works.

  1. The first part of the code contains Facebook-specific information such as API key, secret key etc.
  2. It starts off by checking whether the app has permission to post on the user's wall. If it doesn't, it prompts the user to grant permission using Facebook APIs.
  3. It then enumerates the list of friends, picks a random number (in this case it's hardcoded to be 10) and posts a message to the walls of the 10 randomly picked friends.
  4. A message is then displayed asking the user to click "Continue" to watch the video.
  5. Yet another page is displayed that loads a thumbnail of a video and overlays the image with a prompt saying that the "FLV Player" needs updating.
  6. When the user clicks on "Continue", it loads the file videoplayer.php which does a simple redirect to http://www.flvpro.com/downloadfile.php?aff=3447_movies, where 3447_movies is the affiliate ID of the group/person behind the malicious app.

So far we have identified over 100 apps on Facebook that are all working the same way; the only difference is the API and secret keys that are used. In addition to them all working the same way, they also use the same Google Analytics UA ID to track visitor statistics.
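Tying 100-plus apps with different API keys back to one operator works by pivoting on what they share: the Google Analytics UA ID and the affiliate ID in the download redirect. The following added example (not code from the post) implements that pivot as a union-find over app records, so that any two apps sharing at least one indicator land in the same campaign cluster. All app records, key values, UA IDs and the download host are constructed placeholders.

```python
"""
Added example, not from the Websense post: group observed Facebook apps into
campaigns by the infrastructure they share (Google Analytics UA ID, affiliate
ID in the download redirect), the pivot the post uses to tie 100+ apps together.
All app records and identifier values below are constructed placeholders.
"""
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs


def affiliate_id(redirect_url):
    """Extract the 'aff' query parameter from a redirect URL, if any."""
    qs = parse_qs(urlsplit(redirect_url).query)
    return qs.get("aff", [None])[0]


def indicators(app):
    """Indicator tokens that two unrelated apps would not normally share."""
    out = set()
    if app.get("ga_id"):
        out.add(("ga", app["ga_id"]))
    aff = affiliate_id(app.get("redirect", ""))
    if aff:
        out.add(("aff", aff))
    return out


def cluster_apps(apps):
    """Union-find over apps that share at least one indicator.

    Returns a list of clusters (largest first); each cluster is a sorted
    list of app names.
    """
    parent = list(range(len(apps)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]   # path halving
            i = parent[i]
        return i

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    first_seen = {}
    for idx, app in enumerate(apps):
        for ind in indicators(app):
            if ind in first_seen:
                union(first_seen[ind], idx)
            else:
                first_seen[ind] = idx

    groups = defaultdict(list)
    for idx, app in enumerate(apps):
        groups[find(idx)].append(app["name"])
    return sorted((sorted(g) for g in groups.values()), key=lambda g: (-len(g), g))


# Constructed records: different API keys, but shared UA ID / affiliate ID.
SAMPLE_APPS = [
    {"name": "Distracting Beach Babes", "api_key": "key-A", "ga_id": "UA-0000000-1",
     "redirect": "http://downloads.example/downloadfile.php?aff=AFF_PLACEHOLDER"},
    {"name": "Sexiest Video Ever", "api_key": "key-B", "ga_id": "UA-0000000-1",
     "redirect": "http://downloads.example/downloadfile.php?aff=AFF_PLACEHOLDER"},
    {"name": "Funny Clip", "api_key": "key-C", "ga_id": "UA-0000000-1",
     "redirect": ""},
    {"name": "Movie Trailer", "api_key": "key-D", "ga_id": "UA-1111111-2",
     "redirect": "http://downloads.example/downloadfile.php?aff=AFF_PLACEHOLDER"},
    {"name": "Quiz Time", "api_key": "key-E", "ga_id": "UA-2222222-3",
     "redirect": "http://other.example/?aff=OTHER_AFF"},
]

if __name__ == "__main__":
    for group in cluster_apps(SAMPLE_APPS):
        print(len(group), "apps:", ", ".join(group))
```

Note how "Movie Trailer" joins the main cluster through the affiliate ID alone, and "Funny Clip" through the UA ID alone: transitive sharing is what makes the union-find approach more useful than grouping by a single field.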

Overall the app is very simple and relies fully on social engineering. The numbers from the two attacks we've seen so far prove that despite its slow propagation method (only sending the message to 10 users at a time) these types of attack unfortunately work very well.

"Sexiest Video Ever" on Facebook
Posted: 15 May 2010 04:15 AM

A new piece of malware is making its way across Facebook in messages that claim to be "the sexiest video ever". A screen shot of the message can be seen below.

When clicking on the "video" you are taken to an application installation screen asking you to allow it to access your profile, wall etc. Once approved it claims you have to download an updated FLV Player to view the video and promptly sends an EXE your way.

This is the Hotbar adware, which displays ads in your browser based on your browsing habits. In addition, the Facebook application just installed will post messages on your friends' walls on your behalf with the same "sexiest video ever" message.

We have seen these malicious applications use names such as K-Multimedia and Winamp.

Here's a video of how it works.

As always, be careful of links you click on Facebook. Note that if you clicked on the link but didn't allow the application access to your profile you are safe. You can also install our security application for Facebook, the world's first and only security app that protects your wall from unwanted messages. It's available for free at http://defensio.com

Patrik Runald

Celebrity life of Black Hat SEO
Posted: 08 Apr 2010 02:22 PM

It's not a secret that cybercriminals use all sorts of techniques to promote their fake products and services on the Web. To increase the rating of a newly-created fake medical or rogue AV Web site, criminals sharpen their skills in Black Hat SEO (search engine optimization). While White Hat SEO is used by essentially all businesses and non-profit sites, Black Hat SEO poisoning is mostly used for sites whose owners do not want to build traffic and popularity in a natural way. In some ways Black Hat SEO is a kind of celebrity life – popularity can be on the rise in a couple of weeks or even days and then abandoned just as quickly.

In both cases, this short popularity span can bring enough attention or revenue so that it's not in vain. Search engines like Google, Yahoo, or Yandex invent new solutions every day to filter sites using Black Hat techniques and not allow them to achieve their aim – which is to be seen on the first pages of search engine results when people are looking for genuine information.


If such sites manage to reach top search result positions, the traffic generated by people visiting the Web site will rapidly increase. It is worthwhile for Black Hat SEO teams, even with the risks of being shut down, because of the immediate visibility that their site gets - their 15 minutes of fame. This is another similarity to a celebrity's life: to be banned only once means they will never be highly rated again. The popularity can be built fast, and destroyed even faster.

There are many common techniques used in Black Hat SEO which lead to more or less the same target. It all depends on the time available, the ability to take a risk, and of course, money.

Backlinks – the most common and popular technique. It is not important how many links you point at, but how many links point to you. It's even better if the links are bidirectional, which is of course more difficult to achieve. Therefore "link farms" became a popular service not long ago, offering many servers pointing to one specific site or pointing to each other to build inter-linking. This approach has quickly been discovered and cracked down on pretty well by companies like Google, Yahoo, and others. So Black Hat guys started to infect pages through mass injections or other malicious means to get such links working in invisible form (hidden links) or in a pretty visible way, automatically populating forums, blogs, and directories. Of course, not every link has the same weight. There is a difference if a description of a link says "Go here" and points to "Quality meds", compared to a precise description. Also, links coming from high-ranked sites are weighted much more.

Using a high-ranked domain (for example, YouTube) to propagate such products and services. Accounts that have existed for a long time, in particular, are much more likely to get better visibility.

Image Crafting – every search engine ranks pictures by some set of properties. There are different approaches depending on the size, location, "href" description, and "alt" description of a picture. Using the right properties makes some pictures more easily visible than others.

Cloaking – content presented to search engine crawlers is different than content presented to a user’s browser. This kind of "hiding" offers special protection against being noticed and banned.

"Bait and Switch" – this technique is used to get high ranking usually using white methods, and subsequently switching the content from legitimate to something completely different. Even though nowadays this method is almost useless as search engines are parsing Web sites on a daily basis and notice switching immediately, sometimes a couple of hours is more than enough for criminals to achieve their aims.

Microblogging is becoming more popular every day. Pages offering microblogs are getting high ranking very quickly, and this ranking is automatically passed on to all blog posts. One of many techniques abusing such sites is registering an account in many highly popular groups and slowly posting messages with "appropriate" words, or even better URL links, to all of them. These messages get attention at once when posted, due to the fast and privileged indexing of such sites by search engines. Hence all of these crafted microblogs influence query results within a couple of hours.

301/302 redirect (also known as Get Your Traffic Now). Recently we posted an alert about Bloombox SEO poisoning – we have started to see more and more abuse of this technique. Let's have a look.

Screenshot 1 – Bloombox Black Hat SEO

Usually the abuse is achieved through a PHP file installed on a compromised host. The file takes the search term as a parameter, in this case "bloombox". The search term is usually a word or phrase that people use to find information about a particular event. When a user follows the link from the search results, they are redirected to a Web site with rogue AV.

Screenshot 2 – Rogue AV trap presented as a “Bloombox” destination

When trying to access the same link not from a Google search page but by directly pasting the URL into a browser, the user is redirected to http://www.cnn.com.

Screenshot 3 – Imitation of direct input of URL into a browser

The same thing happens when using a Google Bot referrer, pretending to be a Google crawler.

Screenshot 4 – Imitation of Google Bot parsing the page

The next step shows the case when the user gets access to the page from a Google search page.

Screenshot 5 – Imitation of accessing the page from Google search.

This site can be accessed only from a Google search page and only by a user. The whole trick is being done by a PHP file uploaded to a compromised host carrying the 302 (Temporary redirect) or 301 (Permanent redirect) with the cloaking mechanism. The redirection to an appropriate location depends on who or what follows the link.
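Because the redirector's behaviour depends on who follows the link, the way to confirm cloaking is to request the page under several profiles and compare the results. Here is an added example (not the post's code) of that probe: a direct visit, a crawler user-agent and a click-through from Google search, each recording only the first hop. The fetcher is injected, so the example runs offline against a constructed stand-in that follows the behaviour in screenshots 3 to 5; the hostnames and the search term are placeholders, and a urllib-based fetcher is included for use against a live page.

```python
"""
Added example (not from the Websense post): detect referrer/user-agent cloaking
by requesting the same URL under several request profiles and comparing where
each one is sent. The fetcher is injected, so the probe runs offline here
against a simulated responder that mimics the behaviour the post describes;
hostnames and the search term below are constructed placeholders.
"""
import urllib.error
import urllib.request
from urllib.parse import urlsplit

# Request profiles mirroring the post's screenshots: a direct paste into a
# browser, a crawler user-agent, and a click-through from Google search results.
PROFILES = {
    "direct": {"User-Agent": "Mozilla/5.0 (analyst)"},
    "googlebot": {"User-Agent": "Googlebot/2.1 (+http://www.google.com/bot.html)"},
    "from_search": {"User-Agent": "Mozilla/5.0 (analyst)",
                    "Referer": "https://www.google.com/search?q=bloombox"},
}


def probe_cloaking(url, fetch, profiles=PROFILES):
    """Fetch url once per profile; return {profile: (status, location_or_None)}."""
    return {name: fetch(url, headers) for name, headers in profiles.items()}


def is_cloaked(results):
    """Cloaking is suspected when the profiles are redirected to different hosts."""
    hosts = {urlsplit(loc).hostname for _, loc in results.values() if loc}
    return len(hosts) > 1


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following redirects so we only see the first hop."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def live_fetch(url, headers, timeout=10):
    """Real fetcher for use against a live page (not exercised offline)."""
    req = urllib.request.Request(url, headers=headers)
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, None
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location")


def fake_cloaking_server(url, headers):
    """Constructed stand-in for the compromised host's PHP redirector.

    A browser arriving from a Google search page is sent to the rogue AV site;
    direct visits and crawlers are sent to a news site (as in screenshots 3-5).
    """
    ua = headers.get("User-Agent", "")
    ref_host = urlsplit(headers.get("Referer", "")).hostname or ""
    from_google_search = ref_host.endswith("google.com")
    is_crawler = "Googlebot" in ua
    if from_google_search and not is_crawler:
        return 302, "http://rogue-av.example/scan.php"
    return 302, "http://news-site.example/"


if __name__ == "__main__":
    target = "http://compromised-host.example/redirect.php?q=bloombox"
    results = probe_cloaking(target, fake_cloaking_server)
    for profile, (status, location) in results.items():
        print(f"{profile:12s} -> {status} {location}")
    print("cloaking suspected:", is_cloaked(results))
```

Comparing only the first hop matters: following the redirect chain automatically would land the "direct" profile on the news site and hide the fact that a search visitor is sent somewhere else entirely.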

Such PHP sites will work for any Black Hat SEO hot topics, as any parameter (search term) being passed to the PHP site will work in exactly the same way.

As major events reach the news and articles are being posted, that's where the search terms are being taken from. Also, all the pages redirecting to these high-ranked sites (especially using a 301 or 302 redirect) automatically start to get higher ranking.

Most of the time, Black Hat guys compromise hosts with a good "Google reputation", so once the PHP file is uploaded and "glued" to a news site, it's only a short time before it is seen in the top search results.

Of course, Google and other search sites know about these techniques and do their best to block Black Hat activities. However, as always this is the thin end of the wedge. Cybercriminals compromise as many legitimate sites as possible and just wait for a major event to use. They have no fear of being banned or delisted – they never use their own domains. In a few hours, compromised sites get a high page rank and will stay at the top for several hours, which is enough time for them to get good traffic into their rogue AV or other “chunky” goods sites.

Unfortunately, this is only a short list of the many popular and widely used tricks employed by bad guys. When companies like Google or Yahoo patch one hole, the Black Hats find a new one in literally a matter of minutes. As we wrote at the beginning, Black Hat SEO is like a celebrity life - an easy and fast rise to fame, and very short lived. Do not be optimistic though. There are always thousands of others having "great ideas" and waiting to take a place in the front row of this show.

Security Researchers: Artem Gololobov, Ivan Sabo

Patrik Runald

Adventures in Spam: Hollywood-style spamming
Posted: 27 May 2009 12:07 PM

If you think image spam is elaborate, think again!

At Defensio, we see all kinds of crazy and innovative spam each day. But recently, something we never thought we'd ever see showed up on our radar: a significant influx of VIDEO spam, most of it hosted on YouTube.com. I guess this just shows how far spammers are ready to go to sell their junk.

Here's a screenshot...

What do you think will be the next trend in spam?

Defensio, the blog

©2013 Websense, Inc. All Rights Reserved.