2013 Threat Report: More Than Scary Stats and Chilling Charts
Posted: 13 Feb 2013 08:30 AM

The 2013 Threat Report from the Websense® Security Labs™ is now available.

 

The report details mobile, social, email and web-based threats, and while it is full of ominous data points, it is a very interesting read. The report is designed to help security professionals keep current with threat trends and improve the effectiveness of existing security solutions. It can also be used to identify and prioritize security gaps that may require new approaches and more innovative strategies.

 

The report draws on the Websense ThreatSeeker® Network, whose big data clusters the Websense Security Labs (WSL) use to collect and manage up to 5 billion inputs each day from 900 million global endpoints. Malware samples, mobile applications, email content, web links and other inputs were then passed through deep analysis, including Websense ACE (Advanced Classification Engine), which applied over 10,000 different analytics.

 

Here is a sampling of key findings from this year's report:

 

  1. Web Security. The web became significantly more malicious in 2012, both as an attack vector and as the primary support element of attacks that originate through social media, mobile devices and email. Researchers measured an alarming 600 percent increase in the use of malicious web links across all vectors.
  2. The Social Web. Malicious content on social media was hidden behind shortened web links 32 percent of the time. Social media attacks took advantage of the confusion created by new features, changing services and unsophisticated users.
  3. Mobile Security. A study of last year's malicious apps revealed how often they abuse permissions, especially SMS permissions, which very few legitimate apps request. Risk also increased as mobile devices were used for social media and web browsing more often than for actually making phone calls.
  4. Email Security. Only 1 in 5 emails sent was legitimate: spam increased to 76 percent of email traffic, and 92 percent of spam included links to potentially malicious content. Phishing threats delivered via email also grew.
  5. Malware Behavior. Forensic analysis found that registry modification, once a key indicator of malicious behavior, now occurs in only 7.7 percent of malware; malware has instead become increasingly Internet-connected. Half of all malware that used the Internet for communication downloaded additional malicious executables, extending its attack capabilities, within the first 60 seconds.
  6. Data Theft. Key changes in data theft targets and methods took place last year. Reports of intellectual property (IP) theft increased, and theft of credit card numbers and other Personally Identifiable Information (PII) continued to grow. Hacking, malware and other cyber-threats remained common methods of attack. However, some of the largest thefts also involved physical penetration of security, often aided by employees acting willfully.

 

Because today's attacks occur in multiple stages through numerous vectors, the report includes an appendix on The Seven Stages of Advanced Threats. This methodology for analyzing and classifying cyber-attacks provides a useful framework for organizations to assess their current defenses against their security profile, identify weaknesses and develop a more comprehensive strategy for withstanding next-generation attacks. A summary of the Websense 2013 Security Predictions report is also included for planning purposes.

Click for a video introduction or download a copy of the 2013 Threat Report.

I have the latest WordPress version - is my Website protected?
Posted: 13 Mar 2012 04:00 AM

A few days ago, Websense® SecurityLabs™ detected a large-scale malware campaign mainly targeting WordPress pages. We have received many questions about who and which websites are in danger and how to protect against this attack. While many forum posts and comments speculate that outdated WordPress versions are at fault, unfortunately, we found that this is not true. We dug a bit into this subject and analyzed 30,000 domains to see what types and versions of CMS (Content Management System) have been compromised so far.

 

We checked several aspects of each compromised website and concluded that most of them run the Apache web server with PHP. As the pie chart below shows, PHP dominates the server side:

Digging a little deeper, we were also able to examine which CMSs were victims of the attack. When we first discovered the attack we found only WordPress sites, and after a week or so the picture had not changed much: WordPress still accounts for the majority of the compromised websites, although we did see a small number of other CMSs as well. We also noticed a growing number of affected Joomla sites, with all other content management systems making up a much smaller slice.

The big question still remains: Is my Website protected if I use the latest WordPress version? Checking all WordPress sites, we conclude that most of the compromised sites were in fact using the most recent version, which indicates that having the latest version of WordPress does not make you immune to this threat. 

 

So how can you protect yourself? Here are the dominant vectors through which websites running the latest WordPress version are most likely to be compromised:

 

  • Weak passwords / stolen credentials
  • Vulnerable third-party modules used in WordPress
  • Security holes in the underlying server infrastructure, such as in the database server or the server side scripting engine (PHP in this case)

 

Websense Security Labs strongly recommends that website owners perform security audits and fix every problem found to keep attackers away from their sites. Websense customers are protected from websites with injected code by our Advanced Classification Engine, or ACE, which detects compromised websites in real time.
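The second vector above, vulnerable third-party modules, can only be audited once you know exactly what is installed and at which version. The script below is an added example (it is not Websense code and not part of WordPress) that builds that inventory from the two places WordPress itself records versions: the $wp_version assignment in wp-includes/version.php and the "Plugin Name:" / "Version:" comment header at the top of each plugin's main file under wp-content/plugins. The sample docroot, the plugin called Old Gallery and the version floors passed to flag_outdated are constructed for the demo; the paths and the header format are the real WordPress ones.

```python
import os
import re
import tempfile

# WordPress records the core version as: $wp_version = '3.3.1';
WP_VERSION_RE = re.compile(r"\$wp_version\s*=\s*'([^']+)'")
# Plugin headers sit in a comment block at the top of the plugin's main file,
# e.g. " * Plugin Name: Akismet" / " * Version: 2.5.3"; the prefix class mirrors
# the comment decoration WordPress tolerates in front of a header key.
HEADER_RE = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.*?)\s*$", re.MULTILINE)


def core_version(docroot):
    """Return $wp_version from wp-includes/version.php, or None if absent."""
    path = os.path.join(docroot, "wp-includes", "version.php")
    with open(path, encoding="utf-8", errors="replace") as f:
        match = WP_VERSION_RE.search(f.read())
    return match.group(1) if match else None


def _plugin_header(path):
    """(name, version) if the file carries a plugin header, else None."""
    with open(path, encoding="utf-8", errors="replace") as f:
        head = f.read(8192)  # WordPress only reads the first 8 KB for headers
    fields = dict(HEADER_RE.findall(head))
    if "Plugin Name" not in fields:
        return None
    return fields["Plugin Name"], fields.get("Version") or None


def plugin_versions(docroot):
    """Map plugin slug (directory name, or file name for single-file plugins)
    to (name, version). PHP files without a plugin header are ignored."""
    plugins_dir = os.path.join(docroot, "wp-content", "plugins")
    inventory = {}
    for entry in sorted(os.listdir(plugins_dir)):
        full = os.path.join(plugins_dir, entry)
        if os.path.isdir(full):
            candidates = [os.path.join(full, f) for f in sorted(os.listdir(full))
                          if f.endswith(".php")]
        elif entry.endswith(".php"):
            candidates = [full]
        else:
            continue
        for path in candidates:
            header = _plugin_header(path)
            if header:
                inventory[entry] = header
                break
    return inventory


def parse_version(version):
    """'2.5.3' -> (2, 5, 3); a missing version -> () so it ranks below any floor."""
    return tuple(int(x) for x in re.findall(r"\d+", version)) if version else ()


def flag_outdated(inventory, minimums):
    """Slugs whose version is missing or below the floor set in `minimums`
    (a constructed policy dict: slug -> lowest acceptable version)."""
    flagged = []
    for slug, (_name, version) in inventory.items():
        floor = minimums.get(slug)
        if floor is not None and parse_version(version) < parse_version(floor):
            flagged.append(slug)
    return flagged


def build_sample_tree():
    """Create a throwaway docroot with real WordPress paths and constructed
    plugin files (demo data, not a real install)."""
    root = tempfile.mkdtemp(prefix="wp-demo-")
    os.makedirs(os.path.join(root, "wp-includes"))
    with open(os.path.join(root, "wp-includes", "version.php"), "w") as f:
        f.write("<?php\n$wp_version = '3.3.1';\n")
    plugins = {
        "akismet/akismet.php": "/*\nPlugin Name: Akismet\nVersion: 2.5.3\n*/\n",
        "old-gallery/old-gallery.php": "/**\n * Plugin Name: Old Gallery\n * Version: 1.0.2\n */\n",
        "no-version/no-version.php": "/*\nPlugin Name: No Version Header\n*/\n",
        "hello.php": "/*\nPlugin Name: Hello Dolly\nVersion: 1.6\n*/\n",
        "index.php": "// Silence is golden.\n",
    }
    for rel, body in plugins.items():
        path = os.path.join(root, "wp-content", "plugins", rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as f:
            f.write("<?php\n" + body)
    return root


if __name__ == "__main__":
    docroot = build_sample_tree()
    print("WordPress core:", core_version(docroot))
    inventory = plugin_versions(docroot)
    for slug, (name, version) in inventory.items():
        print(f"  {slug:12s} {name:20s} {version}")
    print("flagged:", flag_outdated(inventory, {"old-gallery": "1.1.0", "no-version": "1.0"}))
```

Point the functions at a real docroot instead of build_sample_tree() and feed flag_outdated the minimum versions your own patch tracking requires; a plugin that carries no Version header at all is flagged on purpose, because it cannot be matched against any advisory.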

 

 

A typosquat hostname list for Xmas
Posted: 08 Dec 2011 05:06 PM

 

A few weeks ago, we published a blog about typosquatting. This time, we're going to give an actual example of typosquat hosts found in the wild and show how typosquatting scams work. We'll take you through a typosquatting campaign that abuses tens of well-known brands and includes thousands of registered typosquat hosts (a typosquat hive). After that, we'll offer a list of hundreds of typosquatting hosts from that hive, all of which can be found in the wild. The list is free to download for any of you who are into IT security -- so this Xmas can be a bit safer.

 

In this blog we'll cover:

 

- A typosquatting example: If you make the wrong typo, where will it take you, and how does it work?

- A typosquat hive example from the wild - how does it work, which brands are targeted, and where will the typosquat take you?

- Which countries the typos are coming from with this campaign.

- Where the scam infrastructure is located. 

- A list of hundreds of hosts used for typosquatting found in the wild. The list is free to download.

 

A typosquatting example: If you make the wrong typo, where does it take you?

 

We've all made typing mistakes when typing a Web address in our browser. In better cases, we get nothing more than a 404 not found error. In worse cases, we might be redirected to a scam site or a malware/exploit site.

 

Usually, in the case of typosquatting-based cyber crimes, the victim that mistakenly made the typo is redirected to a scam site that tries to take advantage of the victim's state of mind. For example, victims who thought they typed in the right Web address might not notice if they see a scam site with the look and behavior that they expect, and that can profit the scammer. Victims might see a site with the same color scheme and theme as the brand or site they intended to go to, hand-in-hand with false congratulations on being a random winner who will receive a prize for completing a short survey. The following video shows how it works:

A "typosquat hive" example from the wild: How does it work?

 

Typosquatting is illegal in the US. Nonetheless, a lot of typosquatting sites are hosted in the US. As an example, at the bottom of this blog, you'll find a list of hundreds of hosts that are part of a typosquat hive (the hive itself contains thousands of hosts), and all of them are hosted in the US. We call it a hive because all of the listed hosts have a connection, and were most likely set up by the same cybercriminals.

 

How does this specific scam work? Please refer to the image below, and we'll take you step-by-step right through it. The typosquat hive (marked 1 in the diagram) consists of many hostnames registered by the cybercriminals. (If you have a look through the list linked at the bottom of the blog, you'll find those names there.) The list consists of a lot of names that target very well known brands. The cybercriminals are interested in breadth -- they want to target as many well-known brands as possible, because that gives their scam good exposure. The cybercriminals in control of the hive (the registered typosquat domains) have a few options for how to use the sites. They can set up their own scam infrastructure, like the premium rate phone number system we saw in the video above. More usually, the cybercriminals that own the hive partner with other cybercriminals that already have the scam infrastructure established (marked 2). The scam infrastructure is where the victim (marked 3) is ultimately led to be separated from his or her money after making a typo in the browser. The scam infrastructure consists of Web servers, changing domain names, and the enticing scam content that victims see.

 

The agreement between the cybercriminals that own the hive and the ones that own the scam infrastructure could be either a fixed fee for the time the typosquat hive is used or, more often, a "per traffic" agreement. The latter means the owner of the hive gets a cut based on the actual number of victims that fall for the scam: for example, a percentage from the victims that registered for a premium number text service that costs £3 a message. Once the agreement is set up, the owners of the hive point the hosts they own to the name servers that are part of the infrastructure built by their "partner in scam" (marked 4) for as long as the agreement is on.

 

The typosquat hive in our example targets mainly UK brands (list available for download at the end of the blog). Here are just a few examples from that list of registered typosquatting domains in the hive, including the brands they're targeting:

 

johnlwis.com (targets the legitimate Web site johnlewis.com)

arrgos.co.uk (targets the legitimate Web site argos.co.uk)

debnhams.co.uk (targets the legitimate Web site debenhams.com)

 

As UK Web sites and brands are the main target, most of the requests coming to this typosquat hive originate from the UK (victims making easy typos). Please refer to the pie chart below to see the location distribution of users that end up at a typosquat host in this hive, as observed in the Threatseeker™ Network over one week. It's natural to see multiple countries, as UK residents roam and brands offer services and products that are available globally.

The scam infrastructure is hosted in the US

 

Typos that go to a host in the hive lead to a scam site. For example, when this blog post was created, typing in johnlews.com redirected any victim to the scam site surveystartweb.com as seen in the diagram below (click to enlarge). Much as in the scam featured in the video, victims are informed that they won a desirable product, and are asked to register to a premium rate number service (click on the second image to see an animation of the redirection in the browser).

Animated GIF showing the redirection to the scam site after making the typo (click to open - the animation loops):

In this example, surveystartweb.com is part of the scam infrastructure and ultimately redirects to promotions.djummer.com, where victims are likely to be separated from their money. The scam infrastructure consists of many hosts that hold basically the same content. In essence, different typos lead to different scam hosts and URLs that usually follow the same principle, as in this case where victims are led to a premium rate number service. Using the Threatseeker Network, it is possible to check how many unique scam URLs are identified as part of the same scam infrastructure. If you check the graph below, you can see that observing live data for a week yielded an average of 121 unique URLs per day.

 

The GeoIP location of the URLs within the scam infrastructure is mainly in the US, a fact we found astounding. Check out the pie chart below to see the GeoIP location distribution of all the hosts known to be part of the scam infrastructure, as observed by the Threatseeker Network over one week.

Some final words

 

It's important to note that good typosquat hosts are very valuable to their cybercriminal owners. There are two main reasons for this:

 

1. A key sequence that is both a common typo and visually close to the legitimate, targeted site name is rare. Only a limited number of adjacent keys are likely to produce a typo: for example, instead of the letter "P," it is easy to hit the neighbouring "O."

 

2. Once a typosquat domain is spotted, it's blacklisted and lost forever.

 

For these reasons, it's not a surprise to see typosquat hosts that don't serve scams lying low for a time, coming to life and serving scams for a short while, and then going back to covert mode. It's also common for typosquat hosts to employ evasion tactics while they lie low; one method is to redirect any users or nosy researchers to the legitimate Web site to avoid suspicion. Other tactics could involve blacklisting probing users or researchers that try to poke around the hive.
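To see the hop-by-hop redirection described above (typo host, then surveystartweb.com, then promotions.djummer.com) and to spot a host that is lying low by bouncing visitors back to the brand, a researcher needs a client that records each Location header instead of silently following it. The script below is an added example, not Websense tooling. The hop table is constructed: the johnlews.com chain follows the post but its paths and query strings are made up, the arrgos.co.uk-to-argos.co.uk hop is invented to illustrate the lying-low tactic, and loop.example exists only to exercise loop detection. live_fetch is the real-network variant and should only be run from an isolated research machine, since these hosts are hostile.

```python
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib raise HTTPError on 3xx instead of silently following it."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def live_fetch(url, timeout=10):
    """One request with no redirects followed: returns (status, Location or None).
    Only sees HTTP redirects; meta-refresh and JavaScript redirects need a browser."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": "Mozilla/5.0"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, None
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location")


def follow_chain(start, fetch, max_hops=10):
    """Walk HTTP redirects from `start`, returning (urls_visited, outcome).
    outcome is 'landed' (a non-3xx answer), 'loop', or 'too_many_hops'."""
    chain, seen, url = [start], {start}, start
    for _ in range(max_hops):
        status, location = fetch(url)
        if not (300 <= status < 400 and location):
            return chain, "landed"
        url = urljoin(url, location)  # Location may be relative
        chain.append(url)
        if url in seen:
            return chain, "loop"
        seen.add(url)
    return chain, "too_many_hops"


# Minimal public-suffix handling so argos.co.uk and www.argos.co.uk compare equal.
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "gov.uk"}


def registrable(url):
    """The registrable part of a URL's host name (assumes the short suffix list above)."""
    host = urlsplit(url).hostname or ""
    labels = host.lower().split(".")
    keep = 3 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])


def verdict(chain, brand_url):
    """'lying_low' when the typo lands on the brand itself, else 'third_party'."""
    return "lying_low" if registrable(chain[-1]) == registrable(brand_url) else "third_party"


# Constructed hop table standing in for the live network (see lead-in).
SAMPLE_HOPS = {
    "http://johnlews.com/": (302, "http://surveystartweb.com/?src=jl"),
    "http://surveystartweb.com/?src=jl": (302, "http://promotions.djummer.com/win"),
    "http://promotions.djummer.com/win": (200, None),
    "http://arrgos.co.uk/": (301, "http://www.argos.co.uk/"),
    "http://www.argos.co.uk/": (200, None),
    "http://loop.example/a": (302, "/b"),
    "http://loop.example/b": (302, "/a"),
}


def sample_fetch(url):
    """Offline stand-in for live_fetch, answering from SAMPLE_HOPS."""
    return SAMPLE_HOPS.get(url, (404, None))


if __name__ == "__main__":
    cases = [("http://johnlews.com/", "http://johnlewis.com/"),
             ("http://arrgos.co.uk/", "http://argos.co.uk/"),
             ("http://loop.example/a", "http://loop.example/")]
    for typo, brand in cases:
        chain, outcome = follow_chain(typo, sample_fetch)
        print(f"{outcome:13s} {verdict(chain, brand):11s} " + " -> ".join(chain))
```

Swap sample_fetch for live_fetch to walk a real chain; because a hive host may answer researchers differently from victims, compare results across user agents and source addresses before concluding that a host is dormant.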

 

It's important to remember that legitimate Web sites and the companies behind them sometimes employ a strategy of buying typosquat hosts that are similar to their site's name. This is a good strategy for successful Web sites, as those companies usually understand the dangers of typosquatting and how their brand name can be affected and abused. Kudos go to Amazon, which registered a good number of potential typosquat hosts, including aqmazon.com, amaxzon.com, amzon.com, and many more. These are all GOOD hosts registered by Amazon itself, leaving no chance for abuse as long as they remain registered to Amazon. 
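An added example (not from the post or from Websense) of what reason 1 above implies in practice: with a keyboard-adjacency table, every single-slip typo of a brand label can be enumerated, each hive domain quoted in this post can be classified by the slip that produced it, and a brand can see which candidates its defensive registrations, like Amazon's, still leave open. The QWERTY layout table and the Amazon coverage check are assumptions made for the demo; the domain labels are the ones quoted in the post, with the TLD stripped.

```python
# Staggered QWERTY layout used for the "nearby key" slips the post describes
# (an "o" typed instead of a "p"). Constructed table; swap in AZERTY etc. per market.
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
_POS = {ch: (r, c) for r, row in enumerate(KEYBOARD_ROWS) for c, ch in enumerate(row)}


def neighbours(ch):
    """Keys physically adjacent to `ch`: same row left/right, the row above at
    the same column and one to the right, the row below at one to the left and
    the same column (that is how the rows are offset on a real keyboard)."""
    if ch not in _POS:
        return []
    r, c = _POS[ch]
    spots = [(r, c - 1), (r, c + 1), (r - 1, c), (r - 1, c + 1), (r + 1, c - 1), (r + 1, c)]
    return [KEYBOARD_ROWS[rr][cc] for rr, cc in spots
            if 0 <= rr < len(KEYBOARD_ROWS) and 0 <= cc < len(KEYBOARD_ROWS[rr])]


def typo_candidates(label):
    """Map every single-keystroke typo of `label` to the kind of slip behind it.
    The first kind that produces a string wins, so a candidate is reported once."""
    kinds = {}
    n = len(label)
    for i, ch in enumerate(label):
        kinds.setdefault(label[:i] + label[i + 1:], "omission")            # johnlewis -> johnlwis
        kinds.setdefault(label[:i] + ch + label[i:], "doubling")           # argos -> arrgos
        if i < n - 1:
            swapped = label[:i] + label[i + 1] + ch + label[i + 2:]
            kinds.setdefault(swapped, "transposition")                     # amazon -> amzaon
        for k in neighbours(ch):
            kinds.setdefault(label[:i] + k + label[i + 1:], "substitution")   # p -> o
            kinds.setdefault(label[:i] + k + label[i:], "insertion")          # amazon -> amaxzon
            kinds.setdefault(label[:i + 1] + k + label[i + 1:], "insertion")  # amazon -> aqmazon
    kinds.pop(label, None)  # swapping two identical letters returns the label itself
    return kinds


def typo_kind(legit, observed):
    """Which single slip turns `legit` into `observed`, or None if it is not one."""
    return typo_candidates(legit).get(observed)


def still_open(label, defensively_registered):
    """Candidates not covered by the brand's own defensive registrations."""
    return sorted(set(typo_candidates(label)) - set(defensively_registered))


if __name__ == "__main__":
    # Hive domains and the brands they target, as quoted in the post.
    observed = [("johnlewis", "johnlwis"), ("argos", "arrgos"),
                ("debenhams", "debnhams"), ("johnlewis", "johnlews")]
    for legit, typo in observed:
        print(f"{typo:10s} <- {legit:10s} {typo_kind(legit, typo)}")
    # Three of Amazon's defensive registrations named in the post; treating them
    # as the whole set is an assumption for the demo.
    covered = {"aqmazon", "amaxzon", "amzon"}
    gaps = still_open("amazon", covered)
    print(f"amazon: {len(typo_candidates('amazon'))} single-slip typos, "
          f"{len(gaps)} not covered, e.g. {gaps[:5]}")
```

Run typo_candidates over your own brand labels and the TLDs you serve, then check the output against WHOIS and your blocklists: anything you neither own nor block is a candidate for the kind of hive described above.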

 

We'd also like to add that other means can be used to redirect or lure victims to the scam infrastructure. For example, not long ago we noticed a spammy Facebook campaign titled "In Memory of Steve Giving Away 1000 iPad 2s" that propagated throughout Facebook and ultimately led victims to the same infrastructure.

 

A list of hundreds of hosts used for typosquatting found in the wild and free to download.

 

Download the full list from here 3324.typo_list_.txt. Please exercise CAUTION as these domains aren't safe. We strongly advise that you not load them in a browser.

Elad Sharf

Did you know ... about the dangers of online drug shopping?
Posted: 09 Nov 2011 09:00 PM

Increases in prescription prices and lower insurance benefits have prompted many to look for bargain drugs on the Internet. There are legitimate pharmacies online, but as the highly qualified nurse below suggests, there are obvious dangers. And many dangers that are not so obvious.

Websites that offer illegal drugs, anabolic steroids and prescription drugs “with no prescription needed!” are clearly dodgy, and are classified by Websense under the category “Abused Drugs”.

 

Products from these sites may be ineffective at best or dangerous at worst. For example, counterfeit tablets of the weight-loss drug, Alli, seized by the U.S. Food and Drug Administration were found to contain twice the recommended dose of another substance that has been associated with heart problems.


Some sites offer a veritable supermarket of illegal drugs, assuring buyers anonymity through the use of Bitcoin, a supposedly untraceable online currency, and other “guarantees.” These protections may not be as effective as users think they are. 

 

Besides the danger of ingesting unknown substances and falling foul of the law, buyers of online drugs risk other dangers as well. Nicolas Christin, a computer scientist at Carnegie Mellon University, found that 32% of searches for prescription drugs led to URLs that were infected with malicious code. Legitimate university sites and even trusted .gov sites are often hijacked and redirect to illegal online pharmacies.  Malicious links can be uploaded as comments to message boards and forums of legitimate sites, often by spam bots posting to thousands of sites.

 

In addition, new synthetic drugs such as "bath salts" and "spice" have been flying under the radar of law enforcement. The effects of these drugs are finally bringing them to headlines—and emergency rooms.  Both drugs exist in a legal limbo which has been exploited by Internet sales.

 

Synthetic cannabinoids, known as "spice" or "incense," are touted as a legal alternative to marijuana, but seem to have much more dangerous side effects, possibly due to adulteration with unknown ingredients. The composition of so-called "bath salts" has not yet been conclusively determined, but these synthetic stimulants have nothing to do with floral scents or relaxing bathtub soaks. Sold as "bath salts," "plant food," etc., to skirt drug laws, they are produced by illegal street chemists - with all of the risks that implies. Reported effects include paranoia, hallucinations, high blood pressure, and violent behavior towards oneself and others.

 

Despite more and stricter laws against possession and distribution of synthetic drugs, they are freely available via the Internet. 

 

Websense ® customers are protected from the dangers of these sites by ACE, our Advanced Classification Engine.

©2013 Websense, Inc. All Rights Reserved.