More Olympic Dangers…
Posted: Thursday, February 02, 2012 5:57 by Patrik Runald
The Olympics display peak athletic achievements. But recent activity we have seen in the Security Labs makes us think that they are also inspiring others to new heights, or in this case, lows. As we suggested in our 2012 predictions, just as any big event...   Read more >
QR Codes and the Damage (to be) Done?
Posted: Sunday, January 15, 2012 10:00 by Patrik Runald

When we were looking at putting out our Websense Security Labs predictions for 2012, we knew that mobile threats were going to be big this year. While we included one prediction on it, there was one piece that I had thought of, but didn’t include. It’s still a ways away, but Paul Henry has an excellent write up on “QR Codes – Leading Lambs To the Slaughter.”

He correctly points out that these “ultimate url-obfuscators” can be a serious threat down the line.

It’s a good reminder that any applications on workforce mobile devices need to be properly sandboxed from the operating system. We’ve already noted in Websense Security Labs research that there are challenges with certain platforms and there are a number of mobile malware variants, including Trojans on handhelds.

It’s interesting to think about how QR codes as threats continue to evolve in the mobile landscape. What’s funny is that as I was writing this, our Security Labs researchers discovered QR codes being used in a new way: through a spam campaign.

What do you think about QR codes?


...   Read more >
Top Twitter tips for celebrity watchers
Posted: Wednesday, December 28, 2011 6:40 AM by Elad Sharf

Last week, Lady Gaga became the latest celebrity to have her Twitter account hacked. In this instance the hacker used it to attract clicks to a scam offer for a free iPad. While this scam was designed to collect information rather than inject malware or data stealing code, it was incredibly effective. Hundreds of thousands of clicks happened in a very short amount of time before the post was taken down.

As a Security Researcher in the Websense Security Labs I’m often called upon to explain the dangers associated with these types of hacks, and how to avoid falling victim. It's a tough one because once an account is taken over, the hacker mimics or impersonates the true owner of the account. In the Lady Gaga example the rogue tweet used the nickname "monsters", a term her fans will be familiar with, making it all the more believable.

Here are some tips for staying safe while following celebrities on Twitter...

...   Read more >
2012 Cyber Security Predictions from the Websense Security Labs
Posted: Thursday, November 17, 2011 8:05 AM by Patrik Runald

With all of the crazy 2011 security breaches, exploits and notorious hacks, what can we expect for 2012? Last year’s Websense Security Labs predictions were very accurate, so these predictions should provide very useful guidance for security professionals. Here are the highlights; the full report can be downloaded here.

Read more commentary and watch the video here.

...   Read more >
Websense 2011 predictions score A-, 2012 predictions coming soon…
Posted: Tuesday, November 15, 2011 2:01 by Patrik Runald
About a year ago we predicted what the biggest security risks would be in 2011 and as we're coming up towards the end of the year we wanted to see how accurate these predictions were. We have rated our 2011 predictions on a scale of A-F. Here we go...   Read more >
Businessweek: Beware of Typosquatters!
Posted: Monday, November 07, 2011 1:03 AM by Talia James

Darn – you typed “Faecbook” instead of “Facebook” again… and sneaky scammers are taking advantage of your misspellings online. Businessweek recently wrote an article featuring Websense on the rise of “typosquatters,” the bad guys who buy domain names spelled similarly to those of real companies to take advantage of fat-fingered users.

Businessweek outlines an extensive history of typosquatting, and features Websense research on the subject. The Websense Security Labs are quoted for the statistic that more than 62 percent of the active domain names based on common misspellings of Facebook (and not owned by Facebook) led to scams or malicious sites.

Typosquatting is a cheap way to get a lot of traffic, and poses major risks to corporate confidential information. Read more from the Security Labs blog on typosquatting here.

Find out how to protect your organization from security threats like typosquatting here.

...   Read more >
Wall Street Journal: Advice on how to react if you’ve been hacked
Posted: Tuesday, September 27, 2011 7:04 AM by Talia James

Your worst nightmare has come true: your business has been hacked! What do you do? Today, the Wall Street Journal published an article addressing this worst-case scenario with an insightful to-do list for companies facing a data breach.

While a breach will likely set a company back financially, there are steps a business can take to reduce the damage and prevent the event from having a long-lasting impact. The article calls for multiple steps. One in particular is to determine if the breach is still open – companies are warned not to assume that just because one infected computer has been cleaned up or removed, the attack is over. The intruder could have taken control of multiple machines. Patrik Runald, Senior Security Research Manager at Websense, is quoted in the article on this subject:

“Hackers often send data to so-called dynamic hosts that constantly change their Internet addresses. Most legitimate websites don't use this kind of addressing. If data are still being sent to these types of addresses, it's a possible sign that a breach is still happening.” – Patrik Runald, Websense

The Wall Street Journal cites the Identity Theft Resource Center, which reports that last year, 662 organizations publicly disclosed data breaches. However, the actual number is likely much higher than that, since not all hacking incidents are disclosed. With all of the major security breaches we’ve seen in the last year, it is impossible to ignore the need for organizations to tighten up their security strategy. Cybercrooks are using every possible vector to penetrate your networks and traditional security solutions just don’t cut it. Find out how to protect your organization from the latest targeted attacks here.


...   Read more >
New research: the "malware adoption lifecycle"
Posted: Wednesday, August 24, 2011 8:21 AM by Patrik Runald


The media is buzzing with stories of state-sponsored hacking and so-called advanced persistent threats, as well as high-profile data-theft attacks by cybercriminals. So what does this mean to everyday business owners and managers, companies that aren’t defense contractors or giant corporations?

It means watch out. The wildly successful techniques used in state-sponsored attacks are moving down a malware adoption lifecycle. Yesterday’s million-dollar, well-planned, high-profile attack quickly becomes a $25 exploit kit available online to armies of low-level hackers.

This is phase two of advanced threats. This army of profit-driven hackers is using the same advanced techniques to steal any data that they can get their hands on to sell, fence or ransom. No one is safe, because traditional defenses don’t work against advanced malware. And the cybercriminals are targeting every kind and size of business.

This is the part of the story that people need to hear: While the big-name breaches get the headlines, too many companies get lulled into a false sense of security thinking that they are safe because they don’t have state secrets. Our research shows how the advanced techniques used in APT attacks move downstream. From state-sponsored groups, to criminal gangs, and ultimately to individual hackers—they are hitting any business with anything of value. Because that’s where the money is. And it’s easy pickings because their antivirus software is defenseless against these advanced methods. Here’s how we see the malware adoption lifecycle playing out in the wild: 


...   Read more >
Websense Security Labs Weekly Video
Posted: Saturday, July 30, 2011 8:10 AM by Matthew Mors


The Websense Security Labs™ are recognized worldwide for their threat expertise and research on the latest trends and exploits on the wild Web. Recently, the Security Labs began their Video Diary series, a quick look at what they are working on or what's hot in security research for that week. These quick insights can be found every week at the Security Labs home page. Archived episodes can be found by clicking on the video player and scrolling across the bottom.

This week, Stephan Chenette and Elad Sharf talk about a recent event in which the Security Labs provided customers a hands-on training experience, sharing how our researchers analyze and understand threats on the Web. This week's video is featured here.

You can follow the Weekly Video Diary, along with Websense Security Labs Alerts by subscribing to the RSS feed, so you don't miss any breaking security news.


...   Read more >
Oslo Bombing Facebook Scams Infecting 1 User Every Second
Posted: Saturday, July 23, 2011 12:55 AM by Patrik Runald


Websense Security Labs has found an alarming number of Facebook scams taking advantage of today’s tragedy in Oslo, Norway. Right now it seems to be infecting one user every second. The scam is a form of ‘clickjacking’ that replicates itself on users’ walls after they click on fake posts within their news feed.

This Facebook scam is unfortunate, but a very real threat. Criminals know how to take advantage of disasters and the hottest news items to get people to click on infected links. Tragedy is just one type of news that the bad guys use to exploit, compromise and infect your computer. Videos are an especially popular lure; we saw the same thing when Osama bin Laden died and when Casey Anthony was acquitted. During times of crisis or breaking news, your best bet is to stick with the largest news organizations you trust. Avoid the potentially dangerous halls of search engines and social media sites, which are more susceptible to compromise and manipulation.

Users should also be cautious when clicking on breaking news trends and stories within search results related to the Oslo tragedy. Websense Security Labs have found that searching for breaking trends and current news represented a higher risk (22.4%) than searching for objectionable content (21.8%), including pornography.


...   Read more >
Shutting the Door on Data Theft - Upcoming Webinar
Posted: Tuesday, July 19, 2011 7:06 by Patrik Runald


A while back it seemed like you just had to worry about foreign governments or competitors going after your IP, and cybercriminals stealing your money. As if that weren’t bad enough, now all of a sudden it’s cool to be a hacker again? Media notoriety elevates the atmosphere around the black, white, and grey hat communities.

So now, hordes of pros and semi-pros are armed with the same arsenal of tools and exploits. I’ve heard that breaches run in the hundreds of dollars per record, but if it is your IP that is stolen, the fundamental ingredients that make your business what it is, the pain can be even greater.

So, how do they do it? These bad guys are creating code that knows where your weaknesses are and searches out your most valuable data. They use combinations of email and web tactics, gain a foothold in your system and then have almost free rein to exfiltrate any data they think they can monetize.

How easy is it to evade detection? Well, John Strand just posted an excellent article about how to bypass AV on Pauldotcom. I think it’s almost required reading for anyone protecting a network.

In addition – tomorrow I’m going to be hosting a Webinar on some of our research on attacks, attack types and how you can stay ahead in the game. It’s a dog eat dog world out there, and there is a lot at stake. Join me and we’ll talk it through. You can register for the webinar here: https://connect.websense.com/e15206815/event/event_info.html

I look forward to sharing with you.


...   Read more >
CIO: 4 Tips for keeping your iPhone and iPad safe
Posted: Monday, July 11, 2011 1:15 AM by Talia James

CIO just released an article featuring Websense on best practices for securing your iPhone and iPad in light of the recent iOS vulnerability, Jailbreakme.com 3.0.

Jailbreakme.com 3.0 operates by exploiting a vulnerability in the PDF reader. All users have to do to install the jailbreak is to click on an app-like button – within a few seconds, their phones are opened up to apps outside of Apple’s approval.

Websense security research manager Stephan Chenette is featured in the article – he argues that the danger lurking beneath this jailbreak is that a hacker could easily reverse engineer it to install malicious code through the browser or an email attachment.

“Then the attacker could gain full control of the iPhone, iPad or other iOS device and install everything from a keylogger to a full-blown bot… This isn’t just limited to iPhones; iPad users need to be on the lookout, too.” –Stephan Chenette, Websense Security Labs Research Manager

Stephan’s four tips for iPhone and iPad users to stay safe are also highlighted in the article:

1. Don’t download files from suspicious or non-trustworthy websites.

2. Don’t click on links from unknown or untrusted Web sites or suspicious links from trusted sources (including sites like Google Search).

3. Don’t open email attachments from unknown or suspicious emails from trusted sources. Your friend's email account may have been hacked.

4. As soon as Apple issues a patch, apply it! Many consumers don't patch regularly or do so after it's too late.

Read more about the latest iOS vulnerability at the Security Labs blog.

...   Read more >
Reuters: Hackers reveal security bug in Apple iPad and iPhone software
Posted: Thursday, July 07, 2011 12:35 AM by Talia James

Today, in a Reuters article, Websense® Senior Security Research Manager Patrik Runald discusses how hackers have revealed a bug in Apple iOS software. The security flaw was discovered today when a popular jailbreaking site (www.jailbreakme.com) released code for Apple customers to modify their device’s operating system.

In the article, Runald warns that this code could be a major security downfall: cybercriminals could easily download the code, reverse engineer it to find a hole in iOS security and then quickly build malware in a matter of days. The creator of the jail-breaking code, Comex, agrees that the code would not be difficult to reverse engineer.

"If you are a malicious attacker, it is fairly doable.” –Patrik Runald, Senior Security Research Manager

Apple’s iOS software runs on the millions of iPhones, iPads, and iPod Touches sold around the world – any security flaw in iOS holds the potential to create some major damage. Reuters quotes Runald warning that once the device is infected, hackers could do anything they want, including stealing passwords, documents and emails.

Reuters reports that Apple is currently developing a software update to circumvent any potential threats.

In the meantime, learn how to protect your organization from mobile security threats here.

Read a Websense Security Labs™ report on a past jailbreak-related security threat here.

...   Read more >
The Cybercrime ‘Five’ Part Five: Cyber Soldiers
Posted: Tuesday, June 28, 2011 6:32 AM by Carl Leonard

Cyber Soldiers


Who: This is nation-state activity to penetrate another nation's or corporation's computers or networks for the purposes of causing damage, disruption or exploitation, with an endgame objective of disabling an opponent's military capability or stealing important source code to increase their own power. These guys are the special forces of the threat landscape: super skilled, buzz-cut, clean shaven expert hackers. You’d never know who they were, however – because if I told you I’d have to kill you.


Why: Cyber warfare has been described as the fifth domain of warfare, with the Pentagon formally recognizing cyberspace to be just as critical to military operations as land, sea, air and space. It is reported that at least 100 countries have been developing ways to use the Internet as a weapon and target financial markets, government computer systems and utilities. Cyber Soldiers may operate as APT (advanced persistent threat) actors or corporate spies at times, but everything they learn is geared toward a specific nationalist objective.

What: Stuxnet is a great example of this attack method, a textbook case of an APT. The worm was discovered in July 2010 and is the first specialized complex malware to only target industrial software. It was aimed at compromising the Iranian nuclear program and is believed to be the work of a well-funded group of 5-10 people over 6 months. Speculation: only a nation state has these capabilities.


...   Read more >
Instant Exploits?
Posted: Wednesday, June 22, 2011 5:50 by Dan Hubbard


Google announced a number of new technologies as part of their Google Inside Search launch (http://www.google.com/insidesearch/). One of the more interesting elements is their idea to speed up the Web with something called "Instant Pages." The basic idea is that they are taking their ability to correctly guess what a user is going to search for, and pre-loading the content from the origin server onto your local machine. Apparently, this will only work with the Chrome browser.

On the challenging side, this leads to some interesting exploit scenarios. In the past, search algorithms have been duped into having malicious pages show up in results. In those cases, although they are dangerous, the user still has to click on one of the top results to get infected. In the new scenario, the big question is whether a user can be exploited by simply searching, without even clicking on a link.

Though Google has assured us in a subsequent interview that they don’t believe this will be an issue due to several aspects of their technology, there still exists an interesting possibility for exploitation of unsuspecting users, as SEO poisoning continues to be an ongoing problem. Remember from our 2010 Threat Report: searching for breaking trends and current news represents a higher risk (22.4% of search results poisoned) than searching for objectionable content (21.8%).

In slightly related news, Google also announced voice recognition to search. It will be interesting to see how the rogue AV camps will also be utilizing this to their advantage in the future.


...   Read more >
IT Pro: Do Google Instant Pages Lead to Instant Exploitation?
Posted: Wednesday, June 22, 2011 1:30 AM by Talia James


IT Pro recently released a story on the risks posed by Google’s recent implementation of Instant Pages, a new service that may unintentionally introduce a new twist in the saga of ongoing SEO poisoning.

The article excerpts Websense Security Labs’ Dan Hubbard's blog post on how Google’s Instant Pages may add a new and dangerous angle to the drive-by infection process of SEO poisoning. Normally, with traditional malicious pages that pop up in a Google search, users are still provided with the escape route of not clicking on a suspicious-looking link. However, with the new Instant Search, Hubbard is quoted raising an important question:

“With the pages being pre-fetched in the background, can a user be exploited by simply searching, without even clicking the link?” –Dan Hubbard, Websense CTO

It is a very likely possibility. Remember, the threat landscape is constantly evolving and often positive innovation can also open the door for malicious innovation. Learn how to protect your organization from modern threats with the most modern security here. Read about the latest SEO poisoning discovered by the Websense Security Labs here.


...   Read more >
The Cybercrime ‘Five’ Part Four: Heavyweight Ninja
Posted: Thursday, June 16, 2011 3:55 by Carl Leonard


heavyweight ninja


Who: These are the heavyweights of the cybercriminal world. Corporate attack and espionage is a stealthy, organised, funded activity by professional agents operating rather like the legitimate companies they hope to steal from. The worker bees are usually found beavering away with state of the art computing equipment, multiple monitors and the blinds well drawn, while the big cheeses are well connected individuals with fingers in pies and eyes firmly on the ball. Together they make a formidable team.

Why: Big bucks. These guys are out to target company confidential data which can then be sold on to the highest bidder. There are two distinct categories within this group: one aiming long term using Advanced Persistent Threats (APT) and the other more focused on short- to mid-term financial gains.

What: The APT attack nicknamed Operation Aurora in 2009/2010 was aimed at US high-tech companies including Google and Adobe. It was thought to originate in China, with speculation of government involvement. Aurora exploited a zero-day vulnerability in Internet Explorer with the goal of stealing IP and modifying source code.


...   Read more >
APTs from FUD to Fact Part 2: Why Should I Care?
Posted: Friday, June 10, 2011 4:33 by Patrick Murray


Advanced Persistent Threat

Alan commented on the initial APT post: "I hope you don't spew marketing hyperbole else this will turn dull rapidly." Don’t worry. We are going to stick to the facts. In this piece, I want to separate from the buzz around these attacks and talk about why you should care.

We’ve heard from a lot of executives, “What should we do about APTs?” There is a high level of concern from large organizations with serious IP (like source code) that they know others will try to get. But there’s also a large group that thinks, “I’m a $10M manufacturing company, in Ohio. I don’t think Chinese or North Korean hackers are going to be knocking on my door anytime soon.”

And, they are right. (read more)


...   Read more >
The Cybercrime ‘Five’ Part Three: eMugger
Posted: Tuesday, June 07, 2011 11:01 by Carl Leonard


Who: This is the largest group of cybercriminals. In another era they would have been found nicking your purse, knocking over old ladies or selling solid gold watches for £10 from a battered old suitcase. These guys have picked up a few skills along the way, nothing too complicated, just straightforward malware, adware or spam. Once they have perfected how to do it once, they do it again and again and again.

Why: Fast, financial gain. The mainstays are fake antivirus programs, manipulating your identity, using your credit card numbers, or stealing passwords. Some make their money through illegal advertising, often paid by a legitimate company for pushing business their way. Cheap pills, anyone? Some members of this group believe they are simply "aggressive marketers." It helps them sleep at night.

What: Phishing and SEO poisoning were used within minutes of the earthquake which hit Japan in March 2011. Emails asking for donations to a rogue cause, ‘Humanitarian Care Japan’, did the rounds, and searching for the latest news online resulted in several links to malicious sites. Following the link, the victim was redirected to fake antivirus via a "CLICK HERE" button. A warning then appeared stating that the computer might already be infected. Whether the "Cancel" or "OK" button was clicked, a rogue Windows-like antivirus interface popped up. The user was then scared into thinking their computer was infected and that they must download the scammers' program and pay for it to be cleaned up.


...   Read more >
Financial Times: Social Networking Makes Big Bucks for Cybercriminals
Posted: Tuesday, June 07, 2011 1:55 AM by Talia James

In a recent article, the Financial Times highlights the evils that come along with the benefits of social networking. While social networks connect millions of people around the world, they simultaneously provide an easily-exploited platform for cybercriminals to operate on. This article calls attention to the imminent dangers of over-sharing personal information via Facebook, and then proceeds to describe criminal social media tactics in other digital spheres like email and Twitter.

The Financial Times highlights Websense® for the discovery of a Twitter scam in the days surrounding the death of Osama bin Laden. The scam worked to lure unsuspecting users to a phishing site to capture their login information.

“OMG CNN confirmed they found Osama alive still!!” was one of the hundreds of malicious tweets posted every second that played on the public’s fascination with the death of Osama bin Laden. The tweets were accompanied by a malicious link using Bit.ly (a link shortening service), making it difficult for users to discern whether the link was legitimate or not.

Remember from our 2010 Threat Report: searching for breaking trends and current news represents a higher risk (22.4%) than searching for objectionable content (21.8%). We urge you to take extra precautions when searching for hot-button topics on the web. You never know if you’re going to click on a malicious link masked by a legitimate site name – it could put you and your entire organization at risk. When in doubt, run suspicious-looking links through AceInsight.com – it’s a free service from Websense that you can use any time to scan URLs for malicious content.


...   Read more >