RSS feed from: Websense.com

 



Security Labs

Buyers beware—of Olympic scams  1 Feb 2012, 12:06 pm

Shady ticket deals for the 2012 London Olympics? Hardly surprising. But when the source is Google's famous AdWords advertising service (one of the internet giant's main sources of income), then a double take might be in order.

 

A BBC investigation found that a Google search for "olympic tickets" resulted in top-of-the-page placement of sponsored sites for vendors selling tickets without permission from Olympic authorities, which is a criminal offense in the U.K. under the London Olympic Games and Paralympic Games Act 2006.

 

Our research confirmed that the Google search shown below displays an AdWords link that is not authorized to sell Olympic tickets according to the ticketing website checker on the official London Olympics website.

 

 

The prominent display of sponsored ads tends to confer on them a sense of legitimacy. Users may assume that Google has approved the businesses, or at least stands behind them in some way. But in response to a complaint from a would-be Olympic ticket purchaser, Google said, "While Google AdWords provides a platform for companies to advertise their services, we are not responsible for, nor are we able to monitor the actions of each company."

 

The inner workings of AdWords are complex and opaque. These qualities are essential, because if Google revealed its algorithms, for example, people could easily cheat their way to the top. While the automated system does take into account something called "Quality Score" and consumer ratings, it's clearly not foolproof. A filtering system flags certain keywords for manual review and removal if the ad is found to violate Google's policies, and users can also fill out an online complaint form. Due to the volume of ads, however, a questionable ad may be up for some time before it is reviewed.

 

Websense® researchers investigated some of the Olympic ticket scam sites. We found that most of them had multiple backlinks, suggesting they have been widely spammed across the internet in addition to being promoted via Google AdWords. A "backlink" is a hyperlink that points to a specific web page. Both legitimate web pages and spam URLs often try to set up as many backlinks as possible to drive traffic to their sites, and the number of backlinks a site has may affect its ranking in search engine results. Like the hyperlinks in this post, links can be used to provide additional context, information, or examples.

 

An examination of these backlinks confirmed that "birds of a [bad] feather flock together." One URL yielded 500 backlinking URLs in categories such as Adult Material, Gambling, Proxy Avoidance, Potentially Unwanted Software, Suspicious Embedded Links, and Malicious Embedded Links.

 

An examination of a set of 375 backlinks for another URL found that 104 (27.73%) included various kinds of objectionable content, including security risks (the remaining URLs either had no backlinks or had backlinks for legitimate sites such as News and Media, Business and Economy, and so on). The breakdown for objectionable/security risk backlinks was as follows:

 

 

A closer look at just one of the backlinks tells us a lot about the dangers of allowing comments that are not moderated to be added to any site. In this case, a perfectly legitimate website for a church posted a video of a Sunday School Christmas play and invited viewers to comment:

 

 

Viewers and spammers did exactly that, adding links not only to the Olympic ticket scam we started with, but also to a variety of other completely unrelated businesses which may or may not be legitimate, including German gambling and phone sex sites and an Italian "escort" agency:

 

 

 

 

Defensio from Websense is one way to prevent spammers from posting such links on blogs and other social media, including Facebook pages. With this service, it's easy to block and manage comments, protecting you and your followers from comment spam, malware, and other threats embedded in user-generated content.

 

With Google searches as with everything else, do your own "due diligence" before making a transaction, even if the business is at the top of the page. In the case of London Olympics tickets, the official website includes the handy ticketing website checker that we used to determine if a URL is recognized as an authorized vendor. There's also a page about staying safe online, which includes a long list of known scams that will only get longer as the July 27 opening day approaches.

 

Websense customers are protected from these threats by ACE™, our Advanced Classification Engine.


3-2-1 Wordpress vulnerability leads to possible new exploit kit  30 Jan 2012, 7:30 am

 

This past weekend one compromised Web site in particular caught my attention. Based on my analysis, the site was compromised because it was running an old version of Wordpress (3.2.1) that is vulnerable to publicly available exploits [1] [2]. The Web site injection is only somewhat interesting. What is more interesting is the redirection chain and resulting exploit site, which might be a new or updated Exploit Kit to watch out for.

 

Our research indicates that whoever is behind the injection has infected other sites. From our analysis the number of infections is growing steadily (100+). 

 

The Injection

The site was injected with the following code segment:

 

The code above is a simple substitution-cipher obfuscation; once deobfuscated, it produces the following code:

 

 

The code above instructs the Web browser to write an iframe to the document of the Web page:

 

Once the iframe is written to the Web page, the code forces a connection to the malicious site, which downloads content to the user's machine (all without the user's permission or knowledge). The malicious Web site serves a page that we assume includes the Incognito Exploit Kit, because one of Incognito's characteristics is that it uses showthread.php as the filename of the Web page that serves exploits to users. We are still not certain whether this is Incognito 2.0 or a completely unknown exploit kit. Most kits, much like Incognito, test the user's browser and/or OS type and version and serve the user various exploits, e.g. PDF exploits or browser-specific bugs. But this Exploit Kit appears to serve only the Java exploit below:


New or Updated Exploit Kit?

The Java exploit being served is CVE-2011-3544 (Oracle Java Applet Rhino Script Engine Remote Code Execution), which most Exploit Kits adopted in December 2011 because it is cross-platform and exploits a design flaw. Normally, kits use a variety of exploits, but as can be seen in the screen shot below, regardless of what OS or browser we used for testing, this Exploit Kit attempted to exploit ONLY our Java Runtime Environment (JRE). It did not attempt any other exploit.

 

Exploit and Dropped Malware

The Java exploit that is used isn't a traditional buffer overflow; it takes advantage of a design flaw within Rhino, the JavaScript engine that runs under the JVM and interacts with Java applets.

An attacker can bypass the Rhino scripting engine protection by generating an error object that runs with elevated privileges and executes code that disables the Security Manager. Once the Security Manager is disabled, the attacker can execute code with full permissions.


If the user isn't patched and is therefore vulnerable to CVE-2011-3544 (see patch details here), two Java files (VirusTotal links [1] [2]) drop Tdss (VirusTotal link [1] = 9/43). The Tdss rootkit is one of the stealthiest rootkits in the wild. Its goal is to acquire total control of infected PCs and use them as zombies in its botnet.

 

Prevalence of Injection Campaign

Since we started tracking this infection this past weekend, we have discovered that this is an infection campaign. The Websense® ThreatSeeker® Network has found 100+ compromised Web sites, all with similar infection characteristics. The compromised Web sites all share these traits:

 

  • Run WordPress 3.2.1
  • Force a drive-by download via an iframe to the same malicious set of domains hosting a PHP Web page of the form [subdomain].osa.pl/showthread.php?t=.*
  • Attempt exploitation using CVE-2011-3544
  • Install the Tdss rootkit on the user's machine if exploitation is successful

 

Here is an example listing of sites that have been infected:

 

The number of Web pages running the vulnerable, targeted version of WordPress (3.2.1) is in the hundreds of thousands. It is unknown at this time how the attackers are choosing which sites to infect.


What To Do If You Are Running WordPress 3.2.1

If you're running WordPress 3.2.1, we recommend that you:

  1. Upgrade to the latest stable version of WordPress.
  2. Check the source code of all your Web pages to see if you've been infected (see the code above). If you have been infected, be sure to upgrade WordPress while simultaneously removing the injected code, so that your Web pages aren't simply reinfected after being cleaned.
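A scanner for step 2, added here as an example and not part of the original Websense post: it checks saved copies of your pages for the campaign's iframe pattern ([subdomain].osa.pl/showthread.php?t=...), for any hidden iframe, and for the generator tag advertising the targeted WordPress version. The sample pages are constructed for the demonstration.

```python
"""Scan saved Web pages for the WordPress 3.2.1 injection campaign.

Added example, not part of the original Websense post. The iframe pattern
([subdomain].osa.pl/showthread.php?t=...) and the targeted version come
from the post; the sample pages below are constructed for this demo.
"""
import re
import sys
from pathlib import Path
from typing import Dict, Iterable, List

# Campaign indicator from the post: a showthread.php page with a "t"
# parameter on any subdomain of osa.pl.
CAMPAIGN_IFRAME = re.compile(
    r"https?://[a-z0-9.-]+\.osa\.pl/showthread\.php\?t=[^\s\"'>]*", re.IGNORECASE
)
# Generic signal: an iframe styled to be invisible, the usual shape of a
# drive-by injection even when the destination domain changes.
IFRAME_TAG = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
SRC_ATTR = re.compile(r"""\bsrc\s*=\s*["']([^"']+)["']""", re.IGNORECASE)
HIDDEN_HINT = re.compile(
    r"""(?:width|height)\s*=\s*["']?0\b|display\s*:\s*none|visibility\s*:\s*hidden""",
    re.IGNORECASE,
)
# WordPress advertises its version in a generator meta tag.
GENERATOR_TAG = re.compile(
    r"""<meta\s+name=["']generator["']\s+content=["']WordPress\s+([\d.]+)["']""",
    re.IGNORECASE,
)
TARGETED_WP_VERSION = "3.2.1"


def scan_page(html: str) -> Dict[str, object]:
    """Classify one page: 'infected' on a campaign IoC hit, 'suspicious' on
    any other hidden iframe, plus the advertised WordPress version."""
    campaign_hits: List[str] = CAMPAIGN_IFRAME.findall(html)
    hidden_iframes: List[str] = []
    for tag in IFRAME_TAG.findall(html):
        src = SRC_ATTR.search(tag)
        if src and HIDDEN_HINT.search(tag):
            hidden_iframes.append(src.group(1))
    gen = GENERATOR_TAG.search(html)
    version = gen.group(1) if gen else None
    return {
        "wp_version": version,
        "targeted_version": version == TARGETED_WP_VERSION,
        "campaign_hits": campaign_hits,
        "hidden_iframes": hidden_iframes,
        "infected": bool(campaign_hits),
        "suspicious": bool(hidden_iframes) and not campaign_hits,
    }


def scan_files(paths: Iterable[Path]) -> Dict[str, Dict[str, object]]:
    """Scan saved pages (e.g. a crawl or a rendered-DOM dump; the injected
    script writes the iframe at run time, so a rendered copy catches more
    than raw source does) and return findings keyed by path."""
    return {str(p): scan_page(p.read_text(errors="replace")) for p in paths}


# Constructed sample pages: one infected, one clean and up to date.
SAMPLE_PAGES = {
    "infected.html": (
        '<html><head><meta name="generator" content="WordPress 3.2.1" /></head>'
        "<body><p>Welcome</p>"
        '<iframe src="http://constructed-subdomain.osa.pl/showthread.php?t=42" '
        'width="0" height="0" style="visibility:hidden"></iframe></body></html>'
    ),
    "clean.html": (
        '<html><head><meta name="generator" content="WordPress 3.3.1" /></head>'
        '<body><iframe src="https://video.example/embed/123" '
        'width="560" height="315"></iframe></body></html>'
    ),
}

if __name__ == "__main__":
    # With file paths on the command line scan those; otherwise run the samples.
    if len(sys.argv) > 1:
        results = scan_files(Path(a) for a in sys.argv[1:])
    else:
        results = {name: scan_page(html) for name, html in SAMPLE_PAGES.items()}
    for name, result in results.items():
        print(name, result)
```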

 

 

Notifying Compromised Web site owners

As a matter of practice, we attempt to notify certain sites of their infection. First we use the email address that appears in the "Contact Us" section of the site, and then we use the email address in the whois registration database. If those attempts are unsuccessful, we attempt to notify the site owner through their Facebook page (we have had very good success with this technique). Our recommendation when attempting to take down malicious URLs is to follow the best practices described in a document published by StopBadWare.org (found here).

 

Websense customers are protected from these threats by ACE™, our Advanced Classification Engine.

 

* Update 2012/02/01: If you realize after reading this blog that your Web site has been compromised, leave a comment (it won't be published) with your contact details, and we will contact you.

 

Thanks,

Stephan Chenette - Principal Security Researcher


Trojan caught on camera shows CAPTCHA is still a security issue  29 Jan 2012, 7:00 pm

 

In a series of blogs a few years back, we covered how malware could abuse and circumvent online services that use CAPTCHA tests as part of their security (1, 2). In this blog, we take a look at a recent malware variant from the wild, caught on camera, that shows CAPTCHA tests used by some online services are still weak and can be broken by malware.

 

The image below (Picture 1) shows this CAPTCHA-breaking malware's ecosystem, which we'll describe step by step.

Step 1: The starting point of an infection is a banking Trojan variant known as Cridex. This variant is propagated via malicious email messages that hold shortened links leading to exploit kits (see this example), in our case the Blackhole exploit kit.

Step 2: If the exploit is successful, the Cridex variant is downloaded to the machine.

Step 3: Cridex runs on the machine.

Step 4: Cridex is a data-stealing Trojan that operates much like Zeus: it logs content from Web sessions and alters them to harvest information from the infected user. The Cridex configuration file downloaded by this variant (safe to view and download, and shortened here) shows which websites the variant monitors and steals data from, along with Web form injection points (data alteration injected into Web forms to harvest additional data such as ATM PINs). We have observed that Facebook, Twitter, and many banking services are targets. A partial list of targeted websites can be found here.

Step 5: Any stolen data from the system is uploaded to a command and control server.

 

Picture 1: The Cridex ecosystem:

 

Step 6: One of the components downloaded by Cridex along with the configuration file is a propagation (spamming) module that allows the botmaster to send spam/malicious emails to infect other systems and increase the bot size. The spamming module holds backdoor components that allow browsing activities in the name of the user. The module opens Web sessions to online mail services and registers new email accounts that are later used by the bot to send spam/malicious emails. As we know, online mail services hold security checks like CAPTCHA challenges to verify that a human is indeed behind any account registration.

Step 7: According to our findings, CAPTCHA challenges in some cases can be broken with the help of a CAPTCHA-breaking server, which allows the bot to register a mail account after only a few attempts. This video documents the registration of an online mail account by the bot on an infected machine:

 

Video:

(Please visit the site to view this media)

 

 

The CAPTCHA-breaking process consists of posting CAPTCHA challenge images harvested from the online email registration form to a remote Web server (the CAPTCHA-breaking server). The request is an HTTP POST with the CAPTCHA image embedded in the body. Once the server processes the image, it returns a JSON response containing the CAPTCHA text that it believes corresponds to the submitted image (see Picture 2). The backdoor component then tries that returned text in the online email account registration form. If the CAPTCHA-breaking server's output is wrong and does not match the CAPTCHA image challenge, the process continues and the next CAPTCHA image challenge is submitted, until the server manages to break the CAPTCHA. Picture 3 shows the images submitted to the CAPTCHA-breaking server and the corresponding results from the server. Not all the attempts succeed in breaking the CAPTCHA, but some do, and in our example you can see it took 6 attempts.

 

The malware reports to the CAPTCHA-breaking server whether the result it got actually broke the CAPTCHA. Picture 4 shows HTTP requests that report back to the CAPTCHA-breaking server whether the CAPTCHA result the server gave in previous sessions was indeed successful in breaking the CAPTCHA. The outcome is signalled with the r parameter: if the parameter is 0 (&r=0), the CAPTCHA break attempt was unsuccessful, whereas if it is 1 (&r=1), the CAPTCHA break attempt was a success.

 

Picture 2: An HTTP POST request of an image to the CAPTCHA-breaking server and the response from the server

 

Picture 3: The images posted to the CAPTCHA-breaking server and their corresponding results

 

Picture 4: The malware reports to the CAPTCHA-breaking server if the CAPTCHA break attempt was successful

 

Websense® customers are protected from these threats by ACE™, our Advanced Classification Engine.

 


Phoenix, Phoenix, I need help!  25 Jan 2012, 8:30 pm

The Websense® ThreatSeeker® Network has been tracking an ongoing malicious email campaign in which the recipient is asked to click a link to check a bill mistakenly received by another user. We have been monitoring campaigns of thousands of emails similar to this one for a while now and have noticed that the Phoenix Exploit Kit is used. The campaign starts with the following email:



entrepreneur.com compromised with CrimePack  25 Jan 2012, 6:40 am

Today, the Websense® ThreatSeeker® Network alerted us that entrepreneur.com has been compromised by cyber criminals, resulting in potentially malicious content being downloaded to a user's machine. Entrepreneur.com is a very popular information and community resource for small businesses on the web (see Alexa rank).

 

Websense customers are protected from these threats by ACE™, our Advanced Classification Engine.

 

The attacker used the CrimePack exploit kit, which employs several different exploits to try to infect a user’s computer. We'll explain how this works in detail. Let's start by visiting the home page of entrepreneur.com where we notice an iframe injected into the page:

 


Search for Google Chrome leads to Compromised Chrome Plugin Forum  23 Jan 2012, 4:00 pm

This morning the Websense® ThreatSeeker® Network alerted us that if a user enters the term "Download Chrome" in Google Search, the 36th result leads to potentially malicious content being downloaded to the user's machine.

 

I'll briefly describe the attack vector in which the content is sent to the user.


Web Search

Search for "Download Chrome":

 

The 36th result leads to a compromised, unofficial Google Chrome plugin Web page:

 

Compromised Web site

 

The 36th result leads to this website:

The site above is a legitimate, unofficial Google Chrome plugin forum Web page that is pulling in content from two malicious Web sites. We believe this Web page was compromised.


One indicator that this is a compromised site, as opposed to a site set up for strictly malicious purposes, is that the whois registration information, which helps indicate the reputation, shows the domain was registered in 2008. The registration details also seem to indicate that real information was provided. Again, this isn't a foolproof indication that the site was compromised, but it does help as circumstantial evidence.

 

Redirection

 

Looking at the source code of this Web page, we see that the page redirects the user's browser to two malicious Web sites:


1)  pagead2.googlesyndlcation.com/pagead/show_ads.js (via a JavaScript include; this is a typo-squatted Google AdSense URL!)

2)  best-videogames.com (via an iframe HTML tag; the server returned 503 Service Unavailable)

 

This redirection diagram shows the content the user is served by visiting the Chrome Plugin forum Web page. All this content is served to the user without the user having to click on anything at all (except for the link from Google search):

 

Google AdSense Typo-Squatted URL

 

The fake AdSense show_ads.js is hosted on a typo-squatted URL, and the whois record shows that it's clearly not a site owned by Google Inc.

 

Notice the details: the real Google hosting server for show_ads.js is pagead2.googlesyndication.com; in the fake hostname, the letter "i" in the word "syndication" has been replaced with the letter "l".
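A check for exactly this kind of near-miss hostname, added here as an example and not part of the original Websense post: it extracts every external script and iframe source from a page and flags hostnames within a couple of edits of a trusted host. The trusted host list and the sample HTML are constructed; only the genuine AdSense host and its typo-squat come from the post.

```python
"""Flag page resources loaded from lookalike hostnames, such as the
typo-squatted pagead2.googlesyndlcation.com AdSense host.

Added example, not part of the original Websense post. The trusted host
list and the sample HTML are constructed for this demonstration; the real
AdSense host and its typo-squat are the ones named in the post.
"""
import re
from typing import Dict, List, Set, Tuple
from urllib.parse import urlparse

# Hosts this site is expected to load third-party code from (constructed
# allow list; the first entry is the genuine AdSense host from the post).
TRUSTED_HOSTS: Set[str] = {
    "pagead2.googlesyndication.com",
    "www.google-analytics.com",
}
# Scripts and iframes are the tags the compromised forum page used to pull
# in external content.
RESOURCE_SRC = re.compile(
    r"""<(script|iframe)\b[^>]*?\bsrc\s*=\s*["']([^"']+)["']""", re.IGNORECASE
)


def damerau_levenshtein(a: str, b: str) -> int:
    """Optimal string alignment distance: insertions, deletions, substitutions
    and adjacent transpositions, i.e. the typo classes typosquatters rely on."""
    prev2: List[int] = []
    prev1 = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i] + [0] * len(b)
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            cur[j] = min(prev1[j] + 1, cur[j - 1] + 1, prev1[j - 1] + cost)
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                cur[j] = min(cur[j], prev2[j - 2] + 1)  # transposition
        prev2, prev1 = prev1, cur
    return prev1[len(b)]


def classify_host(host: str, trusted: Set[str] = TRUSTED_HOSTS,
                  max_distance: int = 2) -> Tuple[str, str]:
    """Return (verdict, nearest trusted host). A host within max_distance
    edits of a trusted host, but not equal to it, is a lookalike."""
    host = host.lower().rstrip(".")
    if host in trusted:
        return "trusted", host
    nearest = min(trusted, key=lambda t: damerau_levenshtein(host, t))
    if damerau_levenshtein(host, nearest) <= max_distance:
        return "lookalike", nearest
    return "unknown", nearest


def audit_html(html: str) -> List[Dict[str, str]]:
    """List every external script/iframe source with its verdict; relative
    paths are the page's own resources and are skipped."""
    findings = []
    for tag, src in RESOURCE_SRC.findall(html):
        if src.startswith("//"):
            url = "http:" + src            # protocol-relative URL
        elif "://" in src:
            url = src
        else:
            continue                       # same-origin resource
        host = urlparse(url).hostname or ""
        verdict, nearest = classify_host(host)
        findings.append({"tag": tag.lower(), "src": src, "host": host,
                         "verdict": verdict, "nearest": nearest})
    return findings


# Constructed sample: the typo-squatted AdSense include from the post, a
# genuine analytics include, the page's own script, and an unrelated iframe.
SAMPLE_HTML = """
<html><body>
<script src="http://pagead2.googlesyndlcation.com/pagead/show_ads.js"></script>
<script src="//www.google-analytics.com/ga.js"></script>
<script src="/js/forum.js"></script>
<iframe src="http://third-party.example/" width="0" height="0"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for f in audit_html(SAMPLE_HTML):
        print(f"{f['verdict']:9} {f['tag']:6} {f['host']} (nearest trusted: {f['nearest']})")
```

Edit distance catches typo-class squats like this one; homoglyph swaps in other scripts need a separate confusables check.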

 

I have archived a copy of the fake show_ads.js here in case you wish to research the compromised site a bit further.

 

Websense customers are protected from these threats by ACE™, our Advanced Classification Engine.

 

Stephan Chenette - Principal Security Researcher

 



 


The rise of a typosquatting army  21 Jan 2012, 8:30 pm

Last week we published a blog post that discussed typosquatting of social web sites that led visitors to spam survey sites with a high Alexa ranking. With our ongoing research, we discovered that the cyber-criminals are carrying out even more work, and the campaign is more widespread than we originally thought. Their targets are not limited to the social web: they have registered typosquatting domains for popular, frequently visited sites in all areas, from Google to Victoria's Secret and from Wikipedia to Craigslist; the list goes on. The attacker registers a network of typosquatting domains and redirects visitors of these mistyped sites to a spam survey site. The Websense® ThreatSeeker® Network has discovered over 7,000 typosquatting sites within this single network.

 

 

These typosquatting sites redirect visitors to a suspicious URL via a URL shortening service. From there, they take them to a spam survey site (which we showed you in this blog). After visitors complete the spam survey, they are then taken to spam advertisement distribution sites where spam advertisements are displayed based on their interests. An example of such an advertisement is a free movie downloader, as shown below. Currently, these spam advertisements are not spreading maliciously. However, if these networks are resold to underground groups, the potential outcome could be even more damaging than 0-day exploit attacks.

 


You'd be surprised by the number of visitors who mistype popular domain names. These mistyped domains generate a huge amount of traffic (some sites even managed to reach the Alexa top 250 list). From the careless users who fill in the survey, the cyber-criminals obtain sensitive data. All of this can be translated into profit. Based on online web site valuation tools such as worthofweb.com (as shown below), we expect that attackers are pulling in a substantial income from typosquatting campaigns.

 

 

Websense Security Labs will continue to monitor these campaigns, and Websense customers are protected from these threats via ACE, our Advanced Classification Engine.


Trending Topic Search for "QuickTime" Leads to Phishing Site  19 Jan 2012, 3:09 pm

 

The Websense® ThreatSeeker® Network routinely monitors search results for Google trending topics. For example, if you were to search for the term "QuickTime" today, the 31st result would lead to a typosquatted URL, which pulls content from a phishing URL.

 

 

Clicking this Google search entry sends you to a fake QuickTime download site.

 

 

The "Download Now" button doesn't take you to the download page for QuickTime software. It directs you to a phishing site instead. This alleged music download site phishes your credit card information on the membership fee payment page. Be aware of the risks of using your credit card on random websites to avoid such phishing attacks.  

 

 

Websense customers are protected from these threats by ACE™, our Advanced Classification Engine.

 

  

Ping Yan - Security Researcher & Stephan Chenette - Principal Security Researcher


My email address was shared on Twitter, but who cares?  18 Jan 2012, 7:11 pm

 

Websense Security Labs™ has found that thousands of businesses and consumers are putting themselves at risk each day by publicly revealing their email addresses on Twitter.


We conducted research on how data that might be considered private is exposed via Twitter. The research focused on shared data, in particular email addresses, that can potentially be used against the person (or organization) that shared it. During the research we monitored Twitter over a 24-hour period and found that users were publicly sharing email addresses connected with their inboxes, social media identities, and bank accounts. This leaves them open to advanced 'social spear phishing' attacks and spam campaigns.


Social spear phishing sees criminals attacking harvested email addresses with information gleaned from monitoring users' Twitter conversations. It's recommended that businesses update all acceptable use policies to warn employees of this risk.

 

Our research found that thousands of email addresses are publicly shared daily via Twitter:

* More than 11,000 email addresses were shared worldwide

 

 

[Research data was collected over a 24-hour period in January 2012]

 

 

Gmail, Hotmail and many other free web-based email services are particularly under threat as cyber criminals can harvest social information on individuals via Twitter to break into these accounts.

 

We realise that sometimes you need to share your email address. Here are some security tips on how to best avoid your shared data potentially being used against you:

 

• Use direct messages (DMs) for sending email addresses to contacts on Twitter

• Treat emails from friends linking you to other sites with caution

• Never use passwords that can be inferred from publicly accessible information

• Since email is an often-used route into a company for cybercriminals, ensure your email security has superior malware protection against modern threats.

 

 


Malicious email scam "Re: Scan from a Xerox W. Pro #XXXXXXX" returns with a new face  17 Jan 2012, 10:23 pm

About 6 months ago, a malicious email scam with the subject "Re: Scan from a Xerox W. Pro #XXXXXXX" went wild. This scam has returned, this time with a new face! Instead of delivering a .zip attachment, as it did in the past, it now prompts you to click a download link. You know you shouldn't click this link, right?

 

The Websense® ThreatSeeker® Network has detected that the download URL link is actually a malicious URL.

 

 

 

 

 

As shown in the screenshot below, there is an iframe in its payload. This redirects the browser to a malicious site that hosts a Blackhole exploit kit. Once the iframe is loaded, content from the Blackhole exploit kit site (which contains a highly obfuscated script) is also loaded. Upon decoding the script, we can see that the actual code searches for vulnerable software and uses an appropriate exploit. Successful exploitation executes shellcode that triggers the download and execution of malware.

 

 

 

 

The kit is currently widespread and popular with attackers. It offers users a software-as-a-service (SaaS) solution, where all they need to do is simply rent the kit. The domain registration, site configuration, and setup are handled by the author group. Another really interesting aspect of this kit, which uniquely differentiates it from its competitors, is that it provides administration options for smart phones! Users do not need to install any application; it is simply a Web-based interface optimized for smart phones. Furthermore, there is an administration option for this kit to use underground AV (antivirus) scanners for malware. This lets attackers tweak their malware samples to make them undetectable prior to launching their attack live.

 

So far, the Websense® Triton® Hosted Security Message Center has detected more than 3,000 messages in this campaign.

 

 

Websense customers are protected against this attack with ACE, our Advanced Classification Engine.
