News Categories
(34)Malware (39)Malicious emails (11)Web 2.0 (24)Facebook (22)Social Networks (44)Spam (2)Defensio (1)Comment Spam (15)Phishing (9)Web spam (4)Click-jacking (38)Compromise (20)Analysis (38)Exploits (14)Research (3)Presentations (3)Conferences (4)security conference (9)Mass Injection (10)Rogue AV (4)Blackhat SEO (2)Neosploit (23)Targeted attacks (7)Video (14)Zeus (5)Microsoft (4)Monthly Reports (1)twitter (3)Google (18)Vulnerabilities (9)Adobe (12)Java (4)Mobile (4)Apple (1)hacked (1)TAB (1)Black Hat USA 2011 (1)Google+ (20)0-day (1)CVE-2010-2884 (1)CVE-2011-1255 (1)Worm (14)Blackhole exploit kit (1)Incognit Exploit kit (2)Tuesday Patch (6)APT (6)Typosquatting (3)Vulnerability Analysis (1)CVE-2011-3402 (4)Web Research (4)Predictions (3)Adult (5)News (3)Black Hat SEO (6)Data loss (8)Scam (1)QR codes (6)Twitter (1)CVE-2012-0003 (1)CVE-2011-3389 (1)CVE-2012-0004 (1)Phoenix Exploit Kit (1)CrimePack (3)Reverse Engineering (2)Captcha (1)Valentine's day (2)Kelihos (1)SC Magazine Award Winner (1)Wordpress (1)MS12-010 (1)CVE-2012-0002 (1)Infosec (2)CVE-2012-0507 (8)Toolkits (1)Skywiper (2)Flame (1)Flamer (2)Passwords (1)freedom of expression (1)censorship (2)Plugins (3)Malvertising (14)Exploit (1)CVE-2012-1723 (1)CSI (2)ThreatSeeker (2)Adventures in Spam (1)CVE-2012-4681 (1)LBS (2)RAT (1)module Apache/2 (1)Cyber Monday (1)Black Friday (1)Pastebin (4)CVE-2012-4792 (1)iPad (1)super bowl (1)iPhone (2)iOS (4)Spear Phishing (1)Threat Report (3)ThreatScope (1)Dynamic DNS (1)China (1)SSL (1)APT1 (2)DLP (3)Hack (1)CVE-2012-4969 (2)threat lifecycle (1)ThreatSeeker Network (1)ACE (10)exploit kit (1)blackhole (2)Black Hole (1)DNS poisoning (1)RedKit Exploit Kit (4)exploit kits (1)threat stages (1)Certificates (1)Topical (1)Waterhole (1)CVE-2013-2463 (1)Neutrino exploit kit (1)CVE-2013-2473 (1)CVE-2013-3893 (2)Collective Threat Intelligence (1)CVE-2013-3963 (1)Targeted Attack (3)Advanced Malware (1)CVE-2013-3897 (1)Tor (5)cyber-crime (1)Mevade (2)Ransomware (3)Social Engineering (1)CookieBomb (2)LinkedIn (1)CVE-2013-3906 (2)Pony (3)Cryptolocker (2)Upatre (1)application telemetry (1)meta-data (3)dr. watson (1)windows error reporting (1)big data (2)data theft prevention (1)DTP (1)telemetry (2)CVE-2014-0322 (2)MSIE 0-day (1)Deputy Dog (1)Ephemeral Hydra (1)CVE-2013-0074 (1)CVE-2013-3896 (1)Silverlight (2)crash reports (1)POS (1)anomaly detection (1)goon (4)angler (1)ru:8080 (1)magnitude (3)flash (1)CVE-2013-2465 (1)malicious iframes (1)FIESTA (1)Exploits Kit (1)iframe (3)CVE-2014-0160 (2)OpenSSL (3)Heartbleed (3)Citadel (2)CVE-2014-1776 (1)VGX.DLL (1)necrus (1)cutwail (2)gameover (3)vulnerability (3)zbot (1)control panel (1)carberp (1)zberp (1)Caphaw (2)Nuclear exploit kit (1)Shylock (1)Dragonfly (1)Zeus PIF (1)bitly (1)fraud (2)RIG Exploit Kit (1)POS malware (1)Point Of Sale Malware (1)Ukraine (1)Russia (1)Shellshock (1)CVE-2014-6271 (1)poodle (1)cve-2014-3566 (1)sslv3 (1)Ebola (1)CVE-2014-4114 (1)CPA (1)Regin (1)CVE-2015-0311 (1)CVE-2015-0235 (1)linux (1)GHOST (1)CVE-2015-0072 (1)Internet Explorer (1)XSS (1)IE (1)TorrentLocker (1)Product Information (1)Money Laundering (1)APSA10-05 (1)Skype spam
RSS Feed

Following yesterday's news, the Duke and Duchess of Cambridge are now the proud parents of a baby boy and future heir to the British throne. While they revel in the joy of being a family, cyber-criminals have predictably been busy delivering various malicious campaigns in order to piggyback on the news. The Websense ThreatSeeker® Intelligence Cloud has been tracking malicious cyber-campaigns that started in the hours following the official announcement that the Duchess of Cambridge was in labor.


The campaigns detected so far are utilizing email lures, which either redirect unsuspecting victims to Blackhole Exploit Kit URLs or, indeed, provide malicious attachments in the form of Windows SCR files in an attempt to dupe users. These kinds of threats are often launched when topical or global news stories develop. We'll step through both current campaigns in order to relate them to our 7 Stages of Advanced Threats and will detail how they propagate, as well as illustrate that the kill chain leading to malicious content breaks if any one link breaks.


(Stage 2 of the 7 Stages of Advanced Threats)

In this latest example of a malicious campaign that takes advantage of users' thirst for news, the Websense ThreatSeeker® Intelligence Cloud detected and stopped over 60,000 emails with the subject "The Royal Baby: Live Updates" (including quotes) that were mimicking a ScribbleLIVE/CNN notification and encouraging victims to "catch up with the latest." Clicking any of the links in this lure email resulted in the victim being lead to the same malicious redirect URL. This is similar to a recent campaign that used topical events in email lures (the Fox News-themed Malicious Email Campaign).


Email Lure: Links to Redirect URLs ...


A different campaign, using multiple lures containing malicious attachments has been detected in lower volumes with enticing subjects designed to pique interest and encourage victims to open the message:

  • Amazing, incredible share! Follow our leader, share it!
  • Royal Baby: Diana, Charlotte or Albert
  • Royal baby in fantastic picture!

In addition to varied but Royal Baby-themed subjects, the message bodies encourage victims to open the attached "image," although the file, itself, is a malicious binary used to contact command and control (C2) infrastructure and download further malicious payloads:

Email Lure: Malicious attachment ...


Should you receive any email news alerts or unsolicited messages regarding topical events, be sure that the message is legitimate before clicking any links or downloading any attachments. It is unlikely that reputable news agencies will send unsolicited email, and, therefore, any unexpected message should be treated with caution.


By their very nature, lures rely on human curiosity and our thirst for knowledge. In addition to needing an integrated security solution that is able to detect and protect against lures, be they delivered via social web or email, users need to also be educated to be wary of unsolicited links or messages and to consider visiting reputable news sites directly to gain the latest information.


(Stage 3 of the 7 Stages of Advanced Threats)

Should users fall for the ScribbleLIVE/CNN lure, they are taken to intermediate websites that redirect victims to sites hosting exploit code, in this case the Blackhole Exploit Kit. The redirect sites, as is often the case, are legitimate websites that have been compromised or injected with malicious code that is hidden and obfuscated in order to abuse the compromised host site's reputation. Real-time analysis of these sites at the point-of-click provides immediate protection and can effectively break the chain before a victim is redirected to an exploit.


Exploit Kit
(Stage 4 of the 7 Stages of Advanced Threats)

Another thing we see in these broad topical and global news campaigns is the use of common and accessible exploit kits, such as Blackhole, which allows the cyber-criminals to rapidly deploy their attack infrastructure and snare as many victims as possible. Once the exploit kit URL has been visited, the victim's machine is likely to be assessed for vulnerabilities that can be exploited in order to deliver malicious payloads. In this case, as well as delivering malware, such as Zeus, which is designed to pilfer financial information from victims, the site utilizes a social-engineering method to trick the victim into installing a fake Adobe Flash Player update:


Exploit Kit: Social-engineering with a fake Adobe Flash Player update ...


Real-time analysis of web content and malicious payloads protects users from both known and unknown threats.


Dropper File
(Stage 5 of the 7 Stages of Advanced Threats)

Should exploitation be successful, dropper and/or downloader files are used to install additional malicious payloads onto a victim's machine. In the campaigns detailed so far, one relies on the victim falling for the lure and then being redirected to an exploit site from which this would be delivered, while the other simply attaches a malicious file directly to the initial email lure. These files are often encrypted and packed  to thwart detection by traditional signature-based solutions, and, therefore, require more advanced solutions to recognize malicious behavior, such as Websense ThreatScope™. Using the email attachment as an example, the ThreatScope™ Analysis Report nicely illustrates how the file sent requests to malicious hosts, as well as wrote further executable files to the local file system ...



Call Home
(Stage 6 of the 7 Stages of Advanced Threats)

Once a victim's machine has its malicious payload installed, it will attempt to "call home' and contact the C2 infrastructure to receive commands by those behind the campaign. Real-time detection of nefarious outbound communications, in lieu of a threat being caught at an earlier stage, can prevent this call home and prevent attackers from achieving their goals.


Data Theft
(Stage 7 of the 7 Stages of Advanced Threats)

The exfiltration of databe that personally identifiable information (PII) from an individual, company confidential data, or even a list of potential royal baby namesis often the attackers' endgame. Utilizing methods such as slowly "drip-feeding" data out of a compromised network or creating custom encryption routines to stay hidden, attackers attempt to steal data, which can then be used for further attacks or simply for criminal gain. Advanced data loss and theft prevention features, such as Drip DLP, OCR analysis, and the detection of custom encryption routines can be deployed to keep your data where it belongs and out of the hands of cyber-criminals.


Websense customers are protected by ACE, our Advanced Classification Engine, against emerging cyber-threats of this nature at multiple stages throughout the kill chain. While we await further official announcements regarding the Royal Baby, the Websense Security Labs™ team is monitoring developments and will post updates should further campaigns surface.


Read more »

Margaret Thatcher's Death Used in Cyber Attacks
Posted by uwang on 10 April 2013 08:09 AM

As the world remembers former British Prime Minister Margaret Thatcher, cyber attackers are participating too, but in their own tricky ways. Websense® Security Labs™ and the Websense ThreatSeeker® Intelligence Cloud have detected that attackers are sending malicious email spam with a topic referencing the death of Mrs. Thatcher. Actually, it is not new for an attacker to use a hot topic (like the death of Hugo Chavez) to spread malware. In this case, the lure email is very simple, with just a few words related to Mrs. Thatcher, but it pretends to be from your friends by using the "Re: Fwd:" notation. Internet-savvy customers will know that it looks suspicious and should not be tempted to click the link in the email.



When recipients click the malicious link, they are taken to a redirection page first, and then redirected to a Blackhole Exploit Kit landing page. The landing page detects the browser and plugin information in the client, and then serves the vulnerability file based on the plugin information. The final payload is a Cridex trojan, as seen in our ThreatScope™ report and in the VirusTotal report here.  Cridex is known in breaking CAPTCHA codes and you can see this trojan in action on our previous blog here.


Server-side polymorphic technology has been applied to evade traditional AV detection. 



It is not the first time we have seen the Blackhole malicious email campaign. It has evolved over time in combination with hot topics like the current crisis in Korea or major companies filing for bankruptcy. Please be careful about any email that contains 1 of  the following subjects:

Fwd: Dollar Bank bankruptcy

Re: Shedding light on 'dark matter'

Re: Why Washington is corrupt

Re: Kissinger: Thatcher's strong beliefs

Re: Tax havens busted

Fwd: Re: First Citizens Bank bankruptcy

Fwd: Re: Living large in Don Draper's New York

Fwd: Re: Kissinger: Thatcher's strong beliefs

Re: Fwd: California Bank & Trust bankruptcy

Fwd: Re: Bank of America bankruptcy

Fwd: Allowing knives on planes is 'insane'

Fwd: Re: War with N. Korea

Fwd: Air Canada goes 'Gangnam style'

Fwd: Re: NASA plans to catch an asteroid

Re: Fwd: Dollar Bank bankruptcy

Fwd: Why Washington is corrupt

Fwd: Blast kills 29 on bus in New-York

Fwd: Shedding light on 'dark matter'

Fwd: Re: Marikana massacre aftermath

Re: Fwd: Kissinger: Thatcher's strong beliefs

Fwd: Re: PNC Bank bankruptcy

Re: Fwd: Bank Of The West bankruptcy

Re: Fwd: M&I Bank bankruptcy

Re: Bank Of The West bankruptcy

Fwd: Bank Of The West bankruptcy

Re: Fwd: PNC Bank bankruptcy

Re: Bank of America bankruptcy

Re: Fwd: War with N. Korea

Re: California Bank & Trust bankruptcy

Re: Blast kills 29 on bus in New-York

Re: Fwd: Blast kills 29 on bus in New-York

Re: Sending out SOS for 'America's flagship'

Re: Fwd: Marikana massacre aftermath

Re: Living large in Don Draper's New York

Re: War with N. Korea

Fwd: Re: Death penalty 'harms Bali's reputation'

Re: Fwd: Death penalty 'harms Bali's reputation'

Re: PNC Bank bankruptcy

Re: NASA plans to catch an asteroid

Re: Northern Trust Bank bankruptcy

Fwd: Tax havens busted

Re: Fwd: Why Washington is corrupt

Re: Fwd: Tax havens busted

Fwd: M&I Bank bankruptcy

Re: Fwd: Fashion designer Lilly Pulitzer dies

Re: First Citizens Bank bankruptcy

Re: Fwd: Shedding light on 'dark matter'

Re: Fwd: Living large in Don Draper's New York

Re: Fwd: Northern Trust Bank bankruptcy

Fwd: Re: California Bank & Trust bankruptcy

Re: Air Canada goes 'Gangnam style'

Re: Fashion designer Lilly Pulitzer dies

Re: Dollar Bank bankruptcy

Fwd: Sending out SOS for 'America's flagship'


Websense technologies can protect customers in a multi-stage attack:

  • Websense email security blocks the malicious email.
  • Our Advanced Classification Engine (ACE™) detects the malicious content both in redirection and in the exploit page with real-time intelligence.
  • Vunlerability files and the payload trojan are detected by Websense Gateway products.
  • Websense technologies can identify malicious droppers both statically and behaviorally (via Websense ThreatScope).


Read more »