Ongoing Targeted Attacks Continue to Plague Healthcare
Posted by AToro on 12 September 2014 01:30 PM

Websense® ThreatSeeker® Intelligence Cloud has detected a phishing campaign that targets the Healthcare sector, especially hospitals, phishing for Outlook credentials. This campaign is part of an ongoing trend of campaigns phishing for the credentials of users in the healthcare sector (for example, the CHS breach), along with a trend of phishing for corporate Outlook credentials.


Gaining access to corporate Outlook credentials allows attackers to get a foothold in the victim's organization. This foothold allows them to search for other high-value targets, and then send internal, legitimate-seeming emails to extract additional information and gain access to strategic infrastructure or data. It also allows attackers to leverage the good reputation the compromised accounts might have to attack their contacts at other organizations.

Healthcare organizations, and hospitals in particular, have a wealth of patient records that are very valuable to cyber criminals, as discussed here.


Websense customers are protected from this threat by ACE, our Advanced Classification Engine, at the following stages:

  • Stage 2 (Lure) - ACE has detection for the email lure.
  • Stage 3 (Redirect) - ACE has detection for the link inside the email lure, and for the ultimate destination of the phishing site.



The Lure Email


The phishing email seen below, with the title "Your Mailbox account closure." is sent to users, enticing them to click on a link.



The campaign is highly targeted. ThreatSeeker telemetry shows Websense Cloud Email Security blocked a few hundred of these messages, all targeting US healthcare organizations, between 9/12/2014, 6:19:34 AM PDT and 9/12/2014, 7:13:10 AM PDT.

Reviewing the email path, it appears that compromised accounts were used to send this campaign. This suggests that the actors behind the campaign try to spread laterally from one infected organization to another, taking advantage of the reputation of affected organizations. It is especially interesting since the compromised account also belongs to a healthcare provider, which is likely to already have a good reputation in the victim's email protection systems. This helps to bypass any reputation-based defense.
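The "email path" review above is done by reading the Received headers from the bottom up. The following is an added illustration, not code from the original post: it parses a constructed message (all hosts and addresses are placeholders in reserved example ranges, and the URL is a placeholder) to recover the relay chain, identify the external relay that handed the message to our perimeter, and note whether the first hop was an authenticated submission, which is what one expects when a legitimate account's credentials are being abused rather than a server being spoofed.

```python
import re
from email import message_from_bytes
from email.utils import parseaddr

# Constructed sample message (not a real message from the campaign).
# Relay names, addresses and the URL are placeholders.
RAW_PHISH = b"""Received: from mx.victim-hospital.example (mx.victim-hospital.example [203.0.113.10])
\tby inbound.victim-hospital.example with ESMTP id abc123
\tfor <nurse@victim-hospital.example>; Fri, 12 Sep 2014 06:19:34 -0700
Received: from mail.other-clinic.example (mail.other-clinic.example [198.51.100.25])
\tby mx.victim-hospital.example with ESMTPS id def456;
\tFri, 12 Sep 2014 06:19:33 -0700
Received: from [192.0.2.77] (unknown [192.0.2.77])
\tby mail.other-clinic.example with ESMTPSA id ghi789;
\tFri, 12 Sep 2014 06:19:30 -0700
From: "IT Helpdesk" <admin@other-clinic.example>
To: nurse@victim-hospital.example
Subject: Your Mailbox account closure.
Content-Type: text/plain

Your mailbox will be closed today. Sign in at http://owa-login.example.invalid/owa to keep it.
"""

# "from <host> (<helo> [<ip>]) by <host> with <proto>" as written by most MTAs
RECEIVED_RE = re.compile(
    r"from\s+(?P<from>\S+)(?:\s+\((?P<helo>[^)]*)\))?\s+by\s+(?P<by>\S+)"
    r"(?:\s+with\s+(?P<proto>\S+))?",
    re.IGNORECASE,
)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(raw):
    """Return the relay hops in transit order (origin first)."""
    msg = message_from_bytes(raw)
    hops = []
    for value in msg.get_all("Received", []):
        text = " ".join(value.split())  # unfold the header
        m = RECEIVED_RE.search(text)
        if not m:
            continue
        ip = IP_RE.search(m.group("helo") or m.group("from"))
        hops.append({
            "from": m.group("from").strip("[]").lower(),
            "ip": ip.group(1) if ip else None,
            "by": m.group("by").lower(),
            "proto": (m.group("proto") or "").upper(),
        })
    hops.reverse()  # each MTA prepends its header, so the top one is the last hop
    return hops


def extract_urls(raw):
    """Links in the body, for matching against a URL blocklist or sandboxing."""
    body = message_from_bytes(raw).get_payload(decode=True).decode("utf-8", "replace")
    return re.findall(r"https?://\S+", body)


def analyze_path(raw, our_domain):
    """Summarise where the message entered our perimeter and where it originated."""
    hops = parse_received(raw)
    sender = parseaddr(message_from_bytes(raw).get("From", ""))[1]
    from_domain = sender.rsplit("@", 1)[-1].lower()
    # first hop accepted by one of our own MTAs: the external relay that handed it to us
    entry = next(h for h in hops if h["by"].endswith(our_domain))
    origin = hops[0]
    return {
        "from_domain": from_domain,
        "external_relay": entry["from"],
        # relay belongs to the From: domain, so SPF and reputation checks see a legitimate sender
        "relay_matches_from": entry["from"].endswith(from_domain),
        "origin_ip": origin["ip"],
        # ESMTPSA = authenticated submission: the account's credentials were used
        "origin_authenticated": origin["proto"].endswith("A"),
        "urls": extract_urls(raw),
    }


if __name__ == "__main__":
    for key, val in analyze_path(RAW_PHISH, "victim-hospital.example").items():
        print(f"{key}: {val}")
```

In the constructed sample the relay that delivered the message is the legitimate mail server of the From: domain, so reputation and SPF-style checks pass; the only path-level signal that something is off is the authenticated submission from an unknown client address at the first hop. That is the signal worth alerting on at the compromised organization, while the receiving organization has to rely on lure and link detection.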


The Phishing Page

If the user follows the link, they are led to a page presenting a legitimate-looking Outlook login form, which is used to steal credentials.



A high-level look at the top 5 threats hosted on subdomains of "URL.PH" suggests it has become more popular in the last few months. Looking into the threats served by websites under the "URL.PH" top-level domain (TLD), we can see a diverse set of threats including Zeus and Citadel, as well as other types:





Websense® Security Labs™ will continue to monitor this campaign, and will update the blog as new information is gathered.



Contributors: Abel Toro, Ran Mosessco, Elad Sharf



Websense® Security Labs™ has received reports about the new "Point Of Sale" malware dubbed "BackOff", as published by the US Department of Homeland Security. We decided to explore the activity through the ThreatSeeker® Intelligence Cloud. Our research shows some interesting finds that agree with what was shared in the original "Backoff" publication, but also adds intelligence that sheds more light on the industries targeted in this campaign. It shows that the actors behind it could potentially be targeting more than just POS retailers, and that the toolkits used in this campaign are not limited to "memory scrapers" but also include other toolkits such as the infamous Zeus, SpyEye and Citadel malware, and a worm that spreads through peripheral devices called Gamarue.


(Please note: hosts that are part of this campaign are blurred at this time to not disrupt any concurrent active investigation committed by the authorities.)


Research From The Bird's Eye View


Looking at one of the first samples according to the paper published by the US Dept. of Homeland Security (SHA1:caf546e3ee1a1d2768ec37428de1ff7032beea94), we verified that it is one of the earlier versions of the malware (1.4) and that its command and control point was at dom<*snipped*>. This command and control host seems to be one of the most popular ones in this campaign and got one of the highest numbers of hits as observed from our telemetry data.


One of the interesting observations we made is that this domain wasn't registered through any service meant to hide the identity of the registrant; this was unlike subsequent domains used in this campaign, which were registered through an anonymizing Chinese registrar. The domain dom<*snipped*> was registered on the 13th of October 2013 for one year, which ties perfectly with the start of the campaign according to the paper. Here is a snapshot of the registration information of dom<*snipped*>:




Looking at threat intelligence sources, we found more hosts registered by the same registrant; the activity we spotted involving those domains was exclusively associated with cybercrime (you can also find the list attached to this blog):




Lateral Targets: Retailers +
The Tools:  POS + Zeus, SpyEye, Citadel, Gamarue


By mining our data repositories of global security catches and correlating across these vectors, we confirmed that the actor behind this campaign started their activity in October 2013 and appears to be active to this day. Most of the targeted industries have been confirmed as retailers, but there were also other industries, which shows that the actor behind this campaign may have a broader agenda in mind. Besides retailers, the top 5 targeted industries included industries that are usually seen as the targets of more sophisticated targeted attacks, including Agriculture, Mining & Construction, and Oil & Gas Exploration & Production. We've essentially confirmed that the additional set of hosts registered by the same registrant was also active from around October 2013, and that each holds a direct link to cybercrime.






Our research also determined that the hosts involved in the observed activity are not only related to "Point Of Sale" malware but also to other malware types and toolkits such as Zeus, Citadel, SpyEye, and Gamarue. This suggests that the actors behind this campaign don't limit themselves to one toolkit but employ several, probably chosen according to the data theft functionality required per target. In the next graph are the top 5 most active domains seen through our telemetry that were registered by that same registrant:
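The pivot described in the preceding paragraphs (seed C2 domain, registrant record, other domains by the same registrant, then telemetry hits grouped by victim industry, malware family and domain) is a mechanical correlation once the data is in hand. The following is an added example, not the Security Labs' own tooling: it runs that pivot over constructed WHOIS and telemetry records whose domains, registrant handles, dates and industries are placeholders, and it also handles the case the post mentions where a later domain is privacy-protected and therefore yields nothing to pivot on.

```python
from collections import Counter
from datetime import date

# Constructed records standing in for WHOIS lookups and sinkhole/proxy telemetry.
# Domains and registrant handles are placeholders, not the campaign's infrastructure.
WHOIS = [
    {"domain": "c2-one.example",    "registrant": "handle-1@mail.example", "registered": date(2013, 10, 13), "privacy": False},
    {"domain": "c2-two.example",    "registrant": "handle-1@mail.example", "registered": date(2013, 11, 2),  "privacy": True},
    {"domain": "c2-three.example",  "registrant": "handle-1@mail.example", "registered": date(2014, 1, 20),  "privacy": True},
    {"domain": "unrelated.example", "registrant": "handle-2@mail.example", "registered": date(2014, 3, 1),   "privacy": False},
]
TELEMETRY = [  # (contacted domain, victim industry, malware family, date observed)
    ("c2-one.example",    "Retail",                "BackOff", date(2013, 10, 20)),
    ("c2-one.example",    "Retail",                "BackOff", date(2014, 2, 11)),
    ("c2-one.example",    "Agriculture",           "BackOff", date(2014, 5, 3)),
    ("c2-two.example",    "Retail",                "Zeus",    date(2013, 11, 15)),
    ("c2-two.example",    "Oil & Gas",             "Citadel", date(2014, 3, 9)),
    ("c2-three.example",  "Mining & Construction", "Gamarue", date(2014, 6, 30)),
    ("c2-three.example",  "Retail",                "SpyEye",  date(2014, 7, 14)),
    ("unrelated.example", "Finance",               "Zeus",    date(2014, 4, 1)),
]


def pivot_registrant(whois, seed_domain):
    """All domains sharing the seed domain's registrant (seed included)."""
    seed = next(r for r in whois if r["domain"] == seed_domain)
    if seed["privacy"]:
        # Privacy-protected record: the registrant field is the proxy's, so do not pivot on it
        return [seed_domain]
    return sorted(r["domain"] for r in whois if r["registrant"] == seed["registrant"])


def campaign_summary(whois, telemetry, seed_domain, top=5):
    """Expand the seed to its sibling domains and aggregate what telemetry saw on them."""
    domains = set(pivot_registrant(whois, seed_domain))
    hits = [t for t in telemetry if t[0] in domains]
    dates = [t[3] for t in hits]
    return {
        "domains": sorted(domains),
        "hits_per_domain": Counter(t[0] for t in hits).most_common(top),
        "top_industries": Counter(t[1] for t in hits).most_common(top),
        "families": sorted({t[2] for t in hits}),
        "first_seen": min(dates),
        "last_seen": max(dates),
    }


if __name__ == "__main__":
    for key, val in campaign_summary(WHOIS, TELEMETRY, "c2-one.example").items():
        print(f"{key}: {val}")
```

Starting from the one non-anonymized domain is what makes the pivot work: seeding from a privacy-protected sibling returns only itself, which is why the post's observation about the first domain's registration matters so much for the rest of the analysis.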





In this blog we covered how threat intelligence can uncover further points linked to a certain attack, in order to expand the view of the attacks and get more information on the affected target verticals and the type of malware toolkits used as part of that broader context. It appears that cyber criminal actors run malware campaigns that spread across different target verticals to steal information and benefit from it financially or by other means. The malware toolkits used by the actors behind the "BackOff" POS campaign are diverse, and the actors are unleashing or experimenting with different toolkits, most likely to obtain different functionality as required per target, to increase their chances of staying persistent on targeted networks and of successfully stealing data.



Blog Contributors: Nick Griffin, Ran Mosessco


