News Categories
(34)Malware (39)Malicious emails (11)Web 2.0 (24)Facebook (22)Social Networks (44)Spam (2)Defensio (1)Comment Spam (15)Phishing (9)Web spam (4)Click-jacking (38)Compromise (20)Analysis (38)Exploits (14)Research (3)Presentations (3)Conferences (4)security conference (9)Mass Injection (10)Rogue AV (4)Blackhat SEO (2)Neosploit (23)Targeted attacks (7)Video (14)Zeus (5)Microsoft (4)Monthly Reports (1)twitter (3)Google (18)Vulnerabilities (9)Adobe (12)Java (4)Mobile (4)Apple (1)hacked (1)TAB (1)Black Hat USA 2011 (1)Google+ (20)0-day (1)CVE-2010-2884 (1)CVE-2011-1255 (1)Worm (14)Blackhole exploit kit (1)Incognit Exploit kit (2)Tuesday Patch (6)APT (6)Typosquatting (3)Vulnerability Analysis (1)CVE-2011-3402 (4)Web Research (4)Predictions (3)Adult (5)News (3)Black Hat SEO (6)Data loss (8)Scam (1)QR codes (6)Twitter (1)CVE-2012-0003 (1)CVE-2011-3389 (1)CVE-2012-0004 (1)Phoenix Exploit Kit (1)CrimePack (3)Reverse Engineering (2)Captcha (1)Valentine's day (2)Kelihos (1)SC Magazine Award Winner (1)Wordpress (1)MS12-010 (1)CVE-2012-0002 (1)Infosec (2)CVE-2012-0507 (8)Toolkits (1)Skywiper (2)Flame (1)Flamer (2)Passwords (1)freedom of expression (1)censorship (2)Plugins (3)Malvertising (14)Exploit (1)CVE-2012-1723 (1)CSI (2)ThreatSeeker (2)Adventures in Spam (1)CVE-2012-4681 (1)LBS (2)RAT (1)module Apache/2 (1)Cyber Monday (1)Black Friday (1)Pastebin (4)CVE-2012-4792 (1)iPad (1)super bowl (1)iPhone (2)iOS (4)Spear Phishing (1)Threat Report (3)ThreatScope (1)Dynamic DNS (1)China (1)SSL (1)APT1 (2)DLP (3)Hack (1)CVE-2012-4969 (2)threat lifecycle (1)ThreatSeeker Network (1)ACE (10)exploit kit (1)blackhole (2)Black Hole (1)DNS poisoning (1)RedKit Exploit Kit (4)exploit kits (1)threat stages (1)Certificates (1)Topical (1)Waterhole (1)CVE-2013-2463 (1)Neutrino exploit kit (1)CVE-2013-2473 (1)CVE-2013-3893 (2)Collective Threat Intelligence (1)CVE-2013-3963 (1)Targeted Attack (3)Advanced Malware (1)CVE-2013-3897 (1)Tor (5)cyber-crime (1)Mevade (2)Ransomware (3)Social Engineering (1)CookieBomb (2)LinkedIn (1)CVE-2013-3906 (2)Pony (3)Cryptolocker (2)Upatre (1)application telemetry (1)meta-data (3)dr. watson (1)windows error reporting (1)big data (2)data theft prevention (1)DTP (1)telemetry (2)CVE-2014-0322 (2)MSIE 0-day (1)Deputy Dog (1)Ephemeral Hydra (1)CVE-2013-0074 (1)CVE-2013-3896 (1)Silverlight (2)crash reports (1)POS (1)anomaly detection (1)goon (4)angler (1)ru:8080 (1)magnitude (3)flash (1)CVE-2013-2465 (1)malicious iframes (1)FIESTA (1)Exploits Kit (1)iframe (3)CVE-2014-0160 (2)OpenSSL (3)Heartbleed (3)Citadel (2)CVE-2014-1776 (1)VGX.DLL (1)necrus (1)cutwail (2)gameover (3)vulnerability (3)zbot (1)control panel (1)carberp (1)zberp (1)Caphaw (2)Nuclear exploit kit (1)Shylock (1)Dragonfly (1)Zeus PIF (1)bitly (1)fraud (2)RIG Exploit Kit (1)POS malware (1)Point Of Sale Malware (1)Ukraine (1)Russia (1)Shellshock (1)CVE-2014-6271 (1)poodle (1)cve-2014-3566 (1)sslv3 (1)Ebola (1)CVE-2014-4114 (1)CPA (1)Regin (1)CVE-2015-0311 (1)CVE-2015-0235 (1)linux (1)GHOST (1)CVE-2015-0072 (1)Internet Explorer (1)XSS (1)IE (1)TorrentLocker (1)Product Information (1)Money Laundering (1)APSA10-05 (1)Skype spam
RSS Feed
News
Mar
14
Malaysia Airlines MH370 Used as a Lure in Facebook-Themed Scams
Posted by Carl Leonard on 14 March 2014 09:21 PM

The Websense®  ThreatSeeker® Intelligence Cloud has observed Facebook-themed scams using news of the missing Malaysia Airlines MH370 flight as a lure. Legitimate news sources report that on March 8, 2014, the plane went missing over the South China Sea.

 

The lure websites have been configured to appear like a legitimate Facebook page; complete with sharing button, suitable graphics, and relevant links.

Should users browse to the lure website, they are presented with a series of dialogue boxes, which eventually lead to a Facebook popup supposedly referencing a Yahoo! News article. We shall walk through an example of a user interacting with such a website.

 

Figure 1: The relevant lure title is displayed to the user, yet when attempting to close an unrelated dialogue box, the user is directed to "Please Share Us on Facebook To Close."

 

 

 

Figure 2: The user is then encouraged to share the link. Should the user click the link while logged onto Facebook, a share action occurs thus spreading the threat further.

  

 

Figure 3: The user is then presented with another page of a YouTube video overlayed with a further request to interact, by taking a short test.

 

 

Thus, we identify the true nature of the scam. The aim of the lure is to generate revenue as part of a Cost Per Action (CPA) lead scam. Certainly not a new idea as our previous blogs show.

 

When we review our telemetry, we observe that the registrant responsible for this timely scam has also been responsible for Facebook-themed lures as far back as December 2012.

 

 Other websites hosting the fake news include:

  • hxxp://cotmot.com/mh370plane/
  • hxxp://mh370malaysia31.droppages.com/
  • hxxp://insidevideo.net/

 

Websense Protection

Websense customers are protected with ACE, our Advanced Classification Engine. Specific attributes which triggered our analytics include domains registered between 12 and 25 days ago, which are now being used to host the fake video lures, and the association to the past CPA ecosystem.

 

A sample ACE Insight report showing the protection offered is available here: http://csi.websense.com/Report/Index/6eb049c1-7d42-4056-b568-a2ee009c97a9

 

If you are searching for information on this event, Websense Security Labs strongly recommends that you use trusted and legitmate media outlets to source your news.


Read more »



Oct
31
LinkedIn Lure Looking for Love-ly Profiles, Possibly More
Posted by Carl Leonard on 31 October 2013 01:45 PM

Websense® Security Labs™ ThreatSeeker® Intelligence Cloud has identified a LinkedIn profile configured to use social engineering techniques in order to target fellow LinkedIn users.  Here at Websense we refer to The 7 Stages of Advanced Attacks.  This model of describing the kill chain discusses Stage 1: Reconnaissance - the act of uncovering information that will facilitate the attacker to conduct a later, more successful attack .  We believe that this particular campaign may be a precursor to a more specialized targeted attack.

...(read more)
Read more »