Ongoing Targeted Attacks Continue to Plague Healthcare
Posted by AToro on 12 September 2014 01:30 PM

Websense® ThreatSeeker® Intelligence Cloud has detected a phishing campaign that targets the healthcare sector, especially hospitals, phishing for Outlook credentials. This campaign is part of an ongoing trend of campaigns phishing for the credentials of healthcare-sector users (for example, the CHS breach), and of a broader trend of phishing for corporate Outlook credentials.


Gaining access to corporate Outlook credentials gives attackers a foothold in the victim's organization. From that foothold they can search for other high-value targets, then send internal, legitimate-seeming emails to extract additional information and gain access to strategic infrastructure or data. It also lets attackers leverage whatever good reputation the compromised account has to attack its contacts at other organizations.

Healthcare organizations, and hospitals in particular, have a wealth of patient records that are very valuable to cyber criminals, as discussed here.


Websense customers are protected from this threat by ACE, our Advanced Classification Engine, at the following stages:

  • Stage 2 (Lure) - ACE has detection for the email lure.
  • Stage 3 (Redirect) - ACE has detection for the link inside the email lure, and for the ultimate destination of the phishing site.



The Lure Email


The phishing email, with the subject line "Your Mailbox account closure.", is sent to users to entice them to click a link.



The campaign is highly targeted. ThreatSeeker telemetry shows that Websense Cloud Email Security blocked a few hundred of these messages, all targeting US healthcare organizations, between 6:19:34 AM and 7:13:10 AM PDT on 9/12/2014.

Reviewing the email path, it appears that compromised accounts were used to send this campaign. This suggests that the actors behind it try to spread laterally from one infected organization to another, taking advantage of the reputation of the organizations already affected. It is especially interesting that the compromised account belongs to another healthcare provider, which is likely to already have a good reputation in the victim's email protection systems; this helps the messages bypass any reputation-based defense.


The Phishing Page

If the user follows the link, they are taken to a legitimate-looking Outlook login page, which is used to steal the credentials they enter.



A high-level look at the top five threats hosted on subdomains of "URL.PH" suggests the domain has become more popular with attackers in the last few months. "URL.PH" is a domain under the .PH top-level domain rather than a TLD itself, and looking at the threats served from its subdomains we see a diverse set, including Zeus and Citadel, as well as other types.
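As an added example (not code from the post or from Websense), here is a Python triage script for the pattern described above: lures with the subject "Your Mailbox account closure." arriving from a compromised account at another healthcare provider and linking to a fake Outlook login on a subdomain of URL.PH. It ignores sender reputation, which the compromised account would pass, and instead flags a mailbox notice whose login link leaves the sender's own domain or lands under a watched host, then groups the resulting lures by sending account to surface a burst like the roughly hour-long wave described above. The sample messages, every hostname other than url.ph, the addresses, the timestamps and the burst threshold are constructed for the example.

```python
"""Triage of a credential-phishing wave sent from a compromised account.

Added example, not code from the Websense post. The messages below are
constructed to mirror the campaign it describes; every hostname other than
url.ph, every address and every timestamp is invented for the example.
"""
import re
from collections import defaultdict
from datetime import timedelta
from email import message_from_string, policy
from email.utils import parseaddr

# Hosts the post associates with phishing pages. Anything at or beneath them
# is untrusted no matter how good the sending domain's reputation is.
WATCHED_HOSTS = {"url.ph"}
LURE_SUBJECTS = {"your mailbox account closure."}
URL_RE = re.compile(r"https?://([^/\s\"'<>:]+)", re.I)


def under(host, parent):
    """True if host equals parent or is a subdomain of it."""
    host = host.lower().rstrip(".")
    return host == parent or host.endswith("." + parent)


def analyse(raw):
    """Content indicators for one raw RFC 5322 message (reputation ignored)."""
    msg = message_from_string(raw, policy=policy.default)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    sender_domain = sender.rpartition("@")[2]
    body = msg.get_body(preferencelist=("html", "plain"))
    hosts = URL_RE.findall(body.get_content()) if body else []
    watched = [h for h in hosts if any(under(h, p) for p in WATCHED_HOSTS)]
    # The pattern in the post: a legitimate-looking sender whose "log in to
    # your mailbox" link leaves that sender's own domain.
    off_domain = [h for h in hosts if not under(h, sender_domain)]
    subject_match = msg.get("Subject", "").strip().lower() in LURE_SUBJECTS
    return {
        "sender": sender,
        "date": msg["Date"].datetime,
        "subject_match": subject_match,
        "watched_hosts": watched,
        "off_domain_hosts": off_domain,
        "lure": subject_match and bool(off_domain),
    }


def bursts(results, window=timedelta(hours=1), threshold=3):
    """Senders that emitted at least `threshold` lures inside any `window`,
    i.e. the post's few hundred messages in under an hour from one account.
    The threshold is an assumption for the constructed sample."""
    per_sender = defaultdict(list)
    for r in results:
        if r["lure"]:
            per_sender[r["sender"]].append(r["date"])
    hits = {}
    for sender, dates in per_sender.items():
        dates.sort()
        for i in range(len(dates)):
            j = i
            while j + 1 < len(dates) and dates[j + 1] - dates[i] <= window:
                j += 1
            if j - i + 1 >= threshold:
                hits[sender] = j - i + 1
                break
    return hits


def make(date, to, link, subject="Your Mailbox account closure."):
    """Constructed sample message; the helpdesk sender and hospitals are invented."""
    return (f"From: IT Helpdesk <helpdesk@othercare.example>\r\n"
            f"To: {to}\r\nSubject: {subject}\r\nDate: {date}\r\n"
            "Content-Type: text/html; charset=utf-8\r\n\r\n"
            f"<p>Your mailbox will be closed. <a href=\"{link}\">Verify now</a></p>\r\n")


SAMPLES = [
    make("Fri, 12 Sep 2014 06:19:34 -0700", "a@hospital-a.example", "http://owa.url.ph/login"),
    make("Fri, 12 Sep 2014 06:40:02 -0700", "b@hospital-b.example", "http://mail.url.ph/owa/"),
    make("Fri, 12 Sep 2014 07:13:10 -0700", "c@hospital-c.example", "http://webmail.url.ph/"),
    # Benign control: a real helpdesk notice whose link stays on its own domain.
    make("Fri, 12 Sep 2014 09:00:00 -0700", "d@othercare.example",
         "https://mail.othercare.example/owa", subject="Mailbox quota notice"),
]

if __name__ == "__main__":
    results = [analyse(s) for s in SAMPLES]
    for r in results:
        print(r["date"].isoformat(), r["lure"], r["watched_hosts"])
    print("burst senders:", bursts(results))
```

The link check is deliberately independent of any reputation score: the compromised sending domain is exactly the one a reputation system trusts, so the signal has to come from where the credential page lives and from how many near-identical notices one account emits in a short window.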





Websense® Security Labs™ will continue to monitor this campaign, and will update the blog as new information is gathered.



Contributors: Abel Toro, Ran Mosessco, Elad Sharf


New Phishing Research: 5 Most Dangerous Email Subjects, Top 10 Hosting Countries
Posted by Elisabeth Olsen on 11 December 2013 10:33 PM

With cloud infrastructure easily scalable and rented botnets coming on the cheap, the cost of conducting massive phishing campaigns continues to decline for cybercriminals. Even if the return rate is small or the campaign is poorly executed, phishing can result in serious money for criminals. Phishing will never simply go away—meaning ongoing headaches for security professionals.


Top 10 Countries Hosting Phishing

To shed some light on how targeted attacks and user awareness are evolving, Websense Security Labs researchers investigated current phishing trends. We found that phishing attempts fell to 0.5 percent of all email traffic in 2013 (down from 1.12 percent in 2012). This may sound like good news, but it certainly does not mean the coast is clear for businesses.


Today’s phishing campaigns are lower in volume but much more targeted. Cybercriminals aren’t simply throwing millions of emails over the fence. They are instead targeting their attack strategies with sophisticated techniques and integrating social engineering tactics. Scammers use social networks to conduct their recon and research their prey. Once the intelligence is harvested, they use that information to carefully construct email lures and yield maximum success.


In addition to social engineering, geographic location also plays a significant role in phishing. By rank, here is a list of the top 10 countries hosting phishing URLs (based on research conducted 1/1/13-9/30/13):

1. China
2. United States
3. Germany
4. United Kingdom
5. Canada
6. Russia
7. France
8. Hong Kong
9. Netherlands
10. Brazil


Some interesting points about this list:

• China and Hong Kong made their debuts this year, having never before been included in our lists
• The UK moved up from the number six spot
• The U.S. dropped out of the number one spot, for the first time in a long, long time
• Russia moved up from the number 10 spot
• Egypt and the Bahamas have disappeared from the list, after recent appearances


Five Most Dangerous Subject Lines


As you can see, where you are in the world can influence how much your organization is at risk. However, geographic location is only one piece of the puzzle for detecting and stopping unwanted email. The subject line also plays a significant role in the success of a phishing campaign.


To further investigate, our security researchers took a closer look and determined that the top five subject lines in worldwide phishing emails are the following (based on research conducted 1/1/13-9/30/13):

1. Invitation to connect on LinkedIn
2. Mail delivery failed: returning message to sender
3. Dear <insert bank name here> Customer
4. Comunicazione importante
5. Undelivered Mail Returned to Sender


The list above shows how cybercriminals use business-focused, legitimate-looking subject lines to fool recipients into clicking a malicious link or downloading an infected file. Scammers will use any means necessary to increase the likelihood of a click.
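Two of the subjects above ("Mail delivery failed: returning message to sender" and "Undelivered Mail Returned to Sender") are exactly what genuine bounce messages say, so matching on the subject alone would also quarantine real delivery-status notifications. As an added example that is not part of the original post, the Python below separates the two using the structure a genuine DSN has under RFC 3464: an empty envelope sender (Return-Path: <>) and a multipart/report body with report-type=delivery-status that contains a message/delivery-status part. A lure normally copies only the subject. The three sample messages, their addresses and their hostnames are constructed for the example.

```python
"""Separating genuine bounces from lures that only borrow the subject line.

Added example, not code from the Websense post. The sample messages below
are constructed; every address and hostname in them is invented.
"""
from email import message_from_string, policy

# Two of the post's top five phishing subjects are also what real
# delivery-status notifications (DSNs) use.
BOUNCE_SUBJECTS = {
    "mail delivery failed: returning message to sender",
    "undelivered mail returned to sender",
}


def has_bounce_subject(msg):
    return msg.get("Subject", "").strip().lower() in BOUNCE_SUBJECTS


def is_structural_dsn(msg):
    """True only if the message has what RFC 3464 requires of a real DSN:
    empty envelope sender, multipart/report with report-type=delivery-status,
    and a message/delivery-status part inside."""
    if msg.get("Return-Path", "").strip() != "<>":
        return False
    if msg.get_content_type() != "multipart/report":
        return False
    if msg.get_param("report-type", header="Content-Type") != "delivery-status":
        return False
    return any(part.get_content_type() == "message/delivery-status"
               for part in msg.walk())


def classify(raw):
    """'genuine-dsn', 'bounce-lookalike' (a lure) or 'not-a-bounce-subject'."""
    msg = message_from_string(raw, policy=policy.default)
    if not has_bounce_subject(msg):
        return "not-a-bounce-subject"
    return "genuine-dsn" if is_structural_dsn(msg) else "bounce-lookalike"


# Constructed: what a real bounce from an MTA looks like on the wire.
GENUINE_DSN = """\
Return-Path: <>
From: Mail Delivery System <MAILER-DAEMON@mx.corp.example>
To: alice@corp.example
Subject: Undelivered Mail Returned to Sender
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

The recipient mailbox does not exist.
--b1
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.corp.example

Final-Recipient: rfc822; bob@nowhere.example
Action: failed
Status: 5.1.1
--b1--
"""

# Constructed: a lure reusing the subject, with a real sender and an HTML link.
LOOKALIKE = """\
Return-Path: <news@bulk-sender.example>
From: Mail Delivery System <postmaster@bulk-sender.example>
To: alice@corp.example
Subject: Mail delivery failed: returning message to sender
Content-Type: text/html; charset=utf-8

<p>Your message could not be delivered.
<a href="http://retry.url.ph/resend">Click here to resend it</a></p>
"""

# Constructed: ordinary mail, outside the scope of this check.
ORDINARY = """\
Return-Path: <carol@partner.example>
From: Carol <carol@partner.example>
To: alice@corp.example
Subject: Agenda for Thursday
Content-Type: text/plain; charset=utf-8

See attached.
"""

if __name__ == "__main__":
    for name, raw in (("genuine", GENUINE_DSN), ("lookalike", LOOKALIKE),
                      ("ordinary", ORDINARY)):
        print(name, "->", classify(raw))
```

The envelope-sender check relies on the receiving MTA writing the Return-Path header at final delivery; if the check runs before that header exists, the empty envelope sender has to be read from the SMTP session instead.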


Phishing Security Tips and Infographic


To combat phishing attacks, prepare yourself with a security solution that can expose advanced threats and alert your security team in real time. You can protect your organization by implementing web, data, email and sandboxing security solutions that share crucial intelligence to analyze potentially malicious content in real time. Promoting and adhering to these tips can significantly decrease your organization's chances of becoming a victim of a phishing campaign. A webcast, "Defending Against Today's Targeted Phishing Attacks," covers this topic in more depth, and the Websense Security Labs infographic on this research accompanies this post.



How has your organization tackled the ominous and ever–present phish? Please feel free to drop us a line below. We would be happy to answer any question(s) you might have.
