Websense Security Labs serves as a powerful resource to customers and the security community to discover, investigate and report on Internet threats.
Malicious Web Site / Malicious Code: Erste Securities in Poland Hosting Malic...
Websense® Security Labs™ ThreatSeeker™ Network has discovered that the web site of Erste Securities in Poland is hosting malicious code. Erste Securities Polska S.A. represents the Erste Bank group in Poland, one of the largest Austrian banking groups and a leading financial services provider. Erste Bank is a retail bank in Central Europe based in Vienna, Austria, and operating in Austria, Bosnia and Herzegovina, Croatia, Czech Republic, Hungary, Romania, Serbia, Slovakia, and Ukraine.
The malicious code is named foto.exe, but it uses the default Windows XP JPG icon so that it does not look like a Windows executable. Upon execution, the malware (SHA1: 0f7151400dbb7ecf5f9e7a4dc7947891) downloads a keylogging, password-stealing banking Trojan that steals personal financial information.
Screenshot of the web site's main page:
Websense Messaging and Websense Web Security customers are protected against this attack.
In the past, we have seen user invites sent within YouTube containing URLs to spam sites. Also, we have seen emails sent that spoof YouTube user invites but contain a link directly to the spam site. This time around, spammers and malware authors are combining to send out spoofed YouTube user invites that link to a profile on the legitimate YouTube Web site. The spam link is then advertised on that profile. From a spammer's perspective, the chance of success is increased with such attacks, because they make use of the clean reputation of YouTube services.
Here is a screenshot of some sample spam emails:
Clicking on the link in the email directs the user to a spammer's user profile on the legitimate YouTube site. When users visit the profile page, they are encouraged to visit the spammer's advertised domain.
Here is a screenshot of YouTube profiles used for advertising a spam domain:
Here is a screenshot of the actual spam domain:
Websense Messaging and Websense Web Security customers are protected against this attack.
Websense® Security Labs™ ThreatSeeker™ Network has discovered a new phishing campaign targeting American Airlines AAdvantage® Program customers.
Users receive a spoofed email that tries to convince them that, if they log in and fill out a 5-question survey, they will get a $50 reward. The email provides a link that takes visitors to the phishing Web site. The email also provides a fake code meant to entice the user even further.
Screenshot of Email:
Screenshot of Phishing Site:
Websense Messaging and Websense Web Security customers are protected against this attack.
Websense® Security Labs™ ThreatSeeker™ Network has discovered a new malicious social-engineering spam campaign masquerading as official emails sent by the popular Web 2.0 social-networking site, Facebook. The email is spoofed to appear from the domain facebookmail.com, an official domain used by Facebook for their outbound emails when notifying their users of an event.
It is common for Facebook to send an email to notify their users when another Facebook user adds them as a friend on the social network. However, the spammers included a zip attachment that purports to contain a picture in order to entice the recipient to double-click on it. The attached file is actually a Trojan horse.
A login page to Facebook is included in the body of the email. We previously alerted, based on a discovery by our HoneyJax system, on a viral Facebook phishing campaign, and so would not have been surprised if the login page presented was merely a fake front for a phishing site.
However, an examination of the HTML form's source code shows that it was indeed passing the user name and password to Facebook itself. This may be intended to increase the apparent legitimacy of the email in order to evade reputation-based spam filters.
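The form check described above, written out as an added triage example (not Websense's own tooling): it extracts every form action and link target from an HTML email body and reports which hosts fall outside the claimed sender's domain. The sample body and the photo-host.example hostname are constructed; a form that posts to the real site, as in this alert, is reported as "not foreign" but says nothing about the safety of the attachment.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class FormAndLinkCollector(HTMLParser):
    """Collect every <form action> and <a href> in an HTML email body."""
    def __init__(self):
        super().__init__()
        self.form_actions, self.links = [], []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form" and attrs.get("action"):
            self.form_actions.append(attrs["action"])
        elif tag == "a" and attrs.get("href"):
            self.links.append(attrs["href"])

def host_of(url):
    """Lower-cased hostname of a URL, or '' for relative or malformed URLs."""
    return (urlparse(url.strip()).hostname or "").lower()

def belongs_to(host, domain):
    """True if host is domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)

def audit_email_html(html, claimed_domain):
    """Report where forms submit and links point, relative to the claimed sender domain."""
    parser = FormAndLinkCollector()
    parser.feed(html)
    form_hosts = [host_of(a) for a in parser.form_actions]
    link_hosts = [host_of(h) for h in parser.links]
    foreign = lambda hosts: sorted({h for h in hosts if h and not belongs_to(h, claimed_domain)})
    return {
        "form_hosts": form_hosts,
        "foreign_form_hosts": foreign(form_hosts),
        "foreign_link_hosts": foreign(link_hosts),
    }

# Constructed sample in the shape the alert describes: a login form that really posts
# to the claimed domain, next to a link to an unrelated host (placeholder hostname).
SAMPLE_EMAIL_HTML = """
<html><body>
<p>Someone added you as a friend. <a href="http://photo-host.example/foto.zip">View photo</a></p>
<form method="post" action="https://www.facebook.com/login.php">
  <input name="email"><input name="pass" type="password"><input type="submit">
</form>
</body></html>
"""

if __name__ == "__main__":
    print(audit_email_html(SAMPLE_EMAIL_HTML, "facebook.com"))
```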
Screenshot of the email:
Websense Messaging and Websense Web Security customers are protected against this attack.
Websense® Security Labs™ ThreatSeeker™ Network has discovered an emerging email campaign which uses the US presidential election as a social engineering mechanism to install information-stealing code on a victim's machine. With less than 2 months before the start of the election, emails are circulating with fake news of a sex scandal affecting one of the candidates. Recipients of the email are encouraged to view a video supposedly involving the Democratic candidate Barack Obama. Users who click the link are shown a pornographic video taken from hxxp://homemade*snip*.com/. While the video plays for 14 seconds, malicious applications are installed on the victim's machine.
Screenshot of example email:
The email encourages users to download and run obama-*snip*.exe. The MD5 of the Trojan Dropper is 26B861DF715549C537C28E4D60D8D0B7.
Screenshot of the pornographic video played in Windows Media Player:
The dropper installs 809.exe in the user's Temporary Internet Files folder. A Browser Helper Object (BHO) named Siemens32.dll is also registered. This is an information-stealing application that posts data to a compromised Finnish travel site, hxxp://*snip*-hotel.com/
Screenshot of code locations pointing to compromised Web site:
Websense customers are proactively protected against this latest attack as our ThreatSeeker Network identified a malicious IRS scam hosted on the same domain only last week:
Websense Messaging and Websense Web Security customers are protected against this attack.
Websense® Security Labs™ ThreatSeeker™ Network has discovered a developing "reverse Vishing" attack in China.
The attackers have been posting fake telephone numbers to BBS sites alongside the names of legitimate organisations, in an attempt to associate those numbers with the customer support numbers of well-known Web properties. The use of search engine optimisation (SEO) poisoning techniques in this manner shows the increasing sophistication behind traditional telephone lottery scams. If users search for customer support information, the highest-ranking Web sites returned in Baidu or Google search results carry the fake phone numbers.
The attackers are using this in two ways. First, they send out spam email suggesting the recipient has won a lottery. Before sending the requested contact details, the user would naturally wish to verify these claims. Upon conducting a search in popular search engines, the user would see the fake telephone numbers associated with the customer support details.
Second, the high-cost telephone numbers are an additional revenue generator for the scam artists, and they add a layer of authentication to the scam. Unlike traditional Vishing, where automated voice systems call the victims in order to gain information, this attack uses social engineering to prompt the user into calling the fraudulent phone line. As of this morning, our China-based Security Labs team has confirmed that the fake telephone numbers are still active. The messages provide details to convince the user that the lottery fund is genuine.
As we have found so far, most of these numbers belong to the Hainan province in China. Many high profile names like Sina, Taobao, QQ, Tencent, etc., from portal sites to shopping sites, have been used as part of the attack. Dozens of fake telephone numbers are being used to lure users into dialing. This makes association with a single attack source more difficult. The scam artists post these fake phone numbers to some popular BBS and message boards because those BBS and message board Web sites have a high ranking returned in search engine results.
An example blog spam post to a high profile forum:
To illustrate the scale of the blog spam / comment spam technique used in this attack, Google and Baidu are currently indexing tens of thousands of Web sites containing the fraudulent telephone numbers.
Screenshot of the search results in the first page of Google:
Screenshot of the search results in the first page of Baidu:
Websense Web Security customers are protected against this attack.
Malicious Web Site / Malicious Code : MSNBC.com "BREAKING NEWS" Alert Update ...
Websense® Security Labs™ ThreatSeeker™ Network has discovered a new replica wave of fake celebrity news being sent out via spam emails. Similar to previous attacks related to 'MSNBC.com Breaking News' and 'Bogus CNN Custom Alerts', these emails contain links to a malicious Web page on a compromised site that is designed to encourage users to download a malicious application posing as a video codec. This malicious Web page also holds iframes leading to an exploit site.
Over the last few days, the ThreatSeeker Network has seen huge volumes of spam wrapped up in CNN and MSNBC themed templates. Recently, email alerts listing different popular events and news articles also encouraged users to download a video codec, which was actually a malicious file.
Here is a screenshot of a sample spam email:
The malicious payload is only accessed when the user clicks on the 'READ FULL STORY' link, which takes them to a Web page on a compromised site named index97.html. That page issues a pop-up encouraging users to download a "missing" video codec, a file called video98.exe.
Here is the screenshot of index97.html page showing the popup and download window:
The obfuscated source code from index97.html:
The source code from index97.html, deobfuscated by ThreatSeeker:
Here are a few examples of the varied subjects we have seen in this campaign:
Sensational news. Check the message. Breaking news! Be the first to know. Very important news. Astonishing Please take a look. Sensational information inside. Check this out. This is a bomb This is really great news. Please check.
Websense Messaging and Websense Web Security customers are protected against this attack.
Malicious Web Site / Malicious Code: Sunkist Web site: Mass Injection
Websense® Security Labs™ ThreatSeeker™ Network has discovered that a Sunkist site is infected with a mass JavaScript injection that delivers a malicious payload. The reporting page on the Sunkist NewsLINK site contains malicious JavaScript code that loads malicious payloads from nine different hosts. Sunkist is a popular drink in the USA, Canada, UK, Australia, and other parts of the world. (Please refer to the Sunkist entry on Wikipedia).
It is interesting to see how such attacks succeed against reputable Business-to-Business (B2B) and Business-to-Consumer (B2C) Web sites, because an injected site exposes its business peers, its own users, and other visitors.
Screenshot of the infected site:
Screenshot of the infected site's source:
Websense Messaging and Websense Web Security customers are protected against this attack.
Malicious Web Site / Malicious Code: China Netcom DNS cache poisoning
Websense® Security Labs™ ThreatSeeker™ Network has detected that the DNS cache on the default DNS server used by the customers of China Netcom (CNC) has been poisoned. When China Netcom customers mistype and enter an invalid domain name, the poisoned DNS server directs the visitor's browser to a page that contains malicious code. China Netcom is among the top ISPs in that country.
When users mistype a domain name, they are sometimes directed by their ISPs to a placeholder Web site with generic advertisements. This is typically an additional revenue source for the ISP. In the case of CNC, customers of this prominent ISP are directed to a Web site under the control of an attacker.
These malicious sites contain an iframe with malicious code that attempts to exploit, among other applications and plug-ins, the Microsoft Snapshot Viewer vulnerability which we reported on at the start of the month.
The following screenshots show an nslookup of a potentially mistyped domain name. The first shows an unaffected name server, while the second shows the poisoned name server:
Unaffected name server:
Poisoned DNS server:
A user querying an unaffected DNS server is taken through to a clean site:
A user querying a poisoned name server is taken to a malicious site under the attacker's control:
The malicious iframe points to a server in China hosting exploits for RealPlayer, MS06-014, MS Snapshot Viewer and Adobe Flash player.
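The nslookup comparison above, turned into a repeatable check as an added example (not Websense's code): the script builds a raw DNS query for a random label that should not exist, parses the reply with the standard library only, and flags a resolver that answers such a name with an address instead of NXDOMAIN, which is the behaviour described for the poisoned CNC server. The probe name, the transaction id and the 3-second timeout are assumptions; run probe() against the ISP resolver and a reference resolver and compare the verdicts.

```python
import random, socket, struct

def build_query(name, txid=0x1234):
    """Minimal RFC 1035 query for an A record, recursion desired."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack(">HH", 1, 1)

def _skip_name(data, pos):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = data[pos]
        if length >= 0xC0:                   # compression pointer: 2 bytes, ends the name
            return pos + 2
        pos += 1
        if length == 0:
            return pos
        pos += length

def parse_response(data):
    """Return (rcode, [IPv4 strings from A records in the answer section])."""
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack(">HHHHHH", data[:12])
    rcode, pos, addrs = flags & 0x000F, 12, []
    for _ in range(qdcount):
        pos = _skip_name(data, pos) + 4      # skip QTYPE and QCLASS
    for _ in range(ancount):
        pos = _skip_name(data, pos)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", data[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(data[pos:pos + 4]))
        pos += rdlen
    return rcode, addrs

def classify(rcode, addrs):
    """A resolver that answers a name that cannot exist with an address is suspect."""
    if rcode == 3 and not addrs:             # NXDOMAIN: the honest answer
        return "clean"
    if rcode == 0 and addrs:                 # NOERROR plus an A record for a bogus name
        return "suspect: bogus name resolved to " + ", ".join(addrs)
    return "inconclusive"

def probe(resolver_ip, timeout=3.0):
    """Ask resolver_ip for a random label that should not exist; return (name, verdict)."""
    name = "nx-%08x.com" % random.getrandbits(32)   # constructed probe name
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name), (resolver_ip, 53))
        data, _ = sock.recvfrom(512)
    return name, classify(*parse_response(data))
```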
Websense Messaging and Websense Web Security customers are protected against this attack.
Websense® Security Labs™ ThreatSeeker™ Network has discovered a new campaign of malicious spam posing as FedEx notifications.
The notifications claim to be from FedEx and explain that a package sent by the recipient in the past month was not delivered. The message carries an attachment that claims to be a copy of the invoice. The attachment is a zip file, but its contents are actually a Trojan Downloader.
This spam wave is a continuation of an ongoing theme used in recent months of using a parcel service invoice as the social engineering attack vector.
Here is a screenshot of the malicious email:
Websense Messaging and Websense Web Security customers are protected against this attack.