This Month in the Threat Webscape

09.11.2008 - 1:30 PM

Month of August 2008

Continuing with our series of monthly recaps of what's hot and what's not in the wicked world of Web threats, here is a summary of what happened in the month of August, 2008.

This month contained more incidents around notable world events such as the Olympics; and attacks carried out with the aid of big name reputable Web sites, such as MSN, Digg, Newsweek, and CNET. This pattern is consistent with what we have observed in our latest research report, also outlined below.

Follow our This Month in the Threat Webscape series to stay informed of emerging Web threats.



Malicious Web 2 dot uh-oh
Facebook continues to be plagued with outbreaks caused by a worm known as Koobface. Malicious links, disguised as links to popular video clips, prompt users to download a "codec" (and we should all know what these "codecs" really are by now - Trojan horses).

In a separate incident on Facebook, a proof-of-concept was released showing how a third party Facebook application can be used to hijack a user's session, and possibly send or read the user's messages. We've also blogged about malicious links spreading virally through social networking sites like Facebook, delivered directly to your Inbox.

As Web 2.0 tools such as Twitter continue to make headway into corporations as a way to improve customer intimacy and for branding, we begin to also see a parallel trend: the use of Twitter itself for malicious purposes.



Ex-tra, ex-ploits, read all about it!
Patch Tuesday this month brings us the joy (or lack thereof) of 11 security bulletins, 6 of which rated critical, for Microsoft products ranging from Internet Explorer, Windows Media Player, MS Office, and the Windows OS itself.

Ryan Naraine blogs on ZDNet that Microsoft has failed to ship certain patches due to "a last minute quality issue" - patches that Microsoft had pre-announced it would ship this month. An extended window of exposure, anyone? anyone?

In other Web threat news, the latest version of Opera has just shipped with at least 7 "extremely severe" flaws.

Cisco WebEx Meeting Manager users may also want to update their software, per CERT's alert on a vulnerability in the ActiveX Control, where visiting a malicious Web site could lead to the execution of arbitrary code on the victim's computer.



Major hits
CNET Networks, a media company owned by CBS Corporation, had one of its Web sites fall prey to attackers, who planted malicious code on CNET's site aiming to infect visitors to the site. Websense was the first to discover this attack and promptly reported it to CNET for action. The malicious code was observed to exploit a known integer overflow vulnerability in Adobe Flash (CVE-2007-0071). For more details on this compromise, view our alert here.

Digg, MSNBC, Newsweek, and MSN Norway were hit by a series of malicious third party banner ads, which led visitors to rogue security software sites and hijacked the clipboards of visitors. One of the vulnerabilities exploited was an integer overflow in Adobe Flash (CVE-2007-0071).

The Beijing Olympics is not to be missed, of course - even by the crooks. We alerted on an interesting Olympic lottery phishing scam that includes a phone call "verification" step to appear more legitimate and garner more trust from unsuspecting victims.

Sunkist, a popular drink in the USA, Canada, UK, Australia, and other parts of the world had its site infected with malicious JavaScript code that loads malicious code from nine different hosts. See our alert for more details.



Adobe Flash malicious redirectors and clipboard hijackers
This month saw a rash of emails being sent with links to .swf (Adobe Flash) files hosted on popular file hosting services. The emails touted free software updates. Within the Flash file were redirects to a malicious executable named "install.exe". This is yet another method to throw off security vendors, who must follow yet another trail before reaching the malicious payload.

The utility of Adobe Flash in carrying out mal-intent does not end there. This month also saw Flash being used in clipboard hijacking. Victims would find links to malicious rogue software sites in their clipboards, after visiting popular Web sites serving Flash banner ads that were crafted by the attackers - all without any explicit user-interaction, aside from simply visiting the Web site. A harmless proof-of-concept is available here.



Ham or Spam
This past month we have seen spammers continue to take advantage of good reputation in order to reach potential victims. From fake CNN Custom Alerts, which progressed to use MSNBC and BBC brands, spammers were using headlines ranging from the nondescript (How to save money on gas) to the topical (Michael Phelps wins 10th career gold, making him the greatest Olympian ever). The aim – for users to download a ‘missing’ codec. The rate – 5 million messages per hour.

The most convincing of these were the CNN and MSNBC fake alerts, which lifted content from legitimate alerts and changed the hyperlinks so that clicking on them would lead the user directly to a malicious Web site. There have also been reports of spammers taking advantage of clean IP addresses in the academic space to spam out messages and cause a DDoS for the education institution. Spammers have also begun to adopt the use of legitimate technologies to slip spam through filters. Also of note is spammers' innovation in the automation of email harvesting.
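The fake-alert technique above (legitimate body text, swapped hyperlinks) leaves a detectable trace: the link's visible text or the brand it imitates does not match the host the href actually points to. The following detector is an added example, not Websense's code; the sample alert HTML, the IP address and the cnn.com.example.net host are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in an HTML fragment."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):
    """Hostname of a URL, with any user@ prefix and :port stripped."""
    netloc = urlparse(url if "://" in url else "http://" + url).netloc.lower()
    return netloc.split("@")[-1].split(":")[0]

def registrable(host):
    """Crude eTLD+1 (last two labels); IP literals are returned unchanged."""
    if re.fullmatch(r"\d+(\.\d+){3}", host):
        return host
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host

def suspicious_links(html, brand_domains):
    """Return hrefs whose destination is neither the sender's brand domain
    nor the domain shown in the link text (the swapped-hyperlink pattern)."""
    parser = LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        dest = registrable(host_of(href))
        if dest in brand_domains:
            continue
        shown = re.search(r"([a-z0-9-]+\.)+[a-z]{2,}", text.lower())
        if shown and registrable(shown.group(0)) == dest:
            continue  # text and destination agree: a plain link to another site
        flagged.append(href)
    return flagged

# Constructed sample modelled on the fake CNN alerts described above.
SAMPLE_ALERT = """<p>CNN Alerts: Michael Phelps wins 10th career gold</p>
<a href="http://www.cnn.com/2008/SPORT/">Read the full story</a>
<a href="http://198.51.100.23/video/install.exe">Click here to watch the video</a>
<a href="http://cnn.com.example.net/">www.cnn.com</a>"""
```

Running `suspicious_links(SAMPLE_ALERT, {"cnn.com"})` flags the "install.exe" link and the look-alike host while passing the genuine cnn.com link.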



Gone Phishing
Rock Phishers, with their classic fast-flux infrastructure, have once again shown their appetite for user account credentials, running mass phishing campaigns against banks (recent attacks reported on Colonial, Lloyds, and Abbey). ISC reports that a well-formatted phish can score about a 10% click-through rate, whereas a targeted phish can score upwards of 80%.

Another emerging trend in phishing is phishes that bite back - when the Web site form is filled with junk information.



Don't touch that file! Malicious zip attachments (UPS, Fed Ex, Tax Invoice, Parcel)
Spammers and malware authors have increasingly been carrying out localized attacks (confined to one region and its language) as well as globalized ones. To improve their odds, spammers keep switching their themes to catch unsuspecting users, and each new theme gives the malware authors riding along with the spam another round of success.



DNS cache poisoning
The Security Labs discovered this month that a major Chinese ISP, China Netcom (CNC), has had its DNS cache poisoned. This attack resulted in its customers being redirected to a malicious site when the hostname in a URL is mistyped. Dan Kaminsky had earlier estimated during BlackHat this year that only about 60-70% of Fortune 500 companies have patched the reported DNS cache poisoning vulnerability. To this date, we are unable to confirm whether CNC's servers have been compromised or not. ZDNet has also picked up our story here.



Security Trends
We've recently published our report of the state of Internet security. Click for the full report (in PDF format). Key stats:
  1. 60% of the top 100 most popular Web sites either hosted malicious content or contained a masked redirect to lure unsuspecting victims from legitimate sites to malicious sites.
  2. More than 75% of the Web sites that Websense classified as malicious were actually sites with seemingly "good" reputations that had been compromised by attackers.
  3. More than 45% of the top 100 most popular Web sites support user-generated content.
  4. 29% of malicious Web attacks included data-stealing code.