2012 Websense Threat Report


Threat Report 2012

The Year in Review for Threats


data theft targeted attacks exploit kits

CONTENTS

EXECUTIVE SUMMARY ... 4

Part 1 ADVANCED THREAT STAGES ... 5
- Six-Stage Threat Model ... 5
- Malware Adoption Life Cycle ... 11

Part 2 WEB SECURITY ... 12
- Web Security Statistics ... 13
- Web Security Incident Blogs and Videos ... 14
- Facebook Profile ... 16
- Facebook and Defensio Blog Incidents ... 17
- Web Security Strategies ... 19

Part 3 DATA LOSS SECURITY ... 20
- Data Loss and Theft Blog Incidents ... 21
- Data Loss Theft Prevention Strategies ... 22

Part 4 EMAIL SECURITY ... 23
- Email Security Statistics ... 24
- Email Security Blog Incidents ... 25
- Email Security Strategies ... 27

Part 5 MOBILE SECURITY ... 28
- Mobile Security Blog Incidents ... 30
- Mobile Security Strategies ... 31

Part 6 REGIONAL SECURITY ... 32

WEBSENSE SECURITY INTELLIGENCE ... 35
- ThreatSeeker Network ... 36
- The Websense Difference is ACE ... 36
- Defensio ... 36
- Websense Security Labs ... 37

SUMMARY ... 38
APPENDIX ... 39
ABOUT WEBSENSE ... 40

VIDEO LINKS
- Malware Adoption Life Cycle ... 11
- Zero-Day Vulnerability in WordPress ... 15
- Microsoft File Classification Infrastructure (FCI) ... 22
- Increase in Cybercrime in Canada ... 32
- ACE (Advanced Classification Engine) ... 36
- Defensio ... 36
- Websense Security Labs Technical Advisory Board ... 37
- Stephen Chenette Presenting on Fireshark ... 37
- Websense Security Labs Predictions for the Upcoming Year ... 39

EXECUTIVE SUMMARY
The Year in Review
The year in review for threats hit on three themes: data theft, targeted attacks, and exploit kits. Almost all attacks now involve a web component and take advantage of the human element as the weakest link. Social engineering combined with social profiling and geo-location variables provides easy entry for targeted attacks. Yesterday's high-volume attacks are quickly caught by threat-monitoring radar systems, so they have been replaced with focused sniper attacks that use exploits for a clear shot of threat delivery. The static web world is history. Everything today is dynamic. The dynamic delivery of lures, the use of dynamic downloads, and dynamic call-home traffic used in advanced threats are the rule. And the tactics get more sophisticated each month. Malware adoption life cycles are driving faster attack innovation, leading to under-the-radar targeted attacks on specific individuals. And attacks are increasingly aimed at application vulnerabilities that are discovered by exploit kits (and less at operating systems, thanks to automated patch cycles). Defenses are entering an era of big data and machine analysis to create predictive defenses that adjust automatically to content assessment variables in real time. Defense assessments must be made right when a user accesses desired web content, not weeks, months, or a year earlier. And to be effective, today's defenses need to provide containment, because most traditional defenses do not analyze outbound traffic, which is where you have to look to detect data theft. Protecting data is absolutely a weak point for most organizations. Attacks can be described in six stages: lures, redirects, exploit kits, dropper files, call-home communications, and data theft. Each stage has unique characteristics that need specific defenses. Traditional defenses have focused for years on the fourth stage, looking for malware files. However, attacks now use unique dropper files that go undetected by traditional defenses for hours or days during attack analysis.

An executive review of the numbers from the year in review shows the following:

- 82% of malicious web sites are hosted on compromised hosts
- 55% of data-stealing malware communications are web-based
- 43% of the activity inside of Facebook is categorized as streaming media
- 50% of malware connections lead to the United States
- 60% of phishing attacks are hosted in the United States
- 36% of malware is hosted in the United States

After the United States, Canada and Russia are the top two hosts of unwanted content. Having more than 8 out of 10 malicious websites hosted on compromised hosts is unacceptable for a society that is moving to the cloud as a backbone for commerce, communications, and culture. Because almost no organizations mass-block domains from the United States or Canada, they are logical choices for malware communications, hosting, and phishing. Facebook users now frequently post video links with status updates. The Websense partnership with Facebook provides a unique position to understand content activity within social circles. Streaming media ranks first within Facebook, and cybercrime has responded by increasing its use of video lures. In summary, social networking continues to dominate communications as mobility and cloud computing extend security perimeters into devices, networks, and apps that we no longer control. What is left in our control is our data. And the shift to risk management and defenses to protect confidential data is urgent and imperative.

The Breadth and Depth of Modern Attacks

Part 1 Advanced Threat Stages


More than 80% of today's attacks require multi-stage defenses for protection.
Charles Renert, Vice President, Websense Labs

Security used to be easy: patch your software and update your AV (antivirus), and you'll have an effective defense. Websense Security Labs proved the ineffectiveness of this old strategy. They analyzed a four-month period with six vulnerabilities. And they found that if an organization deployed the patches immediately, they were still open to vulnerabilities 88% of the time. Exploit kits focus on these windows of opportunity. Yes, updating software patches and AV signatures is a good security practice and is still advised. However, it is not a front-line defense for today's advanced threats. Consider, too, how poor AV is at detecting the incidents within this report.

SIX-STAGE THREAT MODEL


If you want to develop and manage an effective defense, you need to understand how advanced threats work. In this section we describe a six-stage model, along with examples and questions that will help you evaluate your current and planned defenses.

CYBERCRIME OPERATIONS (the six stages, from the lure through to data theft)

1. LURE: Two types, email and web (for example, free gift offers).
2. REDIRECT: Funnels and sends the user to a hidden server.
3. EXPLOIT KIT: The user's system is inspected for an open vulnerability.
4. DROPPER FILE: If a vulnerability exists, a malware dropper file is delivered.
5. CALL HOME: Calls home for more malware to expand the attack.
6. DATA THEFT: Cybercrime reaches out into internal systems for data to steal.
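The model above is also a correlation rule: each sensor in a network tends to see only one stage, and the question a defender wants answered is how deep the chain got on each host and whether the outbound stages (call home, data theft) were reached, because those are the ones that call for containment rather than cleanup. The following Python script is an added example, not code from the Websense report. It parses a small set of constructed events (the sensor names, hostnames, domains and the "sensor host event detail" line format are all assumptions of this example), maps each event to its stage, and reports the deepest stage per host together with the stages no sensor reported, which a practitioner should read as a visibility gap rather than as proof that nothing happened.

```python
"""Correlate sensor events against the six-stage threat model (added example)."""
import re
from collections import defaultdict

# Constructed sample events from four hypothetical sensors (mail gateway, web
# proxy, endpoint AV, DNS). The line format "sensor host event detail" is an
# assumption of this example, not a Websense log format.
SAMPLE_EVENTS = """\
mail  ws-101 lure        subject="DELIVERY CONFIRMATION FROM FedEx 4417" url=http://lure.example.test/track
proxy ws-101 redirect    from=http://lure.example.test/track to=http://hidden.example.test/x.php
proxy ws-101 exploitkit  url=http://hidden.example.test/x.php pdf=1 jar=1
av    ws-101 dropper     file=update.exe verdict=unknown
dns   ws-101 callhome    qname=c2.dyn.example.test note=dynamic-dns
proxy ws-101 exfil       dst=http://c2.dyn.example.test/up bytes=51200
mail  ws-202 lure        subject="Your FEDEX id.9912" url=http://lure.example.test/track
proxy ws-202 redirect    from=http://lure.example.test/track to=http://hidden.example.test/x.php
proxy ws-202 exploitkit  url=http://hidden.example.test/x.php clean_redirect=1
"""

# Event type -> stage number in the report's six-stage model.
STAGES = {"lure": 1, "redirect": 2, "exploitkit": 3,
          "dropper": 4, "callhome": 5, "exfil": 6}
STAGE_NAMES = {1: "lure", 2: "redirect", 3: "exploit kit",
               4: "dropper file", 5: "call home", 6: "data theft"}

LINE_RE = re.compile(r"^(?P<sensor>\w+)\s+(?P<host>\S+)\s+(?P<event>\w+)\s+(?P<detail>.*)$")


def parse_events(text):
    """Turn the raw sensor lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def correlate(events):
    """Per host: which stages were observed, the deepest stage reached, and the
    response the model implies (outbound stages 5 and 6 call for containment)."""
    seen = defaultdict(set)
    for ev in events:
        stage = STAGES.get(ev["event"])
        if stage is not None:
            seen[ev["host"]].add(stage)

    report = {}
    for host, stages in seen.items():
        deepest = max(stages)
        # Stages the model expects before the deepest one that no sensor reported:
        # a visibility gap, not evidence that the stage was skipped.
        gaps = [s for s in range(1, deepest) if s not in stages]
        if deepest >= 5:
            action = "contain"       # outbound traffic seen: isolate host, block destination
        elif deepest == 4:
            action = "investigate"   # unknown file landed; an AV verdict alone is not enough
        else:
            action = "monitor"       # lure/redirect/kit probe with no evidence of delivery
        report[host] = {
            "stages": sorted(stages),
            "deepest": deepest,
            "deepest_name": STAGE_NAMES[deepest],
            "gaps": gaps,
            "action": action,
        }
    return report


if __name__ == "__main__":
    for host, summary in correlate(parse_events(SAMPLE_EVENTS)).items():
        print(host, summary)
```

In the constructed data, ws-101 reaches stage 6 and is marked for containment, while ws-202 was probed by the exploit kit but, as the report describes for users with no open vulnerability, was sent to a clean page and stops at stage 3.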


Stage 1 Lures

Web lures prey on human curiosity and have moved into private social circles between friends within social networking. Already common is Search Engine Optimization (SEO) poisoning, leveraging natural disasters, and using celebrity events as lures. Newer trends include free gifts for completing fake surveys, videos about ex-girlfriends and boyfriends, must-see and greatest-ever videos, the ability to see who has looked at your social profile, and also Twitter and YouTube lures. Noting that more than 42% of Facebook activity is streaming media, the video lures slip right into the vast world of social networking. Below is a more complete list of examples of web lures.

- SEO Poisoning
- Like-Jacking
- YouTube Scams
- Twitter Scams
- FREE Gift Offers
- MUST SEE Videos
- Celebrity Events
- Natural Disasters
- Targeted Email
- Alert/Event Email
- Social Profiling
- Fake Surveys
- Fake Facebook Photos
- Deaths & World News
- Profile Creeper/Watcher
- Ex-Girlfriend Topics
- Typo-Squatting
- Hives
- Hidden Camera
- Guestbook Entries
- Blog Posting

Email lures are less social and event-based, as they lean towards an expected notification that you are likely to allow through a spam filter. The top five email lure topics are: Order Notifications, Ticket Confirmations, Delivery Notices, Test Emails, and Tax Refund Information. More specific examples of email lures are below.

Top Five Email Lures: Orders, Tickets, Delivery, Test, Tax Refund

Example email lure subject lines:
- DELIVERY CONFIRMATION FROM FedEx [Reference Number]
- FedEx DELIVERY CONFIRMATION [Reference Number]
- Your FEDEX id.[ReferenceNumber]
- Wrong transaction from your credit card in The [Hotel Name]
- Changelog: [Reference Number]
- Re:Fw: Intercompany inv. from [Organization Name] Corp
- From USPS [Reference Number]
- DHL id. [Reference Number]
- DHL ATTENTION [Reference Number]
- Your credit card is blocked

Targeted attacks come in low volume to specific individuals (often for known upcoming events or expected meetings divined through social profiling), whereas broad attacks will use video, news, or celebrity lures in social networking. How comfortable are you with your current defenses' ability to analyze content within private social circles to identify lures and protect users? Is threat intelligence between web and email shared and correlated? Does it recognize and reflect that 92% of email spam has a URL? Today, a good email defense starts with a great web defense.


Stage 2 Redirects

Mature redirects are SQL injections and iFrame injections that take users blindly down a path to web services, content, and often to offers that they do not desire. Malvertising (malware advertising) also blindly redirects users within popular sites. Newer redirects include social networking wall postings, fake plug-ins, fake certificates, and heavily obfuscated JavaScript. The goal for a blind or hidden redirect, or for a lure, is to herd users onto a desired path for analysis by an exploit kit, to a survey, a rogue AV offer, or a fake web page. As redirects are often dynamic and fast changing, defenses need to be able to assess web links in real time. The report shows a screenshot of an infected app within Facebook that redirects to a malicious link, alongside the redirect examples listed below.

- iFrame Injection
- SQL Injection
- Wall-Postings
- Malvertising
- Obfuscation Techniques
- JavaScript
- Active Content
- Dynamic Variables (Twitter ratings)
- Fake CA Certificates
- Fake Plug-ins


Stage 3 Exploit Kits

One of the more powerful and effective stages of an advanced threat is the exploit kit, with Blackhole being one of the leading exploit kits for the year in review. In the past, the objective was to lure users, redirect them down a path, and then dump a malware file on their systems. This led to quick detections by threat labs and gave the attack a very short life. However, in a few minutes or an hour, many people could still be impacted. The exploit kit objective is more like that of a sniper: take the shot with a malware dropper file only when an open door for tested vulnerabilities is found. If no open vulnerability is found, then redirect the user to a clean web page and remain hidden. The report shows a screenshot of the Blackhole exploit kit interface next to the examples and vulnerability topics listed below. Understanding exploit kits is important to advanced threat analysis and developing real-time defenses. Blackhole uses criminal encryption, which makes it difficult to detect with AV engines and generic de-obfuscation tools. If your only defense at the web gateway is AV, then the odds of exploit kits successfully penetrating your systems through vulnerable applications are high.

- Blackhole Exploit Kit (encrypted, custom; Java OBE + JAR files)
- Neosploit Exploit Kit (ActiveX, Adobe Reader)
- Missing Software Patches
- Zero-day Vulnerabilities
- Adobe & Java Exploits
- Browser Vulnerabilities (Chrome, Firefox, IE, Opera)
- TrueType Font (Duqu)
- WordPress TimThumb


Stage 4 Dropper Files

This stage has the most attention and is what most people consider the focus of their forward-facing defenses: analyze every file that comes into the network for malware. The problem today is that dropper files use dynamic packers, so known signatures and patterns are not available. As many incident reviews and links to Websense Security Labs blogs show within this report, very few AV engines detect dropper files at the time of threat analysis. The IDC quote at the beginning of this section on web security is a wake-up call to analyze your defenses. What do you have beyond AV for advanced threats and data theft protection? One of the most popular dropper files is Rogue AV, or the fake scan and offer to clean your system. Traditionally focused at Windows systems, new versions are now being seen on Apple computers with names like Mac Defender or Protector. Below are some examples of dropper files; the report also shows a screenshot of VirusTotal (www.virustotal.com), an online website that will test files or URLs with more than forty AV engines.

- Rogue AV
- Mac Defender
- Information Harvesting
- Fake Apps & Surveys (CPA)
- Browser Plug-ins
- Malware Droppers
- Trojan Droppers (Zeus/Zbot Trojan)
- Mal-PDF

Average day-zero attacks per day undetected by the top 5 anti-virus engines but detected by Websense multi-stage defenses (chart values, paired with years in the order they appear in the chart):

Year | Average day-zero attacks per day
2008 | 153
2009 | 298
2010 | 409
2011 | 641


Stage 5 Call Home

This stage and the next suggest that no set of defenses is 100% effective and that containment is the new defense for data theft protection. Cybercrime only needs one entry point into a network to start an infiltration aimed at stealing data. Calling home for malware downloads and tools, and for sending back information, is standard fare for any successful online attack. The problem is that most defenses are only forward-facing and do not analyze outbound traffic from infected systems. The use of dynamic DNS is a common attack method to avoid call-home detection to static addresses. However, it also lends itself to a new defense for call-home analysis: infected systems and bots calling back to command and control servers are blocked from using dynamic DNS, while users can opt to continue on to trusted sites. Geo-location awareness is another call-home defense; however, as noted in the executive summary, malware communications, hosting, and phishing are mainly within the United States, domains that few policies will block. Destination awareness in the context of data loss prevention is also emerging within this stage. Contextual analysis of the data, user, destination, and other variables is an advantage to policies so that confidential information is not sent to personal web mail, social networking accounts, or posted within private cloud storage apps. What defenses do you have that analyze outbound traffic for call-home advanced threat communications?

Sophistication of call-home tactics using Twitter, DNS, VoIP and other open communication channels continues to advance for command and control.

Stage 6 Data Theft


The headlines for the year in review made data theft a top concern for many industries. The ability to contain an attack and stop data theft raises many questions. Can your defenses detect password files leaving your network or the use of criminal encryption on outbound files? Data theft where confidential information is exported in low volumes per request (drips) to avoid detection over a defined period of time should also be considered. Forensic reporting that shows what data was blocked by data-theft defenses from leaving an organization completes the picture. To summarize, defenses against advanced threats and data theft should cover all six stages. And to be effective, it all has to be backed by research teams and extensive security intelligence networks. One of the challenges for web security is the depth of understanding in our very fast-paced world of threats and changing attack techniques. It is estimated that only 15-20% of individuals involved with online security defenses have the time to follow and fully understand the scope of advanced threats and data theft. And the next subject does not make it any easier.
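Stages 5 and 6 both come down to the same operational task: look at outbound traffic, which the text notes most forward-facing defenses never inspect. The Python script below is an added example written for this page, not code from the Websense report or its products. It runs three of the checks the two stages call for over a constructed proxy log: flagging destinations under dynamic-DNS suffixes (the suffix list here is a placeholder, as is every hostname and host label), detecting the "drip" pattern of many small uploads to one destination that individually stay under a per-request threshold, and measuring the entropy of an upload body to spot criminal encryption on outbound files. The thresholds are assumptions a deployment would tune.

```python
"""Outbound-traffic checks for call-home and drip data theft (added example)."""
import math
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed placeholder dynamic-DNS suffixes; a real deployment would load a
# maintained list of dynamic-DNS providers.
DYNAMIC_DNS_SUFFIXES = ("dyn.example", "ddns.example")

# Constructed proxy log: "timestamp host method destination bytes_out".
# ws-101 sends 30 small POSTs (3 KB each, every two minutes) to a dynamic-DNS host;
# ws-202 browses normally and makes one large, legitimate upload.
SAMPLE_LOG = "\n".join(
    [f"2012-01-10T09:{m:02d}:00 ws-101 POST files.c2.dyn.example 3000" for m in range(0, 60, 2)]
    + ["2012-01-10T09:05:00 ws-202 GET www.news.example 0",
       "2012-01-10T09:30:00 ws-202 POST mail.example 120000"]
)


def parse_log(text):
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, host, method, dst, bytes_out = parts
        records.append({"ts": datetime.fromisoformat(ts), "host": host,
                        "method": method, "dst": dst.lower(), "bytes_out": int(bytes_out)})
    return records


def is_dynamic_dns(dst):
    return any(dst == s or dst.endswith("." + s) for s in DYNAMIC_DNS_SUFFIXES)


def find_drips(records, window=timedelta(hours=1), max_req_bytes=4096,
               min_requests=20, min_total=50_000):
    """Many small uploads to one destination within a sliding window: the 'drip'
    pattern that keeps each request under a per-request DLP threshold."""
    groups = defaultdict(list)
    for r in records:
        if r["method"] == "POST" and r["bytes_out"] <= max_req_bytes:
            groups[(r["host"], r["dst"])].append(r)
    findings = []
    for (host, dst), rs in groups.items():
        rs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(rs)):
            while rs[end]["ts"] - rs[start]["ts"] > window:
                start += 1
            count = end - start + 1
            total = sum(r["bytes_out"] for r in rs[start:end + 1])
            if count >= min_requests and total >= min_total:
                findings.append({"host": host, "dst": dst, "requests": count, "bytes": total})
                break  # one finding per (host, destination) pair is enough
    return findings


def shannon_entropy(data):
    """Bits per byte; compressed or encrypted data sits close to 8.0."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_encrypted(body, threshold=7.5, min_len=256):
    """High entropy over a body large enough for the estimate to mean something."""
    return len(body) >= min_len and shannon_entropy(body) >= threshold


def analyze(log_text):
    """Return a list of (host, destination, rule) findings for the log."""
    records = parse_log(log_text)
    findings = []
    seen = set()
    for r in records:
        key = (r["host"], r["dst"])
        if is_dynamic_dns(r["dst"]) and key not in seen:
            seen.add(key)
            findings.append((r["host"], r["dst"], "dynamic-dns-destination"))
    for f in find_drips(records):
        findings.append((f["host"], f["dst"], "drip-exfil"))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(*finding)
```

The drip rule deliberately ignores single large uploads (ws-202's 120 KB POST) because they are what a per-request size limit already catches; the point of the sliding window is the traffic that was shaped to stay beneath that limit. The entropy check is a heuristic: legitimate compressed uploads (archives, images) also score high, so it belongs in a scoring rule with destination and user context, as the text's "contextual analysis" suggests, rather than as a block-on-its-own rule.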

WEBSENSE MALWARE ADOPTION LIFE CYCLE


The malware adoption life cycle describes how newly developed advanced threat techniques and intelligence move from well-funded organized criminals to the masses of the cybercrime world. When advanced techniques quickly become widely available at very low cost, and especially when they use attacks that are targeted at specific individuals, effective security becomes challenging for organizations of every size. For example, the Blackhole exploit kit is rented to attackers, and the more effective the tool, the more customers and resulting revenues are generated for the authors or controllers of the exploit kit. The accompanying figure shows a typical adoption life cycle for new technologies, products or trends. Applying the Adobe Reader vulnerability (CVE-2010-0188) to the malware adoption life cycle shows the rate of acceleration for adoption. Over time, the cost to acquire exploit kits drops and thus expands use, until eventually defenses catch up and the effectiveness of the kit declines. But when you combine exploit kits and custom encryption to evade AV detection with the acceleration of new attack techniques and vulnerabilities in the malware adoption cycle, and consider that even perfect patch management still leaves large windows of exposure, the advantage goes to cybercrime.

Figure: Websense Malware Adoption Life Cycle

Websense Malware Adoption Life Cycle Video

The malware adoption life cycle shows how advanced attack techniques migrate into easy-to-use exploit kits for the underground masses. For example, as noted in the above incidents, multiple vulnerabilities are packaged into the Blackhole and Phoenix exploit kits for attacks that evade AV defenses time after time. Techniques that were once only available to well-funded and patient state-sponsored attackers quickly find their way into the wild within weeks. And after a few months they are often used within affordable exploit kits impacting tens of thousands of compromised users. Video Link: http://wb-sn.com/GJrFNf

Figure: Adobe Reader Vulnerability (CVE-2010-0188) applied to the malware adoption life cycle

Part 2 WEB SECURITY


Insights and Lessons
The web is the largest entertainment platform, surpassing all other forms of media. The entertainment factor of the web leads to lures that mine the natural curiosity of humans. While the concept of cybercrime hiding behind the next corner is popular, lures leading to threats are often in the open, clearly visible and viral in nature. Cybercrime is visible, but masked by the volume and absurdity of online communications in a dynamic environment.

Video lures stood out for the year in review, often with claims of shocking or exhibitionist themes; many examples are listed in the web security blog incidents section. Blackhat SEO poisoning declined as lures and redirects moved into social networking, blogs and tweets. Selective delivery of malware dropper files was determined by exploit kits that detect open vulnerabilities. Web threats now focus more on application vulnerabilities and less on operating systems. One application on multiple platforms can open an exploit door for cybercrime even if the underlying operating systems have secure ratings.

Social circles continue to create private communications between associates, friends and family. Harvesting social networking credentials opens the door for cybercrime to leverage a trusted relationship to introduce lures. Users with the same password for multiple online accounts make the situation worse: access credentials for social networking accounts may provide access to online financial accounts or other confidential information.

Consumerization and enablement are fed by free gift offers or rewards for very little effort. Increasing online communications develop behavioral patterns of anonymity, extroversion, multi-tasking leading to less focus, instant gratification, and impatience, creating an optimal environment for cybercrime to strike and leverage the weaknesses of humanity. One click continues to open the door for cybercrime.

The majority of threats today involve a web component for lures, redirects, finding vulnerabilities, malware delivery, calling home or stealing data. An insecure web environment undermines trust, confidentiality, business enablement and reputations. Helpdesk incidents, malware infections, system refreshes, data theft and regulation violations are the barometers. Web security today is about context and containment in a real-time predictive analysis environment to reduce risk.

Your social media identity may prove more valuable to cybercriminals than your credit cards.
2012 Security Predictions, Websense Security Labs


Web Security

WEB SECURITY STATISTICS


One of the most interesting statistics from the year in review is that 82% of malicious websites are hosted on compromised hosts. This means cybercrime has full access to all elements and data, because the host's access credentials have been compromised. Next on the list is that 43% of requests inside of Facebook are for streaming media (the second-ranked category, news and media, is far below that at 8%). The importance of these statistics becomes apparent when you correlate them to the growth of video lures to threats, scams, fake gift offers, and surveys inside of Facebook. Another major trend is how more malware redirects, malware hosting, and phishing are occurring in trusted locations like the United States and Canada. Almost no organization is going to block U.S. domains (the web experience for users would be impacted too severely). So it makes sense for cybercriminals to leverage these trusted web locations. Like the U.S., only Germany shows up in all three lists within the top five. Below, we provide more details on the top five locations for malware connections, malware hosting, and phishing. Year over year there was a significant drop in Blackhat SEO poisoning leading to malware, thus resulting in safer search results. This reduction comes at the expense of strong evidence of cybercrime activities increasing within social networking, Twitter, and blogging.

Charts: Top 5 countries for malware redirects; Top 5 countries hosting malware; Top 5 countries hosting phishing. The United States leads all three charts (50.1% of malware redirects, 36.3% of malware hosting and 59.9% of phishing hosting, consistent with the rounded figures in the executive summary). The other countries that appear across the three top-five lists are Canada, Germany, Russia, France, the Netherlands, Singapore, China, Egypt and the U.K.; their individual percentages cannot be recovered from the extracted chart labels.

WEB SECURITY BLOG INCIDENT & VIDEO HIGHLIGHTS

Websense Security Labs produces an award-winning blog that provides education and details on threats and attack tools used by cybercrime. Below are some of the most relevant for the year in review, plus a short executive summary.

Web attacks follow a pattern similar to exploit kits. Lures in black hat SEO poisoning, Facebook social networking viral scams, Twitter scams, YouTube video scams, or email phishing lead to web servers hosting exploit kits, with one of the most popular in the wild being the Blackhole exploit kit. Its goal is to find exploitable vulnerabilities silently on a victim's machine to deliver a dropper file with malware when conditions are met. If not, then the user is redirected to a common site to continue surfing the web. To learn more about the Blackhole exploit kit from Websense Security Labs, see the link under the Blackhole Exploit Kit entry below.

Free Gifts for Google's Birthday

Free gifts such as a MacBook Air, iPad, or iPhone 4 lure users into phishing attacks and malware downloads when they mistype popular names in Google, Facebook, and YouTube, or popular domains in their browser. The ACPA act of 1999 was designed to stop the illegal registering of domains confusingly similar to a popular domain or brand. However, typo-squatting remains popular with cybercrime. One recent example was a "Free gifts for Google's birthday" scam, while short gift-option surveys on Facebook and YouTube, often leading to phishing and malware attacks hidden behind the images, are increasingly appearing. While domain registrations for typo-squatting should be protected, no act protects users in social media or search engines. Websense customers with ACE defenses at gateways are protected from typo-squatting attacks.

http://wb-sn.com/GS7BHP

Blackhole Exploit Kit

http://wb-sn.com/GR4uSS
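Typo-squatting works because the difference between the brand a user meant to type and the domain they reached is one keystroke: a doubled letter, a dropped one, or two adjacent letters swapped. A gateway or DNS-log check can score exactly that distance. The Python below is an added example, not code from the Websense report or from ACE. It strips a requested hostname down to its registrable label, computes the optimal string alignment distance (edit distance with adjacent transpositions) to a short list of protected brands taken from the incident text, and classifies the request; the public-suffix handling is a deliberately small constructed set, and the brand list and thresholds are assumptions of the example.

```python
"""Flag requested hostnames that look like typo-squats of protected brands (added example)."""

# Brand labels named in the report's incident (Google, Facebook, YouTube).
PROTECTED = ("google", "facebook", "youtube")

# Two-label public suffixes handled here; a production tool would consult the
# Public Suffix List instead of this short constructed set.
TWO_LABEL_SUFFIXES = {("co", "uk"), ("com", "au"), ("co", "jp")}


def osa_distance(a, b):
    """Optimal string alignment distance: insertions, deletions, substitutions
    and adjacent transpositions each cost 1 (the edits real typos make)."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def registrable_label(host):
    """The label the user actually typed the brand into: the one left of the public suffix."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and tuple(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return labels[-3]
    if len(labels) >= 2:
        return labels[-2]
    return labels[0]


def classify(host, protected=PROTECTED):
    """Return (verdict, brand_or_label): 'legitimate', 'typosquat',
    'brand-embedded' (brand inside a longer label, as in gift-offer domains) or 'unknown'."""
    label = registrable_label(host)
    if label in protected:
        return ("legitimate", label)
    best_brand, best_dist = None, None
    for brand in sorted(protected):
        dist = osa_distance(label, brand)
        if best_dist is None or dist < best_dist:
            best_brand, best_dist = brand, dist
    # Allow one typo for short brands, two for long ones (8+ characters).
    threshold = 2 if len(best_brand) >= 8 else 1
    if best_dist <= threshold:
        return ("typosquat", best_brand)
    for brand in sorted(protected):
        if brand in label:
            return ("brand-embedded", brand)
    return ("unknown", label)


if __name__ == "__main__":
    for h in ("www.google.com", "www.gooogle.com", "goolge.com",
              "facebok.co.uk", "google-birthday-gifts.com", "example.com"):
        print(h, classify(h))
```

The "brand-embedded" verdict is the weaker signal of the two: plenty of legitimate third-party sites embed a brand name, so it is a candidate for review or a warning page rather than a block, whereas a one-edit distance from a protected brand on a domain the organization has never seen before is a strong enough signal to act on.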

Poisoned Google Image Searches

Google image searches show new trends in black hat search engine optimization (SEO) campaigns. Analysis shows use of the Neosploit exploit toolkit with variants leveraging MDAC, ActiveX, and three Adobe Reader vulnerabilities among others. In one search result analysis, a path titled TF19, apparently used to identify the campaign, resulted in a heavily obfuscated malicious PDF file that only 6 out of 40 AV engines on VirusTotal detected at the time of analysis. In a second search analysis, a Rogue AV dropper file was delivered that only 20% of AV engines on VirusTotal detected at the time of analysis. Websense customers with ACE defenses at gateways are protected from these image search attacks.

http://wb-sn.com/GJZsqM

Twitter Trends to Create Dynamic URLs

Injection attack techniques advanced during the year, with one attack using the Twitter Trend Service to dynamically create two unique redirect URLs per day. This sophisticated attack hit more than 10,000 websites with a very large injection of code using five layers of obfuscation techniques to conceal the final redirection code. The redirect selected one of the many servers hosting the Blackhole Exploit Kit and, if successful, resulted in a Rogue AV dropper file on the victim's system.

http://wb-sn.com/GS6msp

DigiNotar Rogue Certificates Issued

DigiNotar, a Dutch certificate authority, was recently compromised and several SSL certificates were illegitimately issued. While most were revoked in the subsequent investigation, one for *.google.com was missed. With the rogue certificate issued by a trusted CA, it's possible to do Man-in-the-Middle (MITM) attacks and listen in on any traffic going to Google's services, such as Google Mail, Google Docs, Google Plus, and Google Apps, without any visible warnings to users.

http://wb-sn.com/GRpwzo
Fake Tweets in Twitter

Major news events continue to provide opportunities for cybercrime to lure in victims. The attack on Osama Bin Laden opened up a flurry of fake CNN tweets in Twitter that he was still alive, with a link to a phishing page to harvest Twitter account credentials. After entering Twitter credentials, the victim was led to a CNN video on the event. Trendistic noted that the scam accounted for 1% of all tweets in an 8-hour period, averaging around 200 tweets per minute. The attack likely used harvested accounts to automatically send more tweets for the scam to expand. Once Osama's death had been confirmed, cybercrime moved into Facebook with a similar harvesting scam. Later in the year, at the time of Colonel Gaddafi's capture and death, Gaddafi ranked at the top of Twitter trends for some time, providing cybercrime another lure for spam and malicious attacks. Websense customers with ACE defenses at gateways are protected from these scams.

http://wb-sn.com/GIIQwi

Java Exploit Code within Web Page

Direct exploit code injections to websites are not as popular as the redirect scenario above. However, a Rogue AV attack recently placed exploit code within legitimate web pages with no redirects. The code leveraged a Java exploit in the Java Runtime Environment (JRE) that would enable IE, Firefox, and Opera browsers to run an applet leading to Rogue AV. Customers are reminded to keep Java versions updated and that they are protected with ACE defenses from Websense.

Comodo Rogue Certificates Issued

Comodo, a certificate vendor, announced that nine rogue SSL certificates had been bought and issued for the following domains:
- mail.google.com (Gmail)
- login.live.com (Hotmail and Microsoft Live services)
- www.google.com
- login.yahoo.com (three different certificates)
- login.skype.com
- addons.mozilla.org (Firefox extensions)
- Global Trustee

Comodo notes that a user account at one of their affiliate partners was compromised and used to issue the rogue certificates. The attacker used several IP addresses when doing this, but mainly used an IP address from Iran. According to the investigation done by Comodo, the attacker was very quick to issue the certificates, knew exactly which domains to issue them for, and didn't waste any time when doing this.

http://wb-sn.com/GIJSs3

Duqu Dropper File Discovered

When Duqu, believed to be created by the same group as Stuxnet, was uncovered, the infection vector was still unknown. That changed when Hungarian research lab CrySys announced that it had found the dropper file, which was a Word file using a new zero-day vulnerability in how Windows parses TrueType fonts. Microsoft confirmed a vulnerability exists within TrueType Font parsing. An attacker could use this vulnerability to run arbitrary code in kernel mode. Vulnerabilities that allow the attacker to run code directly in kernel mode are very rare, and the attacker could, for example, create new user accounts with full access rights. Microsoft released a remediation tool to fix the vulnerability. Websense is an active member of the Microsoft MAPP program and works proactively with Microsoft to protect customers. Any website trying to download a file with this vulnerability is blocked by Websense's Malicious Websites security category.

http://wb-sn.com/GJhJja

http://wb-sn.com/GSXxgG

Zero-Day Vulnerability in WordPress

The popular TimThumb plug-in for image re-sizing in WordPress blogs contained a zero-day vulnerability that impacted more than 10,000 websites using WordPress. As with all zero-day vulnerabilities, the race is between cybercrime, which moves quickly to exploit the vulnerability, and the developer, who must patch it. The attack started out delivering ads at the end of blogs, and then a second injected domain led to malware.

Rogue AV hits Mac OS

The popularity of Apple Mac OS X has started to draw interest from cybercrime. In 2009, Mac OS only had 34 vulnerabilities; in 2010 that number grew to 175, and in 2011 many of the patches cover vulnerabilities for remote code execution. The general theory is that malware and exploits designed to target Windows systems do not operate on Mac OS. That feeling of false security changed during the year, with do-it-yourself (DIY) kits now producing executables for Mac OS with Rogue AV screen captures representing the Mac graphical experience. Mac Protector, Mac Defender and Mac Security all have the same objective: to trick Mac users into paying to clean fake infections and to collect personal and credit card information. Like attacks on Windows systems, it all starts with lures in email phishing attacks, Facebook, Twitter, and YouTube scams, plus search engine poisoning.

http://wb-sn.com/GJSxcE VIDEO LINK: http://wb-sn.com/GIKlut

http://wb-sn.com/GKVLQb

Blended Threat with Steve Jobs Status

The death of Steve Jobs, Apple founder and CEO, led to email phishing scams that claimed he was still alive. The link path led to servers with the Blackhole Exploit Kit and eventually Rogue AV. The download file contact.exe used in the attack was detected by only 5 out of 43 AV engines in VirusTotal at the time of analysis. Websense customers with ACE defenses were protected.

http://wb-sn.com/GHLamK



FACEBOOK PROFILE
Websense started partnering with Facebook in October 2011 to provide security intelligence on malicious sites to protect users. Websense has been working with Facebook and its security teams for a number of years to keep their users safe, and now we have integrated directly into the platform for an unprecedented security combination. Websense Security Labs receives URLs to analyze and categorize, resulting in the profile below of the top twelve categories with their percentage of occurrence.

If you are an avid Facebook user or have teenagers, note that most status updates now include videos, placing streaming media at the top of the categories with 42.8%, more than 5 times the second category, news & media. Cybercrime has responded with an increasing use of video lures inside Facebook. Videos about ex-girlfriends, videos from ex-boyfriends, web cams left on, the "dad walks in on daughter" video, the "hot actress exposes self on TV" video, the "hottest golf video ever," and the array of must-see and breaking-news videos all provide lures for cybercrime within Facebook. Several examples are provided in the Facebook Blog Incidents review below. Beyond malware, legitimate sharing of streaming media among friends and co-workers can go viral and spike network bandwidth loads without warning.

Websense recommends that customers use the real-time defenses of ACE (the Websense Advanced Classification Engine) within Websense gateways to protect against threats within social networking. Companies with a Facebook page, or important individuals on Facebook, should also use Defensio to protect their pages from posted malicious links and objectionable content. Defensio is free to download from the Websense website and also works with blogs such as WordPress.

http://wb-sn.com/GMDZL

ThreatSeeker Network Top 12 Categories for Facebook

42.8% Streaming Media
7.8% News & Media
4.1% Entertainment
3.6% Blogs & Personal Sites
3.6% Information Tech.
3.3% Shopping
2.9% Social Networking
1.7% Business & Economy
1.4% Sports
1.2% Society & Lifestyles
1.2% Personal Network Storage & Backup
1.1% Games



FACEBOOK & DEFENSIO BLOG INCIDENT HIGHLIGHTS

Here are some of the more interesting Websense security posts relating to Facebook, and examples where Websense Defensio would provide protection. Review the short executive summaries or click on the links for more detailed information.
Fake Facebook App

The Facebook Profile Photos malware attack posts messages on a compromised user's account wall to infect friends. Upon clicking on the posted link, users are asked to sign in to a fake Facebook application that collects user account credentials, enabling the attack to spread quickly within their circle of friends. When the attack was analyzed, only 2 of 42 AV engines on VirusTotal could detect the malware dropper file from the attack. Defensio is recommended for Facebook personal and corporate page protection, as is having ACE protection deployed at gateways.

Facebook Typo-Squatting

As Facebook grows its worldwide presence, it has also become an attractive target for cybercriminal typosquatters. Researchers took the top-ranked domain (www.facebook.com) and generated common typos based on keyboard character distance, common repeats, and omissions, anticipating the common typos that land on fake or malicious pages. The research shows that 62% of the typo-squatted variants of Facebook lead to bot networks (24%), phishing (21%), or malicious websites (17%).

http://wb-sn.com/GSaadb

More details on how typo-squatting works, how typo-squatting hives operate, which brands are targeted, and where these attacks take you are covered in a comprehensive Websense Security Labs blog at the following link.

http://wb-sn.com/GJSPA5
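The three variant classes the researchers describe (keyboard-distance substitutions, repeated characters, omitted characters) can be generated for a brand's own domain so that the resulting watchlist can be matched against DNS or proxy logs. The Python below is an added example written for this report, not Websense Security Labs code; the QWERTY neighbour table, the sample hostnames and the label.tld domain handling are its own assumptions.

```python
"""Typo-squat watchlist generator and log matcher (added example)."""

# Constructed QWERTY layout: row strings plus the horizontal offset of each
# row, so "keyboard character distance" can be measured between keys.
_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
_OFFSETS = [0.0, 0.0, 0.5, 1.0]


def _build_adjacency():
    """Map each key to the keys within one position of it on the layout."""
    pos = {}
    for r, row in enumerate(_ROWS):
        for c, ch in enumerate(row):
            pos[ch] = (r, c + _OFFSETS[r])
    adj = {}
    for ch, (r, c) in pos.items():
        adj[ch] = sorted(
            other for other, (orow, ocol) in pos.items()
            if other != ch and abs(orow - r) <= 1 and abs(ocol - c) <= 1
        )
    return adj


ADJACENT = _build_adjacency()


def typo_variants(domain):
    """Return the typo-squat candidates for a registrable domain (label.tld).

    Three classes are produced, matching the report's description:
    omission (one character dropped), repetition (one character doubled)
    and substitution with an adjacent key on the QWERTY layout.
    """
    label, sep, tld = domain.lower().rpartition(".")
    if not sep or not label:
        raise ValueError("expected a registrable domain such as facebook.com")
    variants = set()
    for i, ch in enumerate(label):
        if len(label) > 1:                           # omission: "facebok"
            variants.add(label[:i] + label[i + 1:])
        variants.add(label[:i] + ch + label[i:])     # repetition: "faceboook"
        for neighbour in ADJACENT.get(ch, ()):       # substitution: "fscebook"
            variants.add(label[:i] + neighbour + label[i + 1:])
    variants.discard(label)                          # never list the real domain
    return {f"{v}.{tld}" for v in variants}


def flag_lookalikes(watchlist, hostnames):
    """Return observed hostnames whose registrable domain is on the watchlist.

    Matching is done on the trailing labels so that sub-domains of a squat
    (login.fscebook.com) are caught as well as the bare squat.
    """
    hits = []
    for host in hostnames:
        parts = host.lower().rstrip(".").split(".")
        for n in range(2, len(parts) + 1):
            if ".".join(parts[-n:]) in watchlist:
                hits.append(host)
                break
    return hits


# Constructed sample of hostnames as they might appear in a proxy or DNS log.
SAMPLE_HOSTS = [
    "www.facebook.com",      # the real site, must not be flagged
    "www.facebok.com",       # omission
    "login.fscebook.com",    # adjacent-key substitution, on a sub-domain
    "faceboook.com",         # repetition
    "example.org",           # unrelated
]


if __name__ == "__main__":
    watch = typo_variants("facebook.com")
    print(f"{len(watch)} candidates generated for facebook.com")
    for hit in flag_lookalikes(watch, SAMPLE_HOSTS):
        print("lookalike seen:", hit)
```

The candidate set is the input to the real work: registering the most plausible names defensively and alerting when any of the rest shows up in outbound DNS or proxy logs.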

Facebook Lures

The death of Amy Winehouse and the shooting and bombing in Norway also provided cybercrime with opportunities to lure users to exploit kits and malware downloads with Facebook scams. Anybody can get hold of Facebook application templates and create a scam in minutes. Other popular Facebook scams include "Look what he did to his Ex Girlfriend!", "This Is What Happens When Ex Girlfriend Forgets To Turn Off Her Webcam!!!" and others with similar content. Websense customers with ACE defenses at gateways are protected from these types of social networking scams.

http://wb-sn.com/GIKst1

http://wb-sn.com/GJ1xAB

Hidden Camera Video Lure

A new Koobface campaign within Facebook, spread by direct messages from compromised accounts, lured friends to a fake video (e.g., "Video posted... by Hidden Camera...") with new obfuscation techniques to avoid detection. Compromised users provided account credentials, and at the time of analysis this variant of the Koobface worm had a 23% detection rate by AV engines on VirusTotal. Websense customers with ACE deployed at gateways were protected.

Fake Offers & Gifts

Other year-end highlights included Lady Gaga's hacked Twitter account offering free Apple products to her 17 million followers in exchange for completing surveys that harvested personal information. Another enticing lure took a more common approach but was still highly effective in getting clicks: an offer on Facebook to lose 30 pounds, with fake comments from friends to make the lure more convincing.

http://wb-sn.com/GSayZ0

http://wb-sn.com/GRqgEO

Facebook Blended Attack

Facebook attacks continued with the use of the Blackhole Exploit Kit to deliver a variant of the Zeus/Zbot Trojan with only a 7% detection rate among AV engines on VirusTotal at the time of analysis. The blended attack uses social engineering in an email campaign that appears to come from Facebook. When users click on the link within the email they are redirected to a fake Facebook page asking them to run an update. The "update" runs the Blackhole Exploit Kit, which looks for an opportunity to install the Zeus/Zbot Trojan.

1,760 online visitors every few seconds
1,267,200 visitors a day
One infected visitor shares with 130 friends
823,680 Facebook users see the scam

http://wb-sn.com/GRqjAu



Facebook Browser Plug-in Scam

As the year ended, Facebook scams kicked it up a notch with Chrome and Firefox browser plug-ins. Scam pages typically utilize social engineering tricks, like enticing users with videos or offers for a free voucher, all of which lure victims to take part in the scam. Now, on top of that, we've found that victims are also asked to install a browser plug-in. The plug-in is an integral part of how the scam is spread. Once installed, the plug-in connects to a script that uses the Facebook API and then posts the scam to the victims' friends' pages. One of the advantages of using a plug-in is the ability to persist in the victims' browsers and propagate to other profiles. One scam used a Cheesecake voucher to lure users into installing the plug-in. Websense customers with ACE defenses deployed at gateways are protected.

Like-Jacking Attack with Video Lure

This like-jacking attack lures in victims with a video titled "The beautiful Marika Fruscio shows her breasts on Italian TV!", which by the title alone should be a warning. An infected account has the lure posted as something it likes for its circle of friends to view; when friends click to view, they are infected and the cycle continues. Use of Defensio will protect the social networking walls of individuals and companies from like-jacking attacks.

http://wb-sn.com/GWSiwZ

Golfing Video Lure

Similar to the video lure above, one titled "The Hottest & Funniest Golf Course Video" had over 200,000 likes when detected, and in the time required to write a blog post update, 7,000 more people liked it. The scam led users to lead surveys to "prove they were human" before seeing the video (which was never delivered), and the creators collected cost per action (CPA) revenue. Use of Defensio in Facebook accounts will block these scams.

http://wb-sn.com/GIKGx3

Fake Profile Creeper

Fake Facebook apps claim to show who looks at your profile, which no application on Facebook can do. However, users install these apps from lures posted on a friend's wall, and the app then posts to their wall to infect their circle of friends. The fake apps run a lead survey generating cost per action (CPA) revenues for the creators. The fake profile creeper applications are built from a tool kit based on a viral Facebook application template called Tinie App, available for $25 or less. Use of Defensio will protect an individual or company Facebook wall from these attacks.

http://wb-sn.com/GSaQzc

http://wb-sn.com/GRXCyn

Blog Spam Attack

Defensio detects a popular spam attack in social media that leads to Rogue AV and provides an example of how multiple variables in the ThreatSeeker Network are utilized to detect and block attacks. The investigation leads to a home PC based in Ukraine as the source; however, wider analysis shows a very active botnet infecting multiple home PCs and automatically posting blog spam attacks with fast flux and short-lived domains.

http://wb-sn.com/GIKLnv



WEB SECURITY STRATEGIES


Web gateways with real-time defenses that analyze both inbound and outbound traffic for the six phases of advanced threats are more important now than ever before. For over a decade, traditional defenses have provided value; however, the state of cybercrime and modern malware has advanced past their capabilities. Effective defenses are shifting as end points such as mobile devices become more heterogeneous and as the consumerization of IT drives smaller, lighter devices with longer battery life. The inability to host layers of defenses with real-time updates on such end points necessarily moves defenses to gateways and into cloud services.

Cloud computing is increasing the use of HTTPS for secure tunnels, and social networking within private circles of friends is a known blind spot for cloud-assist defenses that work by probing collected URLs. Inline defenses with real-time analysis beyond AV and URL filtering are strongly recommended. Administrators are advised to monitor HTTPS growth rates and to plan for the impact of moving to cloud application services that can generate multiple secure tunnels per user. As a general rule, web gateways provide approximately one-fifth the performance for HTTPS that they provide for HTTP. For network devices like firewalls the ratio is even worse, as HTTPS has a larger impact on their performance. Finally, many defenses are blind to HTTPS traffic, so security defense strategies need to be reviewed.

The most effective and efficient defenses will leverage big data, machine learning, and analytics to create predictive defenses that block threats on outbound requests for stages one and two of advanced threats. Outbound traffic at web gateways is approximately 15% of the traffic load, while returning web responses are approximately 85%. Defenses on returning traffic, mainly in stages three and four of advanced threats, need efficient real-time assessments that can adjust automatically to the context of security variables.

Administrators who consolidate URL filtering into network devices and continue to rely on traditional AV, firewall, and IDS defenses are likely to see increasing malware incident rates and helpdesk activity. What appears to be a way to save money actually results in higher remediation expenses and higher risk. URL filtering should be upgraded to web gateways with real-time defenses as cybercrime leverages dynamic delivery, content, and call-home techniques. In summary, outbound defenses against call-home and data-theft traffic provide containment and should not be ignored. Last year, many leading companies were victims of data theft (the incidents are reviewed in the next section). DLP engines embedded in web gateways for data-theft protection are moving into the spotlight, with risk reduction as a new focus.


Data Loss Security

Part 2 DATA LOSS SECURITY


Insights and Lessons
The year in review put data theft on the front page. The headlines have changed company management and boardroom conversations: the assumption that data theft will not happen to your company has given way to asking what a breach would cost and how it would impact the business. Risk management quickly took precedence over security technologies, with senior management wanting to understand risk profiles and risk reduction. While Data Loss Prevention (DLP) is known as a security product with unique technologies, the second part, methodology and execution, is what really drives the risk reduction senior management wants.

Based on an August 2011 study by The Digital Forensics entitled "The Leaking Vault: Six Years of Data Breaches," we know that 78% of all records reported compromised since 2005 were lost over three vectors: hacking (including Trojans, key loggers, P2P, SQL injection, and others), the web channel, and drives/media (USB). The report is the most comprehensive study to date: it covers 28 countries and over 3,700 incidents involving more than 800 million records, with estimated data breach costs of more than $156 billion. Per the report, in 2010 the top three channels of hacking, web, and portable drive/media rose to 81% of records compromised.

Data-stealing malware web communications increased to 55%, up from 52% the year before. The remaining 45% of malware communications use non-web channels such as ports 8000 and 1034 for Trojans or port 25 for SMTP (email). Year over year, non-web port traffic for SQL on port 1433 and NetBIOS on port 139 was down. Data-stealing malware email communications have remained at consistent levels. A strong web defense is vital for data-loss and theft-prevention projects; even better is complete integration of data-aware defenses in gateways for web and email. Administrators are advised to focus on high-risk areas first (versus data classification at large).

The difference between the implied risk of data-at-rest and the real risk of data-in-motion-and-use is surfacing as risk reduction goals to stop data theft surpass the basics of regulation compliance. The six phases of advanced threats bring to light defenses against call-home communications and data theft, as hacking ranks at the top of the list. As mobility and cloud computing move security perimeters outward, organizations are determining what they do not control: mobile devices as BYOD (Bring Your Own Device) programs evolve, publicly accessible Wi-Fi networks, and cloud-based applications often served through mobile apps. All that is left to control is your content. This shift is driving contextual security with data-awareness into defenses. While many may think of DLP as large data classification projects for regulation compliance, its real value, protecting data in motion and use, stopping data theft, and reducing risk, is surfacing.

55% of data-stealing malware communications are web-based



DATA LOSS & THEFT BLOG INCIDENT HIGHLIGHTS

Below are a few data breaches that highlight the severity of the situation for the year in review. The stolen data is often used for future attacks or to profile individuals for targeted attacks. Some companies have data-theft clauses in their insurance policies. However, proof of negligence for not protecting data and not providing containment against data-stealing attacks puts almost all expenses on the shoulders of the attacked company.
TripAdvisor Email Breach
Travel site TripAdvisor had its members' email IDs stolen, giving cybercrime more opportunity to launch targeted attacks. Only days earlier, the loss of Play.com member email IDs did result in a follow-up attack using a fake Adobe software update. Play.com puts the blame on its email marketing associate, Silverpop.

The impact of data theft was front page news in the first half of 2011 and resulted in boardrooms discussing risk profiles and risk management.

http://wb-sn.com/GMEKEE

Epsilon, a well-known marketing services firm, had its email system hacked, impacting the security of millions of customers for some of the 2,500 known companies that employ Epsilon. The company claims to send over 40 billion emails annually for over 250 million email addresses. What may be one of the largest attacks of its kind was then followed up with a web attack using a fake Epsilon news page offering users a tool called the Epsilon Secure Connect Tool to see if their private information was exposed. The Trojan dropper in the executable file was only detected by 18 out of 40 AV engines in VirusTotal at the time of analysis. Websense customers with ACE deployed at gateways were protected from this attack.

Epsilon Email Breach

http://wb-sn.com/GIL1zL

Trapster Breach

Trapster, a website that uses crowdsourcing to compile the locations of police using radar, was hacked, exposing an estimated 10 million subscribers' email IDs and passwords. A month earlier, hackers stole 1.5 million email IDs and passwords from Gawker Media servers, and the stolen identities were posted online. The reality of users reusing the same password across online accounts led to spikes in account violations for Facebook, Twitter, and other online applications.

http://wb-sn.com/GJiVD0

http://wb-sn.com/GIL5jb
The Sony PlayStation Network breach that at first was estimated to expose up to 70 million user names, addresses, passwords, and credit card information eventually led to a tally estimated at 103 million users. As the internet weaves itself into games, television programming, movies, sports, and appliances within our homes, protecting the data of customers is paramount. Data theft and loss of this magnitude impacts business continuity and revenues, even more so when your insurance company finds proof of negligence and your organization must cover all expenses to remediate the attack.

Sony PlayStation Breach

Australian cosmetic retailer Lush had its website hacked, exposing its entire customer database and credit cards. The company attributed the vulnerability to a failure to keep the website updated. Company officials also did not know how long attackers had access to confidential information. Despite a similarity to a previous attack on Lush's UK website, officials stated the attacks were not related.

Lush Website Breach

http://wb-sn.com/GJv3aY

http://wb-sn.com/GKA7Y7

March 17, 2011 will be remembered as BreachID day when RSA executives announced a possible breach of SecurID product information from an Advanced Persistent Threat (APT). Later, on May 27, 2011, Lockheed Martin announced it had been hacked and RSA SecurID tokens were involved.

RSA SecurID Breach

Late in 2011, the Chinese internet suffered the most serious user data leak in its history. First the CSDN (Chinese Software Development Network) was hacked, and personal information for more than 6 million members was quickly exposed on the internet. One day later, Tianya, the biggest Chinese online forum, was repeatedly hacked for the account information of 40 million users. Attacks continued on gaming sites Duowan and 7k7k, plus e-commerce sites 360buy and DangDang. Finally, social networking and dating sites were hacked, with user account information leaked on the internet. These incidents are the largest data leaks in Chinese history.

Largest Data Thefts in Chinese History

http://wb-sn.com/GVxJj1


DATA LOSS & THEFT PREVENTION STRATEGIES


Start with a risk reduction methodology that focuses on high-risk areas first, and you should see results that reduce risk in five to six weeks. Without a plan to reduce risk, the methodology and execution side of data loss and theft prevention projects will fail, and results will not be seen, nor shown to senior management. More specifically, make sure that sufficient information is provided on who is using the information and where the information is going. Without these variables, you'll spend too much time remediating alerts, and policy enhancements are hindered.

Think of the metaphor of WALL-E (in the movie of the same name). The small robot's quest to compact and stack trash on an abandoned earth brings to mind the futility of classifying all data. Similarly, the advice to not "boil the ocean" on DLP projects acutely reflects past project frustrations with misguided methodology and execution plans. To make data classification easier in the future, Websense has partnered with Microsoft to integrate with Windows Server 8 and the File Classification Infrastructure (FCI), so that documents are automatically classified as they are created. For more information on the partnership: http://wb-sn.com/GUcPiZ or, to watch a video about the Microsoft FCI integration, VIDEO LINK: http://wb-sn.com/GILlld

The integration of DLP technologies is critical for contextual security at perimeters and end points. The Websense TRITON architecture embeds DLP into web and email gateways for data loss protection. The ability to detect theft of password files, the use of custom encryption, drip (behavioral) DLP analysis over time rather than per request, and optical character recognition (OCR) within scanned images are all recent and important innovations. Correlating geo-location and categorization or application identity with user and data identity also brings context into security policy controls.

The Digital Forensics study referenced at the beginning of this section clearly shows the outsider as the biggest threat for data loss and theft. Details on hacking as the leading cause of record loss highlight malware, key loggers, injection attacks, and stolen credentials. The ability to detect and respond becomes critical to stop data loss and theft and to reach risk reduction objectives. DLP with the correct methodology and execution is the best step forward.
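The "drip" analysis mentioned above is easiest to see beside the one-request rule it extends: a per-request threshold misses an exfiltration that stays just under it on every request, while a sliding-window total catches it. The Python below is an added example, not Websense TRITON code; the log format, the ten-record threshold, the one-hour window and the sample requests are all constructed for the demonstration.

```python
"""Drip (behavioral) DLP detection beside a per-request rule (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed outbound-request log: timestamp, user, destination host and the
# number of sensitive records (e.g. card numbers) the content scanner matched
# in the request body. Alice leaks slowly, Bob in one go, Carol too slowly.
SAMPLE_LOG = """\
2011-06-14T09:00:00 alice upload.example.net 3
2011-06-14T09:12:00 alice upload.example.net 4
2011-06-14T09:25:00 alice upload.example.net 3
2011-06-14T09:40:00 alice upload.example.net 2
2011-06-14T09:05:00 bob files.example.org 12
2011-06-14T13:00:00 carol mail.example.com 6
2011-06-14T15:30:00 carol mail.example.com 6
"""


def parse_log(text):
    """Parse the constructed log into (timestamp, user, host, records) tuples,
    sorted by time so the rules are evaluated in the order events happened."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, host, count = line.split()
        events.append((datetime.fromisoformat(ts), user, host, int(count)))
    return sorted(events)


def per_request_alerts(events, threshold=10):
    """Classic one-request rule: alert only when a single request carries at
    least `threshold` matched records."""
    return [(ts, user, host, n) for ts, user, host, n in events if n >= threshold]


def drip_alerts(events, threshold=10, window=timedelta(hours=1)):
    """Behavioral rule: keep a sliding window of each user's recent matches
    and alert when the total inside the window reaches the threshold, even
    though every individual request stayed below it."""
    recent = defaultdict(deque)   # user -> deque of (timestamp, records)
    totals = defaultdict(int)     # user -> sum of records inside the window
    alerts = []
    for ts, user, host, n in events:
        queue = recent[user]
        queue.append((ts, n))
        totals[user] += n
        # Drop matches that have aged out of the window before judging.
        while queue and ts - queue[0][0] > window:
            _, old = queue.popleft()
            totals[user] -= old
        if totals[user] >= threshold:
            alerts.append((ts, user, host, totals[user]))
            # Reset after alerting so one drip is reported once, not per request.
            queue.clear()
            totals[user] = 0
    return alerts


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("per-request rule:", [(u, n) for _, u, _, n in per_request_alerts(events)])
    print("drip rule:       ", [(u, n) for _, u, _, n in drip_alerts(events)])
```

Alice never exceeds the per-request threshold but crosses it cumulatively within the hour, so only the drip rule reports her; Carol's two requests are too far apart for the window and are correctly left alone.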


Part 4 EMAIL SECURITY


Insights and Lessons
Email is an important channel to monitor for targeted attacks directed at profiled individuals, which are often based on business-related topics such as orders, tickets, delivery confirmations, and events. AV alone at email gateways is not enough, nor is anti-spam, as cybercrime designs email lures that lead to blended attacks, and these blended attacks easily step over the traditional defenses of email gateways. While email spam is about shotgun blasts at mass volumes, the effectiveness of low-profile, below-the-radar sniper shots of email lures has impacted security companies and defense organizations.

While email spam volumes are down year over year, the ability to cloud-cleanse email before delivery saves bandwidth and improves on-premise appliance performance and overall security, as cloud defenses are updated automatically. For email that is delivered to users, all embedded URLs need security analysis when opened. Good email security today is built around great web security because of the high percentage of embedded URLs in email. Predictive real-time defenses are recommended, with collective security intelligence for web and email.

Email remains a top activity on mobile devices, where loss of the device and its data presents a risk to manage. Mobile email DLP solutions with ActiveSync agents can control confidential data between Exchange and mobile devices using the same enterprise DLP policies as for web and email overall. Data theft protection for mobile devices, and the empowerment of cloud applications and personal web mail, move email security perimeters outward.

92% of email spam contains a web link


Email Security

EMAIL SECURITY STATISTICS


Email spam for the year in review was 74% of email, compared with 84% the previous year, so efforts to take down spam botnets are showing results. The shift to blended threats using email as a lure and web links remains strong, as 92% of email spam contains a URL. Email spam correlated to phishing came in at 1.62%, while virus-related email spam was 0.4%. Threats are normally in the 1-2% range of the overall traffic being measured. To put the statistics in another light, Websense ACE and the ThreatSeeker Network detected 3.46 million email threat instances before AV detection.

The top five email spam categories and the top five malware lures align as expected. Business-related topics that users may be expecting in email are the core themes for email spam, with details below. A top five view of the security categories where email spam URLs lead is also shown below. If your only defense at email gateways is AV, which correlates to stage 4 with dropper files, the list below should open your eyes. A great web defense makes for a good email defense across the six advanced threat stages. Even more so is the ability to evaluate email spam URLs in real time when the user opens the email, not the day before or a few hours earlier with known reputation ratings or other static defenses. Low-profile targeted attacks often start with a few emails to specific individuals, well below the radar of traditional defenses, so the ability to sandbox email spam URLs in real time for assessment is an important defense. The email security incidents in the next section bring these techniques to light.

Top 5 Email Spam Categories

1. Information Technology
2. Business and Economy
3. Shopping
4. Financial Data and Services
5. Travel

Top 5 Email Malware Lures

1. Orders
2. Tickets
3. Delivery
4. Test
5. Tax Refund

Top 5 Email Security Threats

1. Malicious Websites
2. Phishing and Other Frauds
3. Malicious Embedded iFrame
4. Potentially Unwanted Software
5. Bot Networks



EMAIL SECURITY BLOG INCIDENT HIGHLIGHTS

Email attacks turned to more business-related topics that individuals may expect, such as deliveries, orders, and payments. In addition, low-volume targeted email attacks use stolen email IDs and knowledge of individuals and upcoming events. Below are security blog incidents and third-party reviews that illustrate the current state of email threats.
Email Marketing Service Attacks

A new and disturbing trend in email spam attacks involves compromising email marketing campaign companies. We have seen compromised Gmail and Hotmail user accounts used to send spam, plus compromised corporate accounts used for their strong reputations to avoid spam detection. The new trend of compromising email marketing web accounts gives cybercrime a new advantage. Following an attack in Argentina on an email marketing services company, an email for an international retailer was sent out with links to domains only a day old that led to a malware file no AV engine in VirusTotal could detect at the time of analysis. The attack then moved to an Australian email marketing services company with similar tactics. One thing these marketing companies have in common is that they appear to include their account names in the user part of the email address, combined with their own domain. This makes it very easy for an attacker to subscribe to a newsletter and receive account and marketing website details. A compromised account not only provides access to customer email IDs and campaign infrastructure; it may also be linked into CRM services, giving the attacker the opportunity to sell customer lists to competitors.

Japan's Nuclear Crisis Lure

Japan's earthquake disaster provided ample opportunities for cybercrime to leverage multiple attack vectors. The techniques seen and analyzed by Websense Security Labs include SEO poisoning, Rogue AV, phishing emails asking for donations, malicious files attached to emails claiming to be legitimate documents, and Facebook apps with cost per action (CPA) lead surveys. One email file attachment titled "Understanding Japan's Nuclear Crisis.doc" was detected by only 5 of 43 AV engines on VirusTotal at the time of analysis. Websense customers with the TRITON solution for web and email with ACE defenses are protected from these attack methods.

http://wb-sn.com/GKAuBW

Oak Ridge National Lab Attack

An email spear-phishing attack succeeded at Oak Ridge National Laboratory before the organization cut off internet access for workers. The lab is known for many research topics, including cyber security research on malware, vulnerabilities, and phishing attacks. The lab described the attack as an Advanced Persistent Threat (APT) that used an Internet Explorer (IE) zero-day vulnerability linked to phishing emails: 530 workers received the email, 57 clicked on the malicious link, and two machines were infected with the malware. The lab previously suffered an email spear-phishing attack in 2007 in which non-classified data, including the Social Security numbers and birthdays of individuals who visited the lab from 1990 to 2004, was exposed. Seven phishing email variants were used, one about an upcoming scientific conference, others with malicious attachments.

http://wb-sn.com/GUdlgQ

E-card Attacks

Malicious e-cards continue to prowl, providing evidence that they must be working on targets with weak defenses. A recent analysis found an email offering a postcard greeting with links traversing compromised sites or newly created sites less than two weeks old. The eventual outcome is an exploit kit finding an opening to install Rogue AV on the victim's system. All the victim sees in this example is a postcard with a cute bear stating "I miss U beary much!" Customers with Websense Email and Web Security are protected from these attacks.

http://wb-sn.com/GR9WFb

http://wb-sn.com/GScvVe


Email Security

Popular Brand Lures

Popular brands and web domains continue to provide social engineering lures in email spam campaigns. In one phishing attack example, a fake Apple Store Order Notification email is sent to targets; the link within it leads to a website with an interesting name that blends a well-known web domain with "pharmacy" (titled WikiPharmacy). Looking into the IP addresses behind the new WikiPharmacy template shows that it belongs to a group of over 24,000 IPs, many of them used for pharmacy phishing scams. Websense customers are protected from this blended attack with ACE defenses at email and web gateways.

http://wb-sn.com/GILwgm

Domain Use Violation Lure with Legal Letter

Email phishing scams continue, with one bold claim coming directly to the legal department of Websense. An email with a cease and desist letter is sent to target companies' legal departments claiming a domain use violation and demanding immediate remediation. However, rather than registering a typo-squatting domain close to the target company's domain, a completely different domain is leveraged in the scam. The unrelated domain is injected with a redirect to the target company; in this case it was a Websense web domain for email services. The scam's objective is to sell the unrelated domain or negotiate compensation to resolve the situation.

http://wb-sn.com/GILB3G

Shipping & Credit Card Status Lures

Tracking charts showed the awakening of a botnet serving malicious email spam in August as volumes spiked. Some of the message subjects that we've seen include, but are not limited to:

DELIVERY CONFIRMATION FROM FedEx [Reference Number]
FedEx DELIVERY CONFIRMATION [Reference Number]
Your FEDEX id. [Reference Number]
Wrong transaction from your credit card in The [Hotel Name]
Changelog: [Reference Number]
Re:Fw: Intercompany inv. from [Organization Name] Corp
From USPS [Reference Number]
DHL id. [Reference Number]
DHL ATTENTION [Reference Number]
Your credit card is blocked

Pending Legal Action Lure

A "we are going to sue you" scare tactic has surfaced in email spam attacks. The emails suggest that your email account has been spamming a known and popular company. The spoofed emails appear to come from known and established companies and claim that the attachment holds proof for your inspection. The attachment is a disguised executable that appears to be a ZIP file and, after decompression, appears to be a document file. The end result is a Trojan downloader that installs on the next system reboot. Websense customers with ACE defenses in web and email gateways are protected.

http://wb-sn.com/GJ2Uzi

Top 5 Email Spam Campaign Topics

November analysis of email spam campaigns shows the following five topics at the top of the list. Beware of emails with subjects containing: 1) Orders, 2) Tickets, 3) Delivery Companies, 4) Test, and 5) Payment/Tax Systems. The malicious spam campaigns listed have the same recurring themes, which spammers do not change. However, the major differences between campaigns include the following:

Switching between attachments and malicious or compromised links
Repacking attachments so they will not be detected by AV engines
Slightly changing the template of the email

Customers are protected with ACE defenses in email and web gateways.

http://wb-sn.com/GWU4y7
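The subject lines quoted in the two sections above share a pattern: the theme stays fixed while the reference number, the attachment and the embedded link rotate. The following is an added example, not code from the report or from Websense, showing how a mail-gateway triage step can normalize subjects and bucket them into the five campaign topics listed above. The cue words per topic, the reference-number pattern and the sample subjects are constructed for this example and are not Websense classification rules.

```python
import re
from collections import Counter

# Campaign topics from the November analysis above, each with the subject-line
# cues this example matches on. The cue patterns are the editor's assumptions,
# derived from the lure subjects quoted on this page.
TOPIC_CUES = {
    "Orders": [r"\border\b", r"\binv(?:oice)?\b"],
    "Tickets": [r"\be-?tickets?\b", r"\bitinerary\b"],
    "Delivery Companies": [r"\bfedex\b", r"\bdhl\b", r"\busps\b",
                           r"\bdelivery confirmation\b", r"\bparcel\b"],
    "Test": [r"^test\b"],
    "Payment/Tax Systems": [r"\bcredit card\b", r"\btax\b", r"\bpayment\b",
                            r"\bwrong transaction\b", r"\brefund\b"],
}

# Reference numbers change per message; the template around them does not.
# Matches runs of 5+ digits, or 6+ upper-case alphanumerics containing a digit.
REFERENCE_RE = re.compile(r"\b(?:\d{5,}|(?=[A-Z0-9-]*\d)[A-Z0-9-]{6,})\b")
# Forwarding prefixes such as "Re:Fw:" are also noise for template matching.
PREFIX_RE = re.compile(r"^(?:(?:re|fw|fwd)\s*:\s*)+", re.IGNORECASE)


def normalize_subject(subject: str) -> str:
    """Strip Re:/Fw: prefixes and replace reference numbers with [REF]."""
    s = PREFIX_RE.sub("", subject.strip())
    s = REFERENCE_RE.sub("[REF]", s)
    return re.sub(r"\s+", " ", s).strip()


def classify_subject(subject: str):
    """Return (normalized template, list of campaign topics it matches)."""
    template = normalize_subject(subject)
    low = template.lower()
    topics = [t for t, pats in TOPIC_CUES.items()
              if any(re.search(p, low) for p in pats)]
    return template, topics


def group_by_template(subjects):
    """Count messages per normalized template: a spike in one template is the
    signature of a campaign that only rotates its reference numbers."""
    return Counter(normalize_subject(s) for s in subjects)


# Constructed sample subjects modelled on the lures quoted on this page.
SAMPLE_SUBJECTS = [
    "DELIVERY CONFIRMATION FROM FedEx 48213377",
    "DELIVERY CONFIRMATION FROM FedEx 48219904",
    "Your FEDEX id. 5590123",
    "Re:Fw: Intercompany inv. from Acme Corp",
    "Wrong transaction from your credit card in The Grand Hotel",
    "Your credit card is blocked",
    "Test",
    "Weekly newsletter",
]

if __name__ == "__main__":
    for subj in SAMPLE_SUBJECTS:
        print(classify_subject(subj))
    print(group_by_template(SAMPLE_SUBJECTS).most_common(3))
```

Grouping by normalized template is the useful part: once the reference number is masked, the two FedEx subjects collapse into one template, which is what makes the campaign visible in volume charts even though every individual subject line is unique.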

Rustock Botnet Taken Down

The Rustock botnet, one of the largest spam-generating botnets with an estimated 250,000 bots, was taken down by the Microsoft Digital Crimes Unit and US federal law enforcement agents. The author took great measures to hide the bots within the Windows operating system from AV engines, often leaving them silent for days after infecting a system. It is not the first botnet to be taken down, nor the last, but its demise was evident on spam measurement charts.

Websense customers with ACE defenses at web and email gateways are protected from these attacks.

http://wb-sn.com/GVyzw6

http://wb-sn.com/GK2WJX


EMAIL SECURITY STRATEGIES

Consider cloud cleansing of email to strip, before delivery, the large portion (76%) that is email spam and threat-related. It saves bandwidth and improves on-premise appliance performance, and in some cases reduces appliance footprints for a lower total cost of operations.

Embedded DLP within email security gateways, and mobile email DLP combined with encryption services, should be used to detect and respond to confidential data in use and in motion within email. While social networking continues to grow at unprecedented rates, confidential data and communications for most organizations remain with email services.

Targeted attacks often start with low-profile email lures to specific individuals, making email gateways an open door for cybercrime if they are guarded only with traditional AV. Given that 92% of email spam contains a web link, administrators are advised to upgrade email security to the predictive real-time defenses that lead in the web sector, so that embedded URLs within email are analyzed as users click on them. Analyzing the web links of an email sent on Sunday, for a user to open on Monday morning when they start their day, leaves the door open for cybercrime. Dynamic content changes in the web properties to which email lures redirect users require unified security architectures and defenses that cover the advanced threat stages with more breadth and depth.
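The Sunday-delivery, Monday-click problem described above is usually addressed by rewriting links at delivery time so that every click passes through a gateway that evaluates the destination at that moment. The following is an added example, not code from the report or from any Websense product, that shows both steps: the delivery-time rewrite and the click-time resolution against a reputation feed that changes in between. The gateway host, the reputation class and the sample email are constructed for this example; a real gateway would also sign the rewritten link so the destination parameter cannot be tampered with.

```python
import re
import urllib.parse

# Hypothetical click-protection endpoint (an assumption for this example);
# a real gateway would use its own domain and a signed token.
GATEWAY = "https://clickcheck.example/redirect"

HREF_RE = re.compile(r'href="(https?://[^"]+)"')

# Constructed sample email; the domain is made up for this example.
EMAIL_HTML = ('<p>Your order is ready: '
              '<a href="http://offer-tracker.example/o/991">view order</a></p>')


def rewrite_links(html: str) -> str:
    """Delivery-time step: wrap every link so the click goes via the gateway,
    carrying the original destination as a query parameter."""
    def wrap(match):
        query = urllib.parse.urlencode({"u": match.group(1)})
        return f'href="{GATEWAY}?{query}"'
    return HREF_RE.sub(wrap, html)


class Reputation:
    """Stand-in for a live reputation feed whose verdicts change over time."""

    def __init__(self):
        self.blocked_hosts = set()

    def block(self, host: str) -> None:
        self.blocked_hosts.add(host)

    def verdict(self, url: str) -> str:
        host = urllib.parse.urlsplit(url).hostname or ""
        return "block" if host in self.blocked_hosts else "allow"


def resolve_click(gateway_url: str, reputation: Reputation):
    """Click-time step: recover the original URL and evaluate it now, not
    with the verdict that was current when the mail was delivered."""
    parts = urllib.parse.urlsplit(gateway_url)
    if f"{parts.scheme}://{parts.netloc}{parts.path}" != GATEWAY:
        raise ValueError("not a gateway link")
    original = urllib.parse.parse_qs(parts.query).get("u", [""])[0]
    if not original:
        raise ValueError("gateway link carries no destination")
    return original, reputation.verdict(original)


def demo():
    """Sunday: mail delivered while the link is still clean. Monday: the host
    is flagged before the user clicks. Returns both verdicts."""
    reputation = Reputation()
    original = HREF_RE.search(EMAIL_HTML).group(1)
    send_time = reputation.verdict(original)           # delivery-time scan
    delivered = rewrite_links(EMAIL_HTML)
    gateway_link = HREF_RE.search(delivered).group(1)

    reputation.block("offer-tracker.example")          # feed updated overnight
    resolved, click_time = resolve_click(gateway_link, reputation)
    return {"original": resolved, "send_time": send_time,
            "click_time": click_time, "delivered_html": delivered}


if __name__ == "__main__":
    result = demo()
    print(result["delivered_html"])
    print("verdict at delivery:", result["send_time"])
    print("verdict at click:   ", result["click_time"])
```

A delivery-time-only scan returns "allow" for this message and never looks again; the rewritten link is what gives the gateway a second chance at the moment the user actually clicks.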


Part 5 MOBILE SECURITY


Insights and Lessons

As we move through 2012, mobile security is the hottest topic at most events, venues, and meetings we attend. Bring Your Own Device (BYOD) to work and cloud computing are outpacing most IT teams for both support and security measures. Often, the BYOD impact starts at the top with executives and business leaders drawn to the ease of use and convenience. Next come several lost devices with confidential information, and the mobile-security discussions start.

Early on, corporate-issued mobile devices with full controls, security, and data protection lost the cool-factor battle against users with a desire for social networking and media, cloud app empowerment, and the blending of work and personal lives on one device. Astute organizations recognized the productivity gain and enablement, and thus provided access to corporate email and services via access credentials, albeit with an agreement to wipe the device if lost or if the employee leaves employment. But mobile device management (MDM) and wiping devices is not enough for BYOD or corporate-issued mobile devices.

Mobile devices are subject to threats when accessing web and email content, and humans remain the weakest security link in the chain. Email and web lures still apply, plus redirects to free gifts, surveys, fake app pages, and credential-collecting scams. The security picture expands with malicious mobile apps that exploit permissions, plus a higher probability of devices being lost or stolen. Thus, mobile devices, networks, and apps are outside the control of most IT organizations.

It's the data, not the device, that really matters. Mobile security requires web and email security, data loss and theft protection, malicious app and malware protection, plus device management, all provided via cloud services to users anywhere and anytime. From a risk management perspective, detecting and responding to data loss incidents is vital, plus controlling the flow of confidential data to devices and cloud-based applications.

51% of users circumvent or turn off device passwords and security controls on mobile devices


Cybercrime has developed exploit kits and advanced methods to attack Windows systems and the software that resides on this platform, as the target installed base is very large. New Rogue AV dropper files are also surfacing for Mac OS as it continues to increase in popularity. In comparison to Windows systems, iOS on iPhones and iPads, plus the controlled AppStore environment, were noticeably more secure for the year in review. The risk for iOS is more about lost devices with confidential data and access credentials than data-stealing attacks, at least at this point in time. Because Android is an open OS where anyone can update an app with malicious intent and repost it in a few minutes, the Android environment is rife with security concerns. Websense Security Labs has analyzed more than 200,000 Android apps and sees a noticeable percentage with malicious intent or permissions, which other third-party reports confirm. Readers are advised to always review permissions for any Android app installation or update. The popularity of mobile devices is creating a large target installed base, and cybercrime is actively innovating to harvest information for profit. We are not yet near the sophistication of attacks on desktops and laptops, so enjoy the lull before the storm as we prepare for a disruptive shift with end points.


MOBILE SECURITY BLOG INCIDENT HIGHLIGHTS

Below are security blog incidents for mobile security, with most attention going to Android devices. While mobile security incidents are hyped in news stories, they are nowhere near the levels for desktops and laptops for the year in review.

DroidDream

The DroidDream attack posted more than 50 malicious apps to the official Android Market in early 2011 and thus prompted Google to wipe the apps from user devices as a security clean-up step. Yes, Google can wipe apps from user phones as a security measure, and this is not the first time. DroidDream-infected apps would gain root access to Android mobile devices once installed and then download more apps, some with special permissions to remove them. To avoid detection, the malicious apps operated from 11 p.m. to 8 a.m., when most users are not using their mobile devices. While the malicious mobile app attack was limited, it raises questions about the vetting processes for online mobile app markets.

Android Permissions

Pay close attention to permissions with Android mobile app installations. The link below provides a good example from the author of the game Tank Hero, who was approached to install spyware within the popular game. Websense researchers highlight the permissions that can lead to confidential information loss, which you should understand.

http://wb-sn.com/GT2LJe

iPhone & iPad Jailbreak

Jailbreakme.com version 3 was released mid-year, providing a very simple and flawless way to jailbreak an iOS device in about 20 seconds. The user must click on "Free" and then "Install"; the app then downloads a PDF file that exploits a vulnerability in the handling of a specific font type, which turns into an actual jailbreak. It works like a drive-by install seen on Windows systems and has the potential for some serious security concerns.

http://wb-sn.com/GJweHt

http://wb-sn.com/GWUjcv
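The Android Permissions section above, and the earlier remark that anyone can repack an app with malicious intent and repost it, both come down to one check: what does this version ask for that the previous one did not? The following is an added example, not code from the report or from Websense, that diffs the uses-permission entries of an installed app's AndroidManifest.xml against those of an update and flags newly requested sensitive permissions. The two manifests are constructed for this example (a hypothetical game), and the list of which permissions count as sensitive is the editor's selection; the permission identifiers themselves are real Android ones.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions this example treats as sensitive. The permission names are
# real Android identifiers; which ones to flag, and the risk notes, are the
# editor's choices for this example, not a Websense list.
SENSITIVE = {
    "android.permission.READ_SMS": "read text messages (bank alerts, one-time codes)",
    "android.permission.RECEIVE_SMS": "see incoming text messages as they arrive",
    "android.permission.SEND_SMS": "send messages, including to premium-rate numbers",
    "android.permission.READ_CONTACTS": "copy the address book",
    "android.permission.READ_CALL_LOG": "read call history",
    "android.permission.ACCESS_FINE_LOCATION": "track precise location",
    "android.permission.RECORD_AUDIO": "record from the microphone",
    "android.permission.READ_PHONE_STATE": "read device and subscriber identifiers",
    "android.permission.RECEIVE_BOOT_COMPLETED": "start silently at every boot",
}


def permissions(manifest_xml: str) -> set:
    """Return the set of permission names declared in an AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    names = (el.get(ANDROID_NS + "name") for el in root.iter("uses-permission"))
    return {n for n in names if n}


def review_update(installed_xml: str, update_xml: str) -> dict:
    """Compare the installed app's permissions with those of an update and
    flag newly requested sensitive permissions. INTERNET alongside any of
    them gives the app a way to send the collected data off the device."""
    before, after = permissions(installed_xml), permissions(update_xml)
    added = sorted(after - before)
    flagged = {p: SENSITIVE[p] for p in added if p in SENSITIVE}
    return {
        "added": added,
        "removed": sorted(before - after),
        "flagged": flagged,
        "exfil_path": bool(flagged) and "android.permission.INTERNET" in after,
    }


# Constructed manifests for a hypothetical game: the installed version and a
# repacked "update" that quietly asks for more than a game needs.
INSTALLED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.tankgame">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
</manifest>"""

UPDATE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.tankgame">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
</manifest>"""

if __name__ == "__main__":
    report = review_update(INSTALLED_MANIFEST, UPDATE_MANIFEST)
    for perm, why in report["flagged"].items():
        print(f"NEW sensitive permission {perm}: {why}")
    if report["exfil_path"]:
        print("Update can also reach the network: treat as a red flag before installing.")
```

The same diff can be run by a mobile device management service on every update it sees for enrolled devices, which turns the "always review permissions" advice into something that does not depend on each user reading the install dialog.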

Password Access Method

Researchers in early 2011 unveiled physical methods to access passwords on locked iPhones and iPads without breaking the device's passcode. Passwords hidden behind the device passcode remain safe. However, the passwords that can be obtained in the six-minute procedure may include VPN access credentials, WiFi accounts, LDAP accounts, Microsoft email accounts, and voice mail systems. On the other hand, the recent Ponemon Mobile Security survey sponsored by Websense noted that 51% of users circumvent or turn off device passwords and security controls on mobile devices, so there is a good probability the device is unlocked anyway.

http://wb-sn.com/GL8vZH

Android Power & User Profile

The Droid Razr commercial "Too Powerful to Fall in the Wrong Hands" shows a leather-clad motorcycle rider on a dramatic high-speed chase to capture the latest Droid, in a precision-timed heist worthy of a Mission Impossible movie scene. The high risk profile of Droid users may not be that far from reality. While iPhone users are busy listening to music and watching videos, Android users are surfing through some of the most dangerous areas of the web. Based on Websense ThreatSeeker Network analysis, Android users are more likely to visit sites with real security risks and sites known to have a high probability of leading to real security risks. And Android apps can be repacked with malicious intent by anybody and reposted in the open marketplaces. Power comes with risk that needs to be managed.

http://wb-sn.com/GUe29X


Websense 2012 Threat Report


MOBILE SECURITY STRATEGIES


Like all end points, mobile devices need protection from web and email threats, scams, and lures. Humans will always unknowingly provide too much information and enable the spread of threats and lures to others. While malicious apps remain few for iOS devices, they are a valid concern for Android devices, so permissions need to be reviewed. If Apple continues to provide a low-risk environment for iOS and its AppStore, we may encourage its use for BYOD and corporate-issued mobile devices.

Preventing the use of mobile devices denies competitive productivity gains, employee expectations, and customer satisfaction, and a prevention policy holds back the enablement needed to grow the business. Data loss and theft remains the primary security concern in reducing risk, with mobile end points more likely to be lost or stolen. The popularity of mobile devices and the topic of mobile security will drive cloud security services forward as security perimeters expand outward.

To read more about a 3-Step Plan for Mobile Security, download our Websense white paper: http://wb-sn.com/GHMKoP


Part 6 REGIONAL SECURITY


Perspectives & Insights Per Country

The security incidents below are specific to countries and regions and often follow the security trends noted in this threat report. A profile of Canada as a new hotbed for cybercrime activity aligns with year-end statistics for malware connections and phishing hosting that place Canada second after the United States. Many countries saw popular online newspaper and TV websites attacked for the large audiences they serve. Media and music sites were attacked, along with campaign meltdowns that consumed time and bandwidth as fast-moving viral media.

Argentina, Uruguay, Mexico, Colombia, and Panama

The popular Spanish online TV site cuevana.tv was injected with malicious code in September, along with many other sites, all using redirects through the domain .cx.cc that lead to exploit kits and a Trojan download. Websense customers with ACE deployed at gateways are protected.

Australia

Police arrested a 17-year-old boy for posting a fake Facebook page of a girl with a hoax invitation to her birthday party, providing her name, address, and cell phone number. More than 200,000 replies came back to the fake invitation. The girl had originally posted her birthday invitation herself, and when more than 2,000 replies came back she removed it.

http://wb-sn.com/GMHpOs

Canada

A fake email from Microsoft Canada ("URGENT: Critical Security Update") was well timed to coincide with Microsoft's real Patch Tuesday update. The content, in English and French, lures users to malware with a Zeus Trojan variant that had an 11% detection rate among AV engines in VirusTotal at the time of analysis. The malware also calls home with command & control traffic to visitortracker.net.in.

http://wb-sn.com/GL8Dbz

Canada

Canada shows signs of becoming the new hotbed for cybercrime hosting as the US takes down major botnets, challenging cybercrime to find new locations with positive reputations. A risk analysis of Canada's cyber security profile shows the following:

Jump in Hosted Phishing Sites - Canada saw a huge increase in the number of servers hosting phishing sites, jumping 319 percent in the last year. This tremendous increase over the last 12 months is second only to Egypt in terms of the growth of sites hosting crimeware.

Increases in Bot Networks - Cybercriminals are moving their command and control centers to safer grounds. In the past eight months, Canada saw a 53 percent increase in bot networks. In fact, Canada scored the second highest for hosting bot networks when compared to the U.S., France, Germany, and China.

Malicious Websites - We're seeing a trend of malicious websites declining across the board. However, Canada's decline is tremendously slower when compared to the countries listed above.

Increase in Cybercrime - Canada was ranked #13 in previous Websense Security Labs rankings for hosting cybercrime; in 2011 it moved up to the #6 position.

http://wb-sn.com/GT34Uw

http://wb-sn.com/GSf9KX

VIDEO LINK: http://wb-sn.com/GRvkZN

Australia

A phishing attack fronting as the Australian Tax Office (ATO) targeted the seven largest banks in the region with E-tax refund lures. Most users are phished in the first 24 hours, providing bank account access credentials to cyber criminals. This attack followed a similar phishing attack based on UK tax assessments. Websense customers with ACE deployed at gateways were protected.


China

An attack on CCTV's (China Central Television) popular CCTV Box software, which delivers TV programs over the web, installs hidden malware when the software is downloaded. The malware installs desktop IE shortcuts that redirect web requests to increase advertising affiliation, site popularity, and cybercrime revenue. When the attack was analyzed, 6 of 42 AV engines on VirusTotal could detect it; the redirects included links with hidden referrals to taobao.com, the most popular online shopping site in China. Websense customers with ACE deployed at gateways were protected.

Poland

The popular Polish government site Opole.pl was injected with pharmaceutical links. The attack objective is to raise the SEO reputation of the fake pharmaceutical site by linking to it from a very popular and trusted government site. The technique is called spamdexing. The reverse holds true for the injected site (its reputation is lowered). The daily count of web pages hijacked for spamdexing is huge, and these injections could quickly be changed to deliver malware. Websense customers with ACE deployed at gateways are protected from these types of attacks.

http://wb-sn.com/GRckMi

http://wb-sn.com/GIKLnv

China

Sina Weibo is the most popular microblog in China, with over 100 million registered users. Sina Weibo was attacked by an XSS (cross-site scripting) exploit impacting over 30,000 high-profile accounts, with messages being sent out containing a malicious link. The messages used the hot topic of a famous film star to lure users. Clicking on the malicious link enabled the XSS exploit to execute malicious JavaScript that posted messages on the user's account, sent messages to friends, and followed the suspicious account used in the attack, titled "hellosamy", which may be a reference to the first XSS worm, Samy, which spread on MySpace in 2005. Websense customers with ACE deployed at gateways are protected from XSS attacks.
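The Sina Weibo incident above worked because user-supplied content reached other users' browsers as live markup. The following is an added example, not code from the report or from Sina Weibo, showing the vulnerable rendering pattern for a toy microblog beside its hardened form: HTML-escaping text content and allowing only http(s) URLs in links. The posts, function names and domains are constructed for this example.

```python
from html import escape
from urllib.parse import urlsplit

# Constructed posts for a toy microblog. The first carries the kind of
# stored payload an XSS worm leaves in a message; it is inert sample data.
POSTS = [
    {"author": "fan_account",
     "text": '<script>document.title="owned"</script> loved the new film!'},
    {"author": "news",
     "text": "Premiere tonight at 8 & red carpet at 7",
     "link": "https://example.org/premiere"},
    {"author": "spam", "text": "click me", "link": "javascript:alert(1)"},
]


def render_unsafe(post: dict) -> str:
    """The vulnerable pattern: user content concatenated straight into HTML."""
    html = f'<div class="post"><b>{post["author"]}</b>: {post["text"]}'
    if "link" in post:
        html += f' <a href="{post["link"]}">link</a>'
    return html + "</div>"


def safe_href(url: str):
    """Allow only absolute http(s) URLs in href; anything else is dropped.
    Escaping alone does not help in the href context because a javascript:
    scheme contains nothing that needs escaping."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return None
    return escape(url, quote=True)


def render_safe(post: dict) -> str:
    """Hardened version: escape text for the HTML text context, and validate
    plus attribute-escape URLs before they reach an href."""
    html = (f'<div class="post"><b>{escape(post["author"])}</b>: '
            f'{escape(post["text"])}')
    href = safe_href(post.get("link", ""))
    if href:
        html += f' <a href="{href}">link</a>'
    return html + "</div>"


def contains_active_content(html: str) -> bool:
    """Crude check used here only to compare the two renderers on the samples."""
    lowered = html.lower()
    return "<script" in lowered or 'href="javascript:' in lowered


if __name__ == "__main__":
    for post in POSTS:
        print("unsafe:", render_unsafe(post))
        print("safe:  ", render_safe(post))
```

The two contexts need two different defenses: text content is fixed by output encoding, while a link needs scheme validation, which is why `safe_href` checks the scheme before it escapes anything.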

Portugal

Fake lures claiming to show real pictures of Osama Bin Laden's remains made their way through Facebook, Twitter, and email, with one example in Portuguese using the subject titles "As Fotos do Terrorista Osama Morto" and "As Fotos de Osama Binladem Morto" to tap into a user's curiosity. Clicking on the link in the email resulted in a malicious file download of Fotos.exe, with a detection rate of 19 of 41 AV engines in VirusTotal at the time of analysis. Customers with ACE defenses at web and email gateways are protected from these types of attacks.

http://wb-sn.com/GJwGp7

http://wb-sn.com/GRciUC

Pakistan

One of the oldest and most popular newspapers in Pakistan, the Daily Jang, had its online version at jang.com.pk infected with two attack types. The first was an iframe injection attack that silently leads users' browsers from the main newspaper page to an exploit server using the g01pack exploit kit. If one of the exploits is successful, a Trojan backdoor drop file is delivered to the victim's system; at the time of analysis it had a 26% detection rate among AV engines in VirusTotal. The other attack type was obfuscated JavaScript code that silently leads to a web server hosting exploit code that was not active at the time of analysis. Fireshark (at fireshark.org) is one of the many tools Websense Security Labs uses to proactively analyze websites in the ThreatSeeker Network for these types of attacks. Websense customers are protected from these attack types with ACE deployed at gateways.

Russia

Two major data leaks happened within days of each other when Short Message Service (SMS) text messages and personal information about people who ordered goods from Russian and Ukrainian online shops (including sex shops) were exposed in search engines. Human error led to the removal of the robots.txt file, and the Yandex.bar toolbar (equivalent to the Google toolbar) then sent over 8,000 private SMS messages to search engines, including Google and Yandex, for indexing. The second data leak did have a robots.txt file in place; however, it was improperly configured and thus allowed personal buyer information to be indexed by search engines. All customer information for online shopping sites should be encrypted or password protected so search engine robots cannot index the information.

http://wb-sn.com/GL8ViA

http://wb-sn.com/GIMyJp

Philippines

The Philippine Bureau of Immigration was attacked when emails disguised as HSBC banking notifications contained a link to the bureau's site, which was hosting a malicious file (atualizer.exe) that only 18 of 37 AV engines on VirusTotal could detect at the time of analysis. Customers with ACE defenses deployed at web and email gateways are protected.

http://wb-sn.com/GKCaeO

Sweden and United Kingdom

Spotify, the popular music streaming service, displayed malicious ads (malvertising) to users within its free version. What was unique was that the ad was embedded within the Spotify application, and users did not even have to click on it to be infected with the malware, meaning free does come with a price. The attack leads to websites that used the Blackhole Exploit Kit to deliver the Windows Recover fake AV application. The kit uses an Adobe Reader/Acrobat vulnerability with a heavily obfuscated PDF file to make computers download the fake AV. At the time of analysis, only 3 of 41 AV engines on VirusTotal detected the malicious PDF file. Once the fake AV was launched, it reached out for a rootkit with a packed version of TDSS, a Trojan known for collecting passwords, credit cards, and other credentials.

http://wb-sn.com/GUgX2q


Thailand

A fake Facebook site threatened the Thai population during the year. The fake site is not even close to resembling the real Facebook website; however, users need to be careful with "become friends" lures that lead to unrated and uncategorized sites. Credential collection is unlikely with pages that look nothing like the real site, but inspection of other pages hosted on the site shows that they contain various types of malware downloads.

http://wb-sn.com/GJBpsE

United States

The new Viral Video category proved beneficial as social media popularized the YouTube video "Watch Rick Perry's Campaign End Before Your Eyes", with views skyrocketing to 1.7 million in just two days. Searches on the term "Rick Perry" found 206 URLs that lead to malicious or potentially harmful content. For the two days, the time spent watching the video computed to 2.95 years, and the bandwidth consumed was 167 gigabytes. Websense customers now have the new Viral Video category to control this content and its associated risks.

http://wb-sn.com/GS3xmS

Turkey

Turkish government websites were compromised and defaced. The attack first gained access to a vulnerable website on the same IP address, which allowed access to the server itself and to the underlying server files of the other websites it hosted, including the Turkish government website.

http://wb-sn.com/GL9clw

United Kingdom

Malvertising (malware advertising) that delivers fake AV hit Autotrader.co.uk, plus Ebay.co.uk, Myvue.com and londonstockexchange.com over the weekend, when security staff relax. These websites were not compromised; however, the ads within them from Unanimis led to malware that exploited Internet Explorer, Adobe Acrobat Reader and Java. The exploit kit, similar to Blackhole, the PDF file and the Java JAR file all had low AV detection rates on VirusTotal at the time of analysis. The dropped file installed a fake AV program that disrupted PC functions by hogging CPU and displaying annoying pop-ups, plus the offer to clean the system for a payment, leading to credit card theft.

United States

One of the largest online US benefits providers, WageWorks, was impacted by a website injection attack on one of its secondary web properties that redirected users to a site hosting the Phoenix Exploit Kit, one of the most popular kits for installing malware on a user's PC. Websense Security Labs contacted WageWorks and they quickly corrected the issue. The real-time analytics within ACE protect customers from attacks of this nature.

http://wb-sn.com/GRdd7B

United States, Canada, United Kingdom (including a specific target for Great Britain), Saudi Arabia, Norway, Germany, Spain, Slovenia, Ireland, and United Arab Emirates
The Facebook scam "My Top10 Stalkers" targets multiple countries with a spam campaign offering a Facebook app that can supposedly track your top 10 stalkers. While the first version of the app was removed by Facebook security, a second version emerged using the same techniques to spam users and infect friends. When the app is installed it spams the user's circle of friends and eventually delivers lead surveys, resulting in cost per action (CPA) revenue for the creators and possible collection of personal information about the victim. As always, if a page forces you to Like, Share, or install an application in order to view it, do not do it; chances are it is spam. Install Defensio at no charge to protect yourself from Facebook spam attacks.

http://wb-sn.com/GUhdys

BBC 6 Music and 1xtra sites injected with iFrame injection attack that uses Phoenix Exploit Kit to deliver malware only once to users as the attack tracks users. Simply browsing these web pages with no actions invokes the attack. Upon time of analysis only 9/43 AV engines on VirusTotal could detect the attack.

United Kingdom

http://wb-sn.com/GL9gSm

http://wb-sn.com/GJ4SQ0
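The Daily Jang and BBC incidents above are both silent iframe injections, the Jang case paired with obfuscated JavaScript, and the Opole.pl case earlier is the same kind of injection carrying hidden pharmacy links instead. The following is an added example, not code from the report, from Websense or from Fireshark, of the static checks a site owner or web proxy can run over fetched HTML to catch these patterns: iframes that are hidden or one pixel in size, links inside hidden containers, and script blocks that decode and inject markup at runtime. The sample page, the style patterns, the obfuscation heuristics and the `.example` hostnames are constructed for this example.

```python
import re
from html.parser import HTMLParser

# Style fragments that hide an element from the visitor while the browser
# still loads it. Patterns and thresholds are this example's assumptions.
HIDDEN_STYLE_RE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d{3,}px", re.I)
# Script constructs that decode text and turn it into live markup.
OBFUSCATION_RE = re.compile(
    r"eval\s*\(|unescape\s*\(|String\.fromCharCode|document\.write\s*\(\s*unescape", re.I)
ENCODED_RE = re.compile(r"%[0-9a-f]{2}|\\x[0-9a-f]{2}|\\u[0-9a-f]{4}", re.I)
CONTAINERS = {"div", "span", "p", "ul", "ol", "li", "td", "tr", "table", "section"}


def _tiny(value) -> bool:
    """True for width/height attributes of 0-2 pixels (e.g. "1" or "1px")."""
    try:
        return int(str(value).strip().lower().rstrip("px")) <= 2
    except ValueError:
        return False


class InjectionScanner(HTMLParser):
    """Flags hidden iframes, links inside hidden containers (spamdexing),
    and script blocks that look obfuscated."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._hidden_stack = []   # one bool per open container: is it hidden?
        self._hidden_depth = 0
        self._script = None       # collects script text while inside <script>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        hidden = bool(HIDDEN_STYLE_RE.search(a.get("style") or ""))
        if tag == "iframe":
            if hidden or _tiny(a.get("width")) or _tiny(a.get("height")):
                self.findings.append(("hidden-iframe", a.get("src", "")))
        elif tag == "a" and self._hidden_depth > 0:
            self.findings.append(("hidden-link", a.get("href", "")))
        elif tag == "script":
            self._script = []
        if tag in CONTAINERS:
            self._hidden_stack.append(hidden)
            self._hidden_depth += hidden

    def handle_endtag(self, tag):
        if tag == "script" and self._script is not None:
            code = "".join(self._script)
            self._script = None
            # Either a decode-and-inject call or a dense run of escapes.
            if OBFUSCATION_RE.search(code) or len(ENCODED_RE.findall(code)) >= 8:
                self.findings.append(("obfuscated-script", code[:40]))
        elif tag in CONTAINERS and self._hidden_stack:
            self._hidden_depth -= self._hidden_stack.pop()

    def handle_data(self, data):
        if self._script is not None:
            self._script.append(data)


def scan(html: str):
    """Return a list of (finding, detail) tuples for the page."""
    scanner = InjectionScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page: a normal article with three injected elements.
SAMPLE_PAGE = """<html><body>
<h1>Daily headlines</h1>
<p>Article text with a normal <a href="https://example.org/story/1">story link</a>.</p>
<iframe src="http://injected-host.example/in.php" width="1" height="1"
        style="visibility:hidden"></iframe>
<div style="display:none"><a href="http://pills.example/buy">cheap pills</a></div>
<script>var s="%3c%69%66%72%61%6d%65%3e";document.write(unescape(s));</script>
<script>console.log("analytics ok");</script>
</body></html>"""

if __name__ == "__main__":
    for kind, detail in scan(SAMPLE_PAGE):
        print(f"{kind}: {detail}")
```

The checks are deliberately structural rather than signature-based: the injected iframe is caught by how it is hidden, not by which exploit kit it points at, which is what lets the same scan keep working after the attacker changes the destination.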

United States

Researchers noted that 41% of 170 Thanksgiving holiday search terms had malicious links containing script injections in the top search results. These script injections use exploit kits to take advantage of vulnerabilities in plugins such as Flash and Acrobat and install malicious software on a victim's system. Tweets per second on Twitter on the Thanksgiving holiday were much higher than on Black Friday, a known holiday shopping day. Researchers also saw double the number of links shared about Thanksgiving compared to Black Friday.

http://wb-sn.com/GMIaHr


WEBSENSE SECURITY INTELLIGENCE


Websense unified security intelligence and defense assessment techniques are designed to address the six stages of advanced threats outlined within this threat report and the numerous security blog incidents. Traditional independent defenses in sequential order are low hurdles for cybercrime to step over to meet its objectives of data theft and profit. We are in an era that requires unified security intelligence and real-time threat analysis that adjusts automatically to defense assessments for a composite and predictive score against cybercrime.

THE THREATSEEKER NETWORK
The Largest Security Intelligence Network

The Websense ThreatSeeker Network, powered by the world's largest internet HoneyGrid, is the technology foundation for Websense web security, email security, data security, and mobile security solutions. It provides the intelligence that underlies TRITON solutions by delivering real-time security intelligence from big data clusters, machine analysis and learning, and advanced queries with experts in obfuscation, reverse engineering of malware, reputation analysis and expanded behavioral analysis. This gives users the most up-to-date protection possible from unwanted content and malicious threats. To create the ThreatSeeker Network, Websense augmented its ThreatSeeker technology with organically developed and acquired email security, cloud security, mobile security, and data loss prevention technologies. The result is a network of technology and human intelligence that creates an adaptive feedback network using more than 850 million real-time data collecting systems to parse 3-5 billion pieces of content daily, including Facebook and other web properties. This allows Websense to provide customers with the most advanced content classification, data identification, and security intelligence available to mitigate risks to customer data and productivity.


THE WEBSENSE DIFFERENCE IS ACE
The Advanced Classification Engine

Real-time inline contextual defenses for web, email, data, and mobile security within ACE use composite risk scoring and analytics from the ThreatSeeker Network to deliver the most effective security available. ACE provides containment by analyzing inbound and outbound traffic with data-aware defenses for data theft protection. Classifiers within ACE for security, data, and content analysis have been developed through years of research and development and are proven daily to detect more threats than traditional antivirus engines (see the Websense Security Labs website for more information). The TRITON architecture uses ACE as a primary defense, and ACE also operates within the ThreatSeeker Network, uniting over 850 million end points and analyzing 3-5 billion requests per day.

Learn more about ACE from the Websense website: http://wb-sn.com/GT4le2 or watch an overview video:

VIDEO LINK: http://wb-sn.com/GJxbj5

Would you like to see the benefits of ACE and learn more about a URL before clicking on it? Just copy/paste the link into ACE Insight for an immediate profile and security rating, a free service from Websense.

http://aceinsight.com

WEBSENSE DEFENSIO
The Next Generation of Security for the Social Web

Defensio is a service that protects you and your social networking or blog followers from malicious links and objectionable content. Content can be filtered by security categories, keywords, script and executable filters, plus protection from disreputable sites and domains. Defensio protects Facebook pages, WordPress blogs, and other platforms. Personal use is free. Companies with a Facebook page, or prominent individuals on Facebook, should use Defensio to protect their pages from posted malicious links or objectionable content.

Learn more about Defensio from the Websense website: http://wb-sn.com/GMDZLP
VIDEO LINK: http://wb-sn.com/GWXHEt


WEBSENSE SECURITY LABS
24/7 Global Security Research


Websense Security Labs discovers, investigates, and reports on advanced internet threats that traditional security research methods miss. Recognized as a world leader in security research, Websense Security Labs publishes findings to hundreds of security partners, vendors, media outlets, military, and other organizations around the world 24 hours a day, seven days a week. With four locations around the globe, the sun never sets on its security intelligence gathering and analysis.

Follow Websense Security Labs:
Web: http://securitylabs.websense.com/
RSS: http://community.websense.com/blogs/securitylabs/rss.aspx
Facebook: http://www.facebook.com/websense
LinkedIn: http://www.linkedin.com/company/websense?trk=fc_badge
Twitter: http://twitter.com/websenselabs
YouTube: http://www.youtube.com/user/WBSNMKTG

Customers can experience the security lab environment in hands-on sessions with Websense Security Labs researchers covering exploits, obfuscation, how to analyze malicious PDF, JAR and SWF files, and an inside view of classification and categorization, among other topics, on a two-day training agenda. The Websense Security Labs Technical Advisory Board training is by invitation to our customers; please contact your sales team for more information on the next event.
VIDEO LINK: http://wb-sn.com/GUicP2

During the year, user groups are hosted by select Websense customers for their region to collaborate with other customers on solution deployments, best practices and topics of interest. Consider having Websense Security Labs representatives attend your next meeting to provide the latest updates on cyber security research. Please contact your local sales team for details and scheduling.

Websense researchers attended and presented at Black Hat USA in Las Vegas. Stephan Chenette presented Fireshark (www.fireshark.org), an open source tool for website analysis; a blog post and short video are available here:
VIDEO LINK: http://wb-sn.com/GINo99
Armin Buescher presented ReplayProxy: http://wb-sn.com/GHNvy5

Websense 2012 Threat Report


Websense contributes to the open source community of security research tools and encourages customers to leverage these tools. Websense researchers also attended the annual PacSec conference in Tokyo and the Association of Anti-Virus Asia Researchers (AVAR) conference in Hong Kong to present research tools. Ulysses Wang and Nick Guo from Websense delivered the presentation "A New Approach to Automated JavaScript De-obfuscation" at PacSec in Tokyo, and Xue Yang and Elson Lai from Websense delivered the presentation "Dissection of Exploit Kits" at AVAR in Hong Kong. In their presentation, Yang and Lai showed analysis statistics for the top 10 exploit kits, used several typical exploit kits as examples to highlight their key features and differences, and compared the exploit kits with current APT (Advanced Persistent Threat) attacks from several aspects. http://wb-sn.com/GL0Fga

SUMMARY
The year in review proved that in the world of enterprise security, anything and everything goes. This year, as broader adoption of mobile, social, and cloud technologies explodes, we will see the bad guys move rapidly to take advantage of this shift.

One thing we know from the explosion of breaches, the amplification of advanced malware, and the propagation of exploit kits is that the common factor is, very simply, the web. Almost all of the major attacks of 2011 employed a web component, whether as a vector, a command-and-control channel, or the pipeline for stolen data and critical IP. Web attacks are going beyond the browser, and as the number of API web requests gains momentum we will see attackers using those APIs for their own malicious exploitation. The most advanced criminals are going to ride the waves of personal devices, personal social media use, and personal web activities of employees to create more advanced social engineering attacks to get in. Many of the business and government attacks in the coming year won't necessarily be about how complex the attack code is, but about how convincingly attackers can lure unsuspecting victims to click.


APPENDIX: 2012 SECURITY PREDICTIONS


Below are the Websense Security Labs predictions for 2012.
VIDEO LINK: http://wb-sn.com/GKpBzx

1. Your social media identity may prove more valuable to cybercriminals than your credit cards. Bad guys will actively buy and sell social media credentials in online forums. Trust is the basis of social networking, so if a bad guy compromises your social media log-ins, there is a good chance they can manipulate your friends. Which leads us to prediction #2.

2. The primary blended attack method used in the most advanced attacks will be to go through your social media friends, mobile devices and the cloud. We've already seen one APT attack that used the chat functionality of a compromised social network account to get to the right user. Expect this to be the primary vector, along with mobile and cloud exploits, in the most persistent and advanced attacks of 2012.

3. 1,000+ different mobile device attacks coming to a smartphone or tablet near you. People have been predicting this for years, but in 2011 it actually started to happen. And watch out: the number of people who fall victim to believable social engineering scams will go through the roof if the bad guys find a way to use mobile location-based services to design hyper-specific geo-location social engineering attempts.

4. SSL/TLS will put net traffic into a corporate IT blind spot. Two items are increasing traffic over SSL/TLS secure tunnels for privacy and protection. First is the disruptive growth of mobile and tablet devices. And second, many of the largest, most commonly used websites, like Google, Facebook, and Twitter, are switching to https sessions by default, ostensibly a more secure transmission. But as more traffic moves through encrypted tunnels, many traditional enterprise security defenses are going to be left looking for a threat needle in a haystack, since they cannot inspect the encrypted traffic.

5. Containment is the new prevention. For years, security defenses have focused on keeping cybercrime and malware out. Organizations on the leading edge will implement outbound inspection and will focus on adapting prevention technologies to be more about containment, severing communications, and data loss mitigation after an initial infection.

6. The London Olympics, U.S. presidential elections, Mayan calendar, and apocalyptic predictions will lead to broad attacks by criminals. Cybercriminals will continue to take advantage of today's 24-hour, up-to-the-minute news cycle, only now they will infect users where they are less suspicious: sites designed to look like legitimate news services, Twitter feeds, Facebook posts/emails, LinkedIn updates, YouTube video comments, and forum conversations.

7. Social engineering and rogue anti-virus will continue to reign. Scareware tactics and the use of rogue anti-virus, which decreased a bit in 2011, will stage a comeback. Except, instead of seeing "You have been infected" pages, we anticipate three areas will emerge as growing scareware subcategories in 2012: a growth in fake registry clean-up, fake speed improvement software, and fake back-up software mimicking popular personal cloud backup systems.
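Predictions 4 and 5 above make one practical point between them: when the payload is encrypted, an outbound-inspection defense still sees who each client talks to, how often, and how much it sends, and that metadata is enough to flag a beacon or a bulk upload after an infection has already happened. The following is an added example written for this page, not code from the Websense report or any Websense product. It runs two simple rules over constructed proxy log lines in an assumed format (timestamp, client IP, method, destination host, bytes sent by the client); the hosts, addresses and thresholds are invented for illustration.

```python
"""Outbound-inspection example: beaconing and bulk-upload detection over proxy logs.

Added example for this page (not Websense code). The log format below is an
assumption: one record per line, space separated:
    <ISO timestamp> <client ip> <method> <destination host> <bytes sent by client>
CONNECT records are HTTPS tunnels: the proxy cannot read the payload, but it
still records the destination, the timing and the volume, which is what these
rules use.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample data (hosts and addresses are invented for this example).
SAMPLE_LOG = """\
2012-03-01T09:00:00 10.1.1.5 GET www.example.com 512
2012-03-01T09:00:04 10.1.1.5 GET cdn.example.com 300
2012-03-01T09:00:10 10.1.1.7 CONNECT beacon.example.net 420
2012-03-01T09:01:10 10.1.1.7 CONNECT beacon.example.net 418
2012-03-01T09:02:10 10.1.1.7 CONNECT beacon.example.net 421
2012-03-01T09:03:10 10.1.1.7 CONNECT beacon.example.net 419
2012-03-01T09:03:12 10.1.1.9 CONNECT mail.example.org 15000000
2012-03-01T09:04:10 10.1.1.7 CONNECT beacon.example.net 420
2012-03-01T09:05:10 10.1.1.7 CONNECT beacon.example.net 420
2012-03-01T09:05:50 10.1.1.5 GET www.example.com 700
2012-03-01T09:09:00 10.1.1.5 GET www.example.com 650
2012-03-01T09:30:00 10.1.1.5 GET www.example.com 610
"""

# Assumed thresholds; tune them against your own baseline traffic.
BEACON_MIN_HITS = 5              # minimum connections before timing is judged
BEACON_MAX_JITTER = 0.1          # pstdev/mean of inter-arrival seconds
EXFIL_BYTES = 10 * 1024 * 1024   # bytes uploaded to a single host


def parse_log(text):
    """Parse log lines into (timestamp, client, method, host, bytes_sent) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, host, sent = line.split()
        records.append((datetime.fromisoformat(ts), client, method, host, int(sent)))
    return records


def detect(records):
    """Return a list of alert dicts for (client, host) pairs that beacon or bulk-upload."""
    by_pair = defaultdict(list)
    for ts, client, method, host, sent in records:
        by_pair[(client, host)].append((ts, method, sent))

    alerts = []
    for (client, host), hits in by_pair.items():
        hits.sort()  # sorts by timestamp (first tuple element)
        methods = {method for _, method, _ in hits}
        encrypted_only = methods == {"CONNECT"}

        # Rule 1: bulk upload to one host. Applies whether or not the payload
        # could be inspected; volume is visible through a CONNECT tunnel.
        total_out = sum(sent for _, _, sent in hits)
        if total_out >= EXFIL_BYTES:
            alerts.append({"rule": "exfil_volume", "client": client, "host": host,
                           "bytes": total_out, "encrypted": encrypted_only})

        # Rule 2: beaconing. A compromised host checking in on a timer produces
        # near-constant gaps between connections; human browsing does not.
        if len(hits) >= BEACON_MIN_HITS:
            gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(hits, hits[1:])]
            period = mean(gaps)
            jitter = pstdev(gaps) / period if period > 0 else float("inf")
            if jitter <= BEACON_MAX_JITTER:
                alerts.append({"rule": "beacon", "client": client, "host": host,
                               "period_s": round(period), "jitter": round(jitter, 3),
                               "encrypted": encrypted_only})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the sample, 10.1.1.7 is flagged for a 60-second beacon over HTTPS and 10.1.1.9 for a 15 MB upload through a single CONNECT tunnel, while 10.1.1.5's ordinary browsing raises nothing. Both rules are coarse on purpose: a legitimate webmail attachment looks like the exfil case, and a software updater can look like a beacon, so these alerts are a trigger for severing the connection and investigating, and for the data-aware (DLP) inspection the report describes, not a verdict on their own.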


ABOUT WEBSENSE
Websense, Inc. (NASDAQ: WBSN), a global leader in unified web security, email security, mobile security, and data loss prevention (DLP), delivers the best content security for modern threats at the lowest total cost of ownership to tens of thousands of enterprise, mid-market, and small organizations around the world. Distributed through a global network of channel partners and delivered as appliance-based software or SaaS-based cloud services, Websense content security solutions help organizations leverage social media and cloud-based communication while protecting against advanced persistent threats and modern malware, preventing the loss of confidential information, and enforcing internet use and security policies. Websense is headquartered in San Diego, California, with offices around the world. For more information, visit: www.websense.com.

Follow Websense on Twitter: www.twitter.com/websense
Join the discussion on Facebook: www.facebook.com/websense

Tom Clare authored this report.

© 2012 Websense Inc. All rights reserved. Websense, the Websense logo, and ThreatSeeker are registered trademarks and TRITON, TruHybrid, Security Labs, and TruWeb DLP are trademarks of Websense, Inc. Websense has numerous other registered trademarks in the United States and internationally. All other trademarks are the property of their respective owners. 4.16.12
