May 17, 2011

This Month in the Threat Webscape - April 2011


Major Hits

Automattic, the company that maintains WordPress.com admitted a breach in which parts of their sensitive code could have been copied. Even though WordPress is an open source project, there are apparently bits which are not that open.

We all presume that U.S. federal sites are the best protected. They really should be. However, the latest hack on the Oak Ridge National Laboratory showed us the contrary. Spear-phishing is a real challenge for everyone these days.

April was also a month of data breaches, including marketing company Epsilon, the European Space Agency, and Sony. These breaches may have affected millions of individuals in their recipient databases. Be suspicious of all emails coming from your usual and otherwise trustworthy senders. Remember also to change your passwords regularly.

With all of the breaches running around, the news about the kidnapping of Kaspersky's son sounded like something unusually new. It apparently took only two days for Russian police to free him from the kidnappers. It would be great if we could fix all data breaches so quickly.


Web 2 dot uh oh

How can you tell whether a Facebook scam is effective? By the number of "likes" it gathers. All you need is a very provocative title, like the "The Hottest & Funniest Golf Course Video" scam, then sit back and see how many Facebook users dare to click the Like button to see the video. As expected, the end result is a number of survey scams and no trace of the promised video.

Scammers are sometimes picky, too, as demonstrated by the "My Top 10 stalkers" scam, which targets specific countries based on the user's IP address. The U.S., Norway, U.K., and the United Arab Emirates are among the targeted locations.

A CAPTCHA image sitting on top of a Facebook comment box is the pawn used by scammers in a recent clickjacking attack. The lure promises yet another provocative video, while the real intent is of course for the scammers to offer surveys and games.

Facebook issued a fix on a glitch discovered by Turkish researcher Serkan Gencel involving users who linked their Facebook profile to a Hotmail email address.

In early April, reports surfaced that Google had added a banner to Gmail warning users if their account had been accessed from China. This kind of safety net, along with Google's two-factor authentication, seems to be Google's response in the wake of the infamous Aurora attack.

Exploit kits appear to be stealing the spotlight from the usual rogue AV payload on poisoned search results. Searching for the celebrity child "Presley Walker" returned poisoned image search results carrying both an exploit kit and rogue AV as payloads.

Apparently, even Twitter users are curious to see who viewed their tweets. Those who fall victim to the rogue app called "Profile Spy" are offered endless surveys, pop-ups and ads.

Smartphone apps invading privacy? That's the case federal prosecutors are making against Pandora, claiming that the company has been supplying advertisers with consumer information collected by one of its free smartphone apps running on Google's Android OS.


Browser and friends

This month Apple continued to fix security holes, including a few that were successfully exploited by Pwn2Own winners, with the iOS 4.3.2/4.2.7 software update, which covers 5 documented security problems. Apple also released several other security updates, including Safari 5.0.5 and iTunes 10.2.2.

On April 15, Adobe released a security update for Adobe Flash Player to fix a new 0-day vulnerability (CVE-2011-0611), which could cause a crash and potentially allow an attacker to take control of the affected system. This vulnerability was also being actively exploited in both Adobe Reader and Acrobat via a Flash (.swf) file embedded in a Microsoft Word (.doc) or Excel (.xls) file. On April 21, Adobe came up with another important security update for Adobe Reader and Acrobat X to fix several vulnerabilities, including the previous one.
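The Word/Excel carrier described above is something a defender can triage for without opening the document: an embedded SWF still begins with one of the three SWF header signatures (FWS raw, CWS zlib-compressed, ZWS LZMA-compressed), so a byte-level scan of the OLE2 container, or of each member of an OOXML zip, surfaces it. The following scanner is an added example, not Websense code; the sample documents it scans are constructed inline (a minimal valid SWF and padded container blobs), and the version/length plausibility thresholds are assumptions chosen to suppress false hits on ordinary text.

```python
"""Heuristic scan of Office documents (.doc/.xls OLE2 files and .docx/.xlsx zip
containers) for embedded Flash (SWF) files. Added example, not Websense code."""
import io
import struct
import zipfile
import zlib

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # Compound File Binary header
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML documents are zip files
SWF_SIGNATURES = (b"FWS", b"CWS", b"ZWS")          # raw, zlib and LZMA SWF headers
MIN_SWF_LENGTH = 15        # 8-byte header + 1-byte RECT + frame rate + frame count + End tag
MAX_SWF_LENGTH = 64 << 20  # assumed upper bound; the length field is the uncompressed size


def find_swf_headers(blob):
    """Return (offset, kind, version, declared_len) for each plausible SWF header."""
    hits = []
    for sig in SWF_SIGNATURES:
        pos = blob.find(sig)
        while pos != -1:
            if pos + 8 <= len(blob):
                version = blob[pos + 3]
                declared = struct.unpack_from("<I", blob, pos + 4)[0]
                # Plausibility filter (assumed thresholds): real SWF version numbers are
                # small and the length field is the uncompressed size of the whole file,
                # so the string "FWS" inside ordinary text is not reported.
                if 1 <= version <= 60 and MIN_SWF_LENGTH <= declared <= MAX_SWF_LENGTH:
                    hits.append((pos, sig.decode(), version, declared))
            pos = blob.find(sig, pos + 1)
    return hits


def extract_swf(blob, hit):
    """Recover the embedded SWF as an uncompressed (FWS) file for further analysis.
    LZMA (ZWS) bodies are left to a dedicated tool and return None."""
    _member, offset, kind, _version, declared = hit
    if kind == "FWS":
        return blob[offset:offset + declared]
    if kind == "CWS":
        d = zlib.decompressobj()  # tolerates trailing container bytes after the stream
        try:
            body = d.decompress(blob[offset + 8:])
        except zlib.error:
            return None
        return b"FWS" + blob[offset + 3:offset + 8] + body
    return None


def scan_document(data):
    """Scan a .doc/.xls (OLE2) or .docx/.xlsx (zip) blob and return a report dict.
    Hits are (zip member or '' for OLE2, offset, kind, version, declared_len)."""
    report = {"container": "unknown", "swf": []}
    if data.startswith(OLE2_MAGIC):
        # Byte-level scan of the whole compound file: a header split across
        # non-contiguous sectors would be missed, so treat this as triage only.
        report["container"] = "ole2"
        report["swf"] = [("",) + h for h in find_swf_headers(data)]
    elif data.startswith(ZIP_MAGIC):
        report["container"] = "ooxml"
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for name in zf.namelist():
                for h in find_swf_headers(zf.read(name)):
                    report["swf"].append((name,) + h)
    report["suspicious"] = bool(report["swf"])
    return report


def minimal_swf():
    """Constructed sample: the smallest well-formed uncompressed SWF (header, empty
    RECT, 12 fps, one frame, End tag). Contains no ActionScript at all."""
    body = b"\x00" + b"\x00\x0c" + b"\x01\x00" + b"\x00\x00"
    return b"FWS" + bytes([10]) + struct.pack("<I", 8 + len(body)) + body


def build_samples():
    """Constructed sample documents: a .doc with a zlib-compressed SWF, a benign .doc
    whose text merely contains the letters 'FWS', and a .docx with a raw SWF member."""
    swf = minimal_swf()
    cws = b"CWS" + bytes([10]) + swf[4:8] + zlib.compress(swf[8:])
    malicious_doc = OLE2_MAGIC + b"\x00" * 504 + b"Word text " + cws + b"\x00" * 64
    benign_doc = OLE2_MAGIC + b"\x00" * 504 + b"ref: FWS\xffreview" + b"\x00" * 64
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/embeddings/oleObject1.bin", swf)
    return {"malicious_doc": malicious_doc, "benign_doc": benign_doc,
            "malicious_docx": buf.getvalue()}


if __name__ == "__main__":
    for name, data in build_samples().items():
        print(name, scan_document(data))
```

A hit is a reason to detonate or hand-analyse the document, not a verdict: Office files legitimately embed Flash in some presentations, and a scan of raw bytes can miss a header that straddles OLE2 sectors. The `extract_swf` helper turns a CWS hit back into a plain FWS file so that the usual SWF tooling can inspect it.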

Right after the Firefox 4 release last month, Mozilla delivered the first security update for Firefox 4, including a fix for two chunks of code that had allowed attackers to override a key security protection baked into recent versions of the Windows operating system. A notable security update for Firefox 3.6.17/3.5.19 fixes several vulnerabilities. Three of them – for bugs involving an escalation of privilege through the Java Embedding Plugin, multiple dangling pointers, and miscellaneous memory safety hazards – were rated critical.



In April, Microsoft released its biggest Patch Tuesday of the year so far: 17 bulletins covering 64 vulnerabilities in Windows, Office, Internet Explorer, Visual Studio, SMB, .NET Framework, and GDI+. Among them, 9 bulletins are rated critical and 8 important.

The most important fix is MS11-018, a cumulative security update for Internet Explorer. It is rated critical for Internet Explorer 6, 7, and 8 on Windows clients and moderate for Internet Explorer 6, 7, and 8 on Windows servers. Internet Explorer 9 is not affected by these vulnerabilities. Microsoft encouraged all users to apply this bulletin first.

The other 8 critical bulletins fixed vulnerabilities in the SMB client and server, .NET Framework, GDI+, DNS Resolution, the JScript and VBScript scripting engines, and the CFF driver.

Of the 60 vulnerabilities Microsoft patched, 30 are addressed by a single bulletin, MS11-034, which resolves vulnerabilities in Windows Kernel-Mode Drivers that lead to elevation of privilege. The XSS vulnerability CVE-2011-0096 was patched in MS11-021.

Beginning in April 2011, the MSVR (Microsoft Vulnerability Research) program started issuing MSVR advisories for vulnerabilities that Microsoft had privately disclosed to third-party vendors. It published two in April: one covers a use-after-free object lifetime vulnerability in Google Chrome, the other the HTML5 implementation in Chrome and Opera. All of these vulnerabilities were already patched by December 2010.


Hello ThreatSeeker® Network. You've got mail!

Another malicious e-card campaign targeted innocent users. What was on the menu this time? Nicely obfuscated content serving a spicy iframe that leads to rogue AV. Sounds good to you? Sorry, we don't serve this juicy content to our users.

Do you have a small business, and wouldn't $1,500 make your month nicer? Well, forget about promises of easy money for an "innocent" money transaction. First you give up your confidential data to who-knows-who, then you install some malicious "friend" onto your computer.

Osama Bin Laden's death is big news. Everybody is curious and wants to see the proof. Why not, right? Be wary, though. It is better to live without the proof than to infect your computer with an unwelcome, maliciously crafted guest.


Security Trends

The "Coreflood" botnet was taken down by the U.S. Justice Department and the FBI. "Coreflood" was an infamous botnet that emerged almost a decade ago as a high-powered virtual weapon designed to knock targeted Web sites offline. While investigators counted 413,710 infected machines from March 2009 to January 2010, the total number of machines that were, or had been, part of Coreflood is more than 2.3 million, with more than 1.8 million of them appearing to be located in the U.S.

A new marketplace has sprung up to buy and sell IPv4 addresses (or rather, to broker transfers from one organization to another with dollar figures attached). Sites like www.depository.net, www.addrex.net, and www.tradeipv4.com look like they'll be with us for a while.

Nikon's Image Authentication System has a vulnerability that stems from cryptographic shortcomings in how the secure image signing key is handled by Nikon digital cameras. The Russian encryption specialist ElcomSoft has already created a gallery of hoax images that successfully pass validation with the Nikon Image Authentication Software.

Apple's iPhone and iPad constantly track users' physical location and store the data in unencrypted files on both the iOS device and any computer that stores backups of its data. That information can be used to reconstruct a detailed snapshot of the user's comings and goings.

Websense solutions with the ThreatSeeker Network and our Advanced Classification Engine (ACE) helped protect customers from April's blended threats.


This month's roundup contributors:

  • Ivan Sabo
  • Grace Timcang
  • Qiong Ran
  • Xue Yang
  • Lei Li

