We value your relationship with Bank of America to serve you better, we are installing the Best Banking software and would require you to Update Your Online Banking Records.
In accordance with Halifax Online Internet Banking User Agreement and to ensure that your account is protected from unauthorized persons or locations, access to your account has been locked due to some reasons.
Due to this, you are requested to follow the provided steps and confirm your Online Banking details for the safety of your Accounts by clicking on the link below.
To protect your accounts, our monitoring process has temporarily suspended your online access due to high fraudulent activities on some of our customers' accounts.
We have just completed a scheduled update on our HSBC Online Banking server; we have every reason to believe your account(s) held at HSBC Bank will experience minor errors/interruption.
Due to recent attacks on multiple PayPal accounts and cardholders, PayPal Online Department has created and implemented a new security system designed to protect your account and provide an increased level of protection to your money and personal data.
We recently noticed that different computers have logged into your Halifax online access, and multiple password failures were present before the logons.
Websense® Security Labs™ has been closely following US-CERT Vulnerability Note VU#800113, “Multiple DNS implementations vulnerable to cache poisoning”, originally announced on July 8, 2008. Many of the details are being withheld for now by the researcher who made the discovery, which has caused some confusion about the severity of the issue. Investigation by the security community has since established that at least one serious weakness exists in most DNS implementations: an off-path attacker who wins a blind guessing race can poison a resolver's cache and redirect traffic to a destination under the attacker's control.
For complete protection, customers should ensure that their DNS implementations are resilient to this type of attack. Customers who do not operate an internal DNS infrastructure should seek cooperation from their upstream DNS provider, typically their ISP. Contact your DNS vendor to verify that source port randomization is enabled on your DNS servers; in many cases this requires applying a patch.
At the time of this alert, an exploit targeting this flaw has already been added to Metasploit, a free and publicly available open-source penetration testing framework.
The US-CERT advisory also makes several important “DNS best practices” recommendations; see the advisory for complete details: http://www.kb.cert.org/vuls/id/800113
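To make the point about source port randomization concrete, here is an added example that is not part of the Websense alert or the US-CERT note. It simulates the blind race an off-path attacker runs against a resolver: for each outstanding query the attacker floods forged responses guessing the 16-bit transaction ID (and, once ports are randomized, the source port as well). The ephemeral port range 1024-65535, the single fixed port for the unpatched case, and the 1000 forged responses per race are illustrative assumptions, not figures from the alert.

```python
"""Effect of DNS source port randomization on a blind cache-poisoning race.

Added example, not Websense or US-CERT code. A forged response is accepted
only when it matches the resolver's outstanding (source port, transaction ID)
pair; the attacker cannot observe either value and must guess.
"""
import random

TXID_SPACE = 1 << 16           # 16-bit DNS transaction ID
PORT_LOW, PORT_HIGH = 1024, 65536
PORT_SPACE = PORT_HIGH - PORT_LOW   # assumed ephemeral range of a patched resolver
FIXED_PORT = 53                # assumed behaviour of an unpatched resolver


def analytic_success_probability(forged_per_query, randomize_port):
    """Chance that at least one of `forged_per_query` distinct guesses matches.
    Without port randomization the attacker only has to guess the TXID."""
    space = TXID_SPACE * (PORT_SPACE if randomize_port else 1)
    return min(1.0, forged_per_query / space)


def expected_queries_to_poison(forged_per_query, randomize_port):
    """Expected number of races before the first win (geometric distribution)."""
    return 1 / analytic_success_probability(forged_per_query, randomize_port)


def simulate(queries, forged_per_query, randomize_port, seed=1):
    """Empirical win rate over `queries` independent races (deterministic seed)."""
    rng = random.Random(seed)
    wins = 0
    for _ in range(queries):
        # The resolver picks the values the attacker has to hit.
        port = rng.randrange(PORT_LOW, PORT_HIGH) if randomize_port else FIXED_PORT
        txid = rng.randrange(TXID_SPACE)
        if randomize_port:
            # Attacker must guess both fields; each forged packet is one guess.
            hit = any(
                (rng.randrange(PORT_LOW, PORT_HIGH), rng.randrange(TXID_SPACE)) == (port, txid)
                for _ in range(forged_per_query)
            )
        else:
            # Port is known, so every forged packet is a distinct TXID guess.
            hit = txid in set(rng.sample(range(TXID_SPACE), forged_per_query))
        wins += hit
    return wins / queries


if __name__ == "__main__":
    k = 1000  # forged responses the attacker can land before the real answer
    for randomized in (False, True):
        print(f"randomize_port={randomized}: "
              f"analytic={analytic_success_probability(k, randomized):.2e} "
              f"simulated={simulate(2000, k, randomized):.2e} "
              f"expected races={expected_queries_to_poison(k, randomized):,.0f}")
```

With a fixed port the attacker wins roughly one race in 65, and because the attacker can trigger as many races as it likes by asking for random non-existent names in the target zone, that is minutes of work. Randomizing the source port multiplies the search space by the size of the port range, so the same flood needs millions of races. DNS-OARC's porttest service (`dig +short porttest.dns-oarc.net TXT`) offered a live check of whether a resolver's queries actually left from varying ports.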
Websense® Security Labs™ ThreatSeeker™ Network has discovered a new Storm Worm campaign around the theme of the U.S. credit crunch. We have detected a series of email subject lines used to entice users into downloading a Trojan. Here are a few examples of the subjects we have seen in this campaign:
The new currency is coming
Amero arrives
Amero currency Union is now the reality
The AMERO currency replacing the Dollar
We have previously seen the group behind the infamous Storm Worm use the tried and tested U.S. Independence Day theme and capitalize on global attention around fake World War III news.
Here is a screenshot of some of the newest spam messages:
Clicking the link in one of these messages directs users to a site laden with drive-by exploits served from a script file named ind.php; this script name has been constant throughout the campaign. In typical Storm Worm fashion, infection success depends heavily on the social engineering lure, so the malicious file in this campaign is appropriately named amero.exe.
Here is a screenshot of the templated malicious Web site:
Here is a screenshot of the malicious Web site's source:
Websense Messaging Security and Websense Web Security customers are protected against this attack.
If you think the trusted Web sites your employees visit are safe, think again. Attackers are increasingly compromising trusted Web sites with good reputations in order to circumvent traditional security measures and bypass much-hyped reputation-based systems.
The latest Websense Security Labs™ research finds that 75 percent of malicious Web sites are legitimate sites that have been compromised by attackers, an increase of almost 50 percent in compromised sites with seemingly good reputations over the last six months.
Attackers are quickly changing their game—are you prepared?
Register today for an informative webcast featuring Stephan Chenette, Websense manager of security research, who will provide details of the latest security trends and threats from the first half of 2008, including Web 2.0 security and new attack methods. Attendees will receive a complimentary research report prepared by the Websense Security Labs team as well as an overview of how Websense messaging security products now integrate the new Web and reputation data to protect against today's blended threats.
Websense® Security Labs™ ThreatSeeker™ Network has discovered yet another peak in the Storm Worm spam campaign. This time the socially engineered messages announce the start of World War III, claiming that U.S. forces have just invaded Iran, and offer a video of the alleged events.
Here is a screenshot of sampled spam messages:
The structure of the attack is similar to the 4th of July alert: several exploits are first delivered to the user's browser by a script file named ind.php. The socially engineered executables in this attack are named iran_occupation.exe and form.exe.
Here is a screenshot of the malicious Web site:
Here is a screenshot of the malicious Web site's source:
Websense® Security Labs™ ThreatSeeker™ Network has discovered a new Storm worm campaign emerging. To tie in with the 4th of July Independence Day celebrations in the US, we have detected a series of email subject lines around this theme to entice users into downloading a Trojan.
We had previously seen the group behind the infamous Storm worm use the tried and tested 'I love you' theme and then capitalize on the global attention around the Olympics to be held in Beijing.
Here are some samples:
Clicking on the link in the email directs the user to a site laden with drive-by exploits served from a script file named ind.php; this script name has been constant throughout the campaign. In typical Storm worm fashion, infection success depends heavily on the social engineering lure, so the malicious file is appropriately named fireworks.exe.
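The three Storm alerts above (the Independence Day, World War III and Amero campaigns) share the same indicators: a themed subject line, a landing page served from ind.php, and a lure executable named to match the theme. Here is an added example, not Websense code, that triages mail on exactly those indicators. The subject and filename lists are taken from the alerts; the sample messages and the 198.51.100.7 address are constructed for illustration.

```python
"""Triage of Storm-style mail lures on the indicators named in the alerts.

Added example, not Websense code. Indicators: campaign subject lines, a
landing script named ind.php, and a themed executable download.
"""
import re
from urllib.parse import urlparse

CAMPAIGN_SUBJECTS = {s.lower() for s in (
    "Amazing firework 2008", "Happy Fourth of July", "Super 4th!",
    "The new currency is coming", "Amero arrives",
)}
DROPPER_SCRIPTS = {"ind.php"}
LURE_EXECUTABLES = {"fireworks.exe", "iran_occupation.exe", "form.exe", "amero.exe"}
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat"}

# Matches live links and defanged hxxp:// links so shared samples scan too.
URL_RE = re.compile(r"\bh(?:tt|xx)ps?://[^\s<>\"']+", re.IGNORECASE)


def extract_urls(body):
    """Pull links out of a message body, undoing hxxp defanging and trailing punctuation."""
    return [re.sub(r"^h[x]{2}p", "http", u.rstrip(".,;)"), flags=re.I)
            for u in URL_RE.findall(body)]


def classify_url(url):
    """Return the reasons a link looks like a Storm-style landing page or dropper."""
    reasons = []
    name = urlparse(url).path.rsplit("/", 1)[-1].lower()
    if name in DROPPER_SCRIPTS:
        reasons.append(f"landing script {name}")
    ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
    if ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"executable download {name}")
        if name in LURE_EXECUTABLES:
            reasons.append("known campaign filename")
        if name.count(".") >= 2:          # e.g. video.mov.exe posing as media
            reasons.append("double extension")
    return reasons


def score_message(subject, body):
    """Count indicators; two or more is a block in this toy policy."""
    findings = []
    if subject.strip().lower() in CAMPAIGN_SUBJECTS:
        findings.append("campaign subject line")
    for url in extract_urls(body):
        findings.extend(classify_url(url))
    return len(findings), findings


# Constructed samples (not from the alerts).
SAMPLES = [
    ("Amero arrives", "New currency is here, watch: hxxp://198.51.100.7/ind.php"),
    ("Super 4th!", "Fireworks show: http://198.51.100.7/fireworks.exe."),
    ("Lunch?", "Menu is at http://example.com/menu.html"),
]

if __name__ == "__main__":
    for subject, body in SAMPLES:
        score, findings = score_message(subject, body)
        verdict = "BLOCK" if score >= 2 else "allow"
        print(f"{verdict:5} {score} {subject!r}: {findings}")
```

The filename check deliberately looks only at the last extension, so a name built to read as a media file still registers as an executable; the landing-script check is what catches the ind.php stage before any download happens.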
Screenshot of malicious web site:
Here are a few examples of the varied subjects we have seen in this campaign:
Amazing firework 2008
America for You and Me
Celebrate Independence
Happy Fourth of July
Light up the sky
Stars and Strips forever
Super 4th!
Websense Messaging and Websense Web Security customers are protected against this attack.
Websense® Security Labs™ ThreatSeeker™ Network has discovered a substantial number of spam messages utilizing a social engineering tactic that lures users to download malicious software.
It is interesting to observe how quickly spammers react to major online news, capitalizing on these events to improve the success rate of their social engineering. The recent media coverage of Osama Bin Laden seems to have prompted spammers to quickly recycle an old spam campaign.
The intercepted emails typically look like the following:
The messages include a link to a compromised site hosting obfuscated JavaScript that attempts to exploit a rather old vulnerability in Microsoft Data Access Components (MDAC). Here is part of the de-obfuscated exploit code:
Whether or not the exploit succeeds, the visitor is then redirected to a page showing a fake security warning that urges the user to download anti-spyware tools to "repair" the system. Spammers commonly use this tactic to push rogue applications. In this example, the malicious file installs itself as a service on the system.
Screenshot 1:
Screenshot 2:
We have seen the same malicious executable used throughout different spam campaigns bearing the following email subject lines:
Jennifer Aniston Interesting mp3!!!
Clara Morgane Shocking photo!!!
Kylie Minogue Interesting video without cowards!!!
Demi Moore New sexy songs!!!
Avril Lavigne Shocking porno dvd!!!
Nicole Richie Kick-up cd!!!
Beyonce Shocking sexy songs!!!
Keira Knightley Gallery photo!!!
Britney Spears Interesting cd!!!
Websense Messaging and Websense Web Security customers are protected against this attack.
Websense® Security Labs™ ThreatSeeker™ Network has discovered a substantial number of spam messages using a reliable social engineering trick that lures users into downloading a purported Microsoft critical security update.
The intercepted emails typically look like the following:
The message uses an open redirect on the legitimate shopping site shopping.***.com; the redirector forwards users to a malicious URL that offers a malicious executable for download. The malicious hostname is 62 characters long and begins with the labels update.microsoft.com, so the familiar name appears at the left of a hostname that actually belongs to an unrelated domain. Users who run the file infect their machine with a Backdoor.
Here is what the redirect looks like inside the spam messages: hXXp://shopping.***.com/go.nhn?url=hXXp%3A%2F%2Fupdate%2Emicrosoft%2Ecom%2E<removed>%2Enet
An interesting trait of this particular attack is that the attacker's parent domain itself (the .net domain beneath the fake update.microsoft.com labels) resolves to the Web site of the United States Secret Service Electronic Crimes Task Forces, in an apparent attempt to look benign to IP reputation-based systems that check the domain rather than the full malicious hostname.
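Two things in this alert are worth automating: decoding the destination hidden in a redirector's `url` parameter, and recognising that a hostname beginning with update.microsoft.com does not belong to Microsoft when the registrable domain is something else. The following is an added example, not Websense code. The alert redacts the real campaign hostname, so the sample below uses the constructed domain evil-example.net and the placeholder redirector shopping.example.com; the two-label registrable-domain heuristic is a simplification that a production filter would replace with the Public Suffix List.

```python
"""Unwrapping an open-redirect lure and spotting a brand used as a leading label.

Added example, not Websense code. The sample URL is constructed to mirror the
shape in the alert: legitimate redirector, percent-encoded destination, and a
hostname that starts with update.microsoft.com but sits under another domain.
"""
from urllib.parse import urlparse, parse_qs, unquote

WATCHED_BRANDS = {"microsoft.com", "paypal.com", "hsbc.com"}   # illustrative list
REDIRECT_PARAMS = ("url", "u", "redirect", "target", "dest", "goto", "next")

# Constructed sample; the real hostname is redacted in the alert.
SAMPLE_LURE = ("http://shopping.example.com/go.nhn?url="
               "http%3A%2F%2Fupdate%2Emicrosoft%2Ecom%2Eaccounts%2Eevil-example%2Enet%2Fupdate.exe")


def registrable_domain(host):
    """Naive eTLD+1 (last two labels); adequate for .com/.net examples only."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def unwrap_redirect(url):
    """Return the decoded destination carried by a known redirect parameter, or None."""
    qs = parse_qs(urlparse(url).query)          # parse_qs percent-decodes once
    for key in REDIRECT_PARAMS:
        if key in qs:
            target = qs[key][0]
            # Some redirectors are fed double-encoded values; keep decoding
            # while it still changes the string.
            while "%" in target and unquote(target) != target:
                target = unquote(target)
            return target
    return None


def brand_spoof(host):
    """Brand that appears as whole labels inside `host` while the registrable
    domain is something else, e.g. update.microsoft.com.evil-example.net."""
    padded = f".{host.lower()}."
    for brand in WATCHED_BRANDS:
        if f".{brand}." in padded and registrable_domain(host) != brand:
            return brand
    return None


def analyze(url):
    """Describe a link: who redirects, where to, and whether the target borrows a brand."""
    report = {"redirector": urlparse(url).hostname or "", "destination": None,
              "destination_domain": None, "hostname_length": 0, "brand_spoof": None}
    target = unwrap_redirect(url)
    if target is None:
        return report
    host = urlparse(target).hostname or ""
    report.update(destination=host, destination_domain=registrable_domain(host),
                  hostname_length=len(host), brand_spoof=brand_spoof(host))
    return report


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LURE).items():
        print(f"{key:19} {value}")
```

The useful output is `destination_domain`: a reputation lookup keyed on it sees the attacker's .net domain, not the familiar labels in front of it and not the shopping site whose redirector the spam links to.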
We have detected email lures containing links to this site spreading rapidly through our Websense Hosted Email Security and Websense Email Security products.
It is important to add that Microsoft never sends security update notifications through emails.
Websense Messaging and Websense Web Security customers are protected against this attack.
Websense® Security Labs™ has received reports that the official Web sites of ICANN and IANA have been hijacked by a Turkish group called “NetDevilz”. ICANN and IANA are responsible for Internet Protocol (IP) address space allocation, protocol identifier assignment, generic (gTLD) and country code top level domain management, and root server system management. NetDevilz is the same group that has hijacked many other domains, listed in the Zone-H Attack Archive.
The ICANN and IANA Web sites were defaced and displayed the following message: “You think that you control the domains but you don’t! Everybody knows wrong. We control the domains including ICANN! Don’t you believe us? haha :) (Lovable Turkish hackers group)”
The following domains were hijacked, and some of them still return the defaced pages: http://icann.***; http://icann.^^^; http://iana-servers.@@@; http://internetassignednumbersauthority.!!!; http://iana.&&&. These sites redirect visitors to http://atspace.%%%. So far, none of the hijacked domains has served malware or live exploits.
Websense® Security Labs™ ThreatSeeker™ Network has detected an increase in spam exploiting current economic conditions.
The tough economic times are hard on consumers, but spammers have not skipped a beat: they now use economic worries such as high gas prices, the credit crunch and housing costs to advertise their products and services. Today the Websense® Security Labs™ ThreatSeeker™ Network is reporting an increase in spam around these themes. Additionally, with a growing number of people facing foreclosure and other financial distress, Websense researchers are also noticing an uptick in solicitations for credit cards, credit reporting services, and debt consolidation services.
Scammers have long used "pump and dump" spam stock investment schemes which attempt to boost the price of a company's stock through false and misleading promotions or highly exaggerated statements. As a sign of the times, with the stock market down, Websense researchers have also noticed fewer and fewer of these campaigns.
Here is an example of spam advertising a product which claims to lower your gas costs:
Here is an example of spam advertising a credit score lookup service:
Here is an example of spam advertising a service to obtain more credit:
Here is an example of spam from the folks behind the Nigerian 419 fraud:
Websense® Security Labs™ ThreatSeeker Network has detected a malicious email spam campaign targeting Latin America. The spam uses a social engineering tactic built on the hype around the upcoming Apple iPhone 3G launch, due in July.
Clicking on the email's links for a "presentation" or for "more information" triggers the download of a Trojan innocuously named "presentacion.mov.exe", whose .mov.exe double extension disguises an executable as a video file.