The Dark Side of Trusting Web Searches From Blackhat SEO to System Infection
Trend Micro, Incorporated
Marco Dela Vega and Norman Ingal, Threat Response Engineers
A Trend Micro Research Paper I November 2010
CONTENTS
- Introduction
- Building Doorway Pages
- Redirection and Stealth Tactics
- Malicious Landing Pages and Damaging Payloads
- Conclusion
- References

RESEARCH PAPER I THE DARK SIDE OF TRUSTING WEB SEARCHES
INTRODUCTION

With the endless stream of information available on the Internet, website owners now find it increasingly difficult to get their sites noticed, even if their content provides very useful and interesting information on popular subjects. To gain and improve site traffic or to attract visitors, a site now needs to reach the top ranks in search engines via search engine optimization (SEO).

SEO's popularity, however, has also piqued cybercriminals' attention. It has become a widely used cybercriminal technique for delivering malware to unsuspecting users' systems while earning huge amounts of profit, and it has given rise to what we now know as blackhat SEO.

From the outset, blackhat SEO attacks are relatively simple, as discussed in more detail in a previously published Trend Micro research paper, How Blackhat SEO Became Big. Clicking poisoned search results directs unwitting users to malware-hosting sites. What users do not know is that before they end up on the final landing pages, the cybercriminals had to compromise several sites and to instigate a series of redirections, taking users through several compromised sites in order to deliver the final malware payload.

Figure 1. Typical blackhat SEO infection diagram

This research paper will explain how cybercriminals leverage blackhat SEO to compromise systems. It will share our observations regarding various sites that have been compromised and doorway pages that have been specially crafted for use in blackhat SEO attacks. It will also identify the techniques that cybercriminals use to mask infected pages and the different payloads that the said compromised sites deliver.

This paper focuses on the overall blackhat SEO-instigated infection chain and provides data on the latest SEO tool kit versions cybercriminals use today. Finally, it provides best practices that anyone who uses a search engine can adhere to in order to prevent system infections as a result of SEO poisoning and to rid infected systems of malware payloads.
Figure 2. How a blackhat SEO attack occurs
BUILDING DOORWAY PAGES

A blackhat SEO infection chain always starts with doorway pages, the landing pages that serve malware. Doorway pages, also known as portals, jumps, gateways, or entry pages, are primarily designed to trick search engines into treating them as legitimate pages. Cybercriminals have found a way to automate SEO poisoning so that, as a certain topic becomes more popular, related doorway pages instantly appear among the top search results.

These pages are usually hosted on specially crafted sites or on compromised legitimate sites. Legitimate sites can be compromised either by exploiting improperly configured Web servers or by using known vulnerabilities in server and other Web applications. Most of the compromised sites that host doorway pages ran on Apache servers with Hypertext Preprocessor (PHP) functionality. In several cases, these also used common Web applications such as Joomla! and WordPress as content management systems (CMSs).

We also found exploit code on some compromised sites that strongly suggests cybercriminals also used the said sites to find and exploit other vulnerable sites. This code varied from site vulnerability scanners to proof-of-concept (POC) code that targets specific vulnerabilities, making both users and site owners potential victims of this threat.

Once a page has been compromised, cybercriminals then set up its SEO components using a tool kit that performs poisoning routines.

Figure 3. Compromised site with an SEO tool kit installed

One of the most interesting components of the SEO tool kits we found on compromised sites is a log file that contains a list of strings and keywords similar to those that appear as trending search strings on Google Trends or Yahoo!. This clearly shows that cybercriminals harvest the said information as an important part of the infection process, as it dictates their success in delivering threats to unsuspecting victims.
The list of search strings is managed and controlled by a central command-and-control (C&C) server and is distributed to different compromised sites using a variety of methods. The C&C server also distributes links to other compromised sites, which are appended to doorway pages that have been constructed to improve their ranking among search results.

In a blackhat SEO attack, a C&C server:
- Manages and controls a list of search strings
- Distributes links to compromised sites, which are appended to doorway pages to increase the sites' ranking among search results

Figure 4. Search strings and links found in compromised sites

Another doorway page component is a record of all kinds of information about requests from unwary page visitors. This information may include HTTP requests (i.e., query parameters), visitors' IP addresses, and User-Agent HTTP headers. Information about HTTP referrers is also recorded, since this is used to verify whether a visitor found the doorway page as a search engine result or not.

Figure 5. Log file containing information on a site's visitors
The blackhat SEO tool kit's main component is a single PHP script that handles an attack's overall operation, from obtaining HTTP requests to generating content for the compromised sites based on the responses. The latest script we obtained had several encryption layers, making it more difficult to analyze.

Figure 6. First encryption layer
Figure 7. Second encryption layer

To avoid detection, when a compromised site receives an HTTP request, the main script checks if it came from any of the following:
- Search engine crawler
- User via a search engine
- Direct site access

Figure 8. Decoded part of the script

The main script identifies the above-mentioned sources by checking different HTTP header fields such as $_SERVER['HTTP_USER_AGENT'] and $_SERVER['HTTP_REFERER'] as well as the HTTP request itself. The PHP tool kit at hand checks if the $_SERVER['HTTP_USER_AGENT'] value is googlebot, slurp, or msnbot, common user-agent strings that search engine crawlers use. It also checks for specific strings used as request parameters, such as q and page, as well as their corresponding values. To determine if a user request arrived via a search engine, the script checks the $_SERVER['HTTP_REFERER'] header field.
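The request classes the tool kit distinguishes (crawler, search-referred user, direct visit) also leave a signature in a compromised site's own access logs: one path answers crawlers with 200 and full content but answers search-referred visitors with a 3xx redirect. The script below, an added example that is not code from the paper or from the tool kit it analyzes, parses Apache combined-format log lines (an assumed format), classifies each request the same way, and flags such paths; the crawler and search-engine host lists and every log line are constructed for the example.

```python
"""Flag paths in an access log that are cloaked for search-referred users."""
import re
from collections import defaultdict
from urllib.parse import urlparse

# User-agent fragments the paper names as what the tool kit looks for
CRAWLER_UA = ("googlebot", "slurp", "msnbot")
# Referer hosts treated as search engines (assumed list, extend as needed)
SEARCH_HOSTS = ("google.", "bing.", "yahoo.", "search.")

# Apache "combined" log format (assumed): ip ident user [time] "req" status size "referer" "ua"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def classify(ua, referer):
    """Mirror the three request classes the tool kit distinguishes."""
    if any(bot in ua.lower() for bot in CRAWLER_UA):
        return "crawler"
    host = urlparse(referer).netloc.lower()
    if host and any(s in host for s in SEARCH_HOSTS):
        return "search_user"
    return "direct"


def parse_line(line):
    """Return a dict for one log line, or None if it is not combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    # Drop the query string so /x.php?q=a and /x.php?q=b group together
    rec["path"] = rec["path"].split("?", 1)[0]
    rec["class"] = classify(rec["ua"], rec["referer"])
    return rec


def find_cloaked_paths(lines):
    """Paths where every crawler hit got 200 and every search-referred hit got 3xx."""
    per_path = defaultdict(lambda: defaultdict(list))
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_path[rec["path"]][rec["class"]].append(rec["status"])
    suspicious = []
    for path, classes in per_path.items():
        crawler, users = classes.get("crawler", []), classes.get("search_user", [])
        if not crawler or not users:
            continue  # need both views of the page to compare them
        if all(s == 200 for s in crawler) and all(300 <= s < 400 for s in users):
            suspicious.append(path)
    return sorted(suspicious)


# Constructed sample log: a doorway script dropped into a CMS upload directory.
# Documentation IP ranges only; nothing here is a real indicator.
SAMPLE_LOG = """\
192.0.2.10 - - [02/Nov/2010:10:00:01 +0000] "GET /wp-content/uploads/news.php?q=trending+topic HTTP/1.1" 200 48213 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
192.0.2.11 - - [02/Nov/2010:10:01:12 +0000] "GET /wp-content/uploads/news.php?q=trending+topic HTTP/1.1" 200 47990 "-" "Mozilla/5.0 (compatible; Yahoo! Slurp)"
203.0.113.7 - - [02/Nov/2010:10:02:30 +0000] "GET /wp-content/uploads/news.php?q=trending+topic HTTP/1.1" 302 219 "http://www.google.com/search?q=trending+topic" "Mozilla/5.0 (Windows NT 6.1) Firefox/3.6"
198.51.100.9 - - [02/Nov/2010:10:03:02 +0000] "GET /wp-content/uploads/news.php?q=trending+topic HTTP/1.1" 302 219 "http://www.bing.com/search?q=trending+topic" "Mozilla/4.0 (compatible; MSIE 8.0)"
198.51.100.20 - - [02/Nov/2010:10:04:44 +0000] "GET /wp-content/uploads/news.php?q=trending+topic HTTP/1.1" 200 1423 "-" "Mozilla/5.0 (X11; Linux) Firefox/3.6"
192.0.2.10 - - [02/Nov/2010:10:05:00 +0000] "GET /about/ HTTP/1.1" 200 9120 "-" "Mozilla/5.0 (compatible; Googlebot/2.1)"
203.0.113.8 - - [02/Nov/2010:10:05:30 +0000] "GET /about/ HTTP/1.1" 200 9120 "http://www.google.com/search?q=site+about" "Mozilla/5.0 (Windows NT 6.1) Firefox/3.6"
"""

if __name__ == "__main__":
    for path in find_cloaked_paths(SAMPLE_LOG.splitlines()):
        print("possible cloaked doorway page:", path)
```

A direct visit (no search referer) is deliberately ignored in the comparison, since the tool kit serves such visitors harmless content and they would otherwise mask the pattern.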
If a request was found to have come from a search engine crawler, the main script generates doorway pages stuffed with content it harvested. Using the search string parameters, content is harvested by lifting relevant text and images from the results presented by a single search engine. The SEO tool kit that we analyzed, for instance, obtains the top 100 search results from Google Russia.

Figure 9. SEO tool kit uses Google Russia for spamdexing

The contents of doorway pages are mainly created for spamdexing purposes. These pages increase a linked page's ranking among search engine results. In some cases, however, a dormant doorway page may contain links to compromised sites to further increase its ranking.

Figure 10. Dormant doorway pages with links to a malicious site
Malicious scripts are embedded in doorway pages in such a way that users who access the said pages are redirected to several malicious sites. This is done by referencing another PHP component of the tool kit that contains the URL to which the doorway page should redirect users. Note, however, that this URL frequently changes, as it is updated from a master C&C server every 10 minutes. The payload or malware that the product ID points to can also be modified to identify what threat the tool kit should deliver. We can also assume that these tool kits are being sold to cybercriminals so they can more easily distribute their malicious creations.

Figure 11. SEO tool kit can be configured to provide different malware as payloads
REDIRECTION AND STEALTH TACTICS

Users who access doorway pages via search engines are directed either to fake scanning pages or to fake video-streaming pages that then lead to the download of different malware binaries. Before the users reach the final destination pages, however, a series of link hops or redirections first takes place. These redirections help hide the actual URLs of the final landing pages and of the pages that host the fake scanning results.

Figure 12. Two-week diagram of a blackhat SEO infection chain from the initial landing page
More than simple redirections, however, cybercriminals also use other techniques to redirect users to their specially crafted malicious pages. These include a combination of the following stealth tactics:
- Geo-targeting or IP delivery: This uses users' IP addresses to determine their geographic locations in order to deliver location-specific content to their systems.
- Blog scraping: This refers to regularly scanning blogs to search for and copy content using automated software.
- Referrer page checking: This ensures that only users arriving via search engines are included in the infection chain and prevents security analysts or system administrators from seeing anything malicious when they directly access a doorway page.
- User-agent filtering: This refers to distinguishing between browsers to enable OS-specific download of payloads.

Since we started monitoring recent blackhat SEO attacks, we have observed several variations in how cybercriminals implemented the above-mentioned techniques. The foremost tactic we found was the use of server-side redirections, specifically HTTP 3xx redirections. Using this method, however, requires cybercriminals to gain administrative privileges on Web servers.

Figure 13. How an HTTP 3xx server redirection takes place
Cybercriminals who have limited privileges on Web servers inject server-side scripts into sites to compromise them. The following redirection techniques can lead users to sites with malicious payloads:
- Use of JavaScript code
Figure 14. JavaScript redirection code
- Use of meta refresh tags, HTML features that refresh a displayed page after a certain amount of time
Figure 15. Meta refresh tag redirection code
- Use of iframe tags, sometimes with the help of user-agent filtering to prevent access using specific browsers
Figure 16. Iframe tag redirection code with a browser-specific payload

Note, however, that to make a blackhat SEO attack successful, several redirection methods are employed as stealth mechanisms in order to evade the common URL-filtering technologies that different security vendors come up with.
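A site owner who suspects that pages on a Joomla! or WordPress install have been tampered with can look for the three client-side redirection techniques just listed without executing anything. The scanner below is an added example, not code from the paper or from the tool kit it describes: it parses saved HTML with the standard library and reports meta refresh tags, JavaScript that rewrites the location, and iframes that are hidden or sized to zero, together with each destination. The sample page is constructed, and the size and style thresholds used to call an iframe "hidden" are this example's own assumptions.

```python
"""Report client-side redirection constructs found in an HTML document."""
import re
from html.parser import HTMLParser

# JavaScript idioms that navigate away from the page (group 1 or 2 is the URL)
JS_REDIRECT_RE = re.compile(
    r"""(?:(?:window|document|top|self|parent)\.)?location(?:\.href)?\s*=\s*['"]([^'"]+)['"]"""
    r"""|location\.(?:replace|assign)\(\s*['"]([^'"]+)['"]""",
    re.IGNORECASE,
)
# Destination inside a meta refresh "content" value, e.g. "0; url=http://..."
META_URL_RE = re.compile(r"url\s*=\s*['\"]?([^'\"; ]+)", re.IGNORECASE)


class RedirectScanner(HTMLParser):
    """Collect (technique, destination) pairs while the page is parsed."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._script = None  # buffer for the <script> body being read

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "script":
            self._script = []
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = META_URL_RE.search(a.get("content", ""))
            if m:
                self.findings.append(("meta_refresh", m.group(1)))
        elif tag == "iframe" and self._is_hidden(a):
            self.findings.append(("hidden_iframe", a.get("src", "")))

    def handle_data(self, data):
        if self._script is not None:
            self._script.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script is not None:
            body = "".join(self._script)
            self._script = None
            for m in JS_REDIRECT_RE.finditer(body):
                self.findings.append(("js_redirect", m.group(1) or m.group(2)))

    @staticmethod
    def _is_hidden(a):
        """Assumed heuristics: zero/one-pixel size, display:none, or pushed off-screen."""
        style = a.get("style", "").replace(" ", "").lower()
        tiny = any(
            a.get(dim, "").strip().rstrip("px") in ("0", "1") for dim in ("width", "height")
        )
        return tiny or "display:none" in style or "visibility:hidden" in style or "left:-" in style


def scan_html(html):
    """Return the list of (technique, destination) findings for one page."""
    parser = RedirectScanner()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed doorway-style page combining all three techniques; the
# example.invalid hosts are placeholders, not real indicators.
SAMPLE_PAGE = """<html><head>
<meta http-equiv="refresh" content="0; url=http://example.invalid/landing.php">
<title>Breaking news</title></head>
<body>
<p>Harvested filler text about a trending topic.</p>
<iframe src="http://example.invalid/ua-check.php" width="0" height="0" frameborder="0"></iframe>
<script type="text/javascript">
if (navigator.userAgent.indexOf("MSIE") != -1) {
  window.location.href = "http://example.invalid/ie.php";
} else {
  document.location.replace('http://example.invalid/other.php');
}
</script>
</body></html>"""

if __name__ == "__main__":
    for technique, url in scan_html(SAMPLE_PAGE):
        print(f"{technique:14s} -> {url}")
```

Injected code is often obfuscated, so an empty result from a static pass is not proof of a clean page; it complements a comparison of the served page against the CMS's own files.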
MALICIOUS LANDING PAGES AND DAMAGING PAYLOADS

After successfully employing any of the techniques mentioned earlier, cybercriminals then lead users to a page that hosts spoofed content. This includes bogus message prompts; scareware pages that urge users to check fake scanning results, which have been designed to scare them into downloading fake antivirus software; and fake video-streaming pages urging users to download fake codecs in order to view fake videos.

Figure 17. Samples of scareware pages
Figure 18. Fake video-streaming page that lures users into downloading a fake codec

Some spoofed content comes in the form of prompts to download fake Adobe Flash Player installers. The said pages trick users into clicking a link that supposedly leads to a video, which they need to install Adobe Flash Player to view. The cybercriminals behind this kind of attack have a keen eye for detail, as they not only craft convincing interfaces but also use URLs that strongly suggest that the sites are indeed Adobe related.

Most blackhat SEO attacks result in FAKEAV malware payloads, but we have also seen attacks resulting in the download of MONDER, TDSS, and ZBOT variants. Most of these are related to botnets that either steal user information or deliver their final payloads.

Figure 19. Botnet business model
CONCLUSION

SEO plays an important role in getting the greatest number of Internet users to access relevant information on popular subjects. Unfortunately, however, it has also been playing an important role in spreading malware to as many unsuspecting user systems as possible. Knowing how SEO works and how blackhat SEO has become a favorite infection vector will help security experts come up with effective countermeasures to protect users from related threats.

The following are some tried-and-tested best practices that users can keep in mind to protect their systems from blackhat SEO attacks:
- Practice safe browsing habits. Avoid visiting suspicious-looking sites. Do not download and install software from untrustworthy sources.
- Stay abreast of the latest threats and threat trends. Familiarizing oneself with the current threat landscape is a great way to stay informed about the latest scams. The most popular malware today tends to prey on unwary users. It is also worthwhile to familiarize oneself with the security solutions available in the market. To know more about the latest threats and threat trends, read the articles on TrendWatch and the latest posts by security experts in the TrendLabs Malware Blog.
- Download and install the latest patches. Unpatched machines are more prone to malicious attacks. It is a good computing habit to regularly patch systems. Enabling the automatic update feature is also recommended. Trend Micro also posts the latest vulnerability information on the new Threat Encyclopedia.
- Install an effective security suite. Blackhat SEO is now one of the most common threat infection vectors. As such, installing an effective security solution will mitigate the risks malware pose.

Trend Micro products and solutions incorporate the Trend Micro Smart Protection Network infrastructure to stop threats before they can even reach your system. Backed by the Smart Protection Network, Trend Micro security products and services use smarter approaches than conventional solutions. Smart Protection Network is a cloud-client content security infrastructure that automatically blocks threats before they reach systems. It utilizes a global network of threat intelligence sensors that correlates with e-mail, Web, and file reputation technologies 24 x 7 to provide comprehensive protection against threats. As threats become more sophisticated, the volume of attacks increases, and the number of endpoints rapidly grows, the need for lightweight, comprehensive, and immediate threat intelligence in the cloud will become critical to protect businesses against data breaches, damage to reputations, and loss of productivity.
REFERENCES
- Loucif Kharouni. (April 8, 2010). TrendLabs Malware Blog. "Spotlighting the Botnet Business Model." (Retrieved September 2010).
- Ryan Flores. (November 2010). TrendWatch. "How Blackhat SEO Became Big." trendmicro.com/imperia/md/content/us/trendwatch/researchandanalysis/how_blackhat_seo_became_big november_2010_.pdf (Retrieved November 2010).
- Trend Micro Incorporated. (2010). Threat Encyclopedia. "BKDR_TDSS." threatinfo.trendmicro.com/vinfo/virusencyclo/default2.asp?m=q&virus=tdss&alt=tdss&sect=sa (Retrieved September 2010).
- Trend Micro Incorporated. (2010). Threat Encyclopedia. "TROJ_MONDER." threatinfo.trendmicro.com/vinfo/virusencyclo/default2.asp?m=q&virus=monder&alt=monder&sect=sa (Retrieved September 2010).
- Trend Micro Incorporated. (2010). Threat Encyclopedia. "ZBOT." trendmicro.com/vinfo/virusencyclo/default2.asp?m=q&virus=zbot&alt=zbot&sect=SA (Retrieved September 2010).

TREND MICRO
Trend Micro Incorporated is a pioneer in secure content and threat management. Founded in 1988, Trend Micro provides individuals and organizations of all sizes with award-winning security software, hardware and services. With headquarters in Tokyo and operations in more than 30 countries, Trend Micro solutions are sold through corporate and value-added resellers and service providers worldwide. For additional information and evaluation copies of Trend Micro products and services, visit our Web site.

2010 by Trend Micro, Incorporated. All rights reserved. Trend Micro and the Trend Micro t-ball logo are trademarks or registered trademarks of Trend Micro, Incorporated. All other product or company names may be trademarks or registered trademarks of their owners.
More informationAdvanced Persistent Threats
White Paper INTRODUCTION Although most business leaders and IT managers believe their security technologies adequately defend against low-level threats, instances of (APTs) have increased. APTs, which
More informationHow To Protect Your Online Banking From Fraud
DETECT MONITORING SERVICES AND DETECT SAFE BROWSING: Empowering Tools to Prevent Account Takeovers SUMMARY The Federal Financial Institutions Examination Council (FFIEC) is planning to update online transaction
More informationPay-Per-Install The New Malware Distribution Network
Pay-Per-Install The New Malware Distribution Network Nishant Doshi, Ashwin Athalye, and Eric Chien Contents Introduction... 1 Pay-Per-Install Distribution Model... 2 Recruiting Affiliates... 4 The Payload...
More informationWeb site security issues White paper November 2009. Maintaining trust: protecting your Web site users from malware.
Web site security issues White paper November 2009 Maintaining trust: protecting your Page 2 Contents 2 Is your Web site attacking your users? 3 Familiar culprit, new MO 6 A look at how legitimate Web
More informationThe Fundamental Failures of End-Point Security. Stefan Frei Research Analyst Director sfrei@secunia.com
The Fundamental Failures of End-Point Security Stefan Frei Research Analyst Director sfrei@secunia.com Agenda The Changing Threat Environment Malware Tools & Services Why Cybercriminals Need No 0-Days
More informationEmail Correlation and Phishing
A Trend Micro Research Paper Email Correlation and Phishing How Big Data Analytics Identifies Malicious Messages RungChi Chen Contents Introduction... 3 Phishing in 2013... 3 The State of Email Authentication...
More informationOperation Liberpy : Keyloggers and information theft in Latin America
Operation Liberpy : Keyloggers and information theft in Latin America Diego Pérez Magallanes Malware Analyst Pablo Ramos HEAD of LATAM Research Lab 7/7/2015 version 1.1 Contents Introduction... 3 Operation
More informationPractical Threat Intelligence. with Bromium LAVA
Practical Threat Intelligence with Bromium LAVA Practical Threat Intelligence Executive Summary Threat intelligence today is costly and time consuming and does not always result in a reduction of successful
More informationDon DeBolt and Kiran Bandla 29 September 2010
BlackHat SEO: Abusing Google Trends to Serve Malware Don DeBolt and Kiran Bandla 29 September 2010 Agenda BlackHat SEO Logic and Components Background Research Methodology Findings Conclusion Logic flow
More informationMalware, Phishing, and Cybercrime Dangerous Threats Facing the SMB State of Cybercrime
How to Protect Your Business from Malware, Phishing, and Cybercrime The SMB Security Series Malware, Phishing, and Cybercrime Dangerous Threats Facing the SMB State of Cybercrime sponsored by Introduction
More informationWhite paper. Phishing, Vishing and Smishing: Old Threats Present New Risks
White paper Phishing, Vishing and Smishing: Old Threats Present New Risks How much do you really know about phishing, vishing and smishing? Phishing, vishing, and smishing are not new threats. They have
More informationIndian Computer Emergency Response Team (CERT-In) Annual Report (2010)
Indian Computer Emergency Response Team (CERT-In) Annual Report (2010) Indian Computer Emergency Response Team (CERT-In) Department of Information Technology Ministry of Communications & Information Technology
More informationRecommended Practice Case Study: Cross-Site Scripting. February 2007
Recommended Practice Case Study: Cross-Site Scripting February 2007 iii ACKNOWLEDGEMENT This document was developed for the U.S. Department of Homeland Security to provide guidance for control system cyber
More informationMalicious Websites uncover vulnerabilities (browser, plugins, webapp, server), initiate attack steal sensitive information, install malware, compromise victim s machine Malicious Websites uncover vulnerabilities
More informationIntroduction: 1. Daily 360 Website Scanning for Malware
Introduction: SiteLock scans your website to find and fix any existing malware and vulnerabilities followed by using the protective TrueShield firewall to keep the harmful traffic away for good. Moreover
More informationRogue DNS servers a case study
Rogue DNS servers a case study Feike Hacquebord Forward Looking Threat Research, Trend Micro Cupertino, CA, USA feikehayo_hacquebord@trendmicro.com Contents Introduction to DNS DNS Changer Trojans Rogue
More informationCommissioned Study. SURVEY: Web Threats Expose Businesses to Data Loss
Commissioned Study SURVEY: Web Threats Expose Businesses to Data Loss Introduction Web-borne attacks are on the rise as cybercriminals and others who do harm to computer systems for profit or malice prey
More informationCross Site Scripting in Joomla Acajoom Component
Whitepaper Cross Site Scripting in Joomla Acajoom Component Vandan Joshi December 2011 TABLE OF CONTENTS Abstract... 3 Introduction... 3 A Likely Scenario... 5 The Exploit... 9 The Impact... 12 Recommended
More informationIntroduction The Case Study Technical Background The Underground Economy The Economic Model Discussion
Internet Security Seminar 2013 Introduction The Case Study Technical Background The Underground Economy The Economic Model Discussion An overview of the paper In-depth analysis of fake Antivirus companies
More informationENABLING FAST RESPONSES THREAT MONITORING
ENABLING FAST RESPONSES TO Security INCIDENTS WITH THREAT MONITORING Executive Summary As threats evolve and the effectiveness of signaturebased web security declines, IT departments need to play a bigger,
More informationAnalyzing HTTP/HTTPS Traffic Logs
Advanced Threat Protection Automatic Traffic Log Analysis APTs, advanced malware and zero-day attacks are designed to evade conventional perimeter security defenses. Today, there is wide agreement that
More informationIntegrated Network Vulnerability Scanning & Penetration Testing SAINTcorporation.com
SAINT Integrated Network Vulnerability Scanning and Penetration Testing www.saintcorporation.com Introduction While network vulnerability scanning is an important tool in proactive network security, penetration
More informationHTTP Virus Protection in the Enterprise Environment
TREND MICRO INTERSCAN WEBPROTECT TREND MICRO, INC. 10101 N. DE ANZA BLVD. CUPERTINO, CA 95014 T 800.228.5651 / 408.257.1500 F 408.257.2003 WWW.TRENDMICRO.COM HTTP Virus Protection in the Enterprise Environment
More informationManaging Web Security in an Increasingly Challenging Threat Landscape
Managing Web Security in an Increasingly Challenging Threat Landscape Cybercriminals have increasingly turned their attention to the web, which has become by far the predominant area of attack. Small wonder.
More informationLASTLINE WHITEPAPER. Large-Scale Detection of Malicious Web Pages
LASTLINE WHITEPAPER Large-Scale Detection of Malicious Web Pages Abstract Malicious web pages that host drive-by-download exploits have become a popular means for compromising hosts on the Internet and,
More informationEVILSEED: A Guided Approach to Finding Malicious Web Pages
+ EVILSEED: A Guided Approach to Finding Malicious Web Pages Presented by: Alaa Hassan Supervised by: Dr. Tom Chothia + Outline Introduction Introducing EVILSEED. EVILSEED Architecture. Effectiveness of
More informationSTOP Cybercriminals and. security attacks ControlNow TM Whitepaper
STOP Cybercriminals and security attacks ControlNow TM Whitepaper Table of Contents Introduction 3 What the headlines don t tell you 4 The malware (r)evolution 5 Spear phishing scams 5 Poisoned searches
More informationContinuous Monitoring in a Virtual Environment
Continuous Monitoring in a Virtual Environment By: JD Sherry, Director of Public Technology and Tom Kellermann, Vice President of Cybersecurity Trend Micro, Incorporated» The future of cybersecurity will
More informationNetsweeper Whitepaper
Netsweeper Inc. Corporate Headquarters 104 Dawson Road Suite 100 Guelph, ON, Canada N1H 1A7 CANADA T: +1 (519) 826-5222 F: +1 (519) 826-5228 Netsweeper Whitepaper The Evolution of Web Security June 2010
More informationGlobalSign Malware Monitoring
GLOBALSIGN WHITE PAPER GlobalSign Malware Monitoring Protecting your website from distributing hidden malware GLOBALSIGN WHITE PAPER www.globalsign.com CONTENTS Introduction... 2 Malware Monitoring...
More informationRIA SECURITY TECHNOLOGY
RIA SECURITY TECHNOLOGY Ulysses Wang Security Researcher, Websense Hermes Li Security Researcher, Websense 2009 Websense, Inc. All rights reserved. Agenda RIA Introduction Flash Security Attack Vectors
More informationMicrosoft Windows XP Vulnerabilities and Prevention
Managing Your Legacy Systems: What Will Life Be Like After Windows Server 2003? After Microsoft ended support for Windows XP last April 8, 2014, users and organizations alike that continued to use the
More informationNetworks and Security Lab. Network Forensics
Networks and Security Lab Network Forensics Network Forensics - continued We start off from the previous week s exercises and analyze each trace file in detail. Tools needed: Wireshark and your favorite
More informationCovert Operations: Kill Chain Actions using Security Analytics
Covert Operations: Kill Chain Actions using Security Analytics Written by Aman Diwakar Twitter: https://twitter.com/ddos LinkedIn: http://www.linkedin.com/pub/aman-diwakar-ccie-cissp/5/217/4b7 In Special
More informationWhen Reputation is Not Enough: Barracuda Spam & Virus Firewall Predictive Sender Profiling
When Reputation is Not Enough: Barracuda Spam & Virus Firewall Predictive Sender Profiling As spam continues to evolve, Barracuda Networks remains committed to providing the highest level of protection
More informationHow IT Can Enhance User Productivity with Dynamic Web Repair
White Paper How IT Can Enhance User Productivity with Dynamic Web Repair INTRODUCTION We all know that malware is a major concern for organizations worldwide. And with the mainstreaming of interactive
More informationWho Drives Cybersecurity in Your Business? Milan Patel, K2 Intelligence. AIBA Quarterly Meeting September 10, 2015
Who Drives Cybersecurity in Your Business? Milan Patel, K2 Intelligence AIBA Quarterly Meeting September 10, 2015 The Answer 2 Everyone The relationship between the board, C-suite, IT, and compliance leaders
More informationCan Consumer AV Products Protect Against Critical Microsoft Vulnerabilities?
ANALYST BRIEF Can Consumer AV Products Protect Against Critical Microsoft Vulnerabilities? Author Randy Abrams Tested Products Avast Internet Security 7 AVG Internet Security 2012 Avira Internet Security
More informationSECURITY REIMAGINED SPEAR PHISHING ATTACKS WHY THEY ARE SUCCESSFUL AND HOW TO STOP THEM. Why Automated Analysis Tools are not Created Equal
WHITE PAPER SPEAR PHISHING ATTACKS WHY THEY ARE SUCCESSFUL AND HOW TO STOP THEM Why Automated Analysis Tools are not Created Equal SECURITY REIMAGINED CONTENTS Executive Summary...3 Introduction: The Rise
More informationEndpoint Business Products Testing Report. Performed by AV-Test GmbH
Business Products Testing Report Performed by AV-Test GmbH January 2011 1 Business Products Testing Report - Performed by AV-Test GmbH Executive Summary Overview During November 2010, AV-Test performed
More informationZeuS: A Persistent Criminal Enterprise
ZeuS: A Persistent Criminal Enterprise Trend Micro, Incorporated Threat Research Team A Trend Micro Research Paper I March 2010 CONTENTS INTRODUCTION...3 WHAT IS ZEUS?...4 SOME TECHNICAL FACTS...5 ZeuS
More informationSecurity Threats to Business, the Digital Lifestyle, and the Cloud. Trend Micro Predictions for 2013 and Beyond
Security Threats to Business, the Digital Lifestyle, and the Cloud Trend Micro Predictions for 2013 and Beyond In 2013, managing the security of devices, small business systems, and large enterprise networks
More informationZNetLive Malware Monitoring
Introduction The criminal ways of distributing malware or malicious software online have gone through a change in past years. In place of using USB drives, attachments or disks to distribute viruses, hackers
More informationMicrosoft Security Intelligence Report volume 7 (January through June 2009)
Microsoft Security Intelligence Report volume 7 (January through June 2009) Key Findings Summary Volume 7 of the Microsoft Security Intelligence Report provides an in-depth perspective on malicious and
More informationBasic Security Considerations for Email and Web Browsing
Basic Security Considerations for Email and Web Browsing There has been a significant increase in spear phishing and other such social engineering attacks via email in the last quarter of 2015, with notable
More informationHow Attackers are Targeting Your Mobile Devices. Wade Williamson
How Attackers are Targeting Your Mobile Devices Wade Williamson Today s Agenda Brief overview of mobile computing today Understanding the risks Analysis of recently discovered malware Protections and best
More informationASL IT SECURITY BEGINNERS WEB HACKING AND EXPLOITATION
ASL IT SECURITY BEGINNERS WEB HACKING AND EXPLOITATION V 2.0 A S L I T S e c u r i t y P v t L t d. Page 1 Overview: Learn the various attacks like sql injections, cross site scripting, command execution
More informationUser Documentation Web Traffic Security. University of Stavanger
User Documentation Web Traffic Security University of Stavanger Table of content User Documentation... 1 Web Traffic Security... 1 University of Stavanger... 1 UiS Web Traffic Security... 3 Background...
More information