Blue Coat Security Blog

A Shady "Recruitment" Network

June 19, 2013 - By Chris Larsen
Here are a couple of interesting sites: and (There are also some variants on the "TJL" initials -- mixing their order -- but these all resolve to the tjlrecruitment.org site. No variants for the knlrecruitment.org domain have shown up, but we'll keep our eyes open.)

Some Changes in Continuing .PW Spam

June 17, 2013 - By Chris Larsen
A month ago, we advised people to consider blocking the .PW top level domain (TLD). There is still a lot of spam happening there, but there have been some changes recently. In particular, there are more "normal" TLDs mixed in with the .PW ones. However, even though the TLD may be normal -- like .com -- the domain name itself won't necessarily be...

Malvertising Quick Look: Kooora.com

June 6, 2013 - By Chris Larsen
[Disclaimer: This analysis deals largely with circumstantial evidence, for reasons laid out in the introductory blog post to this series. Any conclusions are preliminary, and subject to change based on further research.]  

What If Your CEO Is a Foolish Zebra?

June 4, 2013 - By Chris Larsen
Occasionally when I travel, I indulge in reading an old-fashioned paper edition of a newspaper. Last week, in Hong Kong, I happened across an interesting article in the Asia edition of the Wall St. Journal (linked here, so you don't have to go find it on paper).

They Definitely Spammed the Wrong Guy

May 26, 2013 - By Chris Larsen
Last Friday (5/24), as I was packing for a trip, I took a quick look at the in-box for my Blue Coat e-mail account. There was one from a name I didn't recognize, with a subject line of "Successful Business". It was a spam: (It was interesting that they didn't have the person's name match the e-mail address more closely. Even if the e-mail content wasn't a dead giveaway, this by itself would have raised a yellow flag.)

SEP, Porn, and Malware - Lurking in the Boondocks

May 13, 2013 - By Chris Larsen
Out in the Boondocks of DynDNS

I find myself spending a lot of time in the jungles of Dynamic DNS (DynDNS) hosted sites these days -- there is a lot of shady stuff going on in there. (And very little useful content, comparatively speaking, so it's probably a good idea to consider just blocking off this whole area, from a security standpoint...)

Health and Finance (The Spam Version of Death and Taxes)

May 7, 2013 - By Chris Larsen
It's been a while since we've posted about good old spam (the non-malicious kind, although sometimes the lines blur), so I thought I'd share some findings from last weekend's honeypot traffic.

Recent Trends

First, we're seeing a *lot* of ".PW" domains involved in spam these days. In fact, unless you've got customers in Palau, you should probably consider blocking anything on their TLD (top-level domain).

Malnet: Wrath of the Gods

April 18, 2013 - By Chris Larsen | Co-Authored By An Anonymous Analyst
[Our anonymous analyst is back with another Donovan adventure. As always, the story is fictional, but the events described are true to life. --C.L.]

It started like any other day: gray clouds filling the sky, the rain dripping from the eaves, and not enough hot chocolate in the machine. I sat down at my computer and got to work. Who am I? The name's Donovan. I'm a Private Eye in the fight against malware.

Search Engine Poisoning: A Brief Update

April 5, 2013 - By Chris Larsen
[Update (4/19/2013): I was in Norway last week, doing a presentation on SEP at HackCon (takk!), which was a lot of fun.

Spam, Scam, or Malware?

April 4, 2013 - By Chris Larsen | Co-Authored By Adnan Shukor
[Another great post by Adnan in our internal blog. Definitely deserves a wider audience... --C.L.]

Recently, we saw several customer submissions of a particular URL. One thing that caught my attention: the three submitters suggested three different categories for the rating. (The suggestions were: "Malicious Sources", "Spam", and "Scam/Questionable/Illegal".) The question is, do they really understand the meaning of the category they chose, or was each person seeing different things on the link/page?