Security Blog

Top Threat Vectors for Mobile Devices

March 6, 2014 - By Tim van der Horst
[With the release yesterday of our Mobile Malware Report for 2014, it's time to highlight some interesting research Tim conducted into the threat vectors involved in mobile malware. We're always very interested in where the Bad Stuff comes from, as we assume that users aren't purposefully trying to infect themselves. (Although sometimes we wonder.) --C.L.]   Mobiles devices have dramatically changed how, when, and where we access online content.

An OpenX Malvertising Attack

February 21, 2014 - By Chris Larsen
[Just enough time to get this out, before I leave for the airport, as I'm heading out to California for the RSA Conference. Tim and I will be presenting on some shady goings-on in the area of Internationalized Domain Names, so if you'll be at RSAC next week, drop by our session on Thursday morning to see what we've been up to in the lab lately! Anyway, this post is from two days ago (2/19) but things were too busy with a development project to roll it out then...]

Facebook Phishing Via Tumblr

February 12, 2014 - By Chris Larsen, Jeff Doty
This one took a while to unravel, and we're  missing a piece or two, but it's still worth writing about. We noticed some odd traffic going to a brand new domain yesterday: Interestingly, the traffic was coming from a bunch of random/junk Tumblr "sites": etc. Here's an example of what the pages looked like:

An Aggressive Chinese Malvertising Network (sort of...)

February 11, 2014 - By Chris Larsen
True Story: As I was researching this network last weekend, I was actually thinking "Cool -- it's been awhile since I did a post that wasn't about malvertising" -- and then I found an advertising trail that led straight to it. Oh well. Sorry if you're tired of reading about malvertising, but this case is different. Keep reading...   The attack trail starts on any of a number of Chinese entertainment sites (movies, TV shows, pop culture stuff), where a visitor encounters an ad like this:

An Unfriendly Scam Network

January 28, 2014 - By Chris Larsen
Taking a quick look at some of our "shady neighborhood" logs last night, I found a promising-looking domain name: Unfortunately, it didn't exactly roll out the Welcome mat for me:

Training Your Family to Spot Malware

January 22, 2014 - By Chris Larsen
Security guys are always on call. Last night, as I'm spending a moment away from hunting for Bad Guys, my daughter says "Hey Dad, come take a look at this -- my browser just opened a new tab, with something about a software upgrade." (Alarm bells go off in head... Looks like the anti-malware crusader is back on the job...) So I look at her browser: she's got a tab open to (she was listening to music as she did her homework), and not one, but two tabs are open to a site called

Technical Foul: ESPN Hit by Malvertising Campaign

January 17, 2014 - By Chris Larsen
A few weeks ago, during the holiday season, a new malvertising server came on line, and was serving traffic on -- relaying victims down into a malware network. And, since we were blocking the malware network, this would have made for an excellent blog post. Unfortunately, I didn't see the ESPN traffic until a week or two later, during a review of traffic into the network, and that server had already stopped serving traffic.  :(

A Look at the Early Stages of the Yahoo Malvertising Attack

January 13, 2014 - By Chris Larsen
There seems to be a lot more continuing interest in the story of the Yahoo malvertising attack than I would have thought. (Maybe I'm just jaded.) I read an update today on the beginning of the attack, and decided to add some color. (I can't comment on what Yahoo may have seen in its logs that leads it to believe the attack may have begun as early as 12/27, but I can certainly comment on what we saw in our logs...)  

Big Malvertising Attack in South Africa

January 8, 2014 - By Chris Larsen
One of the malvertising gangs we track has a track record of showing up in different countries. In checking the logs to see where they're active this week, we found a lot of traffic coming from visitors to a major South African news media site, the Mail and Guardian ( A large number of visitors to the site are being served an ad that sends their browser to a server in The Netherlands (currently at *).

A World-wide Scam Network

January 3, 2014 - By Chris Larsen
A fellow researcher (thanks, Kimberly!) recently asked about an odd domain ( she'd seen show up in a page in her browser as she was visiting a normal web site. It turned out to be worth a look... As background, several months ago, we recommended that people consider blocking the whole .pw domain. (We continue to run into shady .pw domains on a regular basis.) Anyway, back to