Security Blog

Exploring encrypted Skype conversations, in clear-text

January 2, 2014 - By Rob Andrews
Skype is, or was, heralded as one of the most secure IM and VoIP applications available. This wiki on Skype security goes into some detail on how data is encrypted, but it also notes that its information is outdated, with the original research completed years ago.

Monthly Malvertising Update: More Fake Antivirus

December 20, 2013 - By Chris Larsen
When last we looked at this never-say-die malvertising network, it was using IP-based URLs to funnel people to a Fake AV attack.

People, Please Patch WordPress!

December 6, 2013 - By Chris Larsen
First, forgive me as I indulge in a bit of nostalgia... A little over five years ago, the WebPulse malware/threat research team decided to start doing an internal blog at Blue Coat, since a lot of "Bluecoaters" didn't really know what we did. (A year or so after that, we launched the public version, since even fewer outsiders knew about what we did...) Anyway, the very first internal blog post dealt with a hacked web site (belonging to the government of Ghana) which was hosting links to, among other things, some shady pharmaceutical sites.

How NOT to Cover Your Tracks

December 3, 2013 - By Chris Larsen
While spending some post-Thanksgiving time hunting down exploit kit sites last weekend, I found something interesting. (Yes, that's how security researchers relax on holiday weekends -- and, judging by traffic on some of the researcher mailing lists and forums, I'm not alone...) Smack in the middle of some malvertising traffic leading to exploit kits was an interesting site: href.li

Big Malvertising Network Update, part 2

November 19, 2013 - By Chris Larsen
Continuing to dig into the recent activity of the big malvertising gang we've covered several times in recent months, I decided there's enough material for a "part two" follow-up to last week's post...

Malvertisers Target Outdoor (and Indoor) People

November 14, 2013 - By Chris Larsen
The malvertising gang we last blogged about here are proving to be reluctant to give up on their network. They have, however, made some changes... Currently, instead of using long-dormant domains, they're using "bare metal" IP addresses to relay their victims to malware.

"Dangerous Celebrities" Not So Dangerous?

November 5, 2013 - By Chris Larsen
[This has been sitting in my "to do" pile for about a month now... I even pulled the relevant data files into a working folder last month, but got busy before I could dig in.]

Malvertising Quick Look: A Styx Exploit Kit Network

November 1, 2013 - By Chris Larsen
This will be short, since there is a lot going on right now, but I like to acknowledge the Bad Guys when they show some creativity and a sense of humor. New malvertising domain: adtargetcpm.org, registered 3 days ago (10/29), anonymously, of course. It came online late last night (Halloween): 10 minutes before midnight (UTC), to be precise. It fooled several ad networks into letting it serve ads (yieldmanager.com, media-servers.net, adnetwork.net, xtendmedia.com, media-servers.net, adserverplus.com, xertivemedia.com ...).

Black Holes, Magnitude, and PHP.net

October 28, 2013 - By Chris Larsen, Jeff Doty
Wow. Lots of big news lately. Where do we start? How about with Paunch. He is (or was) the main guy behind the Blackhole & Cool exploit kits. And he was arrested a couple of weeks ago, and people have been wondering what would happen.

CryptoLocker, Kegotip, Medfos Malware Triple-Threat

October 22, 2013 - By Andrew Brandt
Victims of October’s malware infection campaigns (so far) can expect to receive a triple-cocktail of threats: a particularly cavalier ransomware called CryptoLocker; clickfraud on a massive scale; and (it goes almost without saying) the theft of passwords and other personal data.