Security Blog

Unmasking a Halloween-themed SEO/SEP Network

October 10, 2012 - By Chris Larsen
Last Fall, as I was doing an in-depth look at Search Engine Poisoning (SEP) attacks, one of the categories that showed up pretty consistently was "holiday themed" SEP. And just in time for Halloween, this week I came across a good-sized network of Halloween-themed SEP sites... Even though Halloween is still 3 weeks away, people are already searching for "killer" (pun intended) costume ideas. Here are some examples of their searches that led them into this network:

User Education: Warn Friends and Family About Tech-support Scams

October 5, 2012 - By Chris Larsen
[In light of events this week, I thought I should move an internal blog post from a couple of months ago up to the public blog, where it can serve a wider audience.]   Flash Back to August:

Work-at-home Scammers Target Brazil with Spamnet

October 4, 2012 - By Chris Larsen
Background: Spamnet Tracking

When Less is Much More – Introducing the Virtual Web Security Gateway

October 2, 2012 - By John Yun
Virtual security appliances are quickly gaining momentum as the ideal solution to secure remote and branch offices. But what is all the fuss about? Virtualization technology has been around for years if not decades and other virtual security solutions, such as firewalls, have been available for a very long time. A few market drivers are fueling the excitement behind virtual security appliances and, in particular, virtual web security... ...

Finding the "Unified" in Hybrid Security Solutions

September 25, 2012 - By Tim Chiu
Most web security vendors today will tell you they offer a hybrid security solution.  What most of them mean by that (including Blue Coat), is that they offer both an on-premise solution (in Blue Coat's case, web security ProxySG appliances) and a SaaS (Security as a Service) offering in the cloud (Blue Coat Cloud Service).  The benefit of implementing and using a hybrid deployment solution is around offering the right solution for each part of your organization.

Tracking a Big Search Engine Poisoning Network

September 25, 2012 - By Chris Larsen
One nice thing about having lots of traffic flowing through WebPulse, and having lots of modules watching for malicious and suspicious activity, is that it's always easy to find an interesting topic for the blog. (The tricky part is finding time to follow a lead, do the background research, and write the blog post. I still don't have an automated system for that...)

Why is There a Chinese Porn Network in Utah?

September 14, 2012 - By Chris Larsen
WebPulse has a number of modules for detecting new pornographic and "adult" Web sites. The busiest modules are the various DRTR language modules (20 of them), but there are also some porn-focused rules in the heuristics engine, and the Malnet Tracker can also track porn networks, in addition to malnets and spamnets. And that's just for the new sites that come on line; the database already has ratings for sites we've encountered in the past. In any given day, that will be a lot of porn.

Russian Android Gangs Keep Scamming Along

September 6, 2012 - By Chris Larsen
It's been a while since we looked at the Android malware space (I think the last one was here), so when someone asked about it yesterday, I pulled up some log traffic to take a look. It looks like Russia and China continue to be hotbeds for unofficial app download sites, where you're definitely taking your chances. Here's a good example, a nice-looking site offering an Android version of Skype:

Investigating a Site-injection Attack That Wasn't

August 31, 2012 - By Chris Larsen, Tim van der Horst
[This week, we had an interesting e-mail come in from the field, quoting a competitor who was claiming that a certain site was infected, and they were the only ones flagging it, so clearly they were the best filtering solution. They also said that this infection was from an attack described publicly over two years ago -- implying that the rest of the security industry had no excuse for missing an obviously infected site. So the gauntlet was flung down, and Tim couldn't resist picking it up and slapping them with it. Luckily for them, they never made this claim in public, so they get to remain nameless.

Tag-team Takedown of an Attack in China

August 23, 2012 - By Chris Larsen
With the millions of blocking ratings returned by WebPulse on a typical day for dangerous stuff (see the "Number of Daily Threats" graph on -- hover over the data points to see the daily count), there are far too many events to research in depth and write up for the blog. But we try to do one every now and then...   Does anything about domain names like and strike you as unusual? Maybe even weird? Yeah, us too...