Blue Coat Security Blog

Some Changes in Continuing .PW Spam

June 17, 2013 - By Chris Larsen
A month ago, we advised people to consider blocking the .PW top level domain (TLD). There is still a lot of spam happening there, but there have been some changes recently. In particular, there are more "normal" TLDs mixed in with the .PW ones. However, even though the TLD may be normal -- like .com -- the domain name itself won't necessarily be...

Malvertising Quick Look: Kooora.com

June 6, 2013 - By Chris Larsen
[Disclaimer: This analysis deals largely with circumstantial evidence, for reasons laid out in the introductory blog post to this series. Any conclusions are preliminary, and subject to change based on further research.]  

What If Your CEO Is a Foolish Zebra?

June 4, 2013 - By Chris Larsen
Occasionally when I travel, I indulge in reading an old-fashioned paper edition of a newspaper. Last week, in Hong Kong, I happened across an interesting article in the Asia edition of the Wall St. Journal (linked here, so you don't have to go find it on paper).

They Definitely Spammed the Wrong Guy

May 26, 2013 - By Chris Larsen
Last Friday (5/24), as I was packing for a trip, I took a quick look at the in-box for my Blue Coat e-mail account. There was one from a name I didn't recognize, with a subject line of "Successful Business". It was a spam: (It was interesting that they didn't have the person's name match the e-mail address more closely. Even if the e-mail content wasn't a dead giveaway, this by itself would have raised a yellow flag.)

SEP, Porn, and Malware - Lurking in the Boondocks

May 13, 2013 - By Chris Larsen
Out in the Boondocks of DynDNS
I find myself spending a lot of time in the jungles of Dynamic DNS (DynDNS) hosted sites these days -- there is a lot of shady stuff going on in there. (And very little useful content, comparatively speaking, so it's probably a good idea to consider just blocking off this whole area, from a security standpoint...)

Health and Finance (The Spam Version of Death and Taxes)

May 7, 2013 - By Chris Larsen
It's been a while since we've posted about good old spam (the non-malicious kind, although sometimes the lines blur), so I thought I'd share some findings from last weekend's honeypot traffic.
Recent Trends
First, we're seeing a *lot* of ".PW" domains involved in spam these days. In fact, unless you've got customers in Palau, you should probably consider blocking anything on their TLD (top-level domain).

Malnet: Wrath of the Gods

April 18, 2013 - By Chris Larsen | Co-Authored By An Anonymous Analyst
[Our anonymous analyst is back with another Donovan adventure. As always, the story is fictional, but the events described are true to life. --C.L.]
It started like any other day: gray clouds filling the sky, the rain dripping from the eaves, and not enough hot chocolate in the machine. I sat down at my computer and got to work. Who am I? The name's Donovan. I'm a Private Eye in the fight against malware.

Search Engine Poisoning: A Brief Update

April 5, 2013 - By Chris Larsen
[Update (4/19/2013): I was in Norway last week, doing a presentation on SEP at HackCon (takk!), which was a lot of fun.

Spam, Scam, or Malware?

April 4, 2013 - By Chris Larsen | Co-Authored By Adnan Shukor
[Another great post by Adnan in our internal blog. Definitely deserves a wider audience... --C.L.]
Recently, we saw several customer submissions of a particular URL. One thing that caught my attention: the three submitters suggested three different categories for the rating. (The suggestions were: “Malicious Sources”, “Spam”, and “Scam/Questionable/Illegal”.) The question is, do they really understand the meaning of the category they chose, or was each person seeing different things on the link/page?

Building a Web Security Architecture - New White Paper Can Help You Understand Your Options

March 28, 2013 - By bo.moulton@bluecoat.com
The World Wide Web has become one of the most effective vectors for malware distribution, thanks to its scale (634 million web sites as of Dec. 2012) and ever-changing nature (in 2012 alone, 51 million websites were added to the web and the average web page grew 35%[1]). That’s a lot of places for attackers to hide to try to launch their attacks; it’s one reason we saw a 90% increase in web threats between 2010 and 2011! ...
