Cisco Blogs


Cisco Blog > Security > Threat Research

Threat Spotlight: “Kyle and Stan” Malvertising Network 9 Times Larger Than Expected

This post was authored by Armin Pelkmann.

On September 8th, Cisco’s Talos Security Intelligence & Research Group unveiled the existence of the “Kyle and Stan” Malvertisement Network. The network was responsible for placing malicious advertisements on big websites like amazon.com, ads.yahoo.com, www.winrar.com, youtube.com and 70 other domains. As it turns out, this was just the tip of the iceberg. Ongoing research now reveals the real size of the attackers’ network is 9 times larger than reported in our first blog. For more details, read the Kyle and Stan Blog.

The infographic below illustrates how much more of the malvertisement network was uncovered in comparison to our first assessment. We have now isolated 6491 domains sharing the same infrastructure. This is over 9 times the previously mentioned 703 domains.  We have observed and analyzed 31151 connections made to these domains. This equals over 3 times the amount of connections previously observed. The increase in connections is most likely not proportional to the domains due to the fact that a long time that has passed since the initial attacks.

img_new_numbers

The discovery difference from the previous blog to this one in raw numbers. With more than 3-times the now observed connections and over 9-times the revealed malicious domains, this malvertising network is of unusually massive proportions.

Read More »

Tags: , , , , , , , , , , , , , , , , , ,

Threat Spotlight: “Kyle and Stan” Malvertising Network Threatens Windows and Mac Users With Mutating Malware

This post was authored by Shaun Hurley, David McDaniel and Armin Pelkmann.

Update 2014-09-22: Updates on this threat can be found here

img_MetricsHave you visited amazon.com, ads.yahoo.com, www.winrar.com, youtube.com, or any of the 74 domains listed below lately? If the answer is yes, then you may have been a victim to the “Kyle and Stan” Malvertising Network that distributes sophisticated, mutating malware for Windows and even Macs.

Table of contents

Attack in a Nutshell
Timeline
Technical Breakdown
Reversing of the Mac Malware
Reversing of the Windows Malware
IOCs
Conclusion
Protecting Users Against These Threats

Malvertising is a short form for “malicious advertising.” The idea is very simple: use online advertising to spread malware. Read More »

Tags: , , , , , , , , , , , , , , , , , ,

Filtering Explicit Content

Many web sites provide a setting to reduce the amount of explicit, or objectionable, content returned by the site. The user configures these settings, but many users are unaware such a setting exists, or that it needs to be set for each web site. Additionally, the security administrator cannot audit that users have configured the setting. As a result, users can be exposed to objectionable content or can inadvertently trigger filtering of objectionable content on the Cisco security service (Cisco WSA or CWS), sometimes causing uncomfortable questions from human resources or from management.

An emerging standard defines a new HTTP header, “Prefer: Safe,” which does not require the user to configure each web site. This feature is implemented by Firefox, Internet Explorer 10, and Bing. We anticipate more clients and more content providers will support this emerging standard.

Both Cisco Web Security Appliance (WSA) and Cloud Web Security (CWS) support this emerging standard, and can be configured to insert this header on behalf of HTTP and HTTPS clients. In this way, the security administrator can cause all traffic to default to avoiding explicit or objectionable content, without relying on users to configure their browser or to configure each visited web site.

Tags: , , , , , ,

#IWANWed: Harness the Power of Web Within the Enterprise Branch

Cloud Web Security AAG ImageIn the ever-changing world of enterprise branch environments, a high number of businesses are planning to migrate their WAN to the Internet. To be exact, Nemertes Research (Benchmark 2012–13 Emerging WAN Trends) estimates that number to be close to 50%.  That’s 50% of businesses migrating to Internet for WAN.

And why is that happening? Enterprises are trying to optimize their WAN to increase ROI. Internet has become a much more stable platform, offering significant price-to-performance gains. Thus, the growth of new cloud traffic, high bandwidth applications, and video can be easily load balanced across multiple WAN lines, one of which or both can be Internet links. Some of the enterprises go even further and enable local Internet breakout from the branch. Not only does it eliminate the need to unnecessarily backhaul the traffic to the corporate HQ or data center, but also helps to free up the precious WAN bandwidth for critical business related applications. This enables enterprises to provide guest Internet access within the branch and then slowly offer the same services to corporate users, both for trusted public clouds applications and general Internet access. Read More »

Tags: , , , , , , , , ,

Don’t Click Tired

As the day draws to a close, and especially during the early morning, users become far more likely to click on links that lead to malware. Those responsible for network security need to ensure that users’ awareness of information security continues after work hours, so that users “don’t click tired.”
Read More »

Tags: , , , ,