Company > Blog

News and views from the leading voice in secure digital transformation

More From This Author

Julien Sobrier

Facebook Phishing: Manual Session Hijacking

Security Insights

August 14, 2013 2 Min read

Facebook Phishing: Manual Session Hijacking

We have reported a number of Facebook phishing pages and scams on this blog. Attackers always come up with clever ideas to fool users in order to obtain their credentials. One of these phishing tricks is a "poor-man" ses...

Security Insights

July 10, 2013 1 Min read

Tracking A Botnet Infection

Recently we found several malicious executables with similar characteristics. These files were found on the following six domains: janashfordplumbing.com kalliskallis.com lowes-pianos-and-organs.com co...

Security Insights

June 04, 2013 1 Min read

Phishers Target Yahoo Users

Yahoo Mail introduced two-factor authentication in December 2011. Two-factor authentication can be used to prevent suspicious access to an account (login from a different country, numerous failed login attempts, etc.) an...

Security Insights

May 16, 2013 2 Min read

Fake YouTube Page Targets Chrome Users

Fake YouTube pages are one of the favored ways attackers leverage to get users to click on malicious content. These fake pages often look the same, but the source code can reveal a new twist. This time, a recently encoun...

Security Insights

May 03, 2013 1 Min read

Fake Flash Player On DropBox

Fake Flash updates are leveraged as a very popular trick amongst attackers to fool users into downloading and installing malware. This week we found a three websites distributing Win32.Sanity.N malware disguised as Flash...

Security Insights

April 30, 2013 1 Min read

More Fake SourceForge Websites Show Up

Two weeks ago we reported on a fake SourceForge website, sourceforgechile.net, which was used to distribute malware. We have since seen more of these fake sites this past week: sourceforgebulgaria.net, registered on ...

Security Insights

April 26, 2013 3 Min read

Bitcoin: Regulations And Security

You have probably heard about Bitcoin, a relatively new virtual currency. It made headlines recently because it is starting to present a real alternative for traditional online payments, and has recently experienced ...

Fake SourceForge Site Distributes Malware

Security Insights

April 17, 2013 1 Min read

Fake SourceForge Site Distributes Malware

We spotted malware hosted on hxxp://sourceforgechile.net/ a couple of days ago. The website is not currently responding, but appears to been set up as a fake and malicious version of the popular open-source hosting site ...

Security Insights

February 22, 2013 1 Min read

The Move to Plugin-Free Browsers

Apple was the first major player to offer a browser with no plugins with Safari for iOS. Even the very popular Flash plugin cannot run in the browser. However, no vendor, including Apple, has had such restrictions on the...

HTTPS Everywhere For IE: Faster, Auto-update Enabled

Security Insights

February 08, 2013 1 Min read

HTTPS Everywhere For IE: Faster, Auto-update Enabled

I've released HTTPS Everywhere for Internet Explorer v0.0.0.3. Additional details about the update can be found in the version history of the PDF documentation.Changes in 0.0.0.3Faster start upThe start up time is now mu...

HTTPS Everywhere For Internet Explorer: Source Code And New Version Available

Security Insights

February 01, 2013 1 Min read

HTTPS Everywhere For Internet Explorer: Source Code And New Version Available

I have released the source code for HTTPS Everywhere for Internet Explorer on GitHub as promised in the last blog post. You need Visual Studio Profession 2010 to compile the project and NSIS to build the installer. Feel ...

Are You Vulnerable To Yet Another Java 0Day Exploit?

Security Insights

January 14, 2013 3 Min read

Are You Vulnerable To Yet Another Java 0Day Exploit?

Test to see if you're vulnerable. Only five months after the last high profile 0-day Java vulnerability, there is new 0-day being exploited through Java plug-ins. This vulnerability is present in Oracle Java 1.7....

Security Insights

January 11, 2013 3 Min read

Preparations for a Spam Campaign

We have discussed a number of spam and malware campaigns on this blog. This time, I'll show what happens in the days and weeks before the campaign starts. I've found two examples that show the steps that are taken by the...

Security Insights

January 03, 2013 1 Min read

Facebook Malware Campaign

We're seeing a massive campaign of malware distribution through Facebook look-a-like pages that started just before the new year. Malicious page distributing malware These pages are...

Fake AV 3 Years Later: Still There, Still Not Blocked

Security Insights

December 21, 2012 3 Min read

Fake AV 3 Years Later: Still There, Still Not Blocked

You may want to open the first blog post we did on Fake AV in December 2009, three years ago, side by side with this post. See if you can spot the differences... fake antivirus pages in 2012 are nearly the same as they w...

Security Insights

December 17, 2012 3 Min read

HTTPS Everywhere For Internet Explorer

We have previously released a number of browser security extensions to protect users against new threats and security issues, which we did not feel were addressed by anything previously available. Now I've focused my att...

Click To Play: The Next Step For Firefox

Security Insights

November 29, 2012 3 Min read

Click To Play: The Next Step For Firefox

Click to Play first appeared in Firefox 14 and it appeared in developer versions of Chrome back in 2010. I described the feature in a post last July. Click to Play disables all plugins by default on all pages. The user t...

Security Insights

November 16, 2012 1 Min read

UPS Phishing Page with Malware

For some time now, attackers have been faking popular websites like YouTube to entice users into downloading and installing malicious software disguised as plugin updates or video codecs. I rcently found a page that is u...

Security Insights

November 08, 2012 1 Min read

Evolution of the "Work from Home" Scam

The "Work at home mum makes $X,000/month" scam has been around forever. In fact, it has been an integral part of various scam campaigns which we've detailed in the past. These scams even appear in the list of the top-20,...

.gov Redirections Leading to Spam: How Did We Get There?

Security Insights

October 30, 2012 3 Min read

.gov Redirections Leading to Spam: How Did We Get There?

You may have seen reports of an increase in .gov websites redirecting to spam or scam sites. This issue is the same as one we reported almost two years ago. Many .gov websites have open redirections that can be exploited...

Security Insights

October 18, 2012 2 Min read

Hijacked Websites by the Numbers

Two weeks ago, I had the chance to give a presentation about the danger of hijacked websites (you can download the presentation in French here). I used the talk to highlight various points which illustrate the extent of ...

How To Install Silently Malicious Extensions For Firefox

Security Insights

September 25, 2012 3 Min read

How To Install Silently Malicious Extensions For Firefox

Recently, I had the pleasure of presenting on malicious browser extensions at SOURCE Seattle. I showed, amongst other things, how a malicious browser extension can be added silently to any Firefox profile. I've reworked ...

Internet Explorer Protected Mode In Windows 8

Security Insights

September 17, 2012 2 Min read

Internet Explorer Protected Mode In Windows 8

Microsoft Introduced Protected Mode in Internet Explorer with Windows Vista in 2006. With Windows 8, Microsoft added Enhanced Protected Mode. Protected Mode aims to keep users safe by restricting what BHOs (Browser Helpe...

Security Insights

September 07, 2012 2 Min read

Abusing ClickOnce

Many web-based attacks try to fool the users into installing a malicious executable by faking a native application: fake AV, fake Flash updates, etc. These pages are well designed, but you can always tell it is not a nat...

Are You Vulnerable To The Latest Java 0-day Exploit? (Updated)

Security Insights

August 28, 2012 3 Min read

Are You Vulnerable To The Latest Java 0-day Exploit? (Updated)

Test to see if you're vulnerable. You may be aware that a 0-day vulnerability in the latest version of Java is presently being exploited on the Web. This vulnerability affects all versions of Java 1.7 (aka Java 7...

Zscaler Safe Shopping 1.1 For Internet Explorer: C++ BHO

Security Insights

August 16, 2012 2 Min read

Zscaler Safe Shopping 1.1 For Internet Explorer: C++ BHO

I released Zscaler Safe Shopping for Internet Explorer in March 2012. This was my first attempt at writing a Browser Helper Object (BHO) and it was written in C#. There are are number of disadvantages to using C#, as I d...

Most Common Threats in Top Blocked Sites

Security Insights

August 07, 2012 1 Min read

Most Common Threats in Top Blocked Sites

The vast majority of the most popular blocked websites contain a piece of malicious JavaScript inline. These sites were mostly hijacked by attackers and the malicious code can usually be linked to the Blackhole exploit k...

80% Of "Olympic" Domains Are Scams And Spam

Security Insights

August 03, 2012 2 Min read

80% Of "Olympic" Domains Are Scams And Spam

Today we looked at all identified domains containing the string "olympics", which had been accessed by our customers over the course of a day. It turns out that 80% of them are scams or spam and they can be classified in...

Security Insights

July 20, 2012 4 Min read

"Click To Play" Arrives In Firefox

Popular browser plugins like Flash and Adobe Reader are part of the typical web browser, with an installation base of 90+% on corporate computers (see the State of the Web report). However, they can also represent big se...

Security Insights

July 11, 2012 2 Min read

Visualize the Top Blocked Sites

In the past month, I've been looking at the websites blocked by Google Safe Browsing from the Alexa top 1,000,000 sites. There are between 300 and 500 of these sites blocked everyday, mostly legitimate websites that have...

Security Insights

June 22, 2012 2 Min read

Fake Flash Update With A Twist

We've seen Fake Flash updates for several years. A webpage claims that the user is running an outdated of version of Flash and they require an upgrade of the plugin to watch a video. The fake Flash update is ac...

Stolen Code Signing Certificates Are Your Worst Nightmare

Security Insights

June 06, 2012 3 Min read

Stolen Code Signing Certificates Are Your Worst Nightmare

Flamer used spoofed code signing certificates from Microsoft. This was done to make it appear that the malicious content was actually software delivered by Microsoft. You have likely seen the use of code signing certi...

Security Insights

May 25, 2012 2 Min read

Spotting Malicious JavaScript in a Page

While large blobs of obfuscated JavaScript at the top of the page are easy to spot, malicious JavaScript can often be hard to spot on hijacked sites. Some attackers go to great lengths to make their malicious code invisi...

Security Insights

May 18, 2012 2 Min read

Follow-Up on the Top Blocked Sites

Earlier this week, I researched the top websites blocked by Google. I've looked at more of these websites over the last three days to better understand the most common attacks. The findings are quite disappointing. Fi...

Security Insights

May 14, 2012 2 Min read

A Look at the Top Blocked Websites

Google Safe Browsing is the most popular security denylist in use. It is leveraged by Firefox, Safari and Google Chrome. As such, being blocked by Google is a big deal - users of these three browsers are warned not t...

Search Engine Security For Internet Explorer

Security Insights

April 30, 2012 1 Min read

Search Engine Security For Internet Explorer

Search Engine Security (SES), a browser extension designed to protect users against Blackhat SEO links in search engines, is now available for Internet Explorer. You can download it from our website. It is compatible wit...

Security Insights

April 26, 2012 1 Min read

Multiple Hijacking

Vulnerable websites are regularly hijacked to redirect users to malicious domains. The most popular type of of malicious page are Fake AV pages. Attackers commonly increase traffic to these hijacked websites using Blackh...

Security Insights

April 18, 2012 1 Min read

French Budget Minister Website Hijacked

We've seen an increase in hijacked websites in recent months, redirecting users to Fake AV pages, Blackhole exploit kits and other malware. While most websites hacked are personal sites, or University websites, some are ...

Security Insights

April 13, 2012 1 Min read

Details Of A "new" Fake AV Page

As I mentioned last week, more Fake AV pages are once again showing up in popular Google searches. Although these malicious pages look the same as they did 2 years ago, the source code is different. The first thing y...

Security Insights

April 06, 2012 2 Min read

Blackhat SEO Back In Google Searches

In 2011, Blackhat SEO links were pretty much absent from the most popular searches in Google. Instead, Blackhat SEO was used to target more specific searches. The technique heavily used to poison the searches for buying ...

My Experience Wirting An Add-on For Internet Explorer

Security Insights

March 27, 2012 4 Min read

My Experience Wirting An Add-on For Internet Explorer

I've released my first add-on for Internet Explorer and I've almost finished a second one. Developing for Internet Explorer was a very different experience than developing for the other browsers I've worked with before -...

Security Insights

March 14, 2012 1 Min read

Malware Campaign Targeting Opera Mobile

I've stumbled upon hundreds of links targeting Opera Mobile users, to trick them into installing a malware on the device.The links are in the form of:hxxp://geqe.net/opera_mini/1965/opera_mini.auto#phpsessid=85cfe7f19a08...

Anatomy Of An On-going Malvertising Campaign

Security Insights

March 13, 2012 3 Min read

Anatomy Of An On-going Malvertising Campaign

During the course of investigating an open incident ticket with a customer, we uncovered what is a common occurrence on the web - legitimate sites linking in third-party content (often advertisements or banners) that ult...

Security Insights

March 07, 2012 1 Min read

"Check Who Is Visiting Your Profile" Scam On Russian Social Network Vkontakte

Vkontakte is the Russian equivalent of Facebook and has been criticized for being a direct "clone". Well, scammers are "cloning" the most popular Facebook scams and porting them to this Russian platform as well. One r...

Are Pinterest "Pin It" Going The Way Of Facebook "Like"?

Security Insights

March 05, 2012 1 Min read

Are Pinterest "Pin It" Going The Way Of Facebook "Like"?

Pinterest is a new social network that has been getting a lot of press lately. Basically, Pinterest is a virtual board, where users can pin things they like online. They can share the content with their friends, follow o...

Fake AV: .ru Sites Used For Redirections

Security Insights

February 28, 2012 2 Min read

Fake AV: .ru Sites Used For Redirections

This past month, I've seen an increase in hijacked sites redirecting to a Fake AV page. These attacks typically involves three separate phases: The hijacked website redirects users coming from a Google search to...

Security Insights

February 21, 2012 1 Min read

Groupon Scam Site

groupon500.com was registered in Feb 20, 2012. The home page for the domain claims to offer a free $500 voucher for Groupon or LivingSocial, another popular daily-deal site. groupon500.com ...

Security Insights

February 20, 2012 2 Min read

Analysis Of A Blackhole Exploit Page

The Blackhole Exploit kit is still a very popular attack on the web. They are many variants of the threat. Here is a detailed analysis of one Exploit kit page and the obfuscation technique leveraged by the attack. In ...

Security Insights

February 13, 2012 2 Min read

Follow Up on Russian Scam

Last week, I described how many websites hosted on DreamHost had been hijacked.Since then, I found the same scams on websites hosted with different providers. Often, vulnerable sites are hacked by many groups for vari...

DreamHost: Hijacked Websites Redirect To Russian Scam

Security Insights

February 03, 2012 2 Min read

DreamHost: Hijacked Websites Redirect To Russian Scam

Following the Dreamhost hack, that was revealed this week, many websites hosted by the company have been hijacked to redirect users to a Russian scam page. I've identified hundreds of websites hosted by DreamHost that...

Fake Missing Plugin Warnings Used For Spam/spyware

Security Insights

January 25, 2012 1 Min read

Fake Missing Plugin Warnings Used For Spam/spyware

A key element for a successful spam/malicious page is to establish trust with the visitor so that he will perform the requested actions. Users trust their browser, but not necessarily the content (i.e. web page) that it ...

Zscaler Keygen: Beware Of What You Are Looking For

Security Insights

January 20, 2012 1 Min read

Zscaler Keygen: Beware Of What You Are Looking For

Some searches yield more dangerous results than others, for example, looking to buy software online has a 90% risk of bring you to a fake store and free software might not be free of adware/spyware. Looking for 'warez' i...

An Example Of Likejacking (Facebook Clickjacking)

Security Insights

January 10, 2012 1 Min read

An Example Of Likejacking (Facebook Clickjacking)

Last year, we released Zscaler Likejacking Prevention, a free browser extension to protect users from clickjacking leveraging Facebook widgets. Since then, I've seen many websites using Likejacking as their "business mod...

Security Insights

January 03, 2012 1 Min read

Google Serves Ad For Adware/Spyware

Last year, we wrote about Bing and Yahoo! serving ads leading to malicious websites. This week, it was Google who inserted ads for adware/spyware. I found a suspicious ad in my Google Reader for a free FLV player. I'v...

Security Insights

December 28, 2011 1 Min read

Web Threats: Trends And Statistics

One of the question I often get asked is "What is the most prevalent threat on the Internet for the enterprises?". In terms of the total number of transactions, botnets are the biggest security risk. Once a host gets inf...

Facebook Used To Make Scams Look Legitimate

Security Insights

December 21, 2011 2 Min read

Facebook Used To Make Scams Look Legitimate

One of the recurring web spam themes I saw in 2011, was the "Work from home and make $X,000/month" scam. In some variations of the well-known and well-used scam, websites are set up to look like a well-established newspa...

Security Insights

December 09, 2011 1 Min read

Switch to Google Safe Browsing V2

Google maintains a list of malicious URLs and phishing sites distributed through their Google Safe Browsing API. On December 12, version 1 was deprecated in favor of version 2. The API for version 2 works quite different...

Zscaler Likejacking Prevention For Opera

Security Insights

November 21, 2011 1 Min read

Zscaler Likejacking Prevention For Opera

Along with Firefox, Chrome and Safari, Zscaler Likejacking Prevention is now also available for Opera. You can download it on the official Opera add-on site. Zscaler Likejacking Prevention on...

Security Insights

November 18, 2011 2 Min read

When Scammers Call You At Home

UPDATE: I've updated the post with a second Skype call I received on 1/17. Scammers are always trying new ways to reach their targets to foil them into buying free software, sending credit card information, etc. Yeste...

Security Insights

November 15, 2011 1 Min read

More Free Software Repackaged For Money

In previous posts, I've shown how popular free software programs are repackaged and sold by scammers, while containing spyware, or are outright replaced by malware. The number of web sites offering such repackaged softwa...

Naked Emma Watson Video Used To Spread Malware

Security Insights

October 26, 2011 1 Min read

Naked Emma Watson Video Used To Spread Malware

Fake videos with funny or sexual content, have long been used to entice users to download and install malware. The technique is used by hackers to convince users that they need to install additional codecs, or software, ...

Building Zscaler Likejacking Prevention For Different Browsers

Security Insights

October 06, 2011 7 Min read

Building Zscaler Likejacking Prevention For Different Browsers

Facebook Likejacking Prevention is the second plug-in that I've released for multiple browsers (Google Chrome, Safari and Firefox). It is technically much more complex than the previous one, Zscaler Safe Shopping. Eac...

Protect Your Self Against Facebook Spam: Zscaler Tool for "LikeJacking" Protection

Security Insights

September 26, 2011 3 Min read

Protect Your Self Against Facebook Spam: Zscaler Tool for "LikeJacking" Protection

Facebook widgets, including the "Like" buttons, are often used to spread spam and propagate scams. Typically, the scammer creates a page with a fake video player. Users are tricked into clicking on Facebook Like buttons ...

Security Insights

September 21, 2011 1 Min read

Fake Software Store Imitate Groupon

Fake software stores often claim to offer huge discounts, not unlike the well-known site Groupon. So it should not be a surprise that some of these fake stores look exactly like Groupon in an effort to be more familiar t...

Thousands/Millions Of .tk Sites Created For Fake Online Stores

Security Insights

September 15, 2011 2 Min read

Thousands/Millions Of .tk Sites Created For Fake Online Stores

While I was monitoring hijacked sites leading to fake online stores, I noticed a significant increase in .tk sites redirecting to searchdiscovered.com via domain.dot.tk. There are a number of interesting things going on ...

Firesheep And BlackSheep On Firefox 4.0+

Security Insights

September 09, 2011 3 Min read

Firesheep And BlackSheep On Firefox 4.0+

Firesheep You may have noticed that the downloadable binary of the Firesheep add-on works only with version 3.6 of Firefox. The main branch is still incompatible with Firefox 6, but the latest Firesheep branch, (firef...

Security Insights

August 31, 2011 2 Min read

Fake Stores On Other Search Engines

A few weeks ago, I showed that even search engines focused on eliminating spam from their search results fail to remove spam pages leading to fake online stores. I was curious to get a broader pictures of how different s...

Security Insights

August 17, 2011 1 Min read

Amusing Craigslist Phishing

The best way to double check that the page you are visiting is a legitimate page and not a phishing site, is to verify the domain name in the address bar (obviously, this does not work in case of DNS hijacking). Phishers...

The Web Has Still Not Switched To SSL-only

Security Insights

August 11, 2011 3 Min read

The Web Has Still Not Switched To SSL-only

In November 2010, the release of Firesheep highlighted the dangerous consequences of not using secure HTTPS transactions. Following this, I provided some of the reasons why the web has not switched to SSL-only yet. There...

Blekko Illustrates The Difficulty In Fighting SEO Spam

Security Insights

August 02, 2011 2 Min read

Blekko Illustrates The Difficulty In Fighting SEO Spam

Blekko is the new search engine in the block. It launched in November 2010, raised about $24 million and received a fair bit of press in start-up and tech blogs. Blekko's promise is to provide high quality search resu...

Security Insights

July 25, 2011 1 Min read

Zscaler Safe Shopping For Safari

After Firefox, Firefox Mobile, Opera and Google Chrome, Zscaler Safe Shopping is now available for Safari. You can download it from our website. The features are the same as the other platforms - a warning is displayed w...

Brazilian Bank Targeted by Phishing Site and DNS Poisoning

Security Insights

July 18, 2011 2 Min read

Brazilian Bank Targeted by Phishing Site and DNS Poisoning

Update 7/26: See post on our Scrapbook blog about details surrounding a recently poisoned BR nameserver involved in this fraud. -- Mike Santander, a well-known banking site, has often been the target of phishers....

Zscaler Safe Shopping Available For Opera

Security Insights

June 20, 2011 2 Min read

Zscaler Safe Shopping Available For Opera

Zscaler Safe Shopping is already available for Firefox, Firefox Mobile (aka Fennec) and Google Chrome. Now, you can also download the extension for your Opera 11 browser. A version for Safari will be available soon as we...

The "Dad Walks In On Daughter.. EMBARRASSING!" Facebook Scams

Security Insights

June 17, 2011 3 Min read

The "Dad Walks In On Daughter.. EMBARRASSING!" Facebook Scams

The "Dad walks in on Daughter.. EMBARRASSING!" Facebook scams have become very prevalent. I listed a few examples on our new blog, Zscaler Analyst Scrapbook. I'll go into more detail in this post. A Google search for ...

PasteHtml.com, A Heaven for Phishing Pages

Security Insights

June 15, 2011 1 Min read

PasteHtml.com, A Heaven for Phishing Pages

Phishers, scammers and other attackers love free hosting services. They constantly need to set up plenty of malicious sites as their old ones are taken down or blocked. Fake AV authors loved co.cc, a free DNS service tha...

Blackhat Spam SEO Leading Directly To A Virus Download

Security Insights

June 07, 2011 1 Min read

Blackhat Spam SEO Leading Directly To A Virus Download

Attackers usually use some form of social engineering technique to fool users into downloading and executing a malicious executable - they scare users with a fake antivirus page, they present users with a video that requ...

Buying Software Online Is Getting More And More Risky

Events

June 04, 2011 1 Min read

Buying Software Online Is Getting More And More Risky

Google searches for popular software (Windows, Microsoft Office, etc.) often contain links to fake online stores since at least December 2010. Google has done very little to clean up the search results. ...

Zscaler Safe Shopping Now Available For Google Chrome

Security Insights

May 26, 2011 1 Min read

Zscaler Safe Shopping Now Available For Google Chrome

The number of fake online stores displaying downloadable software at a steep discount remains high. It can be hard to distinguish these sites from legitimate online stores. Therefore, I had previously released Zscaler Sa...

Security Insights

May 18, 2011 1 Min read

Increase In Use Of PDFs For Spam

In recently weeks, I have noticed an increase in the use of PDF files for spam. Instead of uploading an HTML page using a compromised account, as seen shown in a previous post "Hundreds of College and Government websites...

The Most Common Obfuscation Techniques In Fake AV Pages

Security Insights

May 14, 2011 1 Min read

The Most Common Obfuscation Techniques In Fake AV Pages

We have shown some of the heavy JavaScript obfucation techniques used by Fake AV pages, but the vast majority of such pages use lighter, yet effective techniques. Those techniques are aimed at bypassing detection devices...

Zscaler Safe Shopping Available For Firefox 4 Mobile

Security Insights

May 06, 2011 1 Min read

Zscaler Safe Shopping Available For Firefox 4 Mobile

After porting Search Engine Security to Firefox Mobile, I have also made Zscaler Safe Shopping available for smartphones. This add-on warns users when they are browsing a fake or compromised store. If you happen to visit...

Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), SQL Injection, HTML Injection, Etc.

Security Insights

April 28, 2011 3 Min read

Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), SQL Injection, HTML Injection, Etc.

Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), SQL Injection and HTML Injection are security flaws that have been around for years. They are well-known vulnerabilities with well-known solutions. As we've ...

Search Engine Security Available for Firefox Mobile

Security Insights

April 20, 2011 2 Min read

Search Engine Security Available for Firefox Mobile

While the number of threats targeting mobile devices is increasing, web browsers for mobile devices are still lacking the security features of their Desktop counterparts. For example, Firefox 4 Mobile (also known as Fenn...

Hundreds of College and Government Websites Still Redirecting to Fake Stores

Security Insights

April 13, 2011 1 Min read

Hundreds of College and Government Websites Still Redirecting to Fake Stores

In January, I talked about high-profile websites, which had been hacked to redirect users to fake online stores. One unique aspect of the hack was the fact that the attackers had set up additional web servers on non-stan...

Security Insights

April 05, 2011 2 Min read

Fake AV vs. Zscaler

I've been monitoring Blackhat spam SEO for more than a year now. I frequently have to modify the scripts used to retrieve the fake AV pages in order to deal with obfuscation and other obstacles the perpetrators have put ...

Security Insights

March 22, 2011 2 Min read

Many University Websites Used For Spam

In January, I wrote about many high profile websites, mostly universities, that were hijacked to redirect to fake stores. Many have since been cleaned up, but a few of these University websites are still redirecting user...

Security Insights

March 14, 2011 1 Min read

Facebook Likejacking, Phishing And Spam

Last Thursday, I wrote about Facebook Likejacking. Today, similar pages were brought to my attention. They use Likejacking to spread through user profiles using much more aggressive spam techniques.The pages looks like t...

Zscaler Safe Shopping - Stay Protected Against Compromised Or Fake Stores Online

Security Insights

February 25, 2011 3 Min read

Zscaler Safe Shopping - Stay Protected Against Compromised Or Fake Stores Online

We're happy to release yet another free Firefox plugin to protect consumers online. Introducing Zscaler Safe Shopping This product has been submitted to the official Mozilla Add-ons sites, but will likely t...

Security Insights

February 24, 2011 1 Min read

Facebook Phishing Pages

On 02/13/2011, I found several domains used for Facebook phishing, registered the same day: securedirectsite.com directsecuresite.com securedsitedirect.com highsecuritydirect.com securedsitedirect.com offic...

Browser Plugins And Security Considerations

Security Insights

February 10, 2011 4 Min read

Browser Plugins And Security Considerations

Firefox is an ideal browser platform for creating add-ons. Firefox plugins have access to the entire browser, without any restriction. This allowed me to release two plugins to improve the security of Firefox users (Sear...

Unchecked Redirection + URL Shortener = Spam

Security Insights

February 03, 2011 2 Min read

Unchecked Redirection + URL Shortener = Spam

Recently, I found several legitimate sites, with bad coding practices, used to redirect users to spam sites with the help of URL shorteners. Here is how the scam works: The legitimate sites have a warning page for a...

Blackhat SEO Numbers For December 2010 (Part II)

Security Insights

January 20, 2011 1 Min read

Blackhat SEO Numbers For December 2010 (Part II)

This is a follow up to the numbers I presented in Part I, which discussed malicious spam pages in Google results and the malicious that sites they redirect to.Google warningsThe number of spam pages which are flagged by ...

Security Insights

January 12, 2011 1 Min read

High Profile Websites Hijacked To Lead To Fake Stores

Recently, a lot of high profile .EDU and .GOV were hijacked to redirect users to fake online stores. Google searches related to buying software ("buy windows 7 key", where to buy microsoft, "purchase microsoft word", "bu...

Blackhat SEO Numbers For December 2010 (Part I)

Security Insights

January 05, 2011 2 Min read

Blackhat SEO Numbers For December 2010 (Part I)

Blackhat spam SEO was very prevalent in 2010 and it is not likely to disappear in 2011. I've compiled a few statistics on Blackhat spam SEO pages found in Google search results during December 2010: Number of ...

Google Search Results Warn About Hijacked Sites

Security Insights

December 22, 2010 3 Min read

Google Search Results Warn About Hijacked Sites

Last Friday, Google announced a new warning for hijacked sites displayed within search results. The new warnings say "This site may be compromised". Such results represent legitimate sites that have likely been hijacked ...

Chinese Phishing Sites: Stocks and Government Lottery

Security Insights

December 15, 2010 2 Min read

Chinese Phishing Sites: Stocks and Government Lottery

I find Chinese phishing sites particularly interesting. For starters, they don't seem to attract too many security researchers. I have found that very few Chinese sites are blocked by Phishtank or Google Safe Browsing. A...

Blackhat Spam SEO: Which Sites Get Hijacked?

Security Insights

December 06, 2010 2 Min read

Blackhat Spam SEO: Which Sites Get Hijacked?

I have looked at 1,123 legitimate sites which have been hijacked to host spam pages redirecting users to a fake AV page. I'd assumed that most of them would be running WordPress, Joomla!, OSCommerce and other open source...

Blackhat Spam SEO & Fake AV: They Are Still There

Security Insights

November 30, 2010 1 Min read

Blackhat Spam SEO & Fake AV: They Are Still There

It's quite depressing to see that Google still contains numerous links to spam pages which lead to fake AV sites. While there are fewer of them, they are still there. This, despite the fact that attackers have not signif...

SSL: The Sites Which Don't Want To Protect Their Users

Security Insights

November 24, 2010 2 Min read

SSL: The Sites Which Don't Want To Protect Their Users

Last week I explained some of the challenges that websites face to switch to SSL to protect their users. The main challenge is to send the correct SSL certificate in all cases.Some websites make it very hard, or even imp...

Security Insights

November 17, 2010 1 Min read

BlackSheep 1.5: More Options

The latest version of BlackSheep brings new options and fixes a few bugs. I encourage all users of BlackSheep to upgrade by downloading the latest version. New options Start BlackSheep au...

Why The Web Has Not Switched To SSL-only Yet?

Security Insights

November 15, 2010 5 Min read

Why The Web Has Not Switched To SSL-only Yet?

With the session-sidejacking issue highlighted once more by Firesheep, a many people have asked me why more websites, or at least the major players (Google, Facebook, Amazon, etc.) have not enabled SSL by default for all...

Security Insights

November 09, 2010 3 Min read

BlackSheep For Linux

BlackSheep uses compiled code to listen to HTTP traffic. These executables come straight from Firesheep. Firesheep ships with executables for Windows And MacOSX 10.5 (Intel) only, this is why the first release of BlackSh...

Security Insights

November 09, 2010 2 Min read

Update To BlackSheep

First of all, thank you very much for all your e-mails and comments! I've tried to answer all. I will give the answer to the most common questions in this blog post. BlackSheep 1.1 is available. It fixes one issue:...

Security Insights

November 08, 2010 3 Min read

BlackSheep - A Tool To Detect Firesheep

UPDATE: see the requirements for the extension at the end of the post UPDATE: an new version is available UPDATE: BlackSheep for Linux is available here UPDATE: If you use FileVault on MacOSX, you might be prompted fo...

Security Insights

November 05, 2010 2 Min read

Recent Trends In Blackhat Spam SEO

Blackhat spam SEO is still very present on the web, and there have been more changes in the past few weeks than in the months before. Here are some of the evolutions that began in the past few weeks. More diverse TLDs...

Security Insights

November 02, 2010 2 Min read

The "movie" Rings

If you've recently looked for information on a movie or its trailer, you've probably stumbled upon a website which claims to provide free streaming or downloads. The promise of these sites is rather dubious since this ac...

Another 1.5 Million Twitter Links Scanned

Security Insights

October 28, 2010 2 Min read

Another 1.5 Million Twitter Links Scanned

In March 2010, I analyzed about 1 million links taken from public tweets on Twitter. I showed that the number of malicious links was less than 1%. I have scanned another 1.5 million links in the past 3 months from Twi...

Perl Library for Google Safe Browsing V2

Security Insights

October 26, 2010 2 Min read

Perl Library for Google Safe Browsing V2

Google offers URL denylists to identify malicious websites and phishing sites through the Google Safe Browsing API. It is used in pretty much all browsers (Firefox, Safari, etc.), except Internet Explorer. Version 2 has ...

Security Insights

October 11, 2010 1 Min read

Halloween Tricks: Spammers Are Ready

Halloween is less than a month away and vendors have already set up their stores to sell plenty of candies, pumpkins, decorations, costumes. Halloween represents big business for U.S. retailers. Spammers are clearly n...

Update To The Search Engine Security Plugin

Security Insights

October 06, 2010 1 Min read

Update To The Search Engine Security Plugin

I won't make a new blog post every time I update the Search Engine Security add-on for Firefox, but there have been several changes since the last post. Notification This feature was introduced in version ...

Security Insights

October 04, 2010 1 Min read

PHP Deobfuscation

When I was analyzed the PHP scripts used for the "Hot Video" pages, I had to find a way to deobfuscate the PHP code. There are many tools and online services to obfuscate PHP, but very few to deobfuscate it. ...

Best And Worst Antivirus Against Fake AV Malware

Security Insights

September 30, 2010 1 Min read

Best And Worst Antivirus Against Fake AV Malware

The detection rate for fake antivirus malware amongst antivirus vendors is usually below 25%. I was curious to see which AV engines were the best and worst, when it comes to blocking malicious fake AV executables. In ord...

"Hot Video" Pages: Analysis of a Hijacked Site (Part III)

Security Insights

September 29, 2010 3 Min read

"Hot Video" Pages: Analysis of a Hijacked Site (Part III)

In Part I and II, I analyzed files on a hijacked site that was part of the "Hot Video" campaign. While doing the analysis, I identified other hijacked domains and found additional scripts used to create the "Hot Video" p...

Security Insights

September 23, 2010 1 Min read

Fake AV Moving From .co.cc To .cz.cc

I've mentioned before that most of the fake AV sites were hosted on the sub-domain of co.cc which offers free DNS services. It is certainly true that the domain is still hosting most of the fake AV sites, however, the...

"Hot Video" Pages: Analysis of a Hijacked Site (Part II)

Security Insights

September 22, 2010 2 Min read

"Hot Video" Pages: Analysis of a Hijacked Site (Part II)

In Part I of this series, I analyzed the files used in coordination with news.php to create the malicious spam "Hot Video" pages. In this second post, I'll analyze the rest of the files found on the site: .cch/ - f...

Security Insights

September 20, 2010 5 Min read

"Hot Video" Pages: Analysis of a Hijacked Site (Part I)

I was fortunate enough to find a hijacked site which was being used to host fake "Hot video" pages, which I've blogged about before. However, this time around, the site had directory listings enabled. As such, I could vi...

Phishing Sites Hosted On Google Blogpsot

Security Insights

September 15, 2010 1 Min read

Phishing Sites Hosted On Google Blogpsot

We've previously reported on malware that can be accessed from Google search results and malicious executables hosted on Google Code. Additionally, Google Docs has been used for phishing and spam in the past. Now, Blogsp...

Attackers Re-create An Entire Facebook Site For Phishing

Security Insights

September 14, 2010 1 Min read

Attackers Re-create An Entire Facebook Site For Phishing

Most phishing sites consist of one login page with perhaps a few additional pages. However, I recently stumbled upon a Facebook phishing site which cloned all the facebook pages: About, Developers, Adverting, Sign up, et...

Security Insights

August 24, 2010 2 Min read

A Week Of Research

This post is a little bit different from what I usually write. Rather than explaining one topic, I'd like to provide insight into what we uncover during a typical week of research. Here are some of the malicious pages th...

Security Insights

August 18, 2010 1 Min read

More Chinese Phishing Sites

in a previous post, I talked about the QQ phishing sites targeting chinese users. There is another popular type of Chinese phishing: Yahoo! Auctions lotteries. Yahoo Auctions is more popular than eBay in China. ...

Security Insights

August 16, 2010 1 Min read

QQ Phishing Sites Stay Under The Radar

In April, Mike reported an increase of QQ phishing sites. This does not come as a surprise, QQ is the equivalent of Google + eBay + Paypal in China. QQ first started as an Instant Messaging site and has now evolved as a ...

Security Insights

August 11, 2010 1 Min read

Spam SEO And Adware

It seems that Blackhat spam SEO is getting more and more effective, allowing attackers to spread malware and adware. Spammers can now easily infect thousands of websites in order to rank high in popular searches and tric...

SEO Spam Attacks Are Getting Harder To Spot

Security Insights

August 05, 2010 1 Min read

SEO Spam Attacks Are Getting Harder To Spot

Spam SEO pages used to be very easy to spot: no Javascript, no style sheets, no images, etc. and usually just a single link. They only text on the page relevant to the spam was generally a set of short paragraphs, as sh...

Security Insights

August 02, 2010 1 Min read

SEO Spammers Go After Firefox Users

Most malicious pages used in spam SEO attacks target Windows users, by showing what looks like a Windows Antivirus screen running, or Internet Explorer with pages displaying fake IE warnings about outdated flash versions...

New Firefox Addon to Protect Against Malicious Spam SEO

Security Insights

July 30, 2010 3 Min read

New Firefox Addon to Protect Against Malicious Spam SEO

There are currently no ultimate solutions for end-users to protect themselves against fake AV pages, fake videos and other malicious spam SEO: antivirus have a low detection rate, denylist (such as Google Safe Browsing) ...

Security Insights

July 27, 2010 1 Min read

Fake AV: New Look & Feel

I recently stumbled upon a new type of fake AV page. This one looks like the store front of an anti-virus vendor. New fake AV look & feel The page is animated and displays a fa...

Security Insights

July 19, 2010 1 Min read

"Spyware And Virus Free" - Really?

Most of the non-malicious spam that we see in search results relates to fake search engines. The operators of these sites make money by tricking users into clicking on disguised advertising. Another way they make money i...

Fake Youtube Page Used To Infect Soccer Fans

Security Insights

July 09, 2010 1 Min read

Fake Youtube Page Used To Infect Soccer Fans

Attackers are using the excitement surrounding the World Cup to attack users. As we've shown earlier, they have posted links to fake live streams on social networks, or used BlackHat SEO spam to infect the top soccer-rel...

Comparison of Malware Protections: Google Safe Browsing, Microsoft SmartScreen, Etc.

Security Insights

June 10, 2010 2 Min read

Comparison of Malware Protections: Google Safe Browsing, Microsoft SmartScreen, Etc.

All modern web browsers now include protection from malware. They include a list of known malicious URLs, and compare each address visited by the user against this list. If the URL is recognized as malicious, a warning m...

Fake Video Codecs Replacing Fake AV Pages

Security Insights

June 08, 2010 1 Min read

Fake Video Codecs Replacing Fake AV Pages

We've recently seen fake AV pages being replaced by fake video pages - malicious pages showing a Flash based video player, along with an error telling the user that he has to download a new codec to play the video. Th...

Security Insights

June 04, 2010 1 Min read

New Fake AV Pages

There have been a number of changes in the world of Search Engine Optimization (SEO) poisoning attacks. I reported yesterday that there we're seeing ever more dangerous exploits using Flash and Java.We're now also findin...

Spam SEO: Use Of Java/Flash Leads To More Dangerous Exploits

Security Insights

June 02, 2010 2 Min read

Spam SEO: Use Of Java/Flash Leads To More Dangerous Exploits

Most malicious sites behind spam Search Engine Optimization (SEO) poisoning attacks lead to fake antivirus pages. The malicious sites rely on social engineering, tricking users into thinking their computer is infected an...

Security Insights

June 01, 2010 1 Min read

Infected Javascript File

When legitimate sites are hacked, attackers usually modify the existing HTML pages to add their own code (obfuscated Javascript or invisible IFRAMEs), or add new fake pages to the site. The additional code is commonly fo...

Fake Antivirus: Your Denylist and Antivirus Do Not Protect You

Security Insights

May 25, 2010 2 Min read

Fake Antivirus: Your Denylist and Antivirus Do Not Protect You

We have spent a fair bit of time discussing fake AV pages as they represent approximately 60% of the malicious content associated with Search Engine Optimization (SEO) attacks, according to Google. As shown in past Zscal...

Security Insights

May 25, 2010 1 Min read

Philippine Yellow Pages Hacked

Following on the wave of "iepeers.dll" exploits, we found that the same client IP address involved in the attacks, used an open proxy to reach thousands of pages containing IE6 exploits. These consisted of legitimate si...

Security Insights

May 24, 2010 2 Min read

Fake AV Copycat?

Malicious fake antivirus pages are pretty much all the same, with very straightforward code, which makes them relatively easy to detect. Most of these pages are also found just a few domains (mostly on sub-domains of xor...

Security Insights

May 18, 2010 1 Min read

Spike Of "iepeers.dll" Exploits

We have seen a spike in exploits using the CVE-2010-0806 "iepeers.dll" vulnerability since this past weekend. The vulnerability affects Internet Explorer 6 and 7. We have seen this exploit in the wild since that day,...

Security Insights

May 17, 2010 2 Min read

SEO Spam Research

Hacked sites may have their pages modified with invisible IFRAMES or malicious JavaScript, or new dynamic pages are created to redirect users to a fake anti-virus page or a scam. In some cases, new folders are created, a...

Deep Javascript Obfuscation Can Make Exploits Easier To Detect

Security Insights

May 13, 2010 3 Min read

Deep Javascript Obfuscation Can Make Exploits Easier To Detect

UPDATE: AVG displayed false alerts about the obfuscated Javascript codes samples displayed in the post. These samples are all harmless. I have replaced these codes samples with screenshots. Minification, packing, ob...

Security Insights

May 06, 2010 2 Min read

Elaborate Scam For Mother's Day

Mother's Day is coming soon. As for any big event, attackers and spammers are using Blackhat Search Engine Optimization (SEO) to lure users to their site. I stumbled upon a rather elaborate scam involving tens of site...

How to Use Google to Be the Bad Guy, or Fight the Bad Guys

Security Insights

May 04, 2010 4 Min read

How to Use Google to Be the Bad Guy, or Fight the Bad Guys

Find vulnerable targets When a vulnerability is disclosed in a popular software (such as Wordpress, Joomla!, Drupal, etc.), attackers can use Google to quickly find a list of websites that run the potentially vulnerab...

Remote Downloader ActiveX: Old Exploits, New Malware

Security Insights

April 26, 2010 3 Min read

Remote Downloader ActiveX: Old Exploits, New Malware

ActiveX is a proprietary Microsoft technology, which allows developers to produce reusable software components. The controls are compatible with the Internet Explorer (IE) web browser and over the years have been a frequ...

Video: First Link On Google Leads To A Malware Site

Security Insights

April 16, 2010 1 Min read

Video: First Link On Google Leads To A Malware Site

A video is worth a thousand words. This short clip shows a Google search for "tax day freebies", one of the hottest search terms on 04/14/2010. The first regular search result (below the News and Twitter sections) redire...

Google Search: More Links Are Malicious Than You Realize

Security Insights

April 05, 2010 2 Min read

Google Search: More Links Are Malicious Than You Realize

It is not uncommon to find malicious links in 15% to 20% of the first 100 results returned by Google for any popular search term (according to Google trends). If Google doesn’t take the Blackhat SEO problem more seriousl...

How Google Is (NOT) Tackling the Blackhat SEO Issue

Security Insights

April 05, 2010 3 Min read

How Google Is (NOT) Tackling the Blackhat SEO Issue

Google is widely used by attackers to trick users into going to malicious sites. The attackers hack legitimate sites that rank high on popular searches. The hacked pages display good content to the Google crawlers but wh...

Governmental Website Hacked To Spread Malware

Security Insights

April 01, 2010 1 Min read

Governmental Website Hacked To Spread Malware

Malicious sites are hiding themselves behind hacked legitimate sites. Attackers use these legitimate sites to fool the search engines into showing them as the top results for the most popular searches. These sites are ...

Unlike Popular Belief, Short Links on Twitter Aren't Malicious!

Security Insights

March 29, 2010 2 Min read

Unlike Popular Belief, Short Links on Twitter Aren't Malicious!

Twitter recently announced that it has implemented a new security system to scan all URLs posted in tweets to protect users from malicious sites. This follows a similar announcement from bit.ly in November 2009 T...

Chile Earthquake Tragedy Used To Spread Malware

Security Insights

March 03, 2010 2 Min read

Chile Earthquake Tragedy Used To Spread Malware

As we've discussed multiple times, search engine optimization (SEO) is a favored tool for spreading malware. Along with the Haiti earthquake and the Winter olympics, the recent earthquake in Chile is a top news story. Un...

Zscaler named a Leader in the 2023 Gartner® Magic Quadrant™ for Security Service Edge

Your world, secured

Zscaler: A Leader in the 2023 Gartner® Magic Quadrant™ for Security Service Edge (SSE)

The Zscaler Difference

Zero Trust Fundamentals

Secure Your Users

Secure Your Workloads

Secure Your IoT and OT

Products

Solution Areas

Zero Trust Exchange Platform

Transform with Zero Trust Architecture

Secure Your Business Goals

Learn, Connect, and Get Support.

Resource Center

Events & Trainings

Security Research & Services

Tools

Community & Support

Industry & Market Solutions

About Zscaler

Partners

News & Announcements

Leadership Team

Partner Integrations

Investor Relations

Environmental, Social & Governance

Careers

Press Center

Compliance

Zenith Ventures

News and views from the leading voice in secure digital transformation

Menu

Home

Products and Solutions

Customer Stories

News & Announcements

Zscaler Life

Security Research

More From This Author

Julien Sobrier

Security Insights

August 14, 2013 2 Min read

Facebook Phishing: Manual Session Hijacking

We have reported a number of Facebook phishing pages and scams on this blog. Attackers always come up with clever ideas to fool users in order to obtain their credentials. One of these phishing tricks is a "poor-man" ses...

Security Insights

July 10, 2013 1 Min read

Tracking A Botnet Infection

Recently we found several malicious executables with similar characteristics. These files were found on the following six domains: janashfordplumbing.com kalliskallis.com lowes-pianos-and-organs.com co...

Security Insights

June 04, 2013 1 Min read

Phishers Target Yahoo Users

Yahoo Mail introduced two-factor authentication in December 2011. Two-factor authentication can be used to prevent suspicious access to an account (login from a different country, numerous failed login attempts, etc.) an...

Security Insights

May 16, 2013 2 Min read

Fake YouTube Page Targets Chrome Users

Fake YouTube pages are one of the favored ways attackers leverage to get users to click on malicious content. These fake pages often look the same, but the source code can reveal a new twist. This time, a recently encoun...

Security Insights

May 03, 2013 1 Min read

Fake Flash Player On DropBox

Fake Flash updates are leveraged as a very popular trick amongst attackers to fool users into downloading and installing malware. This week we found a three websites distributing Win32.Sanity.N malware disguised as Flash...

Security Insights

April 30, 2013 1 Min read

More Fake SourceForge Websites Show Up

Two weeks ago we reported on a fake SourceForge website, sourceforgechile.net, which was used to distribute malware. We have since seen more of these fake sites this past week: sourceforgebulgaria.net, registered on ...

Security Insights

April 26, 2013 3 Min read

Bitcoin: Regulations And Security

You have probably heard about Bitcoin, a relatively new virtual currency. It made headlines recently because it is starting to present a real alternative for traditional online payments, and has recently experienced ...

Security Insights

April 17, 2013 1 Min read

Fake SourceForge Site Distributes Malware

We spotted malware hosted on hxxp://sourceforgechile.net/ a couple of days ago. The website is not currently responding, but appears to been set up as a fake and malicious version of the popular open-source hosting site ...

Security Insights

February 22, 2013 1 Min read

The Move to Plugin-Free Browsers

Apple was the first major player to offer a browser with no plugins with Safari for iOS. Even the very popular Flash plugin cannot run in the browser. However, no vendor, including Apple, has had such restrictions on the...

Security Insights

February 08, 2013 1 Min read

HTTPS Everywhere For IE: Faster, Auto-update Enabled