Contact Us

1 (800) 723-1166 |

Security Labs

HomeSecurity Labs
HomeSecurity Labs

Forcepoint Security Labs™ brings together researchers, engineers and thought leaders from around the world to discover, investigate, report and – ultimately – protect our customers from sophisticated, evasive and evolving Web- and email-based threats.

Find out more about the work we do through our blogs, annual reports, conference presentations and podcasts.

The popular airline travel site yatra[.]com is currently (01 Feb 2016) redirecting users to Angler Exploit Kit (EK) via a compromised advertising script. The millions of users per month browsing to the yatra[.]com homepage are currently exposed to being redirected to code that silently drops and executes malware in the background by exploiting one of the latest Flash Player vulnerabilities.

Compromised Site

The website yatra[.]com is a highly popular Indian travel search engine that is ranked 2,262 globally according to Alexa (4,219 according to SimilarWeb) and receives an estimated 7.5 million visitors per... Read more

Forcepoint Security Labs™ identified this week that a well known transport company's website had been compromised.  We discovered that it was redirecting users to Angler Exploit Kit (EK).  Forcepoint informed the company who were quick to respond and address the issue. Users browsing to the site were exposed to malware being silently dropped onto their system and executed in the background. When we analyzed the infection we saw that users were being redirected to Angler EK which was then exploiting CVE-2015-8651, affecting Adobe Flash Player versions up to and

Compromised Website

The website in question... Read more

It is the beginning of 2016.  Most of us will be building our calendars around the year's public holidays. Many of us would of course use Google search to find these dates. But browsers beware, because one of the top results may result having your credentials and monies stolen by malware. The website in question: officeholidays[.]com, has been compromised and leads users to RIG exploit kit (EK).

Compromised Website

If you were to search for the term "public holidays" on Google UK then the website officeholidays[.]com would currently appear to you in the top three results. This site currently has an estimated 1 million... Read more

For a while now, actors have been distributing the Kovter click-fraud malware in e-mails via JavaScript attachments. Recently however, we noticed a Kovter e-mail campaign that was attempting to download proxy software onto users' machines via a JavaScript downloader. Whilst not malicious by itself, the proxy software (ProxyGate) is silently installed by the malware and automatically registered on the ProxyGate network. This means that the user's machine can be used for subsequent network traffic by anybody using ProxyGate, essentially making the machine a zombie for anybody's use. At the time of writing this blog, the actors were no... Read more

Guest speaker Nicholas Griffin (Sr. Security Researcher) and Carl Leonard (Principal Security Analyst) discuss the malicious email campaign that drops Ursnif, the HTTPS Bicycle attack and look forward to the announcement of our new company name and identity.

On January 5th Raytheon|Websense® researchers noticed an interesting e-mail sample from a recent and ongoing e-mail campaign which contained a malicious document attachment and downloaded malware in a unique way. The Microsoft Office Word document downloaded the malicious payload from a JPG file but, where a normal browsing user would see an image of Kangaroo, the malicious document saw a different file - the Ursnif credential stealer.

fig 1. Actual image hosted on command-and-control server


Executive Summary

There are several interesting aspects to this threat as summarized below:

The... Read more

A paper detailing a new attack vector on TLS was released on December 30. The attack, known as the HTTPS Bicycle Attack, is able to determine the length of specific parts of the plain-text data underneath captured TLS packets using a side-channel attack with already known information. The attack has a few prerequisites but could be applied in a real world scenario, and is completely undetectable due to its passive nature.


Executive Summary

The HTTPS Bicycle attack can result in the length of personal and secret data being exposed from a packet capture of a user's HTTPS traffic... Read more

Today, we came across a website providing free Christmas graphics along with an early but unwanted Christmas present. The website christmas-graphics-plus[.]com is injected with malicious code that leads users on a virtual sleigh ride to Angler Exploit Kit (EK) and drops the new CryptoWall 4.0 ransomware. If you were to visit this grotto, then all of your documents would be encrypted and held to ransom - including your Christmas card address book. The real Nightmare Before Christmas.

Raytheon|Websense® customers are protected against the threat of this Christmas stealing Grinch via real-time analytics in our Advanced... Read more

What are we predicting for the cyber security landscape in 2016? Carl Leonard & Andy Settle discuss our Raytheon|Websense Security Labs team findings and what to expect in the coming year.


At the end of every year Raytheon|Websense Security Labs release our annual security predictions report.  Our global team of researchers, data scientists and thought-leaders are interviewed to give you the most accurate insights into the changing threat landscape.  Using hindsight, insight and foresight we arrive at series of events, situations and behaviors expected to transpire in forthcoming months and years. 

This year's predictions span the following areas:

Attacker Trends Attackers are quick to abuse newly created infrastructure and systems.  The generic Top Level Domain (gTLD) system is no exception.  We analyze... Read more