Security Labs

Forcepoint Security Labs™ brings together researchers, engineers and thought leaders from around the world to discover, investigate, report and – ultimately – protect our customers from sophisticated, evasive and evolving Web- and email-based threats.

Find out more about the work we do through our blogs, annual reports, conference presentations and podcasts.

Recently an actor has been using domains like realstatistics[.]info to direct users to exploit kits. These domains are injected as scripts into compromised websites, resulting in drive-by attacks on browsers. The domains are used as Traffic Direction Systems (TDS), which determine whether a target is of interest and should be sent on to the malicious site.

What is a TDS?

A TDS is a web-based gate that is able to redirect users to various content depending on who they are. A TDS is able to make a decision on where to send a user based on criteria such as their geo-location, browser, operating system, and whether or not... Read more

The very popular Russian site Sprashivai[.]ru has been compromised and is silently redirecting users to the RIG Exploit Kit (EK). During our analysis we saw RIG EK drop the SmokeLoader (aka Dofoil) malware.

Image above taken from the Sprashivai homepage

Compromised Site

Sprashivai[.]ru is a popular Russian Q&A and social networking site, receiving an estimated 20 million visitors per month according to SimilarWeb. The Russian word "sprashivai" means "ask" in English.

The site has been compromised by an actor attempting to redirect users to RIG EK via an injected iFrame:

The iFrame... Read more

After the recent outage of the Necurs botnet, the Locky developers have used the break in activity to develop some new features for their ransomware. Locky e-mails came back in full force on 21 June, 2016 and now contain virtual machine (VM) and analysis tool countermeasures.

One of the new tricks involves new encryption of the payload that is downloaded by their JavaScript downloaders. This prevents analysis tools from extracting and analysing the executable from captured network traffic. Once decrypted, Locky now also requires a command line parameter in order to run correctly. This second technique prevents sandbox environments from knowing how to... Read more

On June 20, 2016 the popular anime site Jkanime was injected with malicious code that was silently redirecting users to Neutrino Exploit Kit (EK). During our analysis Neutrino EK dropped and executed the CryptXXX 3.0 crypto-ransomware, and we were asked to pay 1.2 Bitcoin (approximately $888 USD) in order to get our files back.

Compromised Website

Jkanime is one of the most popular sites globally for streaming anime episodes online, receiving an estimated 33 million visitors per month. It is particularly popular in South America according to SimilarWeb.

The site itself has been injected with a script... Read more

Angler Exploit Kit (EK), one of the most advanced and prevalent exploit kits, appears to no longer be active. Only this month it was reported that Angler had introduced a new bypass for Microsoft's EMET so the sudden disappearance of the kit is unexpected. However, it could be related to the recent arrests of a "Russian hacker gang" who were using Angler EK to distribute their "Lurk" banking trojan.

Kafeine reported on his blog that actors who had been using Angler for several years had recently moved to Neutrino to spread their malware. He also stated that Neutrino have doubled the price of their exploit kit, similarly to how... Read more

Details of a new vulnerability affecting Google Chrome's default PDF reader "PDFium" have been disclosed. The vulnerability affects Google Chrome versions below 51.0.2704.63 and could allow for arbitrary code execution. Aleksandar Nikolic of Cisco Talos discovered the vulnerability which was reported to Google on May 19, 2016 and fixed just one day later. The CVE number CVE-2016-1681 has been assigned for this vulnerability. A patched version of Chrome (51.0.2704.63) became available in a stable version on May 25, 2016.

The severity of this vulnerability was given as "high" by the Chromium team who paid out 3,000 USD to ... Read more

Last week we tracked an interesting e-mail campaign that was distributing double zipped files with Windows Script Files (WSFs) inside. When executed, these WSFs downloaded the Cerber crypto-ransomware. Cerber has previously been seen distributed via exploit kits and over e-mail using DOC files with macros. This is the first time that we have seen Cerber distributed via the use of WSFs.

E-mail Lure

The e-mail lures followed a convention of "[someone@somewhere.tld] Invoice-or-bill-related-subject-line". For example:

The attacker has used two techniques to try and trick the user into downloading the malware. Firstly... Read more

[UPDATE 05/MAY/2016] A list of Indicators of Compromise is now available to download at this location.

JAKU is the name of the investigation by the Forcepoint™ Security Labs™ Special Investigations team into a botnet campaign. We have released our technical analysis in the form of a whitepaper. Download links and other resources are provided below.

JAKU Targets Specific Victims

What makes JAKU unique is that within the noise of thousands of botnet victims, it targets and tracks a small number of specific individuals. These individuals include members of International Non-Governmental... Read more

Forcepoint™ Security Labs™ has released the inaugural Forcepoint 2016 Global Threat Report.

You can follow the buzz on social media using the hashtag #ForcepointGTR.

The 2016 Global Threat Report analyses the most impactful cybersecurity threats, with each section closing with guidance from the Forcepoint team on how best to address the outlined threats.

There are 5 main sections in the report that cover:

Insider Threat

Internal incidents were the leading cause of data breaches in 2015. Accidental insider and employee negligence becoming... Read more

Forcepoint Security Labs has already blogged recently about the JIGSAW crypto-ransomware outbreaks that have been reported in the media. We decided to perform a little more investigation into the malware and see what we could find. What we briefly found offers some insight into the economics of JIGSAW, the 'black' marketplace it is traded from and the level (or absence) of sophistication in the author and his/her customers.

Learn to Spell

Armed with a number of variants of the malware we have been able to perform some very simple static analysis. For instance, taking a number of the recently seen variants of... Read more