Tag Archive | "Facebook"

Facebook scam “My Top 10 stalkers” targets users in specific countries

A new spam campaign, similar to campaigns we have seen in the past, is spreading on Facebook. This one, however, has some interesting twists to it.

The core of the campaign involves a Facebook app that claims to know who your “Top 10 stalkers” are. Our customers are protected from this campaign by ACE, our Advanced Classification Engine.

It works by creating an album – “My Top 10 stalkers” – with the description “Check who views your profile @,” followed by a bit.ly URL-shortened link. It then automatically uploads a photo to the app and tries to mark all the user’s friends in the photo.

The bit.ly link redirects the user to a page that uses JavaScript to determine the geographical location of the computer based on its IP address. Depending on the location, the page then redirects users located in specific targeted countries to the Facebook App in an attempt to further spread the infected link. The campaign is targeted at Facebook users in the United States, Canada, United Kingdom (including a specific target for Great Britain), Saudi Arabia, Norway, Germany, Spain, Slovenia, Ireland, and United Arab Emirates.

At the time of writing, the hackers had switched to a new app; the first illegitimate app was deleted by the Facebook security team. Both apps use exactly the same mechanism to post spam messages to Facebook profiles. Whether or not the JavaScript redirects the browser to the Facebook app based on its location, all users ultimately land on a scam page that tries to lure them into completing several fake surveys. The hackers use this method to collect personal information such as the user’s home address, e-mail address, or phone number.

If the user tries to navigate away from the page or close the browser, a message appears asking them to stay and complete a “SPAM-free market research survey to gain access to this special content.” Special it may sound, but it is definitely not spam-free!

As always, if a page forces you to Like, Share, or install an application in order to view it, DON’T DO IT! Chances are, it’s spam.

Install Defensio, our free security app for Facebook, to prevent scams like this from ever appearing in your news feed.

Posted in Facebook, Security

Six Months, Six Providers and IPv6

This winter, the Internet passed a major milestone in its twenty-year-old wunderkind evolution from a small, experimental research network to one of the technical foundations of modern society. In a brief Miami hotel conference room ceremony, ICANN allocated the last five IPv4 address blocks on February 3 – the long anticipated endgame towards eventual Internet address space exhaustion was officially underway [1].

The increasing scarcity of IPv4 address space has motivated renewed interest in IPv6. With billions and billions of possible addresses, IPv6 provides a long-term evolutionary path for the Internet, including the anticipated “Internet of Things” [2,3]. Unfortunately, the IPv6 migration effort has largely been unsuccessful to date [4,5].

Despite fifteen years of IPv6 standards development, vendor releases and advocacy, only a small fraction of the Internet has adopted IPv6. The slow rate of IPv6 adoption stems from equal parts technical and design hurdles, lack of economic incentives and a general dearth of IPv6 content. In response to these IPv6 challenges, an Internet-wide consortium of major carriers, vendors and content providers has planned a “World IPv6 Day” [6]. On June 8, 2011 the consortium will conduct the “first global-scale trial” of IPv6, with major content players including Google, Akamai and Limelight enabling native v6 on their servers. A major goal of World IPv6 Day is the collection of Internet-wide IPv6 measurements and the identification of major v6 connectivity and performance problems. This report continues our efforts to develop a baseline of global IPv6 adoption ahead of World IPv6 Day.

Accurate metrics around IPv6 adoption remain a significant challenge for the industry. Given the relative lack of v6 monitoring capabilities deployed in most backbones, studies to date have generally focused on secondary indicators of IPv6 traffic, including DNS queries, IPv6 registry allocations and BGP announcements [5]. Similarly, we explored estimates of global IPv6 adoption using NetFlow analysis of tunneled IPv6 traffic in a 2007 technical report [4].

Our 2007 findings of only trace levels of IPv6 traffic in the Internet generated some level of controversy. Most notably, reviewers argued that our study ignored native IPv6 traffic, only included a subset of Teredo traffic, and thus, significantly underestimated Internet v6 traffic.

This report revisits our 2007 work with one of the first studies of native IPv6 traffic volumes across multiple large carriers. Beginning in late summer of 2010, a small subset of ATLAS deployments both upgraded their backbone infrastructure (routers and monitoring appliances) and enabled V9 Flow export across the majority of their network. The report analyzes native v6 traffic across six of these large providers in North America and Europe over the last six months. In all, we analyzed aggregate inter-domain traffic volumes of more than 8 terabits per second and a total of more than 10 exabytes over the life of the study. More information on our measurement methodology is available in our recent Internet traffic academic research paper [7].

Analysis

During the six month study period, IPv4 inter-domain traffic grew by an average of 40-60%. In marked contrast, IPv6 (both native and tunneled) decreased by an average 12%, though the small volumes of native IPv6 more than doubled.

Before examining native IPv6 growth trends, we first revisit tunneled IPv6 traffic observations from the 110 diverse ATLAS participating providers around the world. The graph shows tunneled IPv6 as a weighted average percent of all inter-domain traffic between July 2007 and February 2011. Given the global media attention and growing availability of IPv6 content, the decline of tunneled IPv6 traffic percentages is unexpected. After peaking at 0.04% of all Internet traffic in August 2010, tunneled v6 declined significantly through February 2011. Possible explanations for this decline include the migration of tunneled IPv6 to native traffic and more efficient deployment of tunnels and encapsulation technology.


Figure 1 IPv6 tunneled traffic as a weighted average percentage of all Internet inter-domain traffic across 110 participating ATLAS providers. Includes both Teredo and 6to4.

The next two graphs focus on IPv6 traffic in the six providers which enjoy native IPv6 traffic telemetry capabilities. The first graph shows IPv6 as an average percentage of all inter-domain traffic in these six providers. Given the small sample size and time period, the dataset is fairly noisy. Overall, aggregate v6 volumes remained mostly constant over the study period, between 0.1 and 0.2 percent of Internet traffic. This range corresponds with Google and AMS-IX observations [9,10]. The second graph shows native IPv6 traffic as a percentage of all inter-domain IPv6 traffic in the six providers. On average, native IPv6 grew by ten percentage points, suggesting provider infrastructure and end users continue converting tunneled traffic to native v6 infrastructure.



Figure 2 IPv6 native and tunneled traffic as a percentage of all inter-domain traffic in six participating ATLAS providers.

Figure 3 Native IPv6 traffic as a percentage of all IPv6 inter-domain traffic in six participating ATLAS providers.
We also look at the top IPv6 applications in the six participating ATLAS deployments with native IPv6 telemetry. Figure 4 shows the top applications as an average percentage of all IPv6 traffic (both native and tunneled) in each deployment. Not surprisingly, P2P continues to dominate at more than 60% of all IPv6 traffic [8]. Note that our analysis primarily used well-known port numbers. Unlike IPv4 P2P, the data suggests most IPv6 P2P applications make little effort to encrypt or use randomized ports. This IPv6 P2P behavior may correspond to the relative lack of IPv6-capable firewall and traffic management solutions. At a distant second and third, Web and SSH both average 4.6% of IPv6 traffic.

As a point of comparison, our ongoing analysis of IPv4 application traffic finds video (Netflix, YouTube, Flash) at a combined 40% and P2P representing only 8% of IPv4. We show data from payload analysis of traffic in a small number of collaborating networks in Figure 5.

We validated these port-based application distributions for both IPv4 and IPv6 against a payload-based classification of traffic in two large consumer providers, which exhibited similar distributions.


Figure 4 Top IPv6 applications based on TCP / UDP port groups in six cooperating ATLAS providers. Limited data validation based on a payload based classification of applications in one provider.


Figure 5 Top IPv4 applications based on payload analysis in a small number of North American consumer providers.

Finally, we analyzed the number and distribution of traffic across IPv6 tunnel end-points. Over a 24 hour period in February, we observed more than 250,000 distinct tunnel end points in the 110 ATLAS participants, including thousands of unique tunnels in the six providers with native IPv6 offerings. The dataset included the maximum five minute traffic rate observed for every tunnel end-point pair for each day. We note that the commercial data collection appliances used in this study only monitor a limited number of tunnels so the actual number of active tunnels was likely significantly higher.

The 250,000 IPv6 tunnel end points exhibit an extremely heavy-tailed traffic distribution. The top five tunnel end points contribute more than 90% of all tunneled IPv6 traffic. These top end points include the 6to4 relay anycast address (192.88.99.1), followed by Hurricane Electric tunnel broker ranges and Microsoft’s Teredo server (65.55.158.118).
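As an added illustration of the distinction the report draws between tunneled (6to4, Teredo) and native IPv6 traffic, and of how tunnel end points such as the 6to4 relay anycast address and a Teredo server can be recovered from the addresses in flow records, here is example code that is not part of the report or of the ATLAS tooling. The flow records are constructed, and the classification relies only on the well-known 6to4 and Teredo prefixes, not on the report's own methodology.

```python
import ipaddress
from collections import defaultdict

# Well-known prefixes for the two tunnel types the report measures.
SIXTO4_NET = ipaddress.IPv6Network("2002::/16")   # RFC 3056 6to4
TEREDO_NET = ipaddress.IPv6Network("2001::/32")   # RFC 4380 Teredo

# Constructed sample flow records (destination IPv6 address, bytes). These are
# not data from the report, only an input that exercises each address type.
SAMPLE_FLOWS = [
    ("2002:c058:6301::1", 50_000),                     # 6to4 via the 192.88.99.1 relay anycast
    ("2002:c000:0201::7", 10_000),                     # 6to4, end point 192.0.2.1 (documentation range)
    ("2001:0:4137:9e76:8000:63bf:3fff:fdd2", 30_000),  # Teredo via server 65.55.158.118
    ("2001:db8::1", 6_000),                            # native (documentation prefix)
    ("2001:db8:1::2", 4_000),                          # native
]


def classify(addr_str):
    """Classify one IPv6 address as "6to4", "teredo" or "native".

    Returns (kind, endpoint): endpoint is the IPv4 tunnel end point embedded
    in the address (the 6to4 router, or the Teredo server), None for native.
    """
    addr = ipaddress.IPv6Address(addr_str)
    raw = int(addr)
    if addr in SIXTO4_NET:
        # 6to4: 2002:V4ADDR::/48, the IPv4 address sits in bits 16..47.
        return "6to4", ipaddress.IPv4Address((raw >> 80) & 0xFFFFFFFF)
    if addr in TEREDO_NET:
        # Teredo: 2001:0:SERVER:FLAGS:PORT':CLIENT', server IPv4 in bits 32..63.
        return "teredo", ipaddress.IPv4Address((raw >> 64) & 0xFFFFFFFF)
    return "native", None


def teredo_client(addr_str):
    """Recover the obfuscated client IPv4 address and UDP port from a Teredo address.

    Both fields are stored XORed with all-ones (RFC 4380 section 4).
    """
    raw = int(ipaddress.IPv6Address(addr_str))
    port = ((raw >> 32) & 0xFFFF) ^ 0xFFFF
    client = (raw & 0xFFFFFFFF) ^ 0xFFFFFFFF
    return ipaddress.IPv4Address(client), port


def summarize(flows):
    """Aggregate bytes per traffic class and rank tunnel end points by volume.

    Returns (share, top): share maps class -> percent of all bytes; top is a
    list of (endpoint, bytes) sorted descending, i.e. the heavy-tail view.
    """
    by_kind = defaultdict(int)
    by_endpoint = defaultdict(int)
    for addr, nbytes in flows:
        kind, endpoint = classify(addr)
        by_kind[kind] += nbytes
        if endpoint is not None:
            by_endpoint[str(endpoint)] += nbytes
    total = sum(by_kind.values())
    share = {k: round(100.0 * v / total, 1) for k, v in by_kind.items()}
    top = sorted(by_endpoint.items(), key=lambda kv: kv[1], reverse=True)
    return share, top


if __name__ == "__main__":
    share, top = summarize(SAMPLE_FLOWS)
    print("traffic share by class:", share)
    print("top tunnel end points:", top)
```

The Python standard library exposes the same decoding as `IPv6Address.sixtofour` and `IPv6Address.teredo`, which can serve as a cross-check.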

Conclusion

The upcoming “World IPv6 Day” marks a major milestone in the Internet’s evolution. With IANA’s free IPv4 blocks now exhausted, the next twenty years of the Internet require new technologies to accommodate the upcoming billions of new devices and Internet services.

In a remarkable, first of a kind global experiment, providers around the world will enable IPv6 by default on most of the major popular Internet web sites this June 8th. Previously, large content providers generally proved reluctant to enable v6 by default over concerns of poor performance and disruptions to customer traffic. In short, content providers feared that unilaterally enabling v6 put their web sites at a competitive disadvantage.

World v6 Day represents the first global experiment in new Internet technologies. What will happen on v6 day? Will the flood of IPv6 traffic result in network failures? Will operators and vendors discover critical bugs in network infrastructure? As an industry, we’re not sure — that is why this V6 day experiment is so crucial.

Vendors and providers have spent years updating technology and testing IPv6 to ensure June 8th will go seamlessly. If all goes well, the vast majority of users will spend the day unaware of this global Internet infrastructure experiment. Arbor is proud to play a role in supporting the measurement and analysis of the World V6 Day experiment.

 

End Notes

[1] Stephen Lawson, “ICANN assigns its last IPv4 addresses”. Network World. February 3, 2011. http://www.networkworld.com/news/2011/020311-icann-assigns-its-last-ipv4.html

[2] Wikipedia, “Internet of Things”. Retrieved March 1, 2011. http://en.wikipedia.org/wiki/Internet_of_Things

[3] Also see XKCD for a more cautionary analysis of IPv6 address possibilities at http://xkcd.com/865/

[4] Craig Labovitz, “The End is Near, but is IPv6?”. Arbor Networks Blog Post. August 18, 2008. http://asert.arbornetworks.com/2008/08/the-end-is-near-but-is-ipv6/

[5] Elliott Karpilovsky, Alexandre Gerber, Dan Pei, Jennifer Rexford, and Aman Shaikh, “Quantifying the extent of IPv6 deployment,” in Proc. Passive and Active Measurement Conference, April 2009. http://www.cs.princeton.edu/~jrex/papers/ipv6-pam09.pdf

[6] ISOC Press Release, “Major Websites Commit to 24-Hour Test Flight for IPv6”. January 12, 2011. http://isoc.org/wp/newsletter/?p=2902

[7] Craig Labovitz, Scott Iekel-Johnson, Danny McPherson, Jon Oberheide, and Farnam Jahanian, “Internet Inter-Domain Traffic”. Proceedings of ACM SIGCOMM 2010, New Delhi. August, 2010.

[8] Craig Labovitz, “Who Put the IPv6 in My Internet”. Arbor Networks Blog Post, September 8, 2009. http://asert.arbornetworks.com/2009/09/who-put-the-ipv6-in-my-internet.

[9] Lorenzo Colitti, Steinar H. Gunderson, Erik Kline, Tiziana Refice, “IPv6 Adoption in the Internet”, PAM 2010. http://www.google.com/research/pubs/pub36240.html

[10] Amsterdam Internet Exchange web site. http://www.ams-ix.net/sflow-stats. Retrieved March 4, 2010.

Posted in Security

Spam from your Facebook account? Malware attack poses as official warning

Cybercriminals are adopting a new disguise, following last week’s “Facebook password changed” malware attack.

Computer users are discovering malicious code has been sent to their email inboxes, pretending to be a notification from Facebook that their social networking account has been used to send out spam.

Spam is sent from your FaceBook account

A typical message reads:

Dear client

Spam is sent from your FaceBook account.

Your password has been changed for safety.

Information regarding your account and a new password is attached to the letter.
Read this information thoroughly and change the password to complicated one.

Please do not reply to this email, it's automatic mail notification!

Thank you.
FaceBook Service.

The attack would, perhaps, be a little more successful at fooling more people if it had gone through a grammar check and if the perpetrators had paid more attention to the fact that it’s spelt “Facebook” not “FaceBook”.

Nevertheless, there are doubtless some computer users who might be tempted to open the attached ZIP file and infect their computers with malware.

We’ve seen similar attacks before, of course – and I imagine that cybercriminals will continue to use ruses like this when spreading their malware. Plenty of people are hooked on Facebook, and a message telling them that their password has been reset is likely to send them into palpitations and they may open the unsolicited attachment without thinking.

After all, it’s not as though spam being sent from Facebook accounts is unusual.

If only more people realised that they cannot trust the “from:” address in an email, as it is so easily forged. In this case it presents itself as being from "Facebook Help" <official@facebook.com>, but in reality it could just as easily be a Hungarian hacker, a Finnish fraudster or a Serbian scammer who initiated the widespread spam attack.
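To show the check behind the point about forged From: addresses, here is an added example that is not from Sophos or the original post: it reads a constructed message modelled on the lure, takes the SPF and DKIM verdicts from the Authentication-Results header that a receiving mail server adds, and flags an unauthenticated sender domain and archive attachments. The header values, the benign comparison message and the placeholder attachment body are all constructed.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

ARCHIVE_EXTS = (".zip", ".rar", ".7z")

# Constructed sample modelled on the lure quoted above. The Authentication-
# Results line stands in for what the receiving mail server adds after checking
# SPF and DKIM; the attachment body is a short placeholder, not a real archive.
SAMPLE_LURE = """\
From: "Facebook Help" <official@facebook.com>
To: victim@example.com
Subject: Spam is sent from your FaceBook account
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=official@facebook.com; dkim=none
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Dear client

Spam is sent from your FaceBook account.
Your password has been changed for safety.

--b1
Content-Type: application/zip; name="New_Password.zip"
Content-Disposition: attachment; filename="New_Password.zip"
Content-Transfer-Encoding: base64

UEsDBAo=
--b1--
"""

# A constructed benign message for comparison: authenticated, no attachment.
SAMPLE_OK = """\
From: Example List <news@example.org>
To: victim@example.com
Subject: Weekly digest
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=news@example.org; dkim=pass header.d=example.org
Content-Type: text/plain

Nothing to see here.
"""


def parse_auth_results(msg):
    """Pull the spf= and dkim= verdicts out of the Authentication-Results header."""
    results = {"spf": "none", "dkim": "none"}
    header = str(msg.get("Authentication-Results", ""))
    for method in results:
        m = re.search(r"\b%s=(\w+)" % method, header)
        if m:
            results[method] = m.group(1).lower()
    return results


def attachment_names(msg):
    """Filenames of all attachment parts (empty for single-part messages)."""
    if not msg.is_multipart():
        return []
    return [p.get_filename() for p in msg.iter_attachments() if p.get_filename()]


def assess(raw):
    """Return what a reader should check before trusting a mail 'from Facebook'."""
    msg = message_from_string(raw, policy=policy.default)
    display, address = parseaddr(str(msg.get("From", "")))
    domain = address.rpartition("@")[2].lower()
    auth = parse_auth_results(msg)
    names = attachment_names(msg)
    findings = []
    if auth["spf"] != "pass" and auth["dkim"] != "pass":
        # The From: line is whatever the sender typed; only SPF/DKIM tie it to a domain.
        findings.append("sender domain %s not authenticated (spf=%s, dkim=%s)"
                        % (domain, auth["spf"], auth["dkim"]))
    archives = [n for n in names if n.lower().endswith(ARCHIVE_EXTS)]
    if archives:
        findings.append("unsolicited archive attachment: " + ", ".join(archives))
    return {"display_name": display, "from_domain": domain, "auth": auth,
            "attachments": names, "findings": findings}


if __name__ == "__main__":
    for label, raw in (("lure", SAMPLE_LURE), ("benign", SAMPLE_OK)):
        print(label, assess(raw)["findings"])
```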

Sophos products intercept the attack as Mal/BredoZp-B.

If you are one of those many people who can’t get enough of Facebook in their lives, you can stay informed about the latest scams by joining the Sophos Facebook page, where more than 70,000 people regularly share information on threats and discuss the latest security news.

Posted in Sophos

An open letter to Facebook about safety and privacy

Dear Facebook,

As you know, for some years we have been discussing with your security team our concerns about safety and privacy on Facebook.

Every day, victims report to us numerous incidents of crime and fraud on Facebook. They have been personally affected and are desperate for advice on how to deal with the consequences.

A frequent refrain from users who contact us is, ‘Why doesn’t Facebook do more to protect us?’

We have identified three simple steps you can take to better protect your users:

1) PRIVACY BY DEFAULT

No more sharing of information without your users’ express agreement (OPT-IN). Whenever you add a new feature to share additional information about your users, you should not assume that they want this feature turned on.

2) VETTED APP DEVELOPERS

It is far too easy to become a developer on Facebook. With over one million app developers already registered on the Facebook platform, it is hardly surprising that your service is riddled with rogue applications and viral scams. Only vetted and approved third-party developers should be allowed to publish apps on your platform.

3) HTTPS FOR EVERYTHING

We welcome you recently introducing an HTTPS option, but you left it turned off by default. Worse, you only commit to provide a secure connection “whenever possible”. Facebook should enforce a secure connection all the time, by default. Without this protection, your users are at risk of losing personal information to hackers.

Why wait until regulators force your hand on privacy? Act now for the greater good of all.

Your users tell us that these are issues they want resolved. So our question is simple: when do you plan to act?

Sincerely,

Naked Security

Posted in Sophos

‘Terrorizing’ Twitter & Facebook

You’ve probably heard by now that the US Department of Homeland Security is working on an overhaul of its terrorist alert system, which would involve, among other things, alerting people through Twitter and Facebook of changes to the threat level.

If you were one of the 140 individuals who took a poll on Internet Evolution last week then you definitely heard about this and even had an opinion on it. Wow!

We posed the following question to readers: “The US government may begin issuing terror alerts via Twitter and Facebook. Are you in favor of this new warning system?” Here’s the response we got:

A near-majority of poll-takers, 48 percent, said “Yes.” And, why not? As some people pointed out on the boards, a site like Twitter or Facebook is just another medium where lots of people gather. It seems like a no-brainer to leverage these widely read and highly trafficked channels in order to alert people to a crisis. Were the government to use Facebook and Twitter alone, that would be a different and more ridiculous story, but that’s not the case. The social networks would only get the alerts after state and local leaders had been directly informed.

So, great. I know I’m excited. But it’s worth considering why 36 percent of our seemingly skeptical respondents said “No,” they are not in favor of such a system, and why 16 percent aren’t sure.

Hmm… Ponder. Ponder.

Well, perhaps some people don’t think this will make much of a difference. Alan Reiter in a video blog on the subject notes that these alerts are all well and good, but they don’t help him feel any safer than he would otherwise (good for you, Alan, stay on guard!).

But, more than that, if we take into account how much misinformation is spread through social networking sites, it’s worth considering that there’s the potential for real disaster here.

Let’s say you see a Tweet or Facebook status saying the alert level is “Imminent.” Sure, any Internet Evolution user would know that we should be looking for the “Verified” Department of Homeland Security Twitter account, or the “Official” DHS Facebook page… but let’s say a very viable impersonator pops up and spreads word of terrorism? And then it spreads from there through many people, channels, trusted sources? The rapid spread of this “information” could cause mass chaos before the government or the social sites themselves even catch on.

Once people are informed that they can and should be looking on Twitter and Facebook for terrorist alerts, they will be looking, and the potential to misinform here is huge.

This is not to say that the government is wrong for looking to the Web’s most populated hangouts in order to constructively frighten people. Rather, it just points to a flaw inherent in the Internet, and the problem with leveraging every social tool for every use.

We’ve lamented before about the perils of using technology in ways such technology wasn’t intended to be used. Despite parties’ best intentions, as we’ve seen with the recent political uprisings, it doesn’t always work out.

Facebook and Twitter are unfortunately not equipped to stop every fake account and fake update in its tracks, and these instances are often not caught until it’s too late. They might be sites where hundreds of thousands of people gather to exchange information, but they are also places where people exchange a lot of wrong information. Factor in widespread terror threats, and the potential for chaos may be Imminent.

- Nicole Ferraro

Posted in Security

Facebook Password Has Been Changed…NOT!

We’ve already seen spam campaigns themed around Facebook, one of the most famous social networking sites, such as Facebook Password Reset Confirmation, New login system, and Facebook updated account agreement.

CA ISBU came across an active spam email campaign containing malware as a file attachment, as seen in [Figure 1]. The spam mail informs the recipient that their password is not safe and has been changed automatically by Facebook. It asks recipients to check the attachment containing the new password.

                   

[Figure 1 - Fake Facebook email]

The email contains the Subject: Facebook. The new password to your account. N8601

The email contains the Body:

——————————————————————————————————–

Dear user of FaceBook.

Your password is not safe!
To secure your account the password has been changed automatically.

Attached document contains a new password to your account and detailed information about new security measures.

Thank you for attention,
Your Facebook

——————————————————————————————————–

Other emails may contain the following Subjects:

  • Facebook password has been changed.
  • Facebook Support. Personal data has been changed! ID#####
  • Password has been changed. ID####

The email contains a malicious zipped file attachment with the filename New_Password_IN#####.zip or New_Password_NU####.zip. This file is detected by CA as a Win32/Bredolab variant.

*** where ##### stands for 4 or 5 random digits.

Again, we advise users to beware of these kinds of emails, avoid executing attachments coming from unsolicited emails and ensure that your CA Security Products are updated with the latest signatures.

Posted in CA Technologies

“The Hottest & Funniest Golf Course Video” scam has more than 200,000 likes on Facebook

Right now there's a scam making its way across Facebook linking to a video titled "The Hottest & Funniest Golf Course Video – LOL" (example screen shot below). Websense customers are protected by ACE, our Advanced Classification Engine. During the 15 minutes it took to write this post, over 7,000 new users liked the page, so it's clear this is a successful campaign.

 

 

This latest scam is very much like a lot of others we see on a regular basis on the world's most popular social networking site. But this one seems to be especially popular for some reason.

 

When clicking on the link you're taken to the following page, tricking you into not only liking the page but also sharing it with your friends. It's doing this by using standard Facebook APIs.

 

 

The page that you are tricked into liking has been liked by over 272,000 users and doesn't really have anything to do with the scam itself but is perhaps there to make it look more legitimate. The quote "<name>, are you scared? Of course I'm scared. I'm not Superman" is a quote by the actor Jackie Chan. 

 

 

After liking and sharing the page, and attempting to view the video, the user is taken to a typical CPA Survey scam so in the end there's no video at all. Note that the attackers haven't even bothered to change the title of the last payload site. The title still says "Look What Happens When a Father Catches her Daughter on Webcam" which is another scam that went around Facebook months ago.

 

 

As always, if a video forces you to like, share, or install an app to view it, DON'T DO IT! And of course, install Defensio, our free security app for Facebook. It will keep scams like this from ever appearing on your news feed in the first place.

Posted in Facebook


Facebook Scam Alert: ‘Everyone do check what she did on cam’ Spreading

We’re monitoring an on-going Facebook scam campaign that seems to be spreading faster than any campaign we’ve come across before.

What did this girl do on her webcam?


The scam starts with a user being tagged in a photo such as the one above. The photograph is posted in an album called “BBC News” to give it authenticity. It typically has over 100+ people tagged in it and it contains the following text: “Everyone do check what she did on cam …. — [URL]”

An example of what it would look like to see your friends tagged in this photo


The short URL typically redirects the users to a .info domain, which then takes the user to a Facebook Application Installation page.

Short URL redirects to the following Application Install Page


When a user allows the application, the scam continues with that user posting the same photo, tagging over 100 users in it and helping it propagate.

Over 100 Friends tagged in this scam


Users are also redirected to another .info domain, which contains a video that is gated by another form of a survey scam:

Facebook Verification Spam Bot - Freudian Slip?


The scammers have managed to be nimble enough to switch the campaign from one Short URL service to another. At first, this was spreading via Bit.ly:

Bit.ly Stats as this scam was first spreading


Over the course of an hour, this particular URL received over 80,000 clicks.  However, the scam has since shifted to the Goo.gl Short URL service:

Goo.gl Short URL Statistics for this scam


In less than an hour, the goo.gl version of the scam has reached over 125,000 clicks.

Recommendations: First and foremost, don’t click on the link included in the description of the photograph. One of the things you can do to prevent your friends/family members from falling for this is to untag yourself from the photograph:

You can untag yourself from any photo


Additionally, you can report the image so that Facebook can take action against it (this is an important step):

You can help prevent this scam from spreading by reporting it


If you’ve been tricked into installing the application, visit the Privacy Settings page and click on ‘Edit Your Settings’ under Apps and Websites.  Locate the Rogue Application under the Apps and Websites section (typically has the word “news” in it). Once you’ve located it under the  ‘Apps You Use’ section, click on ‘Edit Settings’ in order to remove the application.

Scammers are finding new ways to trick users. The key here is to be aware and to keep your friends and family members in the loop about scams like this one.  We can’t stress that enough.

Update: The goo.gl short URL has now logged over 220,000 clicks.

Over 220,000 clicks on the goo.gl short URL


Additionally, the scammers have also moved to TinyURL:

Scammers are also using tinyurl to lead users to the scam application


Posted in Facebook


Facebook Users Get Invited to a Spam Event

For some time now we’ve been reporting threats targeting Facebook users, most of which result in users unknowingly spreading spammy links to their networks. We’ve seen different social engineering techniques used, such as stalker tracker tools, news involving celebrities, and even footage of the recent Japan tragedy.

The said threats usually involve links accompanied by inviting text posted on affected users’ walls. Other users who get tricked into clicking the said links unknowingly execute a script, which leads to the very same spammy content being posted on their own walls.

Recently, however, we saw a different version of this scheme, which leverages a commonly used feature in Facebook—Events.

Instead of posting the spam links in users’ walls where it can easily get lost in the news feed, cybercriminals now use the Events feature to really grab their targets’ attention.

In this scheme, spammers create an event that will be enticing to many users. For example, we saw one event in a post that said “How to Find Out Who’s Viewing Your Profile.”


In the post’s More Info field, the spammer puts instructions that invited users must follow to be able to “view” or to “enjoy the service” the post promises—in this case, the ability to find out who viewed their profiles. You can see that most of the instructions contain ways to promote the event with the last step being to click a certain shortened link.

Needless to say, users tricked into following the given instructions end up promoting the spam event and making money for the spammer. Visiting the page the shortened link points to also executes a script that publishes the same link on the affected users’ walls.


This scheme seems to work fairly well for spammers, as we’ve seen spam events to which tens of thousands of users registered as attendees. We also observed that similar spam event posts are frequently updated by their posters, usually only modifying the provided links to avoid blockage.

As such, users are warned to ignore invitations of a similar nature. We are continuously monitoring for similar spam and blocking related URLs with the help of our Web Reputation Technology.

Post from: TrendLabs | Malware Blog – by Trend Micro


Posted in Facebook, Trendmicro

Canadian Pharmacy pops up in emails from Facebook with subject “Welcome to Facebook Goods”

MX Lab, http://www.mxlab.eu, has since yesterday been intercepting a new spam campaign sent by email with the subject “Welcome to Facebook Goods”. These messages are sent from spoofed email addresses in the format Facebook uses on the facebookmail.com domain. Some examples:

update+bscts2qxhedj@facebookmail.com
update+6i8mlfxn1svw@facebookmail.com

This is the body of the email:

Notice that Facebook’s look and feel is used to disguise the real purpose of the message.

Each message uses four different URLs of the form http://www.domainhere.tld/s/h/o/p/, which redirect you to the Canadian Pharmacy site at hxxp://midiclxic.ru/.

 

Posted in Facebook, Security


Facebook Scam Spreading: ‘Hey, I just made a photoshop of you, check it out’

We’ve been monitoring a new Facebook scam that is spreading via Facebook Chat messages.  This particular scam usually begins with a chat message from a friend like the one below:

Example of the Facebook Chat message


Once a user clicks on the link, they are redirected via the site used in this campaign (hxxp://millium.co.cc) to a Facebook Application installation window.

Facebook App asks for access to Facebook Chat


The reason this is spreading so quickly is because the Rogue application is asking for access to Facebook Chat. Once the application is installed, it begins spamming your Facebook friends/family members with the same message seen above.

After the application is installed, the user is redirected back to the site above and presented with the following image:

Click on the picture to see yourself in a sexy photoshop!

Your attention needs to be diverted long enough to allow the message to spread to your friends and family. Clicking on the photograph takes you to a Graphic Design blog entry that contains 45 Strange and Funny Photoshop Manipulations – none of which feature a photograph of you.

This scam is spreading rapidly: over 88,000 clicks per hour, and over 500,000 clicks so far today.

88,888 Clicks Per Hour

Over 500,000 Clicks Today

At this point, we do not know what the scammers’ end game is. The destination site causes no malicious infection and does not lead to a survey scam. But access to a user’s Facebook Chat would let the scam application be used to send out other messages later.

If you or anyone you know have been tricked into installing this application, you can start by removing the application from your Facebook profile.  Visit the Privacy Settings page and click on ‘Edit Your Settings’ under Apps and Websites.

Remove the Rogue Facebook Application

Find the Rogue Application under the Apps and Websites section

Once you’ve located the application (named ‘millium’) in the ‘Apps You Use’ section, click on ‘Edit Settings’ in order to remove the application.

Remove 'millium' Rogue Facebook Application

Removing the application is one thing. We also encourage users, whether or not they have been tricked into installing this application, to reach out to family and friends on Facebook and tell them that this scam is spreading. Knowing is half the battle.

Posted in Facebook, Security

Facebook HTTPS is a Bit More Done…

Our February 23rd post noted that Facebook’s SSL “Secure Browsing” preference was not staying persistent.

There’s been some encouraging progress since then, and this is now what happens when a non-HTTPS application is accessed:

Facebook, Secure Browsing (HTTPS)

So at least the setting is persistent. Hopefully the feature will be more dynamic in the near future.

If you have a Facebook account, and want to update your settings for HTTPS, you’ll find the option under Account Security.

Posted in F-Secure

Italian model exposed in Facebook clickjacking attack

The mere mention of anything with a sexual connotation on Facebook almost always generates major activity, with people wanting to know more. As a result, whatever the attack vector or channel might be gets propagated, and the attacker is sure to get some response.

In this example a Facebook click-jacking attack jumped on the bandwagon of Italian model Marika Fruscio's wardrobe malfunction on live TV. The title of the scam on Facebook was "The beautiful Marika Fruscio shows her breasts on Italian TV!", which almost sounds like it was staged rather than an accident. Whatever the theory, the interesting part of this attack is what happens when someone clicks the provided link to watch the embedded video.

The attack seems harmless: on clicking the link, the user is taken to another page where they can view the video. While this is happening, however, the user's account is being exploited to post the video on their own page for further distribution. The user is also added to the list of those who "like" the video, which encourages others to view it. The series of steps involved is shown below.

A compromised account shows the post as being liked by a friend or contact in your Facebook account:

The user is then directed to the page below to view the video. Unknown to the user, the page's HTML contains hidden elements and iframes positioned over the Play button that load the user's 'Like' control from Facebook. These hidden elements are where the magic of click-jacking, or rather like-jacking, happens.

Innocent-looking page as seen by the user:

The same page with its hidden elements and the iframe superimposed on the Play button and other parts of the page revealed:

On clicking the Play button, two things happen. First, the user's Facebook account 'likes' the video, and as a result the video is posted on their wall. Second, the video of Marika Fruscio's wardrobe malfunction on live TV plays.

Below is the screen the user is presented with if they are not already logged in to Facebook:

The compromised account then displays a video link on the user's wall, encouraging others to view it.

There are several possible motives for this type of attack. In this instance nothing overtly malicious is delivered, which brings to mind the elaborate ploy where an attacker uses the technique simply to earn money. Pay-per-click springs to mind: attackers running these scams usually get users to click on hidden links in order to generate many hits, which are then rewarded with money.

Further analysis using our in-house tools on spontour.net shows the various links and how they are interconnected.

To protect yourself from attacks such as these, and from posts like this being made on your wall, try our free Defensio Facebook app.

Posted in Facebook

Facebook scams becoming increasingly multilingual

When I was checking Facebook this morning, I spotted some friends posting the same message all over their friends’ walls. Well, another likejacking scam I assumed. So I did what I usually do when this happens, I wrote them a quick note telling them to clean up their Facebook apps and delete the wall posts. Nothing spectacular so far, as this happens on quite a regular basis. But wait… something’s different this time: the whole scam is delivered in German! A really rare occurrence, but something which I expect to happen more often in future. “Why?” I hear you ask. Well, here’s my theory:

About 70% of all Facebook users are based outside the US, which according to official Facebook statistics means more than 350 million people. Most of these users do not speak English as their native language. For cybercriminals, this means English-only scams miss the larger part of their target audience. Since many people understand English, previous scams of this type worked out quite well, but they were also easy to spot outside the US and the UK, because it’s odd when people suddenly start writing messages in English when they usually don’t. At the same time, likejacking scams have become better known among users of social networks. For these reasons the people behind the scams are doing what they started doing with spam years ago: localizing the content into different languages to broaden the target audience. While the localized spam messages of those days were heavily flawed in terms of language and design, the process has been perfected much faster on today’s social networks, as this example shows:


The scam is about a rollercoaster accident at one of Germany’s largest fairs and offers a video of it. The comment added by the victim says:

“Hey have you seen that? Unbelievable. Couldn’t even watch it till the end. Will NEVER ever ride rollercoasters again.”

The link leads to the Facebook app’s site. The section on the right, which advertises itself with more than 420,000 Facebook fans, has been faked. It’s part of the image.


After clicking the link, you will be asked by a Facebook app to grant access to your profile data and allow it to post to your wall.


After allowing the app access to your account, you will be redirected to this webpage which promises to let you watch the video and also gives a warning about the disturbing content.

Before that, however, you have to take part in a survey. The webpage sells this as an anti-spam function. This website will monitor your progress in the survey, which opens up in a new window. The people behind these scams put a lot of effort into creating statistics to find out how well their scam worked – which is also the case here: they run various scripts to collect information on how many people visited the page, which survey they took and where the user comes from by using GeoIP services.

The surveys are about love and relationships and they promise to send your personalized result by SMS. By giving your mobile phone number, you’re subscribing to the service for €2.99 every 5 days, until you quit the subscription.

After completing the survey, you’ll finally get to see the video – which by now has already been removed because it violated the terms of use of the site where it was hosted.

If you see such a scam spreading among your Facebook friends, please notify them and tell them to remove the app as well as wall posts. Provide a link to this blog post to educate them about this type of scam. Scams such as these only work when people react to them.

This case has been reported to Facebook.

– Christian

Posted in Facebook, Kaspersky

“Japan Earthquake Relief” and “Young girl commits suicide” Facebook apps

Below we have a rather fetching page located at helpjapan(dot)co(dot)tv:


Click to Enlarge

“Japan Earthquake Relief: Help raise money for disaster relief in Japan with a few clicks of your mouse”.

That’s great, except hitting the Connect with Facebook button reveals an app called “your age pic” located at apps(dot)facebook(dot)com/youwilllooklike – at least, it would if it wasn’t currently offline due to an “issue with its third party developer”.


Click to Enlarge

Check out the reviews, which mention friend spamming. Here’s someone having problems with rapid fire messages being sent out.

The message posted to Facebook pages looks like this:


Click to Enlarge

“YOUR 1 click = $ 0.5 for Japan Relief Fund !!  Guys ! Japan needs ur help real bad !! People are suffering,lost their homes,friends,family and more  Please Support the earthquake victims @ helpjapan(dot)co(dot)tv/”

There are quite a few of those knocking around in public Facebook searches right now. Given that the whois information for the website looks fake (“the almsn ddsfg Afghanistan”?) and it is hosted alongside what look like Call of Duty Facebook scam sites, I doubt we’ll be seeing this app reactivated.

Below, you can see a continuation of the popular “girl commits suicide on cam” scam, sitting on a Facebook app page located at apps(dot)facebook(dot)com/hollevideo.

 Click to Enlarge


Click to Enlarge

The app for this one is currently offline, but alongside the surveys and profile editor pages you could also allow the app to “access your basic info, post to your wall and access your data anytime”.

You know, if you really wanted to…

Christopher Boyd (Thanks to Wendy for the webcam app link)

Posted in GFI Software

Zbot and Black Hole Exploit Kit “all in one” fake Facebook notification Emails

Websense® Security Labs™ Threatseeker® network has detected a new malicious email campaign that masquerades as originating from Facebook. The campaign appears to actually originate from the Cutwail/Pushdo spam bot. This time round, the cybercriminals employ two attack vectors, social engineering and an exploit kit, and both end with the Zeus/Zbot Trojan installed on the targeted machine.

Websense customers are protected from this attack by the Advanced Classification Engine analytics in our TRITON suite of technologies.

Here is an example of a malicious email in Spanish:

The email is spoofed to appear to come from Facebook.com and says: "Hi, someone loves your photo comments, please click on the link to see all comments". It provides a fake URL disguised as an official-looking Facebook link. Once the link is clicked, the user is redirected to an attack page and prompted to download and run an "update" from Facebook. The "update" file is a Zeus/Zbot Trojan variant; at the time of writing it had a detection rate of only 7%.
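The link disguise just described (visible text that reads like a Facebook URL while the real href goes elsewhere) can be checked mechanically over an e-mail's HTML body. The following is an added example written for this page, not Websense's code; the trusted-domain list and the sample message are assumptions made for the example, and 198.51.100.7 is a documentation address standing in for the attacker's host.

```javascript
// Added example for this page, not Websense's code. Given the HTML body of an e-mail,
// it finds anchors whose visible text looks like a URL on a trusted domain while the
// real href points elsewhere, the "fake URL disguised as a Facebook link" trick
// described above. TRUSTED_HOSTS and SAMPLE_EMAIL are assumptions made for the
// example; 198.51.100.7 is a documentation address, not a real attacker host.

const TRUSTED_HOSTS = ['facebook.com', 'facebookmail.com'];

// Hostname of an absolute URL, lower-cased; null for relative or malformed hrefs.
function hostOf(url) {
  try { return new URL(url).hostname.toLowerCase(); } catch (e) { return null; }
}

// True for a trusted domain or one of its subdomains: apps.facebook.com yes,
// facebook.com.evil.invalid no (the suffix test is anchored at a dot).
function isTrusted(host) {
  return host !== null && TRUSTED_HOSTS.some(t => host === t || host.endsWith('.' + t));
}

// What the recipient sees for an anchor: its inner HTML with tags and extra spaces removed.
function visibleText(innerHtml) {
  return innerHtml.replace(/<[^>]*>/g, '').replace(/\s+/g, ' ').trim();
}

// One record per <a> whose text claims a trusted host but whose href does not go there.
function findDisguisedLinks(html) {
  const anchorRe = /<a\b[^>]*\bhref\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))[^>]*>([\s\S]*?)<\/a>/gi;
  const hostInText = /(?:https?:\/\/)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)(?:\/\S*)?/i;
  const hits = [];
  let m;
  while ((m = anchorRe.exec(html)) !== null) {
    const href = m[1] !== undefined ? m[1] : (m[2] !== undefined ? m[2] : m[3]);
    const text = visibleText(m[4]);
    const claim = hostInText.exec(text);           // does the text itself look like a URL or host?
    const claimedHost = claim ? claim[1].toLowerCase() : null;
    const hrefHost = hostOf(href);
    if (claimedHost && isTrusted(claimedHost) && !isTrusted(hrefHost)) {
      hits.push({ text, href, claimedHost, hrefHost });
    }
  }
  return hits;
}

// Constructed sample message in the style of the campaign: one disguised link,
// one genuine Facebook link, one link whose text makes no claim about its destination.
const SAMPLE_EMAIL = `
<p>Hi, someone loves your photo comments, please click on the link to see all comments:</p>
<p><a href="http://198.51.100.7/fb/update.php?id=1">http://www.facebook.com/n/?photo_comments</a></p>
<p><a href="https://www.facebook.com/help/">www.facebook.com/help</a></p>
<p><a href="http://www.example.net/unsubscribe">Unsubscribe</a></p>`;

console.log(findDisguisedLinks(SAMPLE_EMAIL));
```

Only links whose visible text makes a claim about the destination are flagged; a bare "Unsubscribe" pointing at a third-party host is left alone, which keeps the check from drowning in false positives on ordinary newsletters. A genuine mismatch of this kind in a message that also claims to come from facebookmail.com is a strong enough signal to quarantine on its own.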

 

 

The attack isn't over yet. While the fake Facebook page loads, the user's machine is silently attacked with several exploits in the background. The exploits are delivered via an iframe embedded in the fake Facebook attack page, so this happens as soon as the page loads, without any further user action. The exploits come from one of the most prevalent exploit kits today, the Blackhole exploit kit. Any successful exploitation results in the Zeus/Zbot Trojan being installed silently on the user's machine.

Here is an example iframe from the Facebook attack page that points to the Blackhole exploit kit:

Posted in Facebook


Are Facebook Comments the Death of Anonymity?

Facebook recently announced a major overhaul of their comments system. The new changes will allow Facebook users to comment on third-party websites using their profiles. Supporters of the new system hope that it will help in combating Internet trolls and comment spam because Facebook accounts typically use real names. Critics of the system argue that it’s a threat to free speech.

A number of critics have cited this quote by Mark Zuckerberg, from The Facebook Effect: “You have one identity. The days of you having a different image for your work friends or co-workers and for the other people you know are probably coming to an end pretty quickly … Having two identities for yourself is an example of a lack of integrity.”

Reactions among social activists have not been positive. But really, why? Is having only one identity really such a strange concept?

Other than The Batman, who really needs more than one identity?

I only have one identity. I also have an alias on Twitter, @FSLabsAdvisor, and you can probably tell based on its name, it’s a work related account and primarily reflects my work persona as a public spokesperson of F-Secure. It’s directly connected to my identity, but only represents a particular side of my personality.

I have multiple aliases on the Internet, a couple of them are anonymous, but I only need one identity.

Maintaining identity, privacy and integrity on the Internet can be a tricky thing — take Sarah Palin for example. About three weeks ago, Jack Stuef at Wonkette wrote that Palin maintained a personal Facebook account using the name “Lou Sarah”. (Palin’s middle name is Louise.) Stuef’s take on the story was that Palin had a “secret” account to praise her “Sarah Palin” account. And he doesn’t seem to take her Lou Sarah account as a sign of great integrity.

It was quite a good catch, but Stuef didn’t get it entirely right. The Sarah Palin account is not a “profile”. It is a special type of hybrid “page” for celebrities that behaves as a profile. But it’s really just a page and part of Sarah Palin’s personal brand. It’s very likely that the page is entirely administered by her public relations team.

A lot of people wanting to manage their privacy create anonymous Facebook accounts. Many people clearly want aliases. I suspect that a great deal of the backlash directed at Zuckerberg is due to the fact that having multiple accounts per individual is a violation of Facebook’s Terms of Service, and Zuck says stuff that makes them sound like criminals.

I think some of the backlash is deserved.

Facebook’s corporate line is that you should only friend people that you actually know. But Facebook makes a lot of money from partnerships with social game companies such as Zynga. Social gaming is a form of casual gaming, and casual gaming encourages the formation of casual friendships. Facebook profits are in part driven by the formation of casual friendships.

You can’t have your cake and eat it too.

I’ve seen lots of examples where people have created secondary accounts to play Facebook games with “virtual” friends. As long as Facebook profits from casual friendships, they need to find a way to better protect their users’ privacy. Facebook needs to step up and offer users some sort of aliases, or else they need adjust their TOS.

I’m not holding my breath.

But how about Facebook’s new commenting system?

Is it the death of anonymity and free speech?

Probably not. There’s a “backdoor” method which is already being used to comment anonymously.

Pages.

TechCrunch buried this lead in their initial story: “Incidentally, it’s also now possible to leave a comment on an external site as a Facebook Page, which means we could see brands use Facebook to leave ‘official’ comments on blog posts.”

So here’s an example of what you can do — create a fictional character.

My character is named “Jaajo Jantteri”. And I hold the copyright so I’m in full compliance with Facebook’s Page Terms.

Jaajo Jantteri

Next, visit a site testing the new comments, such as TechCrunch. Select the alias of your choice.

Leave Comments

And comment.

Hello world

Now we just need to hope that trolls and spammers won’t want to do the same.

But hey, if Facebook wants to move the battleground within their walled garden, I say, let them.

Regards,
####

On 16/03/11 At 06:38 PM

Posted in F-Secure

Facebook Likejacking, phishing and spam

Last Thursday, I wrote about Facebook Likejacking. Today, similar pages were brought to my attention. They use Likejacking to spread through user profiles using much more aggressive spam techniques.

The pages look like they come from Facebook. The teaser is a video that should be watched “only if you are 16 or older”. The Play button hides a Facebook Like widget.

Spam page looking like Facebook

Before the user can play the video, he must either verify that he is at least 18, or that he is human … by filling out surveys, trying games, etc.! The spammers are paid for each action taken by the user (PTC campaign).

“Security check”: the user must fill out a survey

If you stay on these pages long enough, they will attempt to send a form on your behalf. Fortunately, Firefox throws a warning.

Firefox prevents the automatic POST

acidattacker.com shows a Facebook page and a YouTube page with the same content.

Fake Youtube page from spammers

These spam pages can be found at:

  • hxxp://bnltwo.info/video2/
  • hxxp://acidattacker.com/

– Julien

Posted in Facebook

Steer clear of “Profile Update” Facebook application

Let’s take a look at the latest in long line of fake stalker apps on Facebook.

This one is called “Profile Update” and makes a number of claims about tracking visitors while changing your profile background. “Change your background and see your stalkers”, they claim: installing their update will let you see who is stalking you.


Click to Enlarge


Click to Enlarge

If you agree to their terms of service (which are rather long and mention Singapore as being the base of operations for this one) you’ll be prompted to install the rogue application when logging in, giving access to your basic information, granting wall posting rights and letting it “access your data anytime”.


Click to Enlarge

You’ll also be prompted to fill in the inevitable survey, which randomly decides to talk about “Profile Peekers 2.0″ instead of “Profile Update”. It’s almost like they’re making it up as they go along.


Click to Enlarge

While you’re busy signing your life away to coupons, fruit snack offers and fabric conditioner trials your wall will start to look like this:


Click to Enlarge

Before the police come and take me away for questioning, I should mention that some of the URLs involved are foksrox21(dot)info and wurstbrota(dot)info. Please don’t be fooled by these stalker apps – scams such as these have been around since the days of Myspace, and they didn’t work then either. Wurstbrota is still live, but the foxrox URL currently redirects to a Formspring page. The rogue application seems to be currently unavailable too, so hopefully this is in the process of being shut down.

Christopher Boyd

Posted in Facebook, GFI Software

My Facebook profile has been visited more than 15.000 times!

A friend who is new to Facebook asked, “How is it possible? I just created a Facebook account a few days ago, but my profile has been visited more than 15,000 times. I feel like a celebrity!”

“wow, i just found out that i had total 15158 visits to my profile and among these my ex was one that visited my profile the most with 121 visits just for last 7 days. You can check also your visits here http://apps.facebook.com/XXXXXXXXstalkers/”

My friend then realized that he had visited a Facebook application claiming to know who, and how many people, had visited his profile. This scam application is known as “List your stalkers”. Facebook has closed similar applications before, but the bad guys never stop re-creating the same application under different names.

When a user opens an application page on Facebook, the application normally asks the user for permissions. Once the user grants them, the application can access all of the user’s information, from biographical data to the right to post on the user’s wall.

Before being able to use these applications, users are asked to fill out surveys, which the scammers present as a verification method called “Facebook Verification Spam Bot”. This is of course nonsense: they simply get paid for every survey a visitor successfully completes.

After a user visits the application, there will be a post on the wall, with a link that leads to the application. If your friend sees this and is curious, he will also visit the application and follow the same prompts that you just followed. This is one reason why this kind of application spreads so quickly.

Even so, many people still wonder: is it true? Can it really be done? Facebook has the answer here:

“Facebook does not provide applications or groups with the technical means to allow people to track profile views or see statistics on how often a particular piece of content has been viewed and by whom. If an application claims to provide this functionality, please report the application by going to the application’s About page and clicking “Report Application” at the bottom of the page, or by clicking “Report” at the bottom of any canvas page within the application.

Applications you use may ask for permission to access content from your News Feed and Wall. Granting this permission does not allow applications to see who has viewed your profile. It simply allows applications to see which friends have interacted with posts, such as which friends liked or engaged with a particular wall post.”

Many people believe whatever they read or see on their friends’ walls. Be careful, it is not necessarily true! And remember: if it looks suspect, it probably is.

Join the Emsisoft Facebook page, and don’t forget to follow us on Twitter to stay up to date.

Posted in Antivirus

A bookmarklet to uncover Facebook Likejacking

Spammers love to use hidden Facebook “Like” buttons to spread their spam quickly, a technique called Likejacking. Recently, I was forwarded a few German Likejacking pages:

  • hxxp://www.ksmp3.de/Guten-Morgen-Schatz-geht-daneben/ (live)
  • hxxp://www.mir-gefaellts.eu/erwischt/webcam-girl1/index.html (down)
  • hxxp://respectmiley.info/ (down)

Spam page with hidden Facebook “Like” button

The spam pages contain a lot of ads (of course!), a video and a hidden iframe. The hidden iframe contains the Facebook “Like” button and follows the mouse as the user hovers over the video to click the Play button. The user’s click therefore both triggers the Facebook “Like” widget and starts the video. The spam page then appears in the user’s Facebook news feed, spreading the spam to more people.

Source code of the hidden iframe

To hide the iframe, it is reduced to 2×2 pixels and has a black background (same as the video background).

Bookmarklet to uncover hidden iframes

A simple way to uncover the hidden iframe is to make the parent iframe bigger. I removed the “width: 2px” and “height: 2px” attributes for the “hidden” iframe, and the “Like” button became apparent.

The Facebook “Like” widget uncovered. Notice the black background.

All browsers allow users to run JavaScript in the context of the page through a bookmarklet. I’ve turned the JavaScript I used in the example above into a bookmarklet. Drag and drop the link below to your bookmarks. This creates a new bookmark, “Uncover Facebook Likejacking 1.0 (Zscaler)”. If you browse to a suspicious page and suspect a hidden “Like” widget, click this bookmark to uncover any potential Likejacking.

Uncover Facebook Likejacking 1.0 (Zscaler)

The bookmarklet’s JavaScript lives in the link’s href; its beginning is missing from this copy of the post, and the surviving part reads (with the quote characters repaired):

>0){alert('Sorry, this script does not work with frames. Please load each frame in a different tab or window.');}$('*').each(function(){try{if($(this).contents().find('iframe[src*="http://www.facebook.com/plugins/like.php"]').length>0){$(this).contents().find('iframe[src*="http://www.facebook.com/plugins/like.php"]').show().css({'width':'','height':''}).parents().show().css({'width':'','height':''});$(this).show().css({'width':'','height':''}).parents().show().css({'width':'','height':''});}}catch(ex){}})});}})();

You can find the original JavaScript here.

Here is short video of how it works.

Same origin policy

Because the JavaScript from the bookmarklet runs in the context of the page, it is subject to the same-origin policy. This means the JavaScript cannot access frames or iframes loaded from a domain different from the main page’s. The script shows a warning if a page contains frames; you can load each frame in a different tab and run the bookmarklet on each of them.

Warnings on pages using frames
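The same idea as the bookmarklet, written out as an added example for this page: it is not Zscaler’s script and not code from any of the likejacking pages described here (the Marika Fruscio click-jacking post, the earlier Likejacking post and this one), but it implements the check they all describe, a Facebook “Like” iframe shrunk to a few pixels, faded out or otherwise hidden under a Play button. It runs under Node on saved page source, and the `uncoverInPage` part runs in a browser from a bookmarklet, skipping other-origin frames rather than crashing on them. The sample HTML at the bottom is constructed for the example, and example.invalid is a placeholder host.

```javascript
// Added example for this page: not Zscaler's bookmarklet, and not code from any likejacking
// page discussed here. It flags Facebook "Like" iframes a page has shrunk or hidden (the
// 2x2 px black trick described above) and, in a browser, enlarges them so the widget shows.
// SAMPLE_HTML is constructed for the example; example.invalid is a placeholder host.

const LIKE_SRC = /^(?:https?:)?\/\/(?:www\.)?facebook\.com\/plugins\/like\.php/i;
const TINY_PX = 10; // a genuine Like button renders at roughly 90x20 px or larger

// First number in a CSS or attribute value ("2px" -> 2), or null when there is none.
function pxOf(value) {
  const m = value === undefined || value === null ? null : String(value).match(/-?\d+(?:\.\d+)?/);
  return m ? parseFloat(m[0]) : null;
}

// One property of an inline style string ("width: 2px; height: 2px", "height" -> "2px"), or null.
function styleProp(style, name) {
  const m = new RegExp('(?:^|;)\\s*' + name + '\\s*:\\s*([^;]+)', 'i').exec(style || '');
  return m ? m[1].trim() : null;
}

// Classify one iframe from {src, width, height, style}: null if it is not a Like widget,
// otherwise {src, hidden, reasons} where reasons says why the widget would be invisible.
function classifyFrame(frame) {
  if (!LIKE_SRC.test(frame.src || '')) return null;
  const style = frame.style || '';
  const width = pxOf(styleProp(style, 'width')) ?? pxOf(frame.width);
  const height = pxOf(styleProp(style, 'height')) ?? pxOf(frame.height);
  const opacity = pxOf(styleProp(style, 'opacity'));
  const reasons = [];
  if (width !== null && width <= TINY_PX) reasons.push(`width ${width}px`);
  if (height !== null && height <= TINY_PX) reasons.push(`height ${height}px`);
  if (opacity !== null && opacity < 0.1) reasons.push(`opacity ${opacity}`);
  if (/(?:^|;)\s*(?:visibility\s*:\s*hidden|display\s*:\s*none)/i.test(style)) reasons.push('not displayed');
  return { src: frame.src, hidden: reasons.length > 0, reasons };
}

// Value of one attribute in a tag's attribute text, or null.
function attrOf(attrs, name) {
  const m = new RegExp('(?:^|\\s)' + name + '\\s*=\\s*(?:"([^"]*)"|\'([^\']*)\'|([^\\s>]+))', 'i').exec(attrs);
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}

// Static scan of saved page source, no DOM needed: a verdict for every Like iframe found.
function findLikeFrames(html) {
  const hits = [];
  for (const m of html.matchAll(/<iframe\b([^>]*)>/gi)) {
    const v = classifyFrame({ src: attrOf(m[1], 'src'), width: attrOf(m[1], 'width'),
                              height: attrOf(m[1], 'height'), style: attrOf(m[1], 'style') });
    if (v) hits.push(v);
  }
  return hits;
}

// Browser side, for a bookmarklet: uncoverInPage(document). The same-origin policy keeps the
// contents of other-origin frames off limits (contentDocument is null or throws), which is
// the limitation the post describes; such frames are skipped instead of crashing the script.
function sameOriginDocuments(doc) {
  const docs = [doc];
  for (const f of doc.querySelectorAll('frame, iframe')) {
    let inner = null;
    try { inner = f.contentDocument; } catch (e) { /* cross-origin frame */ }
    if (inner) docs.push(...sameOriginDocuments(inner));
  }
  return docs;
}

function uncoverInPage(doc) {
  const found = [];
  for (const d of sameOriginDocuments(doc)) {
    for (const el of d.querySelectorAll('iframe')) {
      const rect = el.getBoundingClientRect(); // rendered size, however the CSS produced it
      const cs = d.defaultView.getComputedStyle(el);
      const v = classifyFrame({ src: el.src, width: rect.width, height: rect.height,
        style: `opacity:${cs.opacity};visibility:${cs.visibility};display:${cs.display}` });
      if (!v || !v.hidden) continue;
      for (let n = el; n && n.style; n = n.parentElement) { // undo the shrinking up the tree
        n.style.width = ''; n.style.height = ''; n.style.opacity = '1';
        n.style.display = ''; n.style.visibility = 'visible';
      }
      el.width = 450; el.height = 80; el.style.outline = '4px solid red';
      found.push(v);
    }
  }
  return found;
}

// Constructed sample: a 2x2 px black Like iframe over a "video", a normal Like button, an unrelated embed.
const SAMPLE_HTML = `
<div id="video" style="background:#000">
  <iframe src="http://www.facebook.com/plugins/like.php?href=http://example.invalid/video"
          style="width: 2px; height: 2px; border: 0; background: #000" scrolling="no"></iframe>
  <iframe src="http://www.facebook.com/plugins/like.php?href=http://example.invalid/home"
          width="450" height="80"></iframe>
  <iframe src="https://www.youtube.com/embed/abc" width="640" height="360"></iframe>
</div>`;

console.log(findLikeFrames(SAMPLE_HTML));
```

The in-page variant deliberately measures the rendered box with `getBoundingClientRect` and the computed style rather than trusting inline attributes, so a widget hidden through a stylesheet class or a clipping parent is caught as well; the static scanner only sees what is written in the tag, which is enough for the 2x2 px inline-style case shown above.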

If you’re ever a victim of Likejacking, you can always remove the spam from your news feed and mark it as spam. But Facebook does seem pretty slow at reacting to Likejacking: this web page is still being shown in users’ news feeds after several days of spamming people.

– Julien

Posted in Facebook

Miley Cyrus, Justin Bieber Facebook Spam Reemerges

Recently we reported on a scam that turned Facebook users curious about their “stalkers” into unwilling spammers. Now we are seeing newly created domains tied to yet another scam targeting Facebook users, this time reusing social engineering lures seen in the past.

The domains were seen linked from Facebook posts bearing messages such as the following:

• “This Guy Took A Picture Of His Face Every Day For 8 Years”
• “Look What Happens When Father And Daughter Meet On Chat Roulette”
• “I can’t believe a GIRL did this because of Justin Bieber”
• “SICK! I lost all respect for Miley Cyrus when I watched this video!”

The domain names share a set of keywords: daddy, busted, guy, face, pic, miley and bieber.

Once a user follows the link in such a post, they are redirected to a YouTube look-alike page, a technique typically used by the infamous KOOBFACE gang. The page actually contains nothing more than an image resembling a page from the video-sharing site.

Click for larger view

When the user clicks anywhere on the page, a prompt appears asking them to answer a survey, supposedly to confirm the viewer’s age.

Click for larger view

What really happens is that a malicious script, detected by Trend Micro as PHP_FBJACK.A, accesses the user’s Facebook account and posts a link to the same malicious page along with a message similar to the ones listed above.

Click for larger view

Facebook was named the most dangerous social networking site in 2010, and it still is, considering the numerous attacks that target Facebook users every day. Facebook users should therefore be extremely cautious when navigating the network, especially when clicking shared links, even those posted by trusted contacts.

The Trend Micro™ Smart Protection Network™ already protects users from this attack: related URLs are blocked and the scripts are detected.

Post from: TrendLabs | Malware Blog – by Trend Micro

Miley Cyrus, Justin Bieber Facebook Spam Reemerges

Posted in Facebook, Trendmicro

Facebook app pages serve up JavaScript and Acai Berry spam

Thanks to Matthew for sending this one over.

There’s a nasty round of Facebook app pages dabbling in JavaScript shenanigans to spam Acai Berry diet pages on your profile wall. Simply visiting these pages while logged in is enough to post some spam, and most of the pages involved promise (surprise, surprise) a video to watch:

Click to Enlarge

If you try to navigate away from the above app page, a message pops up claiming you’re about to “corrupt the Flash install”. Total nonsense, but it keeps you on the page just long enough for something like the below to be posted to your profile:

Click to Enlarge

“I am living proof that this works”, claims the “facebook sponsored weight loss product”. No sign of anyone yelling “Beefcake, Beefcake”, but let’s dispense with the South Park references and see where the spam link leads:

Click to Enlarge

Oh look, a fake news site touting logos from various news sources. Needless to say, you don’t want to be handing over any money for the above. Though the code in the screenshot below may look like a load of tech-related jibber-jabber, you can still pick out many of the text strings used for the various spam messages:

Click to Enlarge

Spam messages are also sent out as wall postings and Facebook Chat messages that look like this:

“Hey, What the hell are you doing in this video? Is this dancing or what?? Bahahah”

You can see that in the above screenshot too (look near the bottom of the code). If you don’t want to strain your eyes, here it is in action:

There appears to be one main domain for this, franebook(dot)com (although it’s currently serving up 404 errors), and many of the related application pages also appear to have been taken down by Facebook. apps(dot)facebook(dot)com/bergamoleyra/ and apps(dot)facebook(dot)com/hellenismkpmga/ are both giving “page not found” messages, although a number of app pages are still live and redirecting to the Acai Berry spam sites.

As always, be careful what you click on in Facebook: random messages promising junk will usually give you just that (and perhaps a little more besides).

Christopher Boyd

Posted in Facebook, GFI Software

Facebook notification emails spread malware

People have started receiving an email claiming that the “Facebook Copyrights Department” has detected unusual copyright activity linked to their Facebook account, and asking them to follow the link below to fill in a “Copyright Law form”:

http://www.facebook.com/application_form

When we click on this URL, it redirects to the URL below, from which the malicious binary “bot.exe” is downloaded:

http://bon[xxxxx]elersport.nl/facebook/bot.exe

When run, the file drops a copy of itself at:

%system%\sdra64.exe

Once active, it also creates the following files:

%system%\lowsec\local.ds – configuration file
%system%\lowsec\lowsec\user.ds – stolen data

It may steal the user’s account information as it is entered in the browser. The stolen information is then stored in the dropped file %system%\lowsec\lowsec\user.ds.

Quick Heal detects this malware as “Win32.Trojan-Spy.Zbot.gen.3”.

Posted in Facebook, Quick Heal
