Massive Spam Campaign Impersonates Social Networks


By Andrew Brandt


Spammers are the source of a flood of messages that appear to originate from various social networks, including Facebook and Myspace, as well as popular sites like iTunes.

The spam messages usually just contain a link, and possibly a few words. Their subject matter falls into three general categories common to most contemporary spam: Pill vendors, Russian bride “vendors,” and drive-by download sites hosting Zbot password-stealer installers.

It’s not unusual for spammers to forge the return addresses, but the sheer volume of spam that has been forged so it appears to originate from MySpace, Facebook, or iTunes is notable.


Friends, Followers, Fans: Be On Guard in 2010


By Mike Kronenberg


Do you use a social networking site? Be prepared, because I predict in 2010 it’ll be a major target for cyber criminals. Among the threat experts here at Webroot, we’ve discussed the ROI opportunity that social networks present to an enterprising hacker who strings together the personal information people choose to share on social networks, or who creates a program to infect PCs with one click of a malicious link.

I’ve also discussed the issue with my colleagues in the security industry. Each of us acknowledges that users of all kinds – be it individuals, public figures, nonprofits, or corporations – assume a certain level of risk when signing on to one. But we all agree social networks are pretty much essential in today’s networked society and economy.

Given that, I’d like to share my take on the top five reasons why social networks hold such great appeal for cybercriminals so you can begin thinking about how you’ll use them in 2010.

Facebook Phishing Campaign Wants Your Passwords


By Andrew Brandt


Yet another new phishing campaign targeting users of Facebook struck over the Halloween holiday weekend. After scammers began filling inboxes last week with bogus “Facebook update” attachments, this weekend we saw a different group at work. Employing URLs with random domain names registered under the .eu top-level domain, the campaign looks similar to messages distributed in a recent series of phishing campaigns that attempt to convince the user that the mail comes from a legitimate source, such as the FDIC, IRS, HMRC (the UK’s tax authority), your IT department, or any of several well-known banks.

The email messages use a forged From: address that makes the message appear to originate from the legitimate facebookmail.com domain (the From: header is trivially forgeable and says nothing about where a message actually came from). They were timed for just after Facebook’s highly publicized changes to its homepage went live, which clearly indicates that the phishers were going for the jugular. When you follow the link, you’re presented with a login dialog identical to that used by Facebook. Once you enter your password into that form, you’re presented with a page titled “Account Update” where you’re prompted to download and execute something called the Facebook Update Tool.

The messages read, in part:

In an effort to make your online experience safer and more enjoyable, Facebook will be implementing a new login system that will affect all Facebook users. These changes will offer new features and increased account security. Before you are able to use the new login system, you will be required to update your account.

…followed by the typical tease to “click here” and a link that doesn’t lead where you think it will. The URLs in the message begin with “www.facebook.com” but that’s part of the ruse: The full URL is http://www.facebook.com.(some random letters).eu followed by a query string that includes a long string of numbers and the recipient’s email address. The browser reads a hostname from the right, so the site you actually reach is the random .eu domain; “www.facebook.com” is just a subdomain label the attacker chose. The email address in the query string also tells the attackers which recipient clicked, confirming a live mailbox for future spam.

In the past, links formatted in precisely the same way led directly to pages hosting versions of the Trojan-Backdoor-Progdav (aka Zbot) keylogger. That’s also true in this case. So the bad guys don’t just want your Facebook password. They want all of your passwords.
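The following is an added example, not code from the original post or from Webroot. It shows the check a mail filter or analyst can apply to links built the way this campaign built them: anchor on the right-hand end of the hostname rather than on the brand name that appears in it, and pull the recipient tracking value out of the query string. The sample message, the host label “qzrtk”, the path and the parameter names are all invented for the example; the list of legitimate domains is an assumption.

```python
import re
from urllib.parse import urlsplit, unquote

# Domains the lure borrows. Assumption for this example: the real services
# live at facebook.com and facebookmail.com (the latter is the domain the
# forged From: addresses imitate).
LEGIT_DOMAINS = ("facebook.com", "facebookmail.com")

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def is_legit_host(host: str) -> bool:
    """True only if host IS a legitimate domain or a real subdomain of one.

    The check anchors on the end of the hostname: the browser resolves the
    right-most labels, so 'www.facebook.com.xyz.eu' is a host inside xyz.eu,
    however much the left-hand labels resemble the real site.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS)


def classify_url(url: str) -> dict:
    """Describe one URL: where it really points and whether it is a lookalike."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    labels = host.split(".")
    # Registrable domain approximated as the last two labels. Good enough for
    # .eu, .com, .biz; a public-suffix list would be needed for e.g. .co.uk.
    registrable = ".".join(labels[-2:]) if len(labels) >= 2 else host
    brand_in_host = any(d in host for d in LEGIT_DOMAINS)
    # The campaign appended the recipient's address to the query string, so a
    # click also confirms a live mailbox. Parameter names are unknown, so scan
    # every token's value for something that looks like an address.
    recipient = None
    for token in parts.query.split("&"):
        value = unquote(token.split("=", 1)[-1])
        if "@" in value and "." in value.rsplit("@", 1)[-1]:
            recipient = value
            break
    return {
        "host": host,
        "registrable": registrable,
        "lookalike": brand_in_host and not is_legit_host(host),
        "tracked_recipient": recipient,
    }


def find_lookalike_urls(message: str) -> list:
    """Return the classification of every brand-impersonating URL in a message."""
    return [r for r in map(classify_url, URL_RE.findall(message)) if r["lookalike"]]


# Constructed sample message modelled on the lure text quoted above; the host
# label 'qzrtk', the path and the parameter names are invented for the example.
SAMPLE_MESSAGE = """\
In an effort to make your online experience safer and more enjoyable, Facebook
will be implementing a new login system that will affect all Facebook users.
Click here to update:
http://www.facebook.com.qzrtk.eu/login.php?id=5820391746&email=victim%40example.com
Regards, The Facebook Team http://www.facebook.com/
"""

if __name__ == "__main__":
    for hit in find_lookalike_urls(SAMPLE_MESSAGE):
        print(f"lookalike host {hit['host']} really belongs to {hit['registrable']};"
              f" recipient tracked as {hit['tracked_recipient']}")
```

Run against the constructed message, the genuine www.facebook.com link passes and the .eu link is flagged as belonging to qzrtk.eu with the recipient address recovered. The two-label approximation of the registrable domain is deliberate: for a production filter, substitute a public-suffix lookup so that hosts under country-code second-level domains are handled correctly.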

We’ve seen a lot of this style of phishing campaign just in the past few weeks, and if history serves as a guide, the small number of links in the spam messages we received over the weekend will likely be followed by dozens more versions, each with a distinct URL. Facebook users would be well advised to refrain from following the links in the message. If you suspect that you’ve inadvertently fallen victim to this dirty trick, change your Facebook password immediately — from another computer, since a keylogger on the compromised machine would capture the new password as well.

Koobface: Not Just for Facebook, Anymore


By Andrew Brandt


The latest generation of Koobface targets its particularly effective brand of social engineering at more social networks than ever. As the worm has evolved, we’ve seen it grow to encompass a pantheon of services, targeting not just the widely publicized Facebook, MySpace, and Twitter but a host of other Web sites where people meet and (apparently) post links to funny videos for one another to watch.

To illustrate how pervasive the worm has become at propagation, we put together a short video. (And no, you don’t need to download some random codec to watch it, just Flash.) If you’ve got two minutes, check it out.

For our test, several members of Webroot’s Threat Research team created profiles on the social networks Koobface attempts to infiltrate, logged into those accounts on test computers, then executed the worm’s main installer application.

The worm checks which of the sites it targets you’ve logged in to, and downloads a specific payload for each of those social networking sites. That makes sense: Each of those social networks has its own distinct user interface, which the payload targeting that site interacts with. But the sites all have one thing in common: They all permit members to send one another messages containing hotlinked URLs. And that’s what Koobface is best at: Propagating itself by sending links. Nothing surprised us more than finding that we could actually watch the worm interacting with the interface, filling in forms and clicking buttons, as we stared at the screen.

Facebook Miscreants Dealt a Temporary Smackdown


By Andrew Brandt


After more than a week of harassment by goofballs spamming links, Facebook users can breathe a sigh of relief that, for now, at least one source of trouble has been eradicated.

Last week’s worm-like spread of links to the mygener.im domain, and this week’s use of the ponbon.im and hunro.im domains to phish Facebook users’ credentials, have been a puzzling diversion from my normal malware analysis tasks. The mygener.im link that was spammed into Facebook accounts redirected users to a page hosted elsewhere that contained nothing but perplexingly obfuscated Javascript (with variable names that appear to be composed mostly of words in Latin) that, as far as I and other researchers here can tell, didn’t do anything at all.

But yesterday I decided that enough was enough, so I emailed the operator of the .IM top-level domain — the Isle of Man domain name registry, nic.im — to ask what the heck was going on with all these .IM domains being used for malicious purposes. After all, as a result of the metric tons of malicious code and browser exploits I see that originate on Web sites registered in the .biz and .info top-level domains (TLDs), I personally no longer have any confidence in a site registered under either of those TLDs. The big question in my mind was, is .IM on its way to becoming another lost cause?

As it turns out, .IM’s operators really jumped on the problem. The registry’s representative promptly replied to my messages, and the registry has suspended not only the three domains I’ve named, but twelve others I hadn’t heard of that were registered in the .IM TLD through the same intermediary and, in his words, “which we suspect were being used for malicious purposes.”

“We take the reputation of the IM registry seriously and police it to try and prevent events like this from arising,” he continues. “Where we can, we block users from registering via a variety of means and, in the main, this has to date been successful [but] from time to time we have to make changes to our processes, and these events will act as a prompt to review them to see where we can tighten things up.”

So for now, Facebook users, breathe easy — until the bad guys find a domain registry willing to look the other way. And thank you, .IM, for showing us all how a responsible (and responsive) top-level domain NIC deals with criminals — by swiftly shutting them down.