Facebook Drive-By Malware

Trend Micro reports that it has detected a drive-by download attack on Facebook that uses malicious advertisements to silently infect visitors with malware exploiting Java and ActiveX vulnerabilities dating from 2006 to 2010.  The user is led from a Facebook page to a couple of ad sites, and finally to a page that hosts the exploits.  The ad providers were found to be affiliated with an ad-supported Facebook application.

“Malvertising” attacks are generally the result of poor background screening practices by ad networks or sales teams.  Attackers impersonate legitimate advertisers to get their ads approved and then swap them with ads that contain malicious code.  Big ad networks and popular mainstream websites including Facebook have hosted these attacks over the years.  Drive-by download exploits attacking popular browsers or plug-ins are very dangerous since they don’t require any user interaction and take place silently.

Unfortunately, Facebook’s platform is designed to allow thousands of third-party app developers to work with any advertisers they choose.  There’s not much Facebook can do about policing the problem, so users must protect themselves.

Keep your anti-virus on and updated, use virtual machines and sandboxes when surfing, and be selective in what you click on.  Use web-content filters like WebSense, BlueCoat or the K9 product (free for home use) to stop access to known malicious sites.

Facebook Fake AV Malware Again

On the topic of social media and Facebook in particular, a very complex and effective fake Anti-Virus campaign is targeting Facebook users.  Like most of the cruft that targets Facebook users, it starts with contact by a Facebook friend using the social network’s chat feature.  “Hi. How are you? It is you on the video? Want to see?” asks the “friend”, offering a link to a YouTube page.  Intrigued, the target follows the link, and sees that the video, with the target’s name in the title, has apparently been commented on both positively and negatively by a bunch of their Facebook friends.

Of course, the target cannot view the video because they appear to be “missing an Adobe Flash Player update”, according to a message written over the blank space where the video is supposed to be displayed.  The file offered for download is Trojan.FakeAV.LVT.  This little miscreant copies itself as %windir%\services32.exe and as %windir%\update.X\svchost.exe, where update.X is a hidden directory and X is the version of the malware.  It then adds a registry key in %SYSTEM%, and the malicious code is either added to the list of authorized applications for the software firewall, or it disables the firewall altogether.  Finally it disables all notifications generated by the firewall, the update module, and whatever antivirus it finds installed on the PC, according to BitDefender.
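The two drop locations above are the kind of artefact a responder can hunt for in a file-system inventory taken from a suspect machine.  The following script is an added example and not code from the original post or from BitDefender; it compiles the two paths into patterns relative to a configurable %windir%, runs them over a constructed sample listing, and pulls out the version number X from the hidden update.X directory.  The legitimate svchost.exe lives in System32, so a copy directly under %windir%\update.X is the anomaly being flagged.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample of a file-system inventory (for instance exported from a
# suspect machine or a forensic image).  Not real data; built for this example.
SAMPLE_LISTING = [
    r"C:\Windows\System32\svchost.exe",           # legitimate svchost location
    r"C:\Windows\services32.exe",                 # artefact 1 from the write-up
    r"C:\Windows\update.3\svchost.exe",           # artefact 2, malware version 3
    r"C:\Windows\Update\svchost.exe",             # no ".X" suffix: not the pattern
    r"C:\Program Files\Vendor\services32.exe",    # same file name, wrong directory
    r"C:\Windows\update.12\svchost.exe",          # artefact 2, version 12
]


@dataclass(frozen=True)
class Finding:
    path: str
    indicator: str
    version: Optional[str]   # the "X" in update.X, when present


def build_patterns(windir: str = r"C:\Windows"):
    """Compile the two drop-location patterns relative to the given %windir%."""
    root = re.escape(windir)
    services32_re = re.compile(rf"^{root}\\services32\.exe$", re.IGNORECASE)
    update_svchost_re = re.compile(
        rf"^{root}\\update\.(?P<version>[^\\]+)\\svchost\.exe$", re.IGNORECASE
    )
    return services32_re, update_svchost_re


def scan_paths(paths, windir: str = r"C:\Windows"):
    """Return one Finding per path that matches a described drop location."""
    services32_re, update_svchost_re = build_patterns(windir)
    findings = []
    for raw in paths:
        path = raw.strip()
        if services32_re.match(path):
            findings.append(Finding(path, "services32.exe dropped in %windir%", None))
        elif (m := update_svchost_re.match(path)):
            findings.append(Finding(path, "svchost.exe outside System32, in %windir%\\update.X",
                                    m.group("version")))
    return findings


if __name__ == "__main__":
    for f in scan_paths(SAMPLE_LISTING):
        suffix = f" (version {f.version})" if f.version else ""
        print(f"{f.path}: {f.indicator}{suffix}")
```

A match on either path is a strong indicator but not proof on its own; the page also describes a %SYSTEM% registry entry and firewall changes, so corroborate with those before deciding on the rebuild the post recommends.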

This malware makes the effort to detect which legitimate AV solution the user has installed, and displays customized warning messages that mimic what the legitimate solution would present.  So clever, and so deviant.  Someone deserves a beating.  Of course it “scans and finds” a virus on the system, and asks the user to reboot so that it can clean up the mess.  Unfortunately, the reboot triggers the system to boot into safe mode, allowing the malware to uninstall the legitimate AV solution, and then the system is rebooted into normal mode.  The system is now completely vulnerable, and a downloader component launches to quietly download additional malware from an array of URLs.

The malware agent contains a list of IPs of other infected systems which will be used for exchanging malware, creating a fully-fledged malware distribution system with peer-to-peer update capabilities.  These IP lists are updated regularly so infected systems are always in contact, and constantly exchanging malicious code.

Once a system is compromised by such a vicious malware agent, it should never be fully trusted again.  If you are the unlucky recipient of this insidious and devastating attack, my recommendation to you is to backup ONLY your most important data to SACRIFICIAL MEDIA, and to nuke the system to bare metal.  Because your AV was compromised and the malware causes reboots and load points to be activated, there is no telling what the additional payloads may have done.  Assume the worst: rootkits, password captures, and keystroke logging.  Reformat your hard drives, including the Master Boot Records (MBR), and do the same for any removable media that you have used on that system.  Media that can’t be sanitized should simply be destroyed.  Otherwise you are taking chances that malware will still exist on your computer, and be able to load before your Operating System and any defensive software that you install.  That means you might as well not install it at all.

Now you know why I’m not real fond of malware or its authors.  Stay thirsty my friends…

Beware “News Of The Minute” Facebook Scams

Websense has found an alarming Facebook scam taking advantage of yesterday’s tragedy in Oslo, Norway, infecting an estimated one user every second.  The scam is a form of ‘clickjacking’ that replicates itself on users’ walls after they click on fake posts within their news feed.  I could not find details of what the payload is from this attack, but rest assured, these types of attacks generally look to infect your computer, and your friends’ computers with financially motivated malware.

Use caution when seeking news items.  Searching for breaking trends and current news represented a higher risk (22.4%) than searching for objectionable content (21.8%), including pornography.


What Is Facebook Doing About Scams?

It is important that each of us remain aware of scams.  Social Networking sites like Facebook are target rich environments for malicious parasites who would do you harm.  Facebook is now taking action on several fronts to warn users when a link they are clicking appears to lead to malware or malicious trickery.

From now on, Facebook will display a warning to users if it detects that suspicious activity is going on behind those mouse clicks.  A scam was circulating recently where Facebook users were inadvertently commenting on what looked like a news site providing details of the iPhone 5.  Clicking on the link led to a page with a “captcha” window where distorted numbers and letters are presented for the user to type to prove they are real users and not an automated script.  If the submit button was clicked, the spam message was spread onto the user’s Facebook page.   Another scam was spreading today that urged people to click some web element to “verify their accounts”.  Facebook was quick to remove those posts.

In many cross-site scripting (XSS) attacks, people are asked to copy and paste JavaScript or another type of code into their browser’s address bar with the lure of seeing a video, or getting something for free.  The code ends up infecting their machine with malware, or doing something unexpected.

Clickjacking attacks involve tricking people into revealing personal information, or taking control of their web session when they click on a seemingly innocuous web element.  Clickjacking and XSS attacks take advantage of a vulnerability common across a variety of browsers in the form of embedded script that can execute without the user’s knowledge.

To block these attacks, the site will ask users to confirm their “like” before posting a story to their profile and their friends’ News Feeds.  Facebook is also offering a form of two-factor authentication called “Login Approvals,” which if turned on will require users to enter a code whenever they log into the site from a new or unrecognized device.  The code is sent via text message to the user’s mobile phone to reduce the chances of it being intercepted or spoofed by the attacker.  Facebook has also started performing “Login Tracking” where you are asked to identify the system you are logging in from with a unique name, and that information is sent to your registered email account.

Facebook is also partnering with the free Web of Trust safe surfing service to give its users more information about the sites they are going to from within the social network.  When a user clicks on a potentially malicious link, a warning box will appear, and provide more information about why the site might be dangerous.  The user can either ignore the warning or go back to the previous page.  Web of Trust has rated more than 31 million sites.  Facebook also maintains its own internal black list of sites that it blocks users from sharing.

They have also recently tightened up their APIs, and are migrating to OAuth 2.0 in an attempt to bring security into the developers’ environment.  OAuth is now a mature standard with broad participation across the development industry.  They have also been working with Symantec to identify issues in their authentication flows to ensure that they are more secure.

It looks to me like Facebook is at least aware of the risks that these attacks pose to its reputation and continued existence as a trusted medium for collaboration and social interaction.  They are doing the right things, and I believe will eventually provide a more secure environment and continued popularity.

Don’t Fall For Facebook Scams

Have you seen these Facebook wall postings?  “WOAH!!…You really have to see this, finally a simple way to see who views your facebook profile.”

Are you curious?  This is a classic social engineering scam luring users into signing up for premium mobile services and spamming their friends, promising to show a list of profile visitors.  It even instructs users to disable ad-blocking programs.

It all starts with a little spam message or wall posting from one of the victims: “WOAH!!…You really have to see this, finally a simple way to see who views your facebook profile. –> [URL]”  Following the URL link takes the new victim to a site on an external domain (like ilikefacebook.in).  The site displays fake Facebook-style notifications claiming to be examples of the alerts users will receive whenever someone views their profile.  The logo for a well-known malicious app called Profile Spy is also present on the page.

Users are also told that in order to sign-up for the Profile Spy application they need to like and share the application.  After the victims have heavily spammed their profile with messages promoting this scam, they are taken to a window claiming that they also need to take a survey.  “Then the ‘verification’ launches you into one of those endless surveys (you get a choice of 6) the point of which is to collect your cell phone number so you can be billed $9.99 per month,” GFI Labs warns.

This scam has been seen on Facebook as far back as mid 2010, and around 29,000 users clicked the “Like” button and 27,000 the “Share” button in its first month.  This scam has spread to other social media outlets and pops up in Twitter fairly often as well.  There is no feature on Facebook which allows viewing profile visitors, and considering the privacy implications, it will probably never be allowed.  Any message or application that claims otherwise is most definitely a scam.

Beware Facebook Twilight Scam

Fans of the “Twilight” vampire series and movie franchises are falling prey to a scam that spreads to Facebook friends, tags them and their friends with malicious links in their online photo albums, and could end up hijacking their Facebook accounts.

Facebook updates are circulating that look like game promotions related to the teen vampire movie, “Twilight, Breaking Dawn,” according to Sophos.  The link leads to what looks like a Facebook page with a “play now” button that once clicked, quietly “likes” the link and spreads it on the visitor’s Facebook account.  A dialog box then pops up asking for permission for a third-party application to access the victim’s Facebook account to post messages and photos.  Since this is common behavior for an application that you have clicked on and want to explore, unsuspecting users are clicking the buttons and passing the app to friends.  Next, the victim is asked to fill out a survey to “verify” their account information.  The scammers are making money off every survey completed.

Facebook is currently tracking this scam, working to shut down the spammy vectors, and remediate any users who have been affected.

Stay secure on Facebook and other community sites.

  • Don’t click on strange links, even if they’re from friends, and notify the person if you see something suspicious.
  • Don’t click on friend requests from people that you don’t actually know.
  • Don’t provide personal information in online surveys.
  • Review your Facebook security settings and consider enabling log-in notifications.  Look in the drop-down box under Account on the upper right-hand corner of your Facebook home page.
  • If you come across a scam, report it to Facebook’s admin team so that it can be taken down.
  • Don’t download any applications or grant permissions to your Facebook account unless you are 100% certain about them.
  • For using Facebook from places like hotels and airports, text “otp” to 32665 for a one-time password to your account.


Roll Your Own Facebook Malware

Malware distributors are selling a $25 toolkit to anyone interested in creating and distributing malicious Facebook apps, according to Websense Security Labs.

You don’t even have to have development experience, you just need to follow the instructions and a working malicious Facebook application is at your disposal.  The do-it-yourself toolkit offers a malware template for distributing the app, directs users to click-fraud accounts, and pushes Facebook users to fake surveys to steal their personal information.  This commoditization of Facebook targeted malware is further evidence that social networks are a target rich environment for criminals bent on identity theft and personal information attacks.

Websense researchers have linked the toolkit, called TinieApp, to 2 recent rogue app attacks that appeared on Facebook over the past week.

Cisco – Reporting & Investing

SAN JOSE, Calif. – Jan. 20, 2011 – In a major online crime turning point, scammers are shifting their focus away from Windows-based PCs to other operating systems and platforms, including smart phones, tablet computers, and other mobile platforms, according to the Cisco 2010 Annual Security Report.  The report finds that 2010 was the first year in the history of the Internet that spam volume decreased, that criminals are investing heavily in “money muling,” and that people continue to fall prey to trust exploitation.

Cisco has also announced in an unrelated story, that it has invested in Tilera, a developer of multicore processors for cloud computing and communications.  Tilera is operating “near break-even” and expects to reach profitability later this year.  The $45 million round of investments will accelerate development of its 4th-generation processor line, expand sales and marketing, and develop new products.



Spear Phishing Attacks Climbing

Symantec is reporting that “Spear Phishing” attacks have climbed dramatically over the last 4-5 years.  The number of targeted phishing attacks against individuals has risen from one or two a week in 2005 to more than 70 a day.  Symantec is muddying the waters a bit, explaining targeted attacks and Advanced Persistent Threats, and Spear Phishing attacks as one and the same.  They are not necessarily so.


Facebook, Fake-A/V, G-Mail Scams

Sophos sent out these little nuggets this week.  Looks like Apple and Facebook are getting some serious recognition, as a brand and as an attack vector…

iPad and iPhone 4 tester scams hit Facebook
It sounds too good to be true – Can you really get a free iPad 3G or iPhone 4 by signing up just to be a tester?  It’s just the latest scam spreading rapidly between compromised Facebook accounts in the last few days.  Discover more, and ensure that you and your employees are practising safe computing.

Malicious spammers launch major fake anti-virus attack
SophosLabs’ worldwide network of email-monitoring stations has seen a tidal wave of malicious messages being spammed out with an attachment that redirects users’ web browsers to a fake anti-virus attack.  Once installed, Fake-A/V is responsible for a wide array of additional malware infections, from spyware and keyloggers to full remote control and Denial of Service attack software installation.  The emails have subject names such as:

  • Parking Permit and/or Benefit Card Order Receipt - <random number>
  • You're invited to view my photos!
  • Appointment Confirmation
  • Your Bell e-bill is ready
  • Your Vistaprint Order Is Confirmed
  • Vistaprint Canadian Tax Invoice (<random number>)

Did Gmail make you look like a spammer last week?
How mortified would you feel if you found that you had been spamming someone through no fault of your own?  Well, up to 4 million Gmail users found out last week.  Find out how a problem with the Gmail service meant up to four million users couldn’t stop the system sending out multiple messages.