Nishant Doshi's blog

Over the last few months we have been trying to look deeper into how Web-based malware gets distributed. A lot has been written about the underground economy and how one can buy exploit kits, such as Blackhole, from underground websites. But once the attacker has bought the exploit kit, how do they infect computers?

In the last few months we have seen a variety of spam campaigns propagating on social networking websites. Most of these attacks use some flavor of social engineering tactics. Every now and then, we see some innovative social engineering techniques used by attackers. Here is one such technique that tricks the victim into revealing their all-important Facebook Anti-CSRF token.

Third parties, in particular advertisers, have accidentally had access to Facebook users’ accounts including profiles, photographs, chat, and also had the ability to post messages and mine personal information. Fortunately, these third-parties may not have realized their ability to access this information.

Even before a user accepts the installation of a Facebook application, Facebook will send a limited amount of user data to the application’s website in order to help personalize your experience. Unfortunately, this user data includes information that users may not want to share without consent.

If a hacker managed to hack into your blog or website, what could they possibly do? They could insert malicious iframes or JavaScript code into your Web pages. Probably even attempt to steal some data. But most likely they would "search engine optimize" your website. Can this be true? Well, let me explain more.

Did I just say that? Usually security researchers hate obfuscation. But I say, let them obfuscate more!