Security Response
Showing posts tagged with facebook
Nishant Doshi | 27 Oct 2011 11:06:12 GMT

In the last few months we have seen a variety of spam campaigns propagating on social networking websites. Most of these attacks use some flavor of social engineering tactics. Every now and then, we see some innovative social engineering techniques used by attackers. Here is one such technique that tricks the victim into revealing their all-important Facebook Anti-CSRF token.

Cross-site Request Forgery attacks
A Cross-site Request Forgery (CSRF) is a type of attack in which attackers can re-use an already authenticated session to a website to perform unwanted actions on that website without the user’s knowledge or consent. For example, let’s say that a user is logged into his or her banking website. If this bank’s website suffers from a CSRF weakness, then another malicious website (say, can instruct the user’s browser to navigate to...

Candid Wueest | 15 Jul 2011 14:13:27 GMT

The scam waves in Facebook continue, as expected. For example the recent “brother raped his sister” theme has been changed a bit and sent along for a new run on the social network.

It’s the same content that has been used with similar themes over the last few weeks, only the scammers have now added a level of randomization to it. Not only does the text of the message vary a bit each time, but they also add random sub-domains, combining words like www, wtf, video, show, play, movie, killer, insane, crazy, or brother with other random parts. A link could, for example, look like this: http://video.ng4o.[REMOVED].info/watch?v=s4vo4o

For this particular scam we have already seen more than 70 different domains in use. Given the randomization, it’s no surprise that none of the tested links were blocked by Facebook’s redirector, with more than 200,000 people already clicking the links.

To make it even...

Joji Hamada | 13 Jul 2011 15:35:59 GMT

W32.Gammima.AG, an infostealer best known for targeting massively multiplayer online role-playing games, is now also going after a game on Facebook. This is the first time we have encountered the malware going after an app on Facebook.

This particular malware doesn't just target any Facebook user. It’s only interested in collecting login credentials from those who use the Perfect Poker app, which is a game that allows you to play online poker with other Facebook users. The inclusion of Perfect Poker to the list of targeted games in W32.Gammima.AG appears to have taken place around December 2010.

As with other variants of W32.Gammima.AG, which attempt to gather login credentials and steal online coins from the accounts in order to profit, the variant targeting Perfect Poker seeks the same...

Candid Wueest | 06 Jul 2011 10:23:38 GMT

As is the case with every long weekend, the 4th of July weekend brought quite a lot of scams spreading through Facebook. Besides the usual click-jacking, hoaxes, and phishing attacks, one particular scam was discovered that showed the imminent evolution of this type of attack.

As always, the scam commences with a bait message – this time referencing a must-see video of some ex-girlfriend. Interestingly enough, most of the themes that we encounter have been used many times before, but unfortunately people still fall for them.

[Video] - This is what Happend to his Ex Girl Friend!
Play Video! She was Hurting for days, and could not walk!

Once the link is clicked, the user is redirected to a remote site. Google’s statistics page for that specific link showed that about 15,000 users have clicked on it. Of course, there were multiple links involved, so this figure only indicates an average estimate of...

Samir_Patil | 29 Jun 2011 19:17:08 GMT

Exploiting the popularity of social networks for the purposes of distributing spam, malware, and phishing attacks is quite a common technique these days. Spam attacks via social networks grew dramatically between April and June 2011. Over this period, we monitored and analyzed social network spam attacks that used three popular social networking sites—Facebook, Twitter, and YouTube.

The Trend

The graph below demonstrates the volume spikes for social network spam from April 1 to June 15:

One of the obvious patterns seen in the graph above is the rise in the number of attacks on one social networking site, then an abrupt fall, and then a shift to the next social site, as if following a cyclical pattern. We observed a sudden surge in the number of attacks on Facebook, then a peak, and then a drastic decline. While the attacks on Facebook declined, we...

Stephen Doherty | 16 May 2011 20:42:02 GMT

There is currently a new spam campaign spreading across Facebook. The spam has an appearance similar to the following:

It is worth mentioning that the app_id in the requests is “6628568379”, which may cause the post to look as though it was sent from an iPhone when this is not the case. This is done to give an appearance of further credibility to the scam.

The message may vary slightly as it is randomly generated by using a combination of the following three options:

Part one:

  • hey
  • HEY
  • OMG
  • omg
  • omg!
  • OMG!!
  • WTF
  • wtf
  • wtf!!
  • WTF!!
  • YO
  • yo
  • YO!

Part two:

  • I can't believe you're
  • i cant believe youre tagged
  • what are you doing
  • why are you
  • why are you tagged
  • you...

Nishant Doshi | 10 May 2011 17:19:06 GMT

Third parties, in particular advertisers, have accidentally had access to Facebook users’ accounts, including profiles, photographs, and chat, and also had the ability to post messages and mine personal information. Fortunately, these third parties may not have realized their ability to access this information. We have reported this issue to Facebook, who has taken corrective action to help eliminate this issue.

Facebook applications are Web applications that are integrated onto the Facebook platform. According to Facebook, 20 million Facebook applications are installed every day.

Symantec has discovered that in certain cases, Facebook IFRAME applications inadvertently leaked access tokens to third parties such as advertisers or analytics platforms. We estimate that as of April 2011, close to 100,000 applications were enabling this leakage. We estimate that over the years, hundreds of thousands of applications may have inadvertently leaked millions of access tokens to...

Candid Wueest | 04 May 2011 22:25:31 GMT

We know that Facebook scammers can be very creative and that they are experimenting with new ways to achieve their goals. Besides the omnipresent malicious Facebook apps that will steal the user’s permissions to post to his or her wall, we currently see a rise in the number of manual script attacks, with a few hundred thousand users falling victim daily.

The user is lured with a bait message to a prepared site. The all-time favourite “See who viewed your profile” is used a lot these days, but we have seen others offering free credits for social games and the like. This landing page could be a Facebook page, a Facebook application page, or a remote site on some domain. It asks the user to copy some simple-looking JavaScript into the browser address bar and press the ‘Enter’ key.

The scammers want to ensure that the users are not strained by...

Nishant Doshi | 04 May 2011 12:48:33 GMT

Even before a user accepts the installation of a Facebook application, Facebook will send a limited amount of user data to the application’s website in order to help personalize the user’s experience. Unfortunately, this user data includes information that users may not want to share without consent.

Facebook uses OAuth 2.0 as an authentication mechanism for its applications. When a user visits an iframe-based Facebook application ( prior to installation, a POST request is sent to the third-party website hosting the application with the following data:

The ‘age object’ does not provide access to the specific age of the user, but it does provide a specific bracket. Three brackets are provided:

    13-17 (minage-13 or minage-13 and maxage-17)
    18-21 (minage-18)...

Hardik Shah | 07 Apr 2011 08:45:19 GMT

Recently, we came across an application that displays the message “Tornado Randomly Appears During Soccer Game” on Facebook:

Clicking on the message forces the download of a script from http://<IP Removed>/fb2.js, which displays a Facebook login message. If the user is logged in to Facebook, the malicious app will log the user out and ask him/her to log in again:

When the user clicks on the “Login” button, it will show the login form:

When the user enters login details and clicks on the Login button, the fake application sends two POST requests: one to, and the other to the malicious server. The request sent to the malicious server has the...