Security Response
Joji Hamada | 13 Jul 2011 15:35:59 GMT

W32.Gammima.AG, an infostealer best known for targeting massively multiplayer online role-playing games, is now also going after a game on Facebook. This is the first time we have encountered the malware going after an app on Facebook.

This particular malware doesn't just target any Facebook user. It’s only interested in collecting login credentials from those who use the Perfect Poker app, which is a game that allows you to play online poker with other Facebook users. The inclusion of Perfect Poker to the list of targeted games in W32.Gammima.AG appears to have taken place around December 2010.

As with other variants of W32.Gammima.AG, which attempt to gather login credentials and steal online coins from the accounts in order to profit, the variant targeting Perfect Poker seeks the same...

Candid Wueest | 06 Jul 2011 10:23:38 GMT

As is the case with every long weekend, the 4th of July weekend brought quite a lot of scams spreading through Facebook. Besides the usual click-jacking, hoaxes, and phishing attacks, one particular scam was discovered that showed the imminent evolution of this type of attack.

As always, the scam commences with a bait message – this time referencing a must-see video of some ex-girlfriend. Interestingly enough, most of the themes that we encounter have been used many times before, but unfortunately people still fall for them.

[Video] - This is what Happend to his Ex Girl Friend!
Play Video! She was Hurting for days, and could not walk!

Once the link is clicked, the user is re-directed to a remote site. Google’s statistics page for that specific link showed that about 15,000 users have clicked on it. Of course, there were multiple links involved, so this figure only indicates an average estimate of...

Samir_Patil | 29 Jun 2011 19:17:08 GMT

Exploiting the popularity of social networks for the purposes of distributing spam, malware, and phishing attacks is quite a common technique these days. Spam attacks via social networks grew dramatically between April and June 2011. Over this period, we monitored and analyzed social network spam attacks that used three popular social networking sites—Facebook, Twitter, and YouTube.

The Trend

The graph below demonstrates the volume spikes for social network spam from April 1 to June 15:

One of the obvious patterns seen in the graph above is the rise in the number of attacks on one social networking site, then an abrupt fall, and then a shift to the next social site, as if following a cyclical pattern. We observed a sudden surge in the number of attacks on Facebook, then a peak, and then a drastic decline. While the attacks on Facebook declined, we...

Stephen Doherty | 16 May 2011 20:42:02 GMT

There is currently a new spam campaign spreading across Facebook. The spam has an appearance similar to the following:

It is worth mentioning that the app_id in the requests is “6628568379”, which may cause the post to look as though it was sent from an iPhone when this is not the case. This is done to give an appearance of further credibility to the scam.

The message may vary slightly as it is randomly generated by using a combination of the following three options:

Part one:

  • hey
  • HEY
  • OMG
  • omg
  • omg!
  • OMG!!
  • WTF
  • wtf
  • wtf!!
  • WTF!!
  • YO
  • yo
  • YO!

Part two:

  • I can't believe you're
  • i cant believe youre tagged
  • what are you doing
  • why are you
  • why are you tagged
  • you...

Nishant Doshi | 10 May 2011 17:19:06 GMT

Third parties, in particular advertisers, have accidentally had access to Facebook users’ accounts including profiles, photographs, chat, and also had the ability to post messages and mine personal information. Fortunately, these third parties may not have realized their ability to access this information. We have reported this issue to Facebook, who has taken corrective action to help eliminate this issue.

Facebook applications are Web applications that are integrated onto the Facebook platform. According to Facebook, 20 million Facebook applications are installed every day.

Symantec has discovered that in certain cases, Facebook IFRAME applications inadvertently leaked access tokens to third parties like advertisers or analytic platforms. We estimate that as of April 2011, close to 100,000 applications were enabling this leakage. We estimate that over the years, hundreds of thousands of applications may have inadvertently leaked millions of access tokens to...

Candid Wueest | 04 May 2011 22:25:31 GMT

We know that Facebook scammers can be very creative and that they are experimenting with new ways to achieve their goals. Besides the omnipresent malicious Facebook apps that will steal the user’s permissions to post to his or her wall, we currently see a rise in the number of manual script attacks, with a few hundred thousand users falling victim daily.

The user is lured with a message as bait to a prepared site. The all-time favourite “See who viewed your profile” is used a lot these days, but we have seen others with free credits for social games and the like. This landing page could be a Facebook page, a Facebook application page, or a remote site on some domain. It asks the user to copy some simple-looking JavaScript to the browser address bar and to press the ‘Enter’ key.

The scammers want to ensure that the users are not strained by...

Nishant Doshi | 04 May 2011 12:48:33 GMT

Even before a user accepts the installation of a Facebook application, Facebook will send a limited amount of user data to the application’s website in order to help personalize your experience. Unfortunately, this user data includes information that users may not want to share without consent.

Facebook uses OAuth 2.0 as an authentication mechanism for its applications. When a user visits an iframe-based Facebook application prior to installation, a POST request is sent to the third-party website hosting the application with the following data:

The ‘age object’ does not provide access to the specific age of the user, but it does provide a specific bracket. Three brackets are provided:

    13-17 (minage-13 or minage-13 and maxage-17)
    18-21 (minage-18)...

Hardik Shah | 07 Apr 2011 08:45:19 GMT

Recently, we came across an application that displays the message “Tornado Randomly Appears During Soccer Game” on Facebook:

Clicking on the message forces the download of a script from http://<IP Removed>/fb2.js, which displays a Facebook login message. If the user is logged in to Facebook, the malicious app will log the user out and ask him/her to log in again:

When the user clicks on the “Login” button, it will show the login form:

When the user enters login details and clicks on the Login button, the fake application sends two POST requests: one to, and the other to the malicious server. The request sent to the malicious server has the...

Candid Wueest | 21 Mar 2011 21:41:51 GMT

Not only Facebook is adding new and interesting features to its toolbox; spammers and scammers in Facebook are, too. Currently there is a scam making rounds using a classic “who is viewing your profile” themed bait.

So far - nothing new. After the user grants the application the requested privileges, which of course will send out the above mentioned spam posts to all his or her friends, the user gets redirected to a download instruction site. There he or she is asked to download the Firefox browser and then install a popular Firefox extension which allegedly gets downloaded over 27,000 times per week. This simple tweak should generate a new menu entry in Facebook which would then show user statistics.

Of course this “Facebook Connect” Firefox extension is not found on the official Mozilla...

Candid Wueest | 02 Feb 2011 18:03:39 GMT

It’s nothing new: a Facebook scam message about an application that appears to come from friends, such as something that can show you who has viewed your profile. However, this scam nags the user to fill out surveys and quietly sends the same message to all his or her friends.

Unfortunately, we see them every day.

Another fake application.

This week, I stumbled across a new level of automation with these scams.

The variations in the bait messages are nothing unusual, a quick message followed by a URL:

  • I've just seen who CREEPS around my pics the most here on Facebook! You can see who stalks you too! http://www.redire[REMOVED]com/stalker

  • I just saw who checks me out the most on Facebook! You can see who stalks you too! http://...