Security Response

The scam waves in Facebook continue, as expected. For example the recent “brother raped his sister” theme has been changed a bit and sent along for a new run on the social network.

It’s the same content that has been used with similar themes over the last few weeks, only the scammers have just added a level of randomization to it. Not only does the text of the message vary a bit each time, but they also add random sub-domains. They are using a combination of words like www, wtf, video, show, play, movie, killer, insane, crazy, or brother in combination with other random parts. A link could for example look like this: http://video.ng4o.[REMOVED].info/watch?v=s4vo4o

For this particular scam we have already seen more than 70 different domains in use. Given the randomization, it’s no surprise that none of the tested links where blocked by Facebook’s redirector, with more than 200,000 people already clicking the links.

To make it even...

As is the case with every long weekend, the 4th of July weekend brought quite a lot of scams spreading through Facebook. Besides the usual click-jacking, hoaxes, and phishing attacks, one particular scam was discovered that showed the imminent evolution of this type of attack.

As always, the scam commences with a bait message – this time referencing a must-see video of some ex-girlfriend. Interestingly enough, most of the themes that we encounter have been used many times before, but unfortunately people still fall for them.

[Video] - This is what Happend to his Ex Girl Friend!
vidoea[REMOVED].blogspot.com
Play Video! She was Hurting for days, and could not walk!

Once the goo.gl link is clicked, the user is re-directed to a remote site. Google’s statistics page for that specific link showed that about 15,000 users have clicked on it. Of course, there were multiple links involved, so this figure only indicates an average estimate of...

We know that Facebook scammers can be very creative and that they are experimenting with new ways to achieve their goals. Besides the omnipresent malicious Facebook apps that will steal the user’s permissions to post to his or her wall, we currently see a rise in the number of manual script attacks, with a few hundred thousand users falling victim daily.

The user is lured with a message as bait to a prepared site. The all time favourite “See who viewed your profile” is used a lot these days, but we have seen others with free credits for social games and the like. This landing page could be a Facebook page, a Facebook application page, or a remote site on some domain. It asks the user to copy some simple looking Javascript to the browser address bar and to click the ‘Enter’ key.

The scammers want to ensure sure that the users are not strained by...

Currently a new and unpatched cross-site scripting (XSS) vulnerability in Facebook is being widely used to automatically post messages to other user’s walls. The vulnerability was used for some time in some smaller cases; however, it is now widely being used for the first time by many different groups—especially in Indonesia, where we are seeing thousands of infected messages being posted by unknowing users.

The vulnerability exists in the mobile API version of Facebook due to insufficient JavaScript filtering. It allows any website to include, for example, a maliciously prepared iframe element that contains JavaScript or use the http-equiv attribute’s “refresh” value to redirect the browser to the prepared URL containing the JavaScript. Any user who is logged into Facebook and visits a site that contains such an element will automatically post an arbitrary message to his or her wall. There is no other user interaction required, and there are...