
Security Response

Candid Wueest | 15 Jul 2011 | 0 comments

The scam waves on Facebook continue, as expected. For example, the recent “brother raped his sister” theme has been tweaked a little and sent out for another run on the social network.

It’s the same content that has been used with similar themes over the last few weeks; the scammers have simply added a level of randomization. Not only does the text of the message vary a bit each time, but the links also use random sub-domains: a word such as www, wtf, video, show, play, movie, killer, insane, crazy, or brother combined with a random label. A link could, for example, look like this: http://video.ng4o.[REMOVED].info/watch?v=s4vo4o

For this particular scam we have already seen more than 70 different domains in use. Given the randomization, it’s no surprise that none of the tested links were blocked by Facebook’s redirector; more than 200,000 people have already clicked the links.

To make it even...
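The randomised host names described in the 15 Jul 2011 post above are exactly what defeats an exact-host blocklist. The following added example (not Symantec's or Facebook's code) flags links with the shape <bait word>.<random label>.<domain>/watch?v=<id> and counts how many registered domains they span. The domain names and link list are constructed placeholders, since the post redacts the real ones, and the "random label" test (a short alphanumeric label containing a digit) is an assumption made for the example.

```python
"""Heuristic detector for randomised sub-domain scam links (added example)."""
import re
from urllib.parse import urlparse, parse_qs

# Leftmost labels the post reports the scammers mixing into the host name.
BAIT_WORDS = {"www", "wtf", "video", "show", "play", "movie",
              "killer", "insane", "crazy", "brother"}

# Assumption: a "random" label is short, lowercase alphanumeric and contains
# at least one digit, which separates "ng4o" from an ordinary label like "news".
RANDOM_LABEL = re.compile(r"^(?=.*\d)[a-z0-9]{3,8}$")


def looks_like_scam_link(url: str) -> bool:
    """True if the URL has the shape <bait>.<random>.<domain>/watch?v=<id>."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    labels = host.split(".")
    # Need at least: bait word, random label, and a two-label registered domain.
    if len(labels) < 4:
        return False
    bait, rnd = labels[0], labels[1]
    if bait not in BAIT_WORDS or not RANDOM_LABEL.match(rnd):
        return False
    # The fake video page path from the post: /watch?v=<random>
    return parsed.path == "/watch" and "v" in parse_qs(parsed.query)


def registered_domain(url: str) -> str:
    """Last two host labels; an exact-host blocklist misses every new sub-domain."""
    host = (urlparse(url).hostname or "").lower()
    return ".".join(host.split(".")[-2:])


def triage(urls):
    """Return (flagged URLs, sorted distinct registered domains among them)."""
    flagged = [u for u in urls if looks_like_scam_link(u)]
    domains = sorted({registered_domain(u) for u in flagged})
    return flagged, domains


# Constructed sample of links as they might appear in wall posts.
SAMPLE_LINKS = [
    "http://video.ng4o.example.info/watch?v=s4vo4o",
    "http://wtf.k9x2.example.info/watch?v=a1b2",
    "http://killer.7pq.other-example.info/watch?v=zz9",
    "http://www.youtube.com/watch?v=dQw4w9WgXcQ",   # benign: only three labels
    "http://show.movies.example.info/watch?v=1",     # second label not random-looking
    "http://video.ng4o.example.info/",               # no /watch path
]

if __name__ == "__main__":
    hits, doms = triage(SAMPLE_LINKS)
    print(len(hits), "suspicious links across", len(doms), "registered domains")
    for h in hits:
        print("  ", h)
```

The structural check is deliberately independent of the registered domain, so a freshly bought domain with the same sub-domain pattern is still caught; the domain count is what a blocklist-only approach would have to keep up with.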

Candid Wueest | 06 Jul 2011 | 0 comments

As is the case with every long weekend, the 4th of July weekend brought quite a lot of scams spreading through Facebook. Besides the usual click-jacking, hoaxes, and phishing attacks, one particular scam was discovered that showed the imminent evolution of this type of attack.

As always, the scam commences with a bait message – this time referencing a must-see video of some ex-girlfriend. Interestingly enough, most of the themes that we encounter have been used many times before, but unfortunately people still fall for them.

[Video] - This is what Happend to his Ex Girl Friend!
vidoea[REMOVED].blogspot.com
Play Video! She was Hurting for days, and could not walk!

Once the goo.gl link is clicked, the user is re-directed to a remote site. Google’s statistics page for that specific link showed that about 15,000 users have clicked on it. Of course, there were multiple links involved, so this figure only indicates an average estimate of...

Candid Wueest | 04 May 2011 | 0 comments

We know that Facebook scammers can be very creative and that they are experimenting with new ways to achieve their goals. Besides the omnipresent malicious Facebook apps that will steal the user’s permissions to post to his or her wall, we currently see a rise in the number of manual script attacks, with a few hundred thousand users falling victim daily.

The user is lured with a bait message to a prepared site. The all-time favourite “See who viewed your profile” is used a lot these days, but we have seen others offering free credits for social games and the like. This landing page could be a Facebook page, a Facebook application page, or a remote site on some domain. It asks the user to copy some simple-looking JavaScript into the browser address bar and press the Enter key.

The scammers want to ensure that the users are not strained by...

Candid Wueest | 29 Mar 2011 | 0 comments

Currently a new and unpatched cross-site scripting (XSS) vulnerability in Facebook is being widely used to automatically post messages to other users’ walls. The vulnerability had been used for some time in a few smaller cases; now, however, it is being used widely for the first time by many different groups, especially in Indonesia, where we are seeing thousands of infected messages being posted by unknowing users.

The vulnerability exists in the mobile API version of Facebook due to insufficient JavaScript filtering. It allows any website to include, for example, a maliciously prepared iframe element that contains JavaScript or use the http-equiv attribute’s “refresh” value to redirect the browser to the prepared URL containing the JavaScript. Any user who is logged into Facebook and visits a site that contains such an element will automatically post an arbitrary message to his or her wall. There is no other user interaction required, and there are...

Candid Wueest | 21 Mar 2011 | 0 comments

Facebook is not the only one adding new and interesting features to its toolbox; the spammers and scammers on Facebook are, too. Currently a scam is making the rounds using the classic “who is viewing your profile” bait.

So far, nothing new. After the user grants the application the requested privileges, which of course will send out the above-mentioned spam posts to all his or her friends, the user gets redirected to a download instruction site. There he or she is asked to download the Firefox browser and then install a popular Firefox extension which allegedly gets downloaded over 27,000 times per week. This simple tweak supposedly adds a new menu entry to Facebook which would then show user statistics.

Of course this “Facebook Connect” Firefox extension is not found on the official Mozilla...

Candid Wueest | 15 Mar 2011 | 0 comments

In order to see what is happening on social networks, I sat down and analysed about half a million wall posts from the last month, written by people whose profiles are public and visible to everyone. Obviously this represents only a portion of all the messages posted by all the different users; private posts visible only to friends were, of course, not monitored. Still, it is a good representation.

My first finding was that 21% of all the messages that contained a link pointed to a Facebook application, either through a URL-shortening service or by a direct link. Of those, 73% were actually scams or malicious applications.

Applying this to all the posts assessed reveals that around 15.6%, or about 1 out of 6, of the messages with a link point to a malicious application. Therefore the chances that you may stumble upon such a message are relatively high.

While most...

Candid Wueest | 09 Mar 2011 | 0 comments

There is a JavaScript spam trick on Facebook resulting in spam messages being posted on many user accounts. First mentioned yesterday by our colleagues at GFI Software, the persistent cross-site scripting vulnerability still remains unpatched as of this writing. So, what happened? An attacker has discovered a new method to inject JavaScript through specially crafted Facebook application pages. Normally the script would be removed by filters before the page is shown to the user, but in this case it is able to slip through. The malicious script is then executed in the context of Facebook.com, allowing it to perform requests under the user’s session. Keep in mind this happens before the application asks for any permissions. Visiting the page while logged into Facebook is enough to get it started, which is normally the case when a user is viewing new messages.

...
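Both the 29 Mar 2011 post (iframe and meta http-equiv="refresh" elements reaching the mobile API) and the 09 Mar 2011 post (script slipping through the filter on application pages) describe the same failure: a filter that tries to spot bad markup rather than only letting known-good markup through. The following added example (not Facebook's filter) shows the allowlist approach: every element and attribute not explicitly permitted is removed together with its contents, URL attributes are scheme-checked after stripping whitespace and control characters, and void elements such as meta are handled so a dropped element cannot swallow the rest of the page. The sample fragment and the function name postToWall() are constructed for illustration.

```python
"""Allowlist HTML filter for untrusted page fragments (added example)."""
from html import escape
from html.parser import HTMLParser

ALLOWED_TAGS = {"p", "a", "b", "i", "em", "strong", "span", "div", "br", "img"}
ALLOWED_ATTRS = {"href", "src", "alt", "title", "class"}
URL_ATTRS = {"href", "src"}
SAFE_URL_PREFIXES = ("http://", "https://", "/")
# Elements with no closing tag. If meta were missing here, the filter would wait
# for a </meta> that never comes and discard everything after it.
VOID_TAGS = {"br", "img", "meta", "link", "hr", "input"}


class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []       # sanitized fragments
        self.dropped = []   # (what, why) for logging
        self.skip = 0       # nesting depth inside a dropped element

    def handle_starttag(self, tag, attrs):
        if self.skip:
            if tag not in VOID_TAGS:
                self.skip += 1
            return
        if tag not in ALLOWED_TAGS:
            # Covers <script>, <iframe> and <meta http-equiv="refresh"> alike:
            # anything not explicitly allowed is removed with its contents.
            self.dropped.append((tag, "tag not in allowlist"))
            if tag not in VOID_TAGS:
                self.skip = 1
            return
        kept = ""
        for name, value in attrs:
            value = value or ""
            if name.startswith("on"):
                self.dropped.append((f"{tag}@{name}", "event handler"))
                continue
            if name not in ALLOWED_ATTRS:
                self.dropped.append((f"{tag}@{name}", "attribute not in allowlist"))
                continue
            if name in URL_ATTRS:
                # Strip whitespace/control characters before checking the scheme:
                # "jav<TAB>ascript:" still runs in browsers but passes a naive check.
                probe = "".join(c for c in value
                                if c.isprintable() and not c.isspace()).lower()
                if not probe.startswith(SAFE_URL_PREFIXES):
                    self.dropped.append((f"{tag}@{name}", "disallowed URL scheme"))
                    continue
            kept += f' {name}="{escape(value, quote=True)}"'
        self.out.append(f"<{tag}{kept}>")

    def handle_endtag(self, tag):
        if tag in VOID_TAGS:
            return
        if self.skip:
            self.skip -= 1
            return
        if tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:            # text inside <script>/<iframe> is discarded
            self.out.append(escape(data))


def sanitize(fragment: str):
    """Return (clean_html, dropped) for an untrusted HTML fragment."""
    parser = Sanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out), parser.dropped


# Constructed attacker-controlled application page fragment.
SAMPLE = (
    '<p>Check this <a href="http://example.test/video" onclick="postToWall()">video</a></p>'
    '<iframe src="javascript:postToWall()">fallback</iframe>'
    '<meta http-equiv="refresh" content="0;url=javascript:postToWall()">'
    '<a href="jav&#x09;ascript:postToWall()">x</a>'
    '<script>postToWall()</script>'
    '<img src="http://example.test/i.png" alt="ok">'
)

if __name__ == "__main__":
    clean, dropped = sanitize(SAMPLE)
    print(clean)
    for what, why in dropped:
        print("dropped", what, "-", why)
```

The parser unescapes the `&#x09;` in the fourth link before the filter sees it, which is why the scheme check runs on the decoded value and not on the raw attribute text; a filter that pattern-matches the raw source for "javascript:" is exactly the kind that the encoded form walks past.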

Candid Wueest | 09 Feb 2011 | 0 comments

Last week we talked about fast-flux attacks that were created by a Facebook toolkit. That particular scam wave stayed active for more than a week, referencing more than 250 different malicious Facebook applications. There are many of these toolkits being used to spam Facebook, such as Tinie, Arber, fbexpert, and NeoApp.

Toolkits and scripts are exchanged in underground forums, freshly generated accounts are traded, and tips are posted on how to lead users into clicking ads or filling out commissioned surveys. Of course this is not new—automated Facebook “Like” scripts have been around for a while. However, we have observed that the toolkits used are getting more sophisticated and easier to use.

Take a currently popular viral Facebook application toolkit called NeoApp as an example. It is being sold for $50, but can be found for much less in specific places...

Candid Wueest | 02 Feb 2011 | 0 comments

It’s nothing new: a Facebook scam message about an application that appears to come from friends, such as something that can show you who has viewed your profile. However, this scam nags the user to fill out surveys and quietly sends the same message to all his or her friends.

Unfortunately, we see them every day.

Another fake application.

This week, I stumbled across a new level of automation with these scams.

The variations in the bait messages are nothing unusual, a quick message followed by a URL:

  • I've just seen who CREEPS around my pics the most here on Facebook! You can see who stalks you too! http://www.redire[REMOVED]com/stalker
  • I just saw who checks me out the most on Facebook! You can see who stalks you too! http://...

Candid Wueest | 24 Jan 2011 | 0 comments

We have frequently reported on rogue Facebook applications. They appear with such regularity that it hardly makes sense anymore to alert you individually about every enticing message used. New ones are popping up like mushrooms every day...actually even faster than mushrooms.

Here is a selection of some of the scam messages active right now:

  • My total facebook views are: 4367 Find out your total profile views @ http://goo.gl/*****
  • My 1st Status was: 'hmmm... let's see what i can do here'. This was posted on 10/04/2009 Find your 1st Status @ http://bit.ly/*****
  • AMAZING ! I've just seen who STALKS me on Facebook! You can TOO! http://apps.facebook.com/*********
  • Check if a friend has deleted you...