Thoughts on Privacy and Security

Scammers usually have no shame when it comes to pouncing on natural disasters like the Japanese Earthquake, tragic events like the Oslo bombing and celebrity deaths. Troubled pop-star, Amy Winehouse died this morning and it didnt' take very long before scammers leveraged her death to make money off of Facebook users.

SHOCKING - Amy Winehouse's Final Minutes A video has surfaced of Amy Winehouse's final minutes.

There are multiple different campaigns spreading. All of them follow similar lures: videos of her death or videos of her partying the night before her death:

The reason why Amy Winehouse is dead See the video of death Warning: Mature Content!

Amy Winehouse Night Before Death Video Warning : 18+ 

  Leaked Video!! Amy Winehouse On Crack hours before death Amy Winehouse getting high on crack just hours before she died

Video leaked of amy winehouse's death!!! Warning: Graphical Content. Amy Winehouse OVERDOSE VIDEO LEAKED! - RIP AMY 

It's shameless just how low these scammers will go to make money off of the death of another human being. Think back a few months ago, when scammers were using Osama Bin Laden's death as a lure. And what makes this worse is that Facebook users will click on these links because the headlines are so sensational and because most people are inquisitive.

Ultimately, all of these Amy Winehouse Facebook scam links require users to share the page (or "jaa") before they can view the supposed content.

  After coercing the users into sharing the scam page, the content remains blocked until users fill out a survey, which is how scammers monetize all of their scams on Facebook.

  If you see these scams appearing in your news feed, please report them as spam. If you clicked through one of these links, you can also report them as spam from your own page.

Facebook has rolled out a new feature for comments, allowing content to be directly embedded in the comments themselves.

Today we are launching a commenting feature that allows you to embed videos, photos, or web sites in comments just by including a URL. Your comment will include a video player, a thumbnail of a photo, or a brief overview of the web site being linked to. If you prefer your comment without the preview, you can remove the preview with one click.

My first thought upon reading this announcement was that current Facebook scammers will find this new feature extremely useful. A new tool in their arsenal, so to speak. I've already noticed some Facebook scams where compromised accounts post comments on other status updates saying, "Is this video of you?" with a link to a Facebook phishing site. This new feature will likely extend the usage of that scam, along with bringing in new types of comment scams and spam.

While this feature is brand new and has not been tapped just yet by scammers, I have created an example of what Facebook users might expect to see in the coming weeks using a Facebook scam that's currently in circulation:

In the last few days, I've posted about the compromise of the Facebook pages of Walmart Careers and Pfizer. These have been noted as two separate incidents, the latter being attributed to a group called Script Kiddies. Today, an arm of the collective known as Anonymous compromised the Twitter account of former Colombian President, Alvaro Uribe and the Facebook page of current Colombian President, Juan Manuel Santos.

Twitter page of Former President Alvaro Uribe's Twitter: 

Facebook page of President Juan Manuel Santos:  

(image courtesy of 24-7 Reviews)

Yesterday, I blogged about the Walmart Careers page being compromised and subsequently taken down. Today, pharmaceutical giant Pfizer saw its Facebook page compromised and taken down as well.

While no individual or group has taken credit for the Walmart Careers page incident, a group called Script Kiddies let it be known that they were the ones behind the takedown of the Pfizer Facebook page.

Context: This post is a follow-up to my previous post: Twitter Phishing Scam: FIND OUT WHO STALKS YOUR TWITTER! THIS NEW APP ROCKS!

The following is an interview I conducted with Andrey Petrov, the creator of the Twitter application called Tweepsect. According to Petrov, his application was abused by scammers in the “StalkTrak” phishing scam on Twitter. The recent version of the “StalkTrak” application has copied the results page from Tweepsect to give it enough authenticity to fool unsuspecting Twitter users.

Satnam: You mentioned you encountered this scam a few weeks ago. How were you alerted to it?

Andrey:

I received a bunch of @mentions telling me that my app is sending people DMs. This wasn’t true, my app doesn’t do this, but it prompted me to investigate further.

I received an alert on SocialGrapple (another service I created after Tweepsect) that Tweepsect is being mentioned *a lot* more than usual on Twitter.

I received an alert on Google Analytics that I had unusually high amount of incoming traffic. The traffic increase began on the night of June 25th (it was in full throttle on the 26th).

Satnam: You mentioned that you alerted your users after they were proxying through TweepSect. Did you alert Twitter’s Trust and Safety team?

Andrey: Yes. First I made sure that he wasn’t exploiting something in Tweepsect. At first I didn’t know there was a fake OAuth page somewhere redirecting traffic, so I thought there might be an exploit in Tweepsect to spam DMs. As soon as I was sure it wasn’t my fault and I couldn’t do something about it, I contacted @twitter and @twitterapi. https://twitter.com/shazow/status/85382389525774336

While waiting for a response, I noticed that the phishing scam was using Tweepsect as an endpoint exit to increase credibility (instead of showing a static results page like it does now), so I put up a big fat warning telling people that if they came in through StalkTrak that their login information was compromised and they should immediately change their password and revoke access to suspicious applications. The warning was up until yesterday.

I never heard back from Twitter, so later that night I emailed [redacted] personally. He replied to me within 7 minutes saying he forwarded my email to the appropriate team.

Satnam: How long did this last before the scammers got the hint?

Andrey: I noticed the first change in the attack after about 3 days since the beginning, that’s when he put up a static snapshot instead of redirecting to Tweepsect to circumvent my warning (which I put up on day 2 of the attack, as soon as I noticed it).

Satnam: Did you know about the newest version of the scam that’s using a static HTML page instead?

Andrey: Yes, this version has been active since Day 3 of the attack.

Satnam: Do you have any advice to Twitter application developers on how to detect scammers trying to proxy through their applications?

Andrey: Monitor your analytics (I use intelligence alerts for Google Analytics).

Satnam: Any additional thoughts you’d like to add?

Andrey: I wish Twitter would get back to me about their efforts on this. I’m still seeing spikes in traffic based on these attacks and I don’t know if they’re doing anything about it or not.

Here are some things I think Twitter should do:

Block all outgoing links to [redacted phishing url], especially in DMs

Check all accounts who sent DMs with links to that site, force password resets on those accounts (they’re probably compromised)

Revoke access to any suspicious apps that may have been granted in compromised accounts (no idea if this is the case)

Earlier this evening, Walmart's Careers page on Facebook was compromised.

Two suspicious posts appeared on the Walmart Careers page.

The first:

Walmart will no longer be accepting applications from anyone of African-American decent, read more here: http://walmartstores.com/careers

The second:

In regards to our last update, our studies in the past have shown that "African-Americans" tend to steal more often and have a significantly worse work ethic than those of Mexican, and Caucasian ethnicity's. 

In addition to these posts, Walmart's main profile image for their careers page was defaced with an "X" mark over the face of an African-American employee featured in the photograph.

Walmart employees and loyal devotees to the brand became suspicious and reported the activity.

Within a short amount of time, the images disappeared, but the offending posts remained. Not long after the images were taken down, the Walmart careers page was taken down entirely. It is uncertain whether Walmart employees were involved in the takedown or if those behind the compromise removed the page themselves. Facebook Pages and Admins

Over the last few years, big brands and small businesses have adopted social media into their marketing strategy. One of the key features that Facebook pages offer these brands is ability to have multiple administrators for a page. These administrators are granted access through their personal Facebook accounts. Therefore, it is likely that whomever obtained access to the Walmart Careers page did so by compromising an administrator's Facebook account.

Whether to Phish or to FireSheep?

Uncertain as it may be to determine the exact method used to compromise an admin account, there are a few likely suspects (note: this is my own speculation):

Phishing - This method requires a little more work but, if a Walmart employee that was an administrator for this page was phished on their personal account, the scammers would gain access to the Facebook page with relative ease.

FireSheep - This is a free Firefox extension that gives users the ability to hijack unencrypted sessions on public WiFi networks. It is possible that an administrator of this page was browsing Facebook without HTTPS enabled on a public WiFi network, such as a Starbucks. A scammer may have been sitting on the network and discovered this account was tied to the Walmart careers page.

Don't forget to Enable HTTPS

This incident should serve as a reminder to many marketing employees as well as Facebook users in general. If you haven't done so already, enable HTTPS for all of your social networking accounts.

There is an on-going phishing scam targeting Twitter users. This scam follows a similar lure: profile/page stalking.

FIND OUT WHO STALKS YOUR TWITTER! THIS NEW APP ROCKS! http://[redacted] 

The link that's included in the tweet directs the user to what looks like a legitimate Twitter Application.

This page borrows the same template that is used to authorize Twitter applications legitimately. The scammers have made a few changes here, such as inserting a bullet point for "View Who Is Stalking Your Twitter" as well as informing the user that this application will no longer be able to access direct messages after June 30th, 2012. Legitimate Twitter applications recently lost permission to access direct messages on June 30th, 2011, which required users to re-authenticate these apps.

Users who enter their Twitter logins will have their credentials phished and the same tweet posted above will be seen by their followers.

  The scam continues by redirecting users to a fake page to give it some authenticity. The usernames associated are made up and do not represent any type of stalking activity. 

Upon further investigation, I was able to determine that the scammers are using the same user interface elements of a legitimate Twitter application called tweetspect.  

Here is an example of TweepSect analyzing a Twitter profile:

REMEDIATION

If you or someone you know fell for this scam, the most important thing to do is change your Twitter password: http://twitter.com/settings/password

This is a funny comic with a serious message in it that might not have been intended by the author. Notice the Windows user's reaction about there being a new update. This is one of the problems facing consumers and businesses alike. Patching has become a severe problem, especially when it comes to Adobe applications or Java updates. These are some of the most popular applications exploited in the wild today by exploit kits.

What are the most successful exploits? Ones that have already been patched.

I might sound like a broken record when I say that another Facebook scam is spreading across the social network. This one lures users in with a video of a woman that "exposes" herself on live television. It should be noted that this particular video lure has been used in previous likejacking campaigns.

This girl must be Out of her Mind to do this on live Television! [redacted].de  It is really embarassing.! 

This version of the scam leads users to a page with an embedded YouTube video. When a user clicks on the play button, their click is hijacked and their Facebook news feed displays the same post seen above, indicating that they've "liked" this page. This is called "likejacking" and it has been a problem for quite some time.

This wasn't the only version of the scam campaign appearing in Facebook news feeds. Another version of it led users to a similar page, only this time, asking users to "confirm" their age by liking the page before continuing. 

To ensure that this scam continues, the scammers are using Tumblr sites to redirect users to the same Fake YouTube page: 

By redirecting users via Tumblr, the scammers can evade Facebook filters as well as stay off the radar of Facebook's recent Web of Trust integration.

This particular version of the scam mixes things up, randomly serving 14 different Tumblr sites, while another version is using 46 Tumblr sites to redirect users.

As with most Facebook scams, the payoff comes from users that fill out surveys:

If you or a friend has been tricked into "liking" one of these pages, be sure to report the post as spam. You can do so by clicking on the "x" next to the post, then select "Report Post / spam" to report it to Facebook's Security team.

The web has been buzzing over Google's newest entry into the social networking space, Google Plus. Google's social network has seen an increase in demand for invites to the service, similar to the wave of users that were trying to gain access to Google's webmail service, GMail. So it comes as no surprise that Facebook scammers have chosen to take advantage of this demand by duping users into another scam.

Users will see an update like the one above in their news feeds. It shows that nearly 9,000 users have liked this page.

Users are encouraged to click on the "Get Direct Access" link on the wall for this page.

While Likejacking scams have been on the rise recently, Facebook Application scams have been declining for months. However, this instance shows that rogue applications are not quite dead yet.

Note that this application is requesting access to a user's email address. This leads me to believe that the goal here for scammers is to build a list of fresh e-mail accounts that may either be sold or used in future scams.

Before users are given "direct access" to Google+, they are asked to "like" the scam page.

Most Facebook scams need staying power and the best way to achieve that is to reach as many eyeballs as possible. So the best way to achieve this by also encouraging users to invite their friends to install this application.

The next time a friend logs into their Facebook account, they will be greeted with this Facebook notification:

After all of the run around, the application redirects users to the plus.google.com homepage, where they are asked to sign-in. Once they do, they are greeted with the notice that Google Plus has exceeded capacity. So much for getting direct access after all.

REMOVE GOOGLE PLUS - DIRECT ACCESS APP

1. Users should start by removing the rogue application from their Facebook profile. It will appear at the top of your list:

2. Once the application is removed, users should go back to the fake Google+ invite page and select "report page" from the menu below.

3. Users should check their own profile page to be sure there aren't any traces of the fake application left on their walls.

I came across this post in my Facebook news feed earlier tonight. Looks like scammers are trying to build up a large following for these random Facebook pages.

The post says: "First 750,000 Get a Free Smiley Hat To Help Promote Our New Clothing Line." Sound fishy to you? It does to me. Yet, I noticed friends of mine falling for it, anyway.

The instructions for this page tell you that not only do you have to (1) "like" the page, you have to (2) "share" it on your Facebook wall as well as (3) comment on the page with whatever color hat you're looking for.

I found an interesting post on the wall for this page shortly after I "liked" it tonight:

Same script as the last one: First 1,000,000 Get a Free Hat To Help Promote Our New Clothing Line (ANOTHER page)? Is this some viral marketing scheme by some brand? I doubt it. All signs point to just another ruse to get Facebook users to like these pages. And so far, scammers are finding success with it, which might explain why someone decided to play the role of a copycat with this new page.

DO YOUR PART

There has been a resurgence of 'like' or 'likejacking' scams appearing on Facebook over the last month. The latest scam is riding the coat tails of one of the most well known pop stars out there - Justin Bieber.  This isn't the first time Bieber has been used in a Facebook scam campaign. I blogged about a likejacking campaign: "I can't believe a GIRL did this because of Justin Bieber," which made its way through Facebook news feeds earlier this year. 

This scam shows a thumbnail of Justin Bieber in handcuffs:

Justin Bieber Goes To Jail (VIDEO)

WOW this really has to be an awkward moment for justin bieber and all of his loyal fans across the globe.

If a user clicks on the link, they are redirected to a page that looks just like YouTube:

There is no video thumbnail shown on this page. Instead, what looks like a YouTube video is visible to the end user. In the early stages of this scam, once a user clicked on the play button, their click would be hijacked (or "likejacked") and a post in their news feed would appear, indicating that they've "liked" this page.

The photo is legitimate, as Bieber himself tweeted it out. It was taken on the set of CSI, where he made a cameo appearance.

The people behind this scam have been fairly active. Above was this Facebook Page that was associated with this scam. At one point, over 4,000 people were tricked into 'liking' this video. However, the latest version of it is showing less than 100 people have been tricked. It's quite possible that the scammers are rotating these pages out to keep this scam going and prevent Facebook from catching on.

  Now if a user clicks on the video thumbnail, they will be prompted to confirm that they did want to "like" the page. Interesting to note that the confirmation dialog above did not appear when I was testing this page earlier today. 

REMOVE JUSTIN BIEBER GOES TO JAIL "LIKE" FROM MY PAGE

If you or someone you know has fallen for this scam, you can remove and report this post by visiting the affected profile and clicking on the "x" next to the news story. From the drop down menu, select "Report post / spam" - that's all there is to it.

Ever wonder just how much money is being made by cybercriminals pushing Fake Antivirus? Me, too. Now thanks to the FBI and other law enforcement around the world, we have a round number: $72 million dollars.

  Co-ordinated by the FBI, the raids were carried out in the US, UK and six other countries.

The money was made by selling software that claimed to find security risks on PCs and then asked for cash to fix the non-existent problems.

The raids seized 40 computers used to do fake scans and host webpages that tricked people into using the software.

Close to 1 million people (960,000) fell victim to the fake antivirus scams, going so far as to cough up $129 for the phony security product. Scareware typically succeeds by socially engineering the user, or in some cases, pure annoyance by bombarding them with pop-up messages about their systems being infected.

Another interesting piece to this story is the discovery that one of the groups used malvertising (malicious advertising) in order to peddle their fake antivirus through a legitimate news site.

The second gang used booby-trapped adverts to trick victims. 

[...]

According to the FBI, the pair worked their scam by pretending to be an advertising agency that wanted to put ads on the website of the Minneapolis Star Tribune newspaper.

Once the ads started running, the pair are alleged to have changed them to install fake security software on victims' machines that mimicked infection by a virus. On payment of a fee the so-called infection was cured. Those that did not pay found their machine was unusable until they handed over cash.

This ruse is believed to have generated a return of about $2m

SPOTTING FAKE TWITTER ACCOUNTS 

There are a few observations you can make to determine whether you're being followed or engaged by a Twitter spammer:

- They respond to your tweet offering a free product via a link The example I posted about Duke Nukem Forever highlights the prominence of this method. However, it's not the only instance. There are some cases where the spammers won't even include a message to you, they'll merely target certain keywords and respond back with just a link.

- The users' avatar is an attractive female

The majority of the fake twitter accounts I've come across typically have an avatar of an attractive woman (or in this case, women) associated with them. They may or may not be scantily clad (in this case, they are). This shouldn't be the only factor used in determining whether or not you're dealing with a spam account, but it really helps build the case.

- Observe the Following/Followers Ratio In the past, the discrepancy was fairly obvious; a twitter account that's following 1,000 users but is being followed by 10 users was a good indicator of spam activity. This has changed recently, as I've noticed certain spam accounts follow no-one but have a few followers (usually other spam accounts), while others have amassed over 1,000 followers. This is another factor that can be taken into consideration.

- Examine The Account's Timeline

You'll often find your smoking gun while observing an account's timeline. This account for GreatTechDeals is a fitting example of that. Do beware that some spam accounts will inject "fake tweets" (fweets) into their timeline to make themselves seem like legitimate users.

REPORT FAKE/SPAM TWITTER ACCOUNTS

If you spot a spammy Twitter account, you should report it immediately. If you're using Twitter through the browser, you can report users by visiting their Twitter profile and clicking on the person icon. From there, select the menu option to "Report [@username] for spam."

If you use an application like TweetDeck, you can report spam users by hovering over their avatar and clicking the gear icon. From there, navigate through the drop-down menu User and select "Block & report spam" from the menu.

While many of my blog entries have focused on the latest flavor of Facebook scams and spam, the underlying theme has been that social networks have become the preferred nest for a lot of scammers and spammers, which also includes Twitter.

TRENDING TOPICS Facebook scams may piggyback on certain items of interest in the news. However, most of the subjects of these scams vary. From made up stories about celebrities like Justin Bieber, YouTube videos chosen at random and new features ("facebook digits") or feature enhancements (like the "dislike button"), these subjects are designed to entice users to click through. On the other hand, Twitter provides an easy way to know what people are conversing about in real-time through the feature known as Trending Topics: 

Above is a list of trending topics that Twitter users were posting about yesterday. The # sign before certain topics are known as hashtags. These are used to help separate the conversation and make it easy to follow certain topics on Twitter. This is also useful for spammers and scammers:

These spam accounts are utilizing some of the latest trending topics, such as #vacationwishlist and Ryan Dunn along with some older trending topics, like #missusa, #replacewomanwithwolfman and Rory McIlroy.

In order to maximize visibility to a larger subset of the Twitter population, these spam accounts are incorporating multiple trending topics in each tweet. Along with these trending topics, each tweet contains the same link that has been masked behind a tiny.cc short URL:

This link directs users to a fake pharmaceutical site, Ultra-Pharma. Fake Pharmacy spam has been staple in most e-mail spam over the last few years, driven by affiliate programs like Canadian Pharmacy. So, it's no surprise to see this type of spam appearing on social networks like Twitter. TARGETED KEYWORDS

Another way that Twitter spammers and scammers leverage the service is by targeting certain keywords in tweets and replying to those users directly.

I responded to a tweet from fellow security researcher Chris Boyd (@paperghost) and within a few minutes, I was met with not one but two spam replies. Both of these tweets were pushing a link that promised me a free copy of Duke Nukem Forever:

Duke Nukem Forever AND a free game console? That sounds too good to be true, right? Well, that's because it is.

SHOW ME THE MONEY

These spammers are making money through affiliate programs. After users fill in their e-mail address, they are redirected to another site, which requests more personal information. After collecting this information, users are asked more questions until they reach the "final" page. However, In order to receive the gifts as promised, users are asked to complete a minimum of two offers from various services like Netflix and GameFly. After going through all of these hoops, I have yet to hear of any users actually receiving these "free" gifts.

TWITTER'S TRUST AND SAFETY TEAM

I would like to tip my hat to the folks at Twitter's Trust and Safety team. They have been very proactive over the last year, adding in automation to deal with a lot of these spam tweets, particularly the Trending Topic spam. Of the fake twitter profiles I found that were involved in trending topic spam, 9 out of 10 had already been suspended.

However, Targeted Keyword spam remains a problem.