You are currently browsing the monthly archive for December 2010.

We are continuing with our weekly “Top 10” lists of the most dangerous and spamiest Facebook Pages.  If you would like to read how we come up with the lists, check out our initial post here.  Here is how we define each category:

Most Dangerous Category: This category could be a post or comment containing a dangerous link.  These links can lead to malware, phishing, or suspicious/dangerous Facebook applications that gather personal information and use people’s accounts for spam.

Spamiest Category: The spam noted could be Wall spam or comment spam.  All the spam messages included in the tally contain at least one URL and have been posted multiple times across different pages and post comments.

Here are this week’s Top 10 lists.

Most Dangerous

| Rank | Last Week’s Ranking | Facebook Page | Threat Count | Last Week’s Threat Count |
|------|---------------------|---------------|--------------|--------------------------|
| 1 | 1 | Justin Beiber | 2580 | 1808 |
| 2 | 10 | Machinima.com | 470 | 214 |
| 3 | 3 | Texas Hold’em Poker | 401 | 325 |
| 4 | 6 | YoVille | 395 | 258 |
| 5 | 8 | EL SECRETO DE LOS SIMPSONS | 361 | 216 |
| 6 | 54 | South Park | 227 | 56 |
| 7 | 7 | Wikileaks | 224 | 221 |
| 8 | 13 | Lil Wayne | 223 | 157 |
| 9 | (new) | YO NO FUIII !! | 185 | (n/a) |
| 10 | 2 | Farmville | 185 | 539 |

Spamiest

| Rank | Last Week’s Ranking | Facebook Page | Spam Count | Last Week’s Spam Count |
|------|---------------------|---------------|------------|------------------------|
| 1 | 5 | Turkce rap | 2476 | 939 |
| 2 | 24 | Wikileaks | 2347 | 456 |
| 3 | 1 | Texas Hold’em Poker | 1441 | 3582 |
| 4 | 3 | FarmVille Sheep | 1437 | 1201 |
| 5 | 2 | FarmVille Cows | 1425 | 1425 |
| 6 | 13 | FC Barcelona | 1297 | 606 |
| 7 | 19 | 678 | 1280 | 532 |
| 8 | 17 | Michael Jackson | 1050 | 549 |
| 9 | 8 | Arabesk Rap | 1029 | 726 |
| 10 | 23 | KopTuq mu? xDe..! | 935 | 465 |

A few notes about this week’s list:

Looking at the Dangerous rankings, we are seeing the same pages every week; they seem to cycle in and out of the Top 10.  Our undisputed king of the Dangerous Top 10 is still Justin Beiber, now holding the #1 spot for the third week running.  A reminder: these pages appear on the list because of dangerous links in their comments or wall spam.

The Spamiest rankings have seen social games holding steady.  Of special interest are three Turkish pages: Turkce rap, Arabesk Rap, and KopTuq mu? xDe..!.  These pages seem to be connected through the same sponsor and have been targeted with general spam.

A new attack campaign seems to be surfacing on Facebook.  This one relies on the user activating the spam program directly: an app tries to get users to copy a snippet of JavaScript into their browser’s location bar, using bait such as promises of “Themes for your Facebook wall” or “See who has viewed your Facebook profile”.

By the way, any app that claims to be able to do such things is lying.

Here is an example of one such site.

This particular one claims to provide Facebook themes.  A short tutorial video simply tells the user to copy the snippet of code into the browser’s address bar and hit Enter.  Most of the time the browser will protect the user from a website trying to run code like this, but there is nothing the browser can do when the user is the one who runs it.

This code will pop up a little box that looks like this:

Of course it is not really setting up themes; it is actually collecting the user’s email address (to send spam to?).  It also posts itself to the user’s Facebook wall to lure more victims, although this last part doesn’t quite work because of a bug in the JavaScript code.

Bottom line, don’t paste unknown JavaScript into your browser. Ever.

Those of you who want a more technical explanation of what this does, read on.

The code pasted into the browser adds a <script> tag to whatever page is open at the time.  The src attribute points to a site controlled by the bad guys; every app we have seen so far used a different site.  Normally, a script can only read the cookies of the page it is running in, so a script on another site cannot read Facebook’s cookies.  When the user embeds this foreign script tag into an open Facebook page, the script runs as part of that page, and the browser allows it access to the Facebook cookies.

The script that gets pulled in from the bad guy’s site is obfuscated by converting each character of the code to its numeric character code and translating the numbers back into characters right before execution.  The unscrambled code in turn contains the next layer of even further obfuscated code, which it unscrambles by subtracting a fixed amount (23 in this case) from each number before translating it back to a character, yielding the final payload.

There seems to be a bug in the final payload where a faulty regex fails to parse a user id out of the page source.
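For analysts who want to peel back the two layers described above, here is an added example (our own triage helper, not code from the campaign) that reverses the character-code encoding and the fixed-offset shift. It runs on a constructed sample whose payload is a harmless marker string; the offset of 23 and the bracketed-array layout are assumptions drawn from the description.

```javascript
// Stage 1 reversal: each character was stored as its character code (optionally
// shifted by a fixed offset); subtract the offset and map back with fromCharCode.
function decodeCharCodes(codes, offset = 0) {
  return codes.map((n) => String.fromCharCode(n - offset)).join("");
}

// Pull the first bracketed list of integers out of a decoded stage, e.g. "[1, 2, 3]".
// Assumption: the inner layer is carried as such an array literal.
function extractNumbers(text) {
  const m = text.match(/\[\s*(-?\d+(?:\s*,\s*-?\d+)*)\s*\]/);
  return m ? m[1].split(",").map((s) => Number(s.trim())) : [];
}

// Full unwrap: stage-1 codes -> text holding stage-2 codes -> subtract offset -> payload.
function unwrap(stage1Codes, stage2Offset) {
  const stage1 = decodeCharCodes(stage1Codes);
  const stage2Codes = extractNumbers(stage1);
  if (stage2Codes.length === 0) {
    throw new Error("no inner number array found in stage 1 output");
  }
  return { stage1, payload: decodeCharCodes(stage2Codes, stage2Offset) };
}

// Constructed sample only (used to exercise the decoder; not a real payload).
function encodeForSample(text, offset) {
  return [...text].map((c) => c.charCodeAt(0) + offset);
}
const SAMPLE_PAYLOAD = "sample payload (constructed)";
const SAMPLE_STAGE2 = encodeForSample(SAMPLE_PAYLOAD, 23);          // shifted by 23
const SAMPLE_STAGE1 = encodeForSample("var s = [" + SAMPLE_STAGE2.join(",") + "];", 0);

// Usage: unwrap(SAMPLE_STAGE1, 23).payload === "sample payload (constructed)"
```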

We are continuing with our weekly “Top 10” lists of the most dangerous and spamiest Facebook Pages.  If you would like to read how we come up with the lists, check out our initial post here.  Here is how we define each category:

Most Dangerous Category: This category could be a post or comment containing a dangerous link.  These links can lead to malware, phishing, or suspicious/dangerous Facebook applications that gather personal information and use people’s accounts for spam.

Spamiest Category: The spam noted could be Wall spam or comment spam.  All the spam messages included in the tally contain at least one URL and have been posted multiple times across different pages and post comments.

Here are this week’s Top 10 lists.

Most Dangerous

| Rank | Last Week’s Ranking | Facebook Page | Threat Count | Last Week’s Threat Count |
|------|---------------------|---------------|--------------|--------------------------|
| 1 | 1 | Justin Beiber | 1808 | 1437 |
| 2 | 5 | Farmville | 539 | 345 |
| 3 | 7 | Texas Hold’em Poker | 325 | 324 |
| 4 | 22 | FarmVille Cows | 319 | 181 |
| 5 | 28 | FarmVille Sheep | 308 | 165 |
| 6 | 19 | YoVille | 258 | 185 |
| 7 | (new) | Wikileaks | 221 | (n/a) |
| 8 | 26 | EL SECRETO DE LOS SIMPSONS | 216 | 171 |
| 9 | 2 | Harry Potter | 215 | 379 |
| 10 | 856 | Machinima.com | 214 | 10 |


Spamiest

| Rank | Last Week’s Ranking | Facebook Page | Spam Count | Last Week’s Spam Count |
|------|---------------------|---------------|------------|------------------------|
| 1 | 2 | Texas Hold’em Poker | 3582 | 2116 |
| 2 | 5 | FarmVille Cows | 1425 | 1325 |
| 3 | 6 | FarmVille Sheep | 1201 | 1188 |
| 4 | 8 | Justin Beiber | 1156 | 1133 |
| 5 | 14 | Turkce rap | 939 | 658 |
| 6 | 25 | Komik Ve liginc Videolar | 907 | 468 |
| 7 | 27 | Pet Society | 760 | 435 |
| 8 | 15 | Arabesk Rap | 726 | 641 |
| 9 | 37 | FarmVille | 712 | 351 |
| 10 | 26 | Miley Cyrus | 679 | 454 |


A few notes about this week’s list:

Justin Beiber and the social games continue to hold the top spots on the “Dangerous” list, and we expect this trend to continue.  On the Spamiest ranking, social games hold most of the spots, and we don’t expect any real change in the coming weeks.  As ever, be vigilant about links posted on Facebook pages: check where a link actually leads before clicking it.

Koobface is one of the better known botnets that leverages Facebook as a propagation medium (a way to spread itself).  The recent New York Times article and a report by Nart Villeneuve from Information Warfare Monitor provide an in-depth view of Koobface’s operating components and monetization strategy.  What stands out is the contrast between the novelty of using a social network for propagation and the use of well-established malware monetization schemes, such as affiliate networks for pay-per-click (PPC) fraud or the sale of fake security products.  Both of those schemes have been around for years.  The new trend seems to be using the old methods, but pushing them through social networks, specifically Facebook.

To propagate, Koobface uses a large number of fake accounts to distribute its messages.  These fake accounts act as a screen hiding the real sources.  Some of the Facebook accounts targeted have a large number of friends.  Looking at the statistics, here is the detailed breakdown:

  • 21,790 Facebook accounts attacked with a total of 935,000 friends
  • 350,854 total Blogger accounts
  • 522,633 total Google accounts
  • 4,842 total Google Reader accounts

In addition to distributing content, the fake accounts are used to create intermediate pages where the actual attack is embedded, such as a blog post with a fake video.  Two parts of this are interesting:

  1. A fake account can be viewed as as much of a threat as a malicious URL.  Security companies in general don’t focus on “fake” accounts as threats.  As users we tend to trust people.  Once you’ve made a friend, they have the ability to keep sending you messages until you unfriend them.  When we get a message with malicious content, we tend to think that it’s not the friend’s fault – they’ve been duped.  In addition, a friend of a friend always seems safer than a stranger somehow.  So once connected, the accounts seem to be able to propagate undetected, as evidenced by the large number of friends.
  2. By posting content through blogs, the links don’t look malicious to the user until you reach the attack itself.

We are probably at the early stage of development of social media malware.  Other attackers are focusing on monetization through social gaming and other means.  The threat ecosystem will evolve and become more sophisticated over time.