
Koobface is one of the better known botnets that leverages Facebook as a propagation medium (a way to spread).  The recent New York Times article and a report by Nart Villeneuve from Information Warfare Monitor provide an in-depth view on Koobface’s operating components and monetization strategy.  What stands out is the contrast between the novelty of using the social network for propagation and the use of well-established malware monetization schemes, like the affiliate networks for pay-per-click (PPC) fraud or the sale of fake security products.  Both of those schemes have been around for years.  The new trend seems to be using the old methods, but pushing them through social networks, specifically Facebook.

To propagate, Koobface uses a large number of fake accounts to distribute its messages.  These fake accounts act as a screen hiding the real sources.  Some of the Facebook accounts targeted have a large number of friends.  Looking at the statistics, here is the detailed breakdown:

  • 21,790 Facebook accounts attacked with a total of 935,000 friends
  • 350,854 total Blogger accounts
  • 522,633 total Google accounts
  • 4,842 total Google Reader accounts

In addition to distributing content, the fake accounts are used to create intermediate pages where the actual attack is embedded, such as a blog post with a fake video.  Two parts of this are interesting:

  1. A fake account can be just as much of a threat as a malicious URL.  Security companies in general don’t focus on “fake” accounts as threats.  As users we tend to trust people.  Once you’ve made a friend, they have the ability to continue to send you messages until you unfriend them.  When we get a message with malicious content, we tend to think that it’s not the friend’s fault – they’ve been duped.  In addition, a friend of a friend always seems safer than a stranger somehow.  So once connected, the accounts seem to be able to propagate undetected, as evidenced by the large number of friends.
  2. By posting content through blogs, the links don’t look malicious to the user until you get to the attack itself.

We are probably at the early stage of development of social media malware.  Other attackers are focusing on monetization through social gaming and other means.  The threat ecosystem will evolve and become more sophisticated over time.


Last week, we published the first of our weekly “Top 10” lists on the most dangerous and spamiest Facebook Pages.  If you would like to see last week’s lists and understand how we come up with the lists, check out our initial post here.

Here are this week’s Top 10 lists…

Most Dangerous

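| Rank | Last Week’s Ranking | Facebook Page | Threat Count | Last Week’s Threat Count |
|------|---------------------|---------------|--------------|--------------------------|
| 1 | 1 | Justin Bieber | 1236 | 670 |
| 2 | 34 | Twilight | 701 | 43 |
| 3 | 2 | Texas Hold’em Poker | 503 | 239 |
| 4 | 23 | Dirty Dancing | 483 | 55 |
| 5 | 101 | Harry Potter | 465 | 25 |
| 6 | 117 | Usher | 437 | 22 |
| 7 | | Mama Mary | 418 | |
| 8 | 22 | Michael Jackson | 407 | 55 |
| 9 | 48 | Lil Wayne | 405 | 38 |
| 10 | 37 | YouTube | 402 | 42 |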


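Spamiest

| Rank | Last Week’s Ranking | Facebook Page | Spam Count | Last Week’s Spam Count |
|------|---------------------|---------------|------------|------------------------|
| 1 | | Lil Wayne | 2150 | |
| 2 | | Texas Hold’em Poker | 2047 | |
| 3 | 3 | FrontierVille | 1926 | 1155 |
| 4 | | Drake | 1706 | |
| 5 | 1 | FarmVille | 1622 | 1489 |
| 6 | 42 | Underground & Gangsta Rap | 1598 | 167 |
| 7 | | Justin Bieber | 1512 | |
| 8 | 2 | Wiz Khalifa | 1402 | 1477 |
| 9 | 63 | Mafia Wars | 1329 | 120 |
| 10 | 63 | Fikra ve Espiri Dünyasi | 1243 | 120 |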

A few notes about this week’s lists:

Last week our “Top 10” included many social games.  This week we are seeing more celebrity pages included.  Perhaps this is tied to current events.  For example, Lil Wayne was just released from jail and has had a resurgence in news exposure this past week.  It will be interesting to continue tracking this trend in the coming weeks.

A lot of the activity related to the “most dangerous” list was due to a malicious application outbreak on November 17.  The app enticed the user with “See the shocking video of the 1-year-old girl who CARRIES TWIN SISTER inside belly.”  To see the video, the user had to authorize the application.  Once authorized, the app proceeded to spam the user and possibly the user’s fan pages to propagate, or spread.

A point of interest is the inclusion of Mama Mary, a Facebook page dedicated to Mary, the Mother of Jesus.  We don’t usually see religious-centered pages enter into the Top 10.  This one seems to be an instance of collateral damage.  The same malware application that was spammed to most of the rest of the Top 10 ended up covering this page as well.

SafeToBe.Me was created to help monitor and inform consumers of privacy and security issues in Facebook.  The application looks for spam, malware, phishing scams, automatic file downloads, and strong language.  SafeToBe.Me scans Facebook Pages, status updates, comments to statuses, and application posts, and notifies users of any potential spam or danger.  To better inform consumers, today we are releasing our first weekly “Top 10” list of the Facebook Pages containing the most dangerous content and the most spam.

Overall we monitor the Top 5000 popular Facebook Pages and any pages “liked” by our users.  We scan those pages for instances of spam or potentially dangerous links.  Even if a page falls out of the Top 5000 Facebook Pages, we keep it in our monitoring rotation.  Threats are typically found in posts by users on the Wall of a page or in comments made to a status update posted on a page.  We’ve broken down the categories into “Most Dangerous” and “Spamiest”.  Below are descriptions of these categories.

Most Dangerous Category: This category could be a post or comment containing a dangerous link. These links can lead to malware, phishing, or suspicious/dangerous Facebook applications that gather personal information and use people’s accounts for spam.

Spamiest Category: The spam noted could be Wall spam or comment spam. All the spam messages included in the tally contain at least one URL and have been posted multiple times across different pages and post comments.
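The Spamiest criterion above (a message counts only if it contains at least one URL and recurs across different pages) can be sketched as follows. This is an added example, not SafeToBe.Me's own code; the normalisation rules, the `min_pages` threshold, the function names and the sample posts are all assumptions made for illustration.

```python
import re
from collections import Counter, defaultdict

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def fingerprint(text):
    """Reduce a message to (normalised body, URLs) so near-identical copies match.
    Returns None when the message has no URL (first criterion not met)."""
    # Lower-casing the whole URL is a simplification chosen for this sketch.
    urls = sorted(u.rstrip(".,!?)").lower() for u in URL_RE.findall(text))
    if not urls:
        return None
    body = URL_RE.sub(" ", text).lower()
    body = re.sub(r"[^a-z0-9]+", " ", body).strip()  # drop punctuation and case
    return (body, tuple(urls))

def spam_tally(posts, min_pages=2):
    """posts: iterable of (page, text) pairs covering Wall posts and comments.
    Returns a Counter mapping page -> number of spam messages found on it."""
    pages_seen = defaultdict(set)   # fingerprint -> pages it appeared on
    keyed = []
    for page, text in posts:
        fp = fingerprint(text)
        if fp is None:
            continue
        pages_seen[fp].add(page)
        keyed.append((page, fp))
    tally = Counter()
    for page, fp in keyed:
        # Second criterion: the same message was posted on several pages.
        if len(pages_seen[fp]) >= min_pages:
            tally[page] += 1
    return tally

# Constructed sample data, not real Facebook posts.
SAMPLE_POSTS = [
    ("Page A", "FREE coins!!! http://example.test/coins"),
    ("Page B", "Free coins! http://example.test/coins"),
    ("Page A", "free coins http://EXAMPLE.test/coins."),
    ("Page A", "My farm guide: http://example.test/guide"),  # URL, one page only
    ("Page C", "Great match last night"),                     # repeated, no URL
    ("Page B", "Great match last night"),
]

if __name__ == "__main__":
    for page, count in spam_tally(SAMPLE_POSTS).most_common():
        print(page, count)
```

Exact-match fingerprints like this miss copies that rotate URLs or shorteners, so a production tally would also need to group messages by resolved destination.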

Thus we present this week’s Top 10 lists.

Most Dangerous
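| Rank | Facebook Page | Threat Count |
|------|---------------|--------------|
| 1 | Justin Bieber | 670 |
| 2 | Texas Hold’em Poker | 239 |
| 3 | Social City | 228 |
| 4 | YoVille | 210 |
| 5 | FarmVille | 187 |
| 6 | FarmVille Cows | 157 |
| 7 | Cafe World | 136 |
| 8 | Restaurant City | 112 |
| 9 | FarmVille Sheep | 100 |

Spamiest

| Rank | Facebook Page | Spam Count |
|------|---------------|------------|
| 1 | FarmVille | 1489 |
| 2 | Wiz Khalifa | 1477 |
| 3 | FrontierVille | 1155 |
| 4 | Michael Jackson | 900 |
| 5 | FarmVille Cows | 616 |
| 6 | KopTuq mu xDe..! | 596 |
| 7 | FarmVille Sheep | 533 |
| 8 | FC Barcelona | 530 |
| 9 | Amr Khaled | 526 |
| 10 | T.I. | 479 |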

Notice that many of the Facebook Pages in our rankings are social games.  We know that social games are very popular on Facebook so it is not a surprise that malware and spam pushers are focusing on this category.

Even though this is our second post (we anxiously got our first post out when we found a phishing scam on Facebook), we would like to welcome you to the SafeToBe.Me blog.  We will be using this blog to give updates on the SafeToBe.Me service, to communicate security threats as we find them, and to communicate our perspectives on staying safe in the social world.  To get things started, we thought it would be useful if we provided some background on why we started SafeToBe.Me…

The Social Web, which includes services like Facebook and Twitter, has changed the way people interact.  It has also changed the way cyber crooks work.  Historically, cyber crooks went after computers and networks.  So security tools were traditionally geared towards protecting those resources.  Your router/firewall is protecting your home network and your anti-virus software is protecting your computer from being infected.  Now, cyber crooks are focusing directly on You.  They are not going after you physically; they are going after you where you spend your time online, which for many of us today is in social networks like Facebook.

Social networks are great.  They let us keep in touch with friends, even when they are not physically close to us.  We can easily see what our friends are doing and we can share our thoughts with them.  Social networks, like Twitter, also let us find people with similar interests, as well as explore new interests.  They are also great communication networks because when we share something interesting, our friends can share it with their friends and so on. Social networks also give us a feeling of security because we are familiar with most people we are communicating with and when we are talking to strangers, we are out of their direct physical reach.  And, a nice aspect of using social networks today is that we don’t have to be at our own computer to participate.  We can use smart phones and devices like the iPad.  All of these factors that make social networks great, however, are also the same reasons why social networks are an ideal attack ground for a new generation of cyber attacks.  These attacks are everything from simple SPAM and scams, to various forms of social abuse, to more complex identity theft type attacks that try to gain access to your account.

We started SafeToBe.Me to fight off this new social form of cyber attacks.  So that you can enjoy participating in the Social Web.  So that you can be you, safely.