
A popular and heavily pushed scam this week focuses on recruiting people to propagate the spam themselves. The tactic is the scammers' way around the normal spam blockers: what better way to spread spam than to have human subjects post it?

The bait is usually some free in-game cash or some other unfair advantage in popular Facebook games.  We have seen many examples of these promises across the social games.

Here is one promising “Free Farmville Cash”:

The way the scam works is they promise to deliver something that they obviously cannot. In exchange, they claim, all you need to do is: 1. like their page, 2. share it, and 3. spam some message (almost always with a link back to the site) to some arbitrary amount of pages.

Like this:

Of course the end result of all this is you don’t get what was promised, and the spammer now has you broadcasting his garbage everywhere.

Here are some more examples:

This one targets Minecraft:

Keep in mind that there are a great deal more of these out there using all sorts of bait. The base scam is the same though, trying to get regular Facebook users to do the spamming for them.


A new attack campaign seems to be surfacing on Facebook.  This one focuses on the user directly activating a spam program.  An app will try to get users to copy a snippet of JavaScript into their browser’s location bar.  The app uses bait tactics, such as promises of “Themes for your Facebook wall” or “See who has viewed your Facebook profile”.

By the way, any app that claims to be able to do such things is lying.

Here is an example of one such site.

This particular one claims to provide Facebook themes. There is a short tutorial video that simply tells the user to copy that snippet of code to the browser address bar and hit enter. While most of the time the browser will protect the user from a website trying to run code like this, there is nothing a browser can do if the user is the one who runs the code.

This code will pop up a little box that looks like this:

Of course it is not really setting up themes, it is actually getting the user’s email address (to send spam to?).  It also posts itself to the user’s Facebook wall to lure more victims.  This last part doesn’t exactly work due to a bug in the JavaScript code.

Bottom line, don’t paste unknown JavaScript into your browser. Ever.

Those of you who want a more technical explanation of what this does, read on.

The code pasted into the browser adds a <script> tag to whatever page is open at the time. The src attribute points to a site controlled by the bad guys. Every app we have seen so far had a different site. Normally, a browser will only let a script read a cookie if it runs on the same site that wrote the cookie. A script pulled in through a <script> tag, however, runs with the origin of the page that includes it, not the origin it was downloaded from. So when the user embeds this foreign script tag into Facebook, the browser treats the script as Facebook's own and allows it access to the Facebook cookies.

The script that gets pulled in from the bad guy's site is obfuscated by turning each letter in the code into a number and then translating the numbers back into letters right before execution. The unscrambled code in turn grabs the next line of even further obfuscated code and unscrambles that by subtracting some fixed amount (23 in this case) from each number before translating it back into a letter to get the final payload.

There seems to be a bug in the final payload where a faulty regex fails to parse a user id out of the page source.
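To see how an analyst would read such a payload without ever running it, here is an added example (not code from the post or from any of these apps) that statically undoes the two layers described above. The script text, the `OFFSET` of 23, and the harmless stand-in payload are constructed for this example; nothing is passed to `eval`.

```javascript
// Added example: static two-stage decoder for charCode-style obfuscation.
// It only turns numbers back into text so the payload can be read, never run.
const OFFSET = 23; // per-number shift the post reports for the second layer

// Longest run of comma-separated integers in a piece of script text.
function extractNumbers(script) {
  const runs = script.match(/\d+(?:\s*,\s*\d+)+/g) || [];
  if (runs.length === 0) return [];
  const longest = runs.reduce((a, b) => (b.length > a.length ? b : a));
  return longest.split(',').map((n) => parseInt(n.trim(), 10));
}

// Layer 1: every number is a plain character code.
function decodeStage1(script) {
  return String.fromCharCode(...extractNumbers(script));
}

// Layer 2: each number was shifted up by `offset` before being emitted.
function decodeStage2(script, offset = OFFSET) {
  return String.fromCharCode(...extractNumbers(script).map((n) => n - offset));
}

// Full chain: fetched script -> second-layer loader -> final payload text.
function deobfuscate(script, offset = OFFSET) {
  const stage2 = decodeStage1(script);
  return { stage2, payload: decodeStage2(stage2, offset) };
}

// Constructed fixture standing in for the fetched script (assumption: the
// real one is only described in the post). The payload is a harmless assignment.
function buildFixture(payload, offset = OFFSET) {
  const codes = (s) => Array.from(s, (c) => c.charCodeAt(0));
  const stage2 = 'var p=[' + codes(payload).map((n) => n + offset).join(',') + '];';
  return 'eval(String.fromCharCode(' + codes(stage2).join(',') + '))';
}

const SAMPLE = buildFixture('var id = 42;');
console.log(deobfuscate(SAMPLE).payload); // var id = 42;
```

Running the decoder on a captured script and inspecting `payload` is what lets you spot things like the faulty user-id regex mentioned above without giving the code a chance to execute.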

In keeping with our policy of vigilance, we have recently found another attack targeting Justin Bieber's Facebook page. If you recall from last week's Top 10 list, Justin Bieber's Facebook page achieved the top spot in the Dangerous category and the seventh spot in the Spamiest category. To better acquaint you with the threat, we've broken down what happens.

Here we see some “Breaking News”:

Apparently, Justin Bieber has been caught red-handed! Quick, click "subscribe."

Uh, that’s not what we were expecting, but never mind that right now. Onwards!

There we go! Now we can watch our video.

Wait a minute! Does that say YouTube? We could have seen this (shaky) video by simply going directly to YouTube. What was all that messing around with permissions?

And just look at what this app has done to our wall.

Spam. In our name. Bad app, no treat.

The moral of this story is, never allow an app more permission than it should logically need. All this app claimed it was going to do was show us a video, so why would it need permission to post to our wall, access our data anytime, or manage our pages?

If you or someone you know has fallen victim to this app or one of the many others like it, you should revoke the app’s permissions. To do this, go to “Account>Privacy Settings”. Under “Applications and Websites,” click “Edit your settings.” Then click “Remove unwanted or spammy applications.” Finally, click the little “x” by the app you want to remove and confirm your desire to remove it by clicking the blue “Remove” button in the box that pops up.

And if you really must see that video of Justin Bieber kissing some girl…

http://www.youtube.com/watch?v=qyRA2xyK1e8

Knock yourself out.

We have found another phishing scam targeting Texas HoldEm Poker players. This one is more sophisticated than the previous one in that it uses a slightly modified real Zynga email and webpage.

Starting on the bait app’s page, we see this:

This looks almost exactly like the real Zynga welcome email you receive when you join the game. In fact, the links in the fine print at the bottom are real links to Zynga.

The green Claim Chips box and the “click here to claim up to 10 million chips!” link both lead to http://zyngateam-specialbonus.t35.com/zyngateam/specialbonus/freechip/online/zynga-poker/register2.php .

It looks like this:

Oh wow! 10 million dollars! Never mind that the second sentence makes no sense at all.

The other link leads to http://zyngateam-specialbonus.t35.com/zyngateam/specialbonus/freechip/online/zynga-poker5m/register2.php where you only “win” $5 million.

Too bad.

Aside from the toxic input fields in the center, everything else on these pages is a direct copy of a legitimate Zynga page.

Anything you enter in the two boxes in the middle is sent to the scammers when you click Submit and the browser is then redirected to this real Zynga page.

This page contains a warning from Zynga that you should not get chips from any third-party source.

These scammers sure have an interesting sense of humor.

At around 1:28 am on October 26, our crawlers first detected a new phishing scheme targeting Texas HoldEm Poker players.  The scammers registered an app with the URL http://apps.facebook.com/texas_hold_poker (note that the real URL for Texas HoldEm is http://www.facebook.com/TexasHoldEmPoker or http://www.facebook.com/TexasHoldEm).  When users click on what they think is a link to TexasHoldEm, they are confronted with this page:

Both of those buttons link to http://vgjyikui.001webs.com/banned/zyngawarning.php, where this is displayed:

Interestingly, that customer support link seems to actually go to the real Zynga contact page at http://www.zynga.com/about/contact.php. Of course, anything entered into those two boxes is delivered directly to the scammers. Clicking Submit points the browser back to the real Texas HoldEm Poker page, while clicking Cancel redirects to http://warmingaccount.do.am/zyngapoker/zyngawarning.html, which presumably was another scare page to get users to give up their credentials but now looks like this: