You are currently browsing the category archive for the ‘Phishing’ category.

A new attack campaign seems to be surfacing on Facebook.  This one focuses on the user directly activating a spam program.  An app will try to get users to copy a snippet of JavaScript into their browser’s location bar.  The app uses bait tactics, such as promises of “Themes for your Facebook wall” or “See who has viewed your Facebook profile”.

By the way, any app that claims to able to do such things is lying.

Here is an example of one such site.

This particular one claims to provide Facebook themes. There is a short tutorial video that simply tells the user to copy that snippet of code to the browser address bar and hit enter. While most of the time the browser will protect the user from a website trying to run code like this, there is nothing a browser can do if the user is the one who runs the code.

This code will pop up a little box that looks like this:

Of course it is not really setting up themes, it is actually getting the user’s email address (to send spam to?).  It also posts itself to the user’s Facebook wall to lure more victims.  This last part doesn’t exactly work due to a bug in the JavaScript code.

Bottom line, don’t paste unknown JavaScript into your browser. Ever.

Those of you who want a more technical explanation of what this does, read on.

The code pasted into the browser adds a <script> tag to whatever page is open at the time. The src attribute points to a site controlled by the bad guys. Every app we have seen so far had a different site. Normally, a browser will only let a script read a cookie if it comes from the same site that wrote the cookie. When the user embeds this foreign script tag into Facebook, the browser sees the script as coming from Facebook, and allows it access to the Facebook cookies.

The script that gets pulled in from the bad guy’s site is obfuscated by turning each letter in the code to a number and then translating them back into letters right before execution. The unscrambled code in turn grabs the next line of even further obfuscated code and unscrambles that by subtracting some amount (23 in this case) from each number before translating it back to a letter to get the final payload.

There seems to be a bug in the final payload where a faulty regex fails to parse a user id out of the page source.

Advertisements

Here is another phishing scam. This one is aimed at getting your Facebook username and password.

This is what you see when you visit http://apps.facebook.com/celebrities_sexparty/

The app promises to provide “live sex” after logging in through the application box. Note that I am already logged in to Facebook (top right of the page). See the dilemma?

Taking a closer look, the login box is a rather good replica of the real Facebook login form. However, the junk surrounding it is a dead giveaway. After entering something into the boxes, it tells you that the Email/Password combo is wrong (even if it was correct) and asks for your information again.

For many, the logical response is to click and reset their password. By doing that, the “reset your password here” link leads to http://www.portalsat.net/reset.php, but whatever was there seems to have been removed and we are given a 404 error page.

Clicking the login button on this second page will initiate a download of a 33MB .zip file that actually turns out to be in .rar format (go figure). It contains 9 porn clips in .3gp format. These porn clips are not what was requested, but are now on the computer. Like all porn pop-ups, these will inevitably keep popping up at the most inopportune times.

Interesting side note: These guys might have actually left pictures of themselves on their site, too. http://www.portalsat.net

We have found another phishing scam targeting Texas HoldEm Poker players. This one is more sophisticated than the previous one in that it uses a slightly modified real Zynga email and webpage.

Starting on the bait app’s page, we see this:

This looks almost exactly like the real Zynga welcome email you receive when you join the game. In fact, the links in the fine print at the bottom are real links to Zynga.

The green Claim Chips box and the “click here to claim up to 10 million chips!” link both lead to http://zyngateam-specialbonus.t35.com/zyngateam/specialbonus/freechip/online/zynga-poker/register2.php .

It looks like this:

Oh wow! 10 million dollars! Never mind that the second sentence makes no sense at all.

The other link leads to http://zyngateam-specialbonus.t35.com/zyngateam/specialbonus/freechip/online/zynga-poker5m/register2.php where you only “win” $5 million.

Too bad.

Aside from the toxic input fields in the center, everything else on these pages is a direct copy of a legitimate Zynga page.

Anything you enter in the two boxes in the middle is sent to the scammers when you click Submit and the browser is then redirected to this real Zynga page.

This page contains a warning from Zynga that you should not get chips from any third-party source.

These scammers sure have an interesting sense of humor.

At around 1:28 am on October 26, our crawlers first detected a new phishing scheme targeting Texas HoldEm Poker players.  The scammers registered an app with the URL http://apps.facebook.com/texas_hold_poker (note that the real URL for Texas HoldEm is http://www.facebook.com/TexasHoldEmPoker or http://www.facebook.com/TexasHoldEm).  When users click on what they think is a link to TexasHoldEm, they are confronted with this page:

Both of those buttons link to http://vgjyikui.001webs.com/banned/zyngawarning.php, where this is displayed:

Interestingly, that customer support link seems to actually go to the real Zynga contact page at http://www.zynga.com/about/contact.php.  Of course, anything entered into those two boxes is delivered directly to the scammers.   Clicking Submit points the browser back the the real Texas HoldEm Poker page, while clicking Cancel redirects to http://warmingaccount.do.am/zyngapoker/zyngawarning.html that presumably was another scare page to get users to give up their credentials but now looks like this: