SafeToBe.Me was created to help monitor and inform consumers of privacy and security issues in Facebook.  The application looks for spam, malware, phishing scams, automatic file downloads, and strong language.  SafeToBe.Me scans Facebook Pages, status updates, comments to statuses, and application posts, and notifies users of any potential spam or danger.  To better inform consumers, today we are releasing our first weekly “Top 10” list of the Facebook Pages containing the most dangerous content and the most spam.

Overall we monitor the Top 5000 popular Facebook Pages and any pages “liked” by our users.  We scan those pages for instances of spam or potentially dangerous links.  Even if a page falls out of the Top 5000 Facebook Pages, we keep it in our monitoring rotation.  Threats are typically found in posts by users on the Wall of a page or in comments made to a status update posted on a page.  We’ve broken down the categories into “Most Dangerous” and “Spamiest”.  Below are descriptions of these categories.

Most Dangerous Category: This category could be a post or comment containing a dangerous link. These links can lead to malware, phishing, or suspicious/dangerous Facebook applications that gather personal information and use people’s accounts for spam.

Spamiest Category: The spam noted could be Wall spam or comment spam. All the spam messages included in the tally contain at least one URL and have been posted multiple times across different pages and post comments.

Thus we present this week’s Top 10 lists.

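Most Dangerous

| Rank | Facebook Page | Threat Count |
|------|---------------|--------------|
| 1 | Justin Bieber | 670 |
| 2 | Texas Hold’em Poker | 239 |
| 3 | Social City | 228 |
| 4 | YoVille | 210 |
| 5 | FarmVille | 187 |
| 6 | FarmVille Cows | 157 |
| 7 | Cafe World | 136 |
| 8 | Restaurant City | 112 |
| 9 | FarmVille Sheep | 100 |
| 10 | SOY ARGENTINO | 96 |

Spamiest

| Rank | Facebook Page | Spam Count |
|------|---------------|------------|
| 1 | FarmVille | 1489 |
| 2 | Wiz Khalifa | 1477 |
| 3 | FrontierVille | 1155 |
| 4 | Michael Jackson | 900 |
| 5 | FarmVille Cows | 616 |
| 6 | KopTuq mu xDe..! | 596 |
| 7 | FarmVille Sheep | 533 |
| 8 | FC Barcelona | 530 |
| 9 | Amr Khaled | 526 |
| 10 | T.I. | 479 |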

Notice that many of the Facebook Pages in our rankings are social games.  We know that social games are very popular on Facebook so it is not a surprise that malware and spam pushers are focusing on this category.
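The tally rule given for the Spamiest category (a message counts when it contains at least one URL and has been posted across different pages) can be sketched as follows. This is an added example, not SafeToBe.Me's own code; the two-page threshold, the normalization step, and the sample posts are assumptions.

```python
import re
from collections import defaultdict

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)

def normalize(text):
    """Fold case and whitespace so trivially varied copies compare equal."""
    return " ".join(text.lower().split())

def spam_counts(posts, min_pages=2):
    """posts: (page, kind, text) tuples, kind being 'wall' or 'comment'.
    A message is tallied when it contains a URL and its normalized text
    shows up on at least min_pages different pages (threshold assumed)."""
    pages_by_msg = defaultdict(set)
    for page, _kind, text in posts:
        if URL_RE.search(text):
            pages_by_msg[normalize(text)].add(page)
    repeated = {m for m, pages in pages_by_msg.items() if len(pages) >= min_pages}
    counts = defaultdict(int)
    for page, _kind, text in posts:
        if normalize(text) in repeated:
            counts[page] += 1
    return dict(counts)

def top_pages(counts, n=10):
    """Rank pages by spam count, highest first; ties broken by page name."""
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:n]

# Constructed sample posts; page names and URLs are placeholders.
SAMPLE_POSTS = [
    ("Page A", "wall", "Free chips here http://spam.example/chips"),
    ("Page A", "comment", "FREE chips  here http://spam.example/chips"),
    ("Page B", "comment", "free chips here http://spam.example/chips"),
    ("Page B", "wall", "Great game, love it!"),
    ("Page C", "wall", "My photos: http://blog.example/album"),  # URL, seen once
    ("Page C", "wall", "love this page"),                        # repeated, no URL
    ("Page A", "wall", "love this page"),
]
```

Exact-text matching after normalization misses copies that vary the wording or the link, so a production tally would also need to group messages by the URL they carry.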


Here is another phishing scam. This one is aimed at getting your Facebook username and password.

This is what you see when you visit http://apps.facebook.com/celebrities_sexparty/

The app promises to provide “live sex” after logging in through the application box. Note that I am already logged in to Facebook (top right of the page). See the dilemma?

Taking a closer look, the login box is a rather good replica of the real Facebook login form. However, the junk surrounding it is a dead giveaway. After entering something into the boxes, it tells you that the Email/Password combo is wrong (even if it was correct) and asks for your information again.

For many, the logical response is to click and reset their password. The “reset your password here” link leads to http://www.portalsat.net/reset.php, but whatever was there seems to have been removed and we are given a 404 error page.

Clicking the login button on this second page will initiate a download of a 33MB .zip file that actually turns out to be in .rar format (go figure). It contains 9 porn clips in .3gp format. These porn clips are not what was requested, but are now on the computer. Like all porn pop-ups, these will inevitably keep popping up at the most inopportune times.

Interesting side note: These guys might have actually left pictures of themselves on their site, too. http://www.portalsat.net

We have found another phishing scam targeting Texas HoldEm Poker players. This one is more sophisticated than the previous one in that it uses a slightly modified real Zynga email and webpage.

Starting on the bait app’s page, we see this:

This looks almost exactly like the real Zynga welcome email you receive when you join the game. In fact, the links in the fine print at the bottom are real links to Zynga.

The green Claim Chips box and the “click here to claim up to 10 million chips!” link both lead to http://zyngateam-specialbonus.t35.com/zyngateam/specialbonus/freechip/online/zynga-poker/register2.php .

It looks like this:

Oh wow! 10 million dollars! Never mind that the second sentence makes no sense at all.

The other link leads to http://zyngateam-specialbonus.t35.com/zyngateam/specialbonus/freechip/online/zynga-poker5m/register2.php where you only “win” $5 million.

Too bad.

Aside from the toxic input fields in the center, everything else on these pages is a direct copy of a legitimate Zynga page.

Anything you enter in the two boxes in the middle is sent to the scammers when you click Submit and the browser is then redirected to this real Zynga page.

This page contains a warning from Zynga that you should not get chips from any third-party source.

These scammers sure have an interesting sense of humor.
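The pattern described in this post (a page hosted off the brand's domain, built from copied brand content, with input fields that submit elsewhere) lends itself to a simple crawler-side check. The following is an added example, not SafeToBe.Me's code; the function names, the "half of all links" threshold, and the sample markup are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

def registered_domain(url):
    # Simplification: last two host labels; production code needs the Public Suffix List.
    host = urlsplit(url).hostname or ""
    return ".".join(host.lower().split(".")[-2:])

class PageScan(HTMLParser):
    """Collects absolute link targets and, per form, its action and typed-input count."""
    def __init__(self, base_url):
        super().__init__()
        self.base, self.links, self.forms, self._form = base_url, [], [], None
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(urljoin(self.base, a["href"]))
        elif tag == "form":
            self._form = {"action": urljoin(self.base, a.get("action") or ""), "inputs": 0}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None:
            if (a.get("type") or "text").lower() in ("text", "email", "password"):
                self._form["inputs"] += 1
    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None

def cloned_brand_page(page_url, html, brand_domains):
    """Return details when a page hosted off the brand's domains links mostly to
    the brand (copied content) yet has a typed-input form posting elsewhere."""
    if registered_domain(page_url) in brand_domains:
        return None
    scan = PageScan(page_url)
    scan.feed(html)
    brand_links = [u for u in scan.links if registered_domain(u) in brand_domains]
    risky = [f["action"] for f in scan.forms
             if f["inputs"] and registered_domain(f["action"]) not in brand_domains]
    if risky and 2 * len(brand_links) >= len(scan.links) > 0:
        return {"host": registered_domain(page_url), "form_actions": risky}
    return None

# Constructed sample markup (form action and field names are assumptions);
# the page URL is the one quoted above.
PAGE_URL = ("http://zyngateam-specialbonus.t35.com/zyngateam/specialbonus/"
            "freechip/online/zynga-poker/register2.php")
SAMPLE_HTML = """<a href="http://www.zynga.com/">Zynga</a>
<form action="register2.php" method="post">
<input type="text" name="email"><input type="password" name="pass">
<input type="submit" value="Submit"></form>
<a href="http://www.zynga.com/about/contact.php">Customer support</a>"""
```

Calling `cloned_brand_page(PAGE_URL, SAMPLE_HTML, {"zynga.com"})` flags the sample, while the same markup served from a zynga.com address is not flagged.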

Even though this is our second post (we anxiously got our first post out when we found a phishing scam on Facebook), we would like to welcome you to the SafeToBe.Me blog.  We will be using this blog to give updates on the SafeToBe.Me service, to communicate security threats as we find them, and to communicate our perspectives on staying safe in the social world.  To get things started, we thought it would be useful if we provided some background on why we started SafeToBe.Me…

The Social Web, which includes services like Facebook and Twitter, has changed the way people interact.  It has also changed the way cyber crooks work.  Historically, cyber crooks went after computers and networks.  So security tools were traditionally geared towards protecting those resources.  Your router/firewall is protecting your home network and your anti-virus software is protecting your computer from being infected.  Now, cyber crooks are focusing directly on You.  They are not going after you physically; they are going after you where you spend your time online, which for many of us today is in social networks like Facebook.

Social networks are great.  They let us keep in touch with friends, even when they are not physically close to us.  We can easily see what our friends are doing and we can share our thoughts with them.  Social networks, like Twitter, also let us find people with similar interests, as well as explore new interests.  They are also great communication networks because when we share something interesting, our friends can share it with their friends and so on. Social networks also give us a feeling of security because we are familiar with most people we are communicating with and when we are talking to strangers, we are out of their direct physical reach.  And, a nice aspect of using social networks today is that we don’t have to be at our own computer to participate.  We can use smart phones and devices like the iPad.  All of these factors that make social networks great, however, are also the same reasons why social networks are an ideal attack ground for a new generation of cyber attacks.  These attacks are everything from simple SPAM and scams, to various forms of social abuse, to more complex identity theft type attacks that try to gain access to your account.

We started SafeToBe.Me to fight off this new social form of cyber attacks.  So that you can enjoy participating in the Social Web.  So that you can be you, safely.

At around 1:28 am on October 26, our crawlers first detected a new phishing scheme targeting Texas HoldEm Poker players.  The scammers registered an app with the URL http://apps.facebook.com/texas_hold_poker (note that the real URL for Texas HoldEm is http://www.facebook.com/TexasHoldEmPoker or http://www.facebook.com/TexasHoldEm).  When users click on what they think is a link to TexasHoldEm, they are confronted with this page:

Both of those buttons link to http://vgjyikui.001webs.com/banned/zyngawarning.php, where this is displayed:

Interestingly, that customer support link seems to actually go to the real Zynga contact page at http://www.zynga.com/about/contact.php.  Of course, anything entered into those two boxes is delivered directly to the scammers.  Clicking Submit points the browser back to the real Texas HoldEm Poker page, while clicking Cancel redirects to http://warmingaccount.do.am/zyngapoker/zyngawarning.html that presumably was another scare page to get users to give up their credentials but now looks like this: