Today we came across an extremely slick tool designed purely to annoy and confound users of popular Social Networking sites such as Facebook. While it also allows the attacker to target other sites and services such as YouTube and Windows Live, it seems to cause the most problems on Facebook.
What is it?
A malicious program designed to repeatedly lock you out of your various accounts. In time honoured tradition, here it is on the desktop:
As you can see, the Facebook logo sits in the middle, just above the "Freeze" button. Above the EMail field, you can see a dropdown box where the attacker selects their service of choice:

This particular version "only" has Facebook, Windows Live and YouTube but there are other versions out there which do much the same thing but target other Social Networking sites.
Once you've picked your poison (so to speak), you simply enter the EMail address or Username into the space provided and hit the "Freeze" button. But wait! For those who woke up in a particularly malicious mood, the program allows you to watch the demolition of your target's account in a sort of "realtime" mode, with the aid of an extremely slick built-in browser window. Simply hit the "Let me watch" button, and the browser extends out on the right hand side of the application:
Hit "Freeze", and as a meter at the bottom gives you a % score with regard to freezing completion, the view in the browser window alternates between the bottom two images - the first, the Facebook login screen:

...and the second, the page telling you your login combination is incorrect:

"You have exceeded the number of invalid login attempts that we allow for your account. If you have forgotten your password, reset your password here".
Whoops.
Now, I know what you're thinking. This is easily fixable, you just hit the "reset password" link and you're back in business. However - if your attacker decides to keep attacking you over a short period of time while you keep on resetting your password, eventually your mailbox will look like this...

...and not only will you be utterly sick to death of resetting your password, you'll be even more fed up when you get locked out one too many times and see this:

Yes, eventually you're even prevented from sending a password reset. Bizarrely, you're still given an option to hit a "reset password" button, even though it won't actually work for you anymore.
All you can do now is brave the wilds of the "Contact Us" page, and generally speaking, most people give up in despair and a flailing of arms when presented with such pages. If I'd been the victim of this kind of time wasting "fun", I'd probably be more inclined to simply start again from scratch.
I tried a little earlier on to see if I was now able to resend a password reset to the account used in the above screenshots...I was presented with an "Unconfirmed Account" message:

I can only assume they do this as an antispam precaution when your account is frozen out in this way. I'd be ready to give up and go home by this point.
In case you were wondering, it does much the same thing with YouTube:
However, doing this to a YouTube account doesn't quite cause as much aggravation as it does where Facebook is concerned - at no point during testing did YouTube lock down the account the same way Facebook did, although I can't assume there isn't an "upper limit" at which point YouTube also brings down the final curtain.
All in all, something a lot of rage-fueled kids will likely be deploying over the coming months.
While it's a little tricky to prevent people from knowing your username on YouTube - because you want people to know who you are on there, right? - it seems a sensible precaution to be as secretive as possible where the EMail account used with Facebook is concerned...
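The lockout described in this post turns a brute-force defence into a way to deny service to the account owner. As an added illustration (not code from the original writeup or from any of the services named), the sketch below contrasts a per-account failure counter with a throttle that also keys on the client; `MAX_FAILURES`, the class names and the `client` identifier (a device cookie, say) are assumptions.

```python
from collections import defaultdict

MAX_FAILURES = 5  # constructed threshold; the post does not state the real limit

class NaiveLockout:
    """Per-account counter: anyone who knows the login name can lock the owner out."""
    def __init__(self):
        self.failures = defaultdict(int)

    def login(self, account, client, password_ok):
        if self.failures[account] >= MAX_FAILURES:
            return "locked"       # the owner is refused too, even with the right password
        if password_ok:
            self.failures[account] = 0
            return "ok"
        self.failures[account] += 1
        return "denied"

class DeviceAwareThrottle:
    """Counts failures per (account, client), plus one shared budget for clients
    that have never logged in successfully, so changing client ids gains nothing."""
    def __init__(self):
        self.per_client = defaultdict(int)  # (account, client) -> failures
        self.untrusted = defaultdict(int)   # account -> failures from unknown clients
        self.trusted = defaultdict(set)     # account -> clients with a past good login

    def login(self, account, client, password_ok):
        known = client in self.trusted[account]
        if self.per_client[(account, client)] >= MAX_FAILURES:
            return "throttled"    # this client has used up its own budget
        if not known and self.untrusted[account] >= MAX_FAILURES:
            return "throttled"    # unknown clients as a group are refused
        if password_ok:
            self.per_client[(account, client)] = 0
            self.trusted[account].add(client)
            return "ok"
        self.per_client[(account, client)] += 1
        if not known:
            self.untrusted[account] += 1
        return "denied"

def simulate(policy):
    """Owner logs in once, 20 unknown clients each send a wrong password, owner retries."""
    acct = "victim@example.test"  # constructed sample data
    policy.login(acct, "owner-device", True)
    for i in range(20):
        policy.login(acct, f"unknown-{i}", False)
    return policy.login(acct, "owner-device", True)
```

The trade-off is that an owner signing in from a new device while the shared budget is exhausted is throttled as well and would need a secondary challenge.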
Writeup: Chris Boyd, Director of Research
Additional Research: Chris Mannon, Senior Threat Researcher


Hi,
But in Facebook, if the victim, after the attack and the freezing, enters their email and password correctly, they can normally access their Facebook account.
The last part of the post seems to address this. If you attempt to reset your password too many times as it keeps being locked out, eventually Facebook prevents you from sending a password reset:
http://blog.spywareguide.com/images/ffreeze10.jpg
And then you have to send them a message to their contact us page and hope it eventually gets picked up out of the likely thousands upon thousands of contact us requests they probably get every day.
Would you wait around for an indefinite amount of time waiting to see if it got fixed, or would you start again? Which is less trouble?
Hi, I would like to know if you have the link for downloading it.