Results tagged “Facebook” from SpywareGuide Greynets Blog

The Facebook (Dis)Honesty Box

You might want to keep an eye on your honesty levels over the next few weeks where Facebook is concerned - sometimes trying to find out more than you're entitled to will bite you on the backside as we're about to see.

You may or may not be familiar with the "Honesty Box" application on Facebook - like similar features on Myspace etc, it allows people to leave entirely anonymous messages on your Facebook page to the tune of "I love you" or "You're a big stinky head" leading to hours of fun for all the family.

It seems a group of individuals are spamming a fake program to the walls of unsuspecting Facebook users, promising to "reveal all" with regards who called them an idiot at 2 in the morning:

honbox2.jpg

The program claims it will strip out the hidden data from your honesty box, then convert it into a name so you know who left the message. Of course, it's all nonsense; the program is bound with a random Keylogger / Trojan / Virus of the attacker's choosing, which means your day could take a very random and unfortunate turn depending on what they have in store for you.

Fakey fakey, originally uploaded by Paperghost.

This could be a perfect setup for scammers to phish accounts, then use those compromised accounts to spam the application onto more Facebook walls where new victims can be attracted by the lure of "really secret stuff".

Avoid!

Yesterday I happened to see a particularly creepy advert containing a number of rotating images claiming to offer "Hacked Facebook and Photobucket accounts" for a price:

hackedfbaccts1.jpg

The site the image links to is called...well, see for yourself.

Wait...what?, originally uploaded by Paperghost.

Yes, the site is actually called "Hackedsluts.com" and claims to offer up an endless series of images from "hacked" accounts including Myspace, Photobucket and Facebook in return for a monthly fee. Or, as they like to put it:

As porn site marketing campaigns go this one is certainly, uh, different.

"Every day we prowl Facebook, Photobucket, Myspace and a ton of others....then we let our team of hackers do their thing"...

Account hacked!, originally uploaded by Paperghost.

Just to force the message home, hovering over any image will pop up some text on top of the picture:

hackedfbaccts5.jpg

Just when you think they can't possibly get any creepier or salacious, the final image at the bottom of the first set actually looks like this:


Extreme, originally uploaded by Paperghost

...yep, we'll throw in dubious claims of hacked accounts / stolen images AND we'll lob in a blood splattered "Too extreme" banner supposedly covering up some of the pictures. While this is clearly a piece of Lame Marketing 101, the overall effect of the site is extremely disturbing.

Are the images actually stolen? It's doubtful; in all probability the bulk of the content (if not all of it) is made up of stock pornographic content. But simply claiming they've been plundering images from supposedly hacked accounts on Facebook, Myspace and all the rest of them for financial gain blows my mind, is an amazingly dubious piece of non-ethical marketing and is surely a fast track to a day in court.

You would hope...

I've had a few enquiries come through with regards this blog entry about a strange Facebook threat we found over the weekend, and whether it's the same thing as written about by the awesome Rik Ferguson over here.

To clarify, these are two totally different Facebook attacks so you need to man the battlements on all fronts, or something.

The threat Rik covered involves messages being sent, an actual application and phishing pages that mimic the real thing once you visit the external URL via clicking a hyperlink.

The threat we found has no actual application involved at all - instead, the (mis)use of a Facebook application URL (apps.facebook.com/customer_dispute), with what was likely a phishing page related to "Customer disputes" somehow attached directly underneath the real Facebook app URL.

Be careful out there...

When you're looking into dubious activities online, you don't always catch bad guys in the act - every now and again, you get there a little too late and have to put the pieces together as best you can.

I'd heard rumblings of people using Facebook application pages in weird and not so wonderful ways, but hadn't actually seen it in action. Digging around, I was somewhat surprised to see the following greeting me on a Facebook application page for something called "Customer Dispute":

facephish1.jpg

As you can see, something is very wrong here - there's a valid Facebook URL:

apps.facebook.com/customer_dispute/

...but instead of a standard Facebook application install screen under the URL as you'd expect, the entire content is taken up by a "Page not found" message served up by Ripway hosting (who are often used and abused by script kiddies with phish pages and rogue executable storage).

A quick Google for this "Customer Dispute" page and from a hacking forum we see...

facephish30.jpg

..."New form of Facebook phishing"? Oh dear.

It seems someone set up an application developer account with Facebook, placed a fake "customer dispute page" onto their Ripway hosting, which they were somehow able to post onto their Application page and start directing Facebook users to it.

I don't know about you, but people are always complaining about something on Facebook - throw in a fake "dispute" page onto an actual Facebook URL and you're probably going to see stolen accounts roll in 24/7.

I was dying to know exactly what form the fake Customer Dispute page took, but the person responsible had obviously developed cold feet and pulled it. We notified both Ripway and Facebook, and also asked if they could enlighten us exactly what the content of the fake page was before whoever uploaded it took it down.

Ripway quickly closed the account of the uploader:

facephish007.jpg

The thread on the hacking forum magically vanished, presumably because the creator didn't want evidence lying around the net tying it back to him:

facephish707.jpg

Facebook (to their credit) reacted quickly - the dubious application URL now looks like this, which is a genuine "not found" page from Facebook with links that direct you back to the main site:

facephish601.jpg

.....a lot better than "phony content goes here".

I'm not naive enough to have actually expected either company to get back to me, but it would have been useful in knowing what we're dealing with here. While I can appreciate Facebook aren't going to go yelling about this scam from the rooftops if they can help it, they surely have a responsibility to at least warn their users that people are doing something very dubious with Application pages. Of course, it makes it harder for myself to warn you with specifics with regards the exact content of the page that was removed too.

At this point, all I can say is that

1) It seems very likely (based on both the comments posted to that hacking forum and elsewhere) that it was indeed some kind of phony customer dispute phish plastered onto the application page. The exact form that this page took is currently up for debate.

2) If one person has done this, it's entirely possible others have - with that in mind, if you see an

apps.facebook.com

URL, but NO application - then be wary, especially if it's asking you to enter login details (Facebook credentials would, of course, be the obvious target). Otherwise you might end up with a clear case of Two Point Doh...

More KoobFace

There's a link currently in circulation that does pretty much what you'd expect it to - drop you onto a site hoping you'll install the executable.

The site in question is

eurostandart.biz/publicdvd/

And going there redirects you to

86.20.21.129

which looks like this:

yuotubez111.jpg

This is, of course, one of those fake Youtube pages called "Yuotube". Avoid, steer clear, run away...

ffkr.jpg

....and so charmingly named, too. Facebook Freezers: the best reason ever for keeping your login EMail address a secret.

More "Facebook Freezers"

I've written about Freezers before - in short, programs designed to repeatedly spam the login for various sites & services with the victim's EMail address and randomly generated passwords, until the account is locked out.

These Freezers take many forms, and have numerous features including built in browsers, progress bars and the ability to endlessly spam the target account until the PC melts or the account is permabanned, whichever comes first.

Well, here's another one, and it looks considerably better than the first (and that was no slouch in the looks department to begin with). As you can see, this one targets both Messenger Live and Facebook (alternating between the two with a nicely done set of tabs).

fcbkfrzr2.gif

The "Freeze" and "Skip Freezing" buttons are very chunky (it's all very 2.0, isn't it) and there are options for "help", "support" and an "about" panel too. Although the Windows Live Freezer didn't appear to function correctly, the Facebook Freezer caused the same problems as the program I wrote about a few weeks ago. Fire it up, walk away, leave it running for a few hours and when you return, the account will have been disabled - leaving the account owner with the prospect of trying to reactivate it, or skip the hassle and start from scratch.

fcbkfrzr1.gif

As before, the best (and only) advice you can really give where these tools are concerned is to avoid handing out your EMail address used for various social networking sites to strangers. If the site you use insists on showing your address to visitors, look for the option to hide it.

Facebook Freezers

Today we came across an extremely slick tool designed purely to annoy and confound users of popular Social Networking sites such as Facebook. While it also allows the attacker to target other sites and services such as Youtube and Windows Live, it seems to cause the most problems on Facebook.

What is it?

A malicious program designed to repeatedly lock you out of your various accounts. In time honoured tradition, here it is on the desktop:

ffreeze1.jpg

Ignoring the fact that it resembles a cartoonish piece of meat on a bone, let's fire it up:

ffreeze2.jpg

As you can see, the Facebook logo sits in the middle, just above the "Freeze" button. Above the EMail field, you can see a dropdown box where the attacker selects their service of choice:

ffreeze3.jpg

This particular version "only" has Facebook, Windows Live and YouTube but there are other versions out there which do much the same thing but target other Social Networking sites.

Once you've picked your poison (so to speak), you simply enter the EMail address or Username into the space provided and hit the "Freeze" button. But wait! For those who woke up in a particularly malicious mood, the program allows you to watch the demolition of your target's account in a sort of "realtime" mode, with the aid of an extremely slick built-in browser window. Simply hit the "Let me watch" button, and the browser extends out on the right hand side of the application:

ffreeze5.jpg

Hit "Freeze", and as a meter at the bottom gives you a % score with regards freezing completion, the view in the browser window alternates between the bottom two images - the first, the Facebook login screen:

ffreeze6.jpg

...and the second, the page telling you your login combination is incorrect:

ffreeze7.jpg

Once you hit 100%, this is what you see inside the application's browser window:

ffreeze8.jpg

"You have exceeded the number of invalid login attempts that we allow for your account. If you have forgotten your password, reset your password here".


Whoops.

Now, I know what you're thinking. This is easily fixable, you just hit the "reset password" link and you're back in business. However - if your attacker decides to keep attacking you over a short period of time while you keep on resetting your password, eventually your mailbox will look like this...

ffreeze9.jpg

...and not only will you be utterly sick to death of resetting your password, you'll be even more fed up when you get locked out one too many times and see this:

ffreeze10.jpg

Yes, eventually you're even prevented from sending a password reset. Bizarrely, you're still given an option to hit a "reset password" button, even though it won't actually work for you anymore.

All you can do now is brave the wilds of the "Contact Us" page, and generally speaking, most people give up in despair and a flailing of arms when presented with such pages. If I'd been the victim of this kind of time wasting "fun", I'd probably be more inclined to simply start again from scratch.

I tried a little earlier on to see if I was now able to resend a password reset to the account used in the above screenshots...I was presented with an "Unconfirmed Account" message:

ffreeze12.jpg

I can only assume they do this as an antispam precaution when your account is frozen out in this way. I'd be ready to give up and go home by this point.

In case you were wondering, it does much the same thing with YouTube:

ffreeze11.jpg

However, doing this to a YouTube account doesn't quite cause as much aggravation as it does where Facebook is concerned - at no point during testing did YouTube lock down the account the same way Facebook did, although I can't assume there isn't an "upper limit" at which point YouTube also brings down the final curtain.

All in all, something a lot of rage fueled kids will likely be deploying over the coming months.

While it's a little tricky to prevent people from knowing your username on YouTube - because you want people to know who you are on there, right? - it seems a sensible precaution to be as secretive as possible where the EMail account used with Facebook is concerned...

Writeup: Chris Boyd, Director of Research
Additional Research: Chris Mannon, Senior Threat Researcher
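
The lockout abuse described in this post and in "More Facebook Freezers" above, seen from the service's side: an added example (not from the original post, and not Facebook's own logic) that spots the freezer pattern in login logs and blocks the offending source instead of locking the targeted account. The log format, thresholds, function names and every sample value are constructed assumptions.

```python
# Added example: defender-side detection of the "freezer" pattern in login logs.
# Log format, thresholds and all sample values are constructed for illustration.
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log: "<ISO time> <account> <source ip> <OK|FAIL>"
SAMPLE_LOG = """\
2009-01-10T02:00:01 victim@example.com 203.0.113.7 FAIL
2009-01-10T02:00:05 victim@example.com 203.0.113.7 FAIL
2009-01-10T02:00:09 victim@example.com 203.0.113.7 FAIL
2009-01-10T02:00:13 victim@example.com 203.0.113.7 FAIL
2009-01-10T02:00:17 victim@example.com 203.0.113.7 FAIL
2009-01-10T02:00:21 victim@example.com 203.0.113.7 FAIL
2009-01-10T02:01:00 bob@example.com 192.0.2.44 FAIL
2009-01-10T02:01:10 bob@example.com 192.0.2.44 FAIL
2009-01-10T02:01:30 bob@example.com 192.0.2.44 OK
2009-01-10T02:03:00 victim@example.com 198.51.100.20 OK
"""

def parse(log):
    """Yield (timestamp, account, source_ip, ok) tuples from the log text."""
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, account, ip, result = line.split()
        yield datetime.fromisoformat(ts), account, ip, result == "OK"

def find_freeze_attempts(events, window=timedelta(minutes=5), threshold=5):
    """Return {account: {source_ip, ...}} for every account that received at
    least `threshold` failed logins inside one sliding `window`."""
    recent = defaultdict(deque)          # account -> recent (time, ip) failures
    flagged = {}
    for ts, account, ip, ok in sorted(events):
        if ok:
            continue                     # only failures feed the counter
        failures = recent[account]
        failures.append((ts, ip))
        while ts - failures[0][0] > window:
            failures.popleft()           # drop failures older than the window
        if len(failures) >= threshold:
            flagged.setdefault(account, set()).update(src for _, src in failures)
    return flagged

def allow_login(flagged, account, ip):
    """Assumed policy: refuse only the sources hammering an account, so the
    real owner, arriving from elsewhere, is not locked out with them."""
    return ip not in flagged.get(account, set())

if __name__ == "__main__":
    hits = find_freeze_attempts(parse(SAMPLE_LOG))
    for account, sources in hits.items():
        print(f"{account}: repeated failures from {sorted(sources)}")
    print("owner allowed:", allow_login(hits, "victim@example.com", "198.51.100.20"))
```

Blocking by source only helps while the attempts come from a handful of addresses; keeping the login e-mail address private, as the post advises, still applies.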
There's been quite a bit of action on Facebook the last couple of days, and none of it good from the looks of things:

err1.jpg
err2.jpg
err3.jpg

As you can see, there's been an application doing the rounds called "Error Check System" causing problems for lots of people.

A quick observation before going on - the name sounds an awful lot like those given to rogue security programs, doesn't it? When I heard about this, I was convinced it'd pop open a rogue antispyware cleaner once installed as an application. Anyway...on your notification panel, you'd see this:

err4.jpg

A message that one of your friends "faced some errors" checking your profile. If you clicked "View the Errors", you'd be taken to an application installer page.

err5.jpg

Once this was done, it would bombard your friends with invites to use the application.

Over....and over......and over again.

It seems Facebook has since killed the application off - it no longer exists (for the moment!) to install on your profile. Interestingly, the creators kept putting it back online under different Facebook application URLs until Facebook killed it off completely.

Besides incredibly annoying spam and some other potentially dubious (mis)uses of technology (many people report the app not showing up on the page where you'd remove applications, and others claim it installed without them hitting "Activate") it doesn't appear to have done anything too malicious.

However, Josh Lim covered this on his blog and I can't help but notice.....again.....well, check out this portion of his screenshot:


err0.jpg

Ignoring the "Fake!" he pasted over the logo, how similar to rogue antispyware tool stock graphics is that? I'm pretty sure I've seen that exact graphic used on a rogue tool / advert before, but of course there's so many of them around it would take a little while to confirm. If anybody wants to play "match the graphic to the rogue" in the meantime, be my guest!

Even more curious, someone (as if by magic) has manipulated search results so that anyone searching for "Error Check System" in Google will see this as the top entry:

err00.jpg

Click it, and you're taken to an extremely aggressive set of rogue antivirus download pages.

errrr.jpg

So even though the "threat" of Error Check System on Facebook has fallen by the wayside (until they come back, of course), you'll need to be careful if you go looking for more information on this particular incident over the coming weeks...

Koobface On The Prowl Again

Yes, our least-favourite Facebook "friend" is back on the scene, infecting PCs as it goes. This time round, the scam involves taking you to a fake Youtube page (that actually looks more like a Myspace player...doh), claiming it's a "Secret video from Tom". Click the video, download the supposed "Flash player update" and run it to ruin your weekend.

If you want to go down a different route however, when you see a message like this from your friend:

kf1.jpg

Delete it, and let your friend know they have a problem that needs fixing in a hurry! As you can see, most of the messages in this latest wave play on the fear of being seen in "mysterious" videos being spread across the web. The main one being publicised at the moment is a message with the title 'You look just awesome in this new movie.' However, there are plenty more variations out there - the one above, for example, says "Don't worry; the whole Net will see this video".

For the curious, the fake video player page will look something like this:

kf2.jpg

We detect this as Koobface, rather unsurprisingly!


A FunSpace Chain Letter...

This was sent to a colleague of mine a day or so ago from one of her friends on Facebook:

fs1.jpg

The text reads:

"It has come to our attention that some people are using facebook for purposes other than that for which it was intended. Certain people have been using software called "post bot". Therefore we will require that you forward this to all your friends. We will then log your account information to separate you from the people that are running automatic post bots on our site.

If you fail to forward this, it may mean that your account will be banned.

Thank You
Facebook Staff"


This is (of course) a chain letter doing the rounds on FunSpace. When I tried it, I got this:

fs2.jpg

...so at least someone is keeping an eye out for these things. Rest assured, if you see a message like this sent to you via a Facebook application, you can safely delete it. Nobody is going to come knocking over fictitious threats related to "posting bots".

Ka-Ching

I've written about cunningly placed adverts on Facebook application installer pages before, but this is getting to be a little.....excessive.

Here's what I saw when installing an image viewer, from the point where I started to install the app, during and once I'd finally made the application live on my page:


kac1.jpg

kac2.jpg

kac3.jpg

As I said....excessive. Anyone thinking these boxes are part of the application installer will be taken to a familiar face:

kac4.jpg

Yes, it's this thing again.

Facebook should really have strict policies on the kind of adverts allowed on installer pages (as a matter of fact, I don't think there should be any adverts allowed on these pages in the first place). It's way too easy to fool people.

In January, everything went a little crazy because of a Facebook application that (if you believed the hype) force installed Zango, hijacked your PC, set fire to your house, killed your pets.....well, you get the idea. In actual fact, the truth of the matter was a little more convoluted. All I could see was that this application opened up a popup, which (every now and again) would just happen to be an advert for Zango. Hardly Earth shattering, but of course it did switch people on to the fact that they needed to be careful which applications they gave permission to access their data while on Facebook.

Well, a few months on and it looks like the BBC had a coder create an application (in three hours or less) that could swipe a whole pile of data on both you and your friends, before mailing it back home to base. I can't stress enough - when it comes to social networking sites, NEVER post anything you wouldn't feel comfortable posting on an otherwise open and accessible site such as your blog, personal website, whatever. I have pages on Myspace, Facebook, Orkut and a whole bunch of others - and there is NOTHING on them that you couldn't find elsewhere. There is no hidden treasure trove of data to mine, and so I don't care what happens to it because it's all out there in the public domain anyway. This is what I've been telling people for the longest time, and it works.

A few days ago, I talked about the oddly intrusive chat attack I experienced, and how FaceTime products can control / lock down / fire into orbit Facebook applications where necessary. To date, there haven't been any applications out there that have gone in and done all sorts of horrible and malicious things to end-users on Facebook. Personally, I've been more concerned about applications that allow people to post a seemingly endless and imaginative array of body parts in various comical situations. Nobody really wants that all over their desktop in a regular workplace environment, right? However, this seems to me to be a warning shot of sorts - a warning that we not only need to consider locking down applications that cause annoyance and embarrassment, but also to keep an ear to the ground as we await the inevitable arrival of the "I BREAK STUFF" application.

Coming soon to a Web 2.0 site near you...