
Facebook tagged in these posts:

Facebook and Websense Partner to Protect Users from Malicious Links
Posted: 03 Oct 2011 02:30 PM

Today, we have some exciting news. Some of you may have already heard about it, because it is big!

Starting today, we have implemented a partnership with Facebook, arguably the largest, most important platform on the globe, to better protect users against malicious links leading to malware-embedded websites and fraud.

A platform as popular as Facebook is naturally a target for attackers. We have been working with Facebook and their security teams for a number of years in order to keep their users safe, but now we have integrated directly into the platform for an unprecedented security combination.

Soon, when a user clicks on a URL that has been posted within Facebook, that link will be sent to Websense for security classification. The Websense® ThreatSeeker® Cloud, an advanced classification and malware identification platform, will then analyze the link in real time. If the destination site is considered unsafe, the user is presented with a warning page that offers the choice to continue at their own risk, return to the previous screen, or get more information on why it was flagged as suspicious.

In this way, we are helping Facebook continue its proactive fight to keep malicious links off its platform and allow safe use for all of its members.

At Websense, we are all about innovation and changing the security game. We were the first company to promote and enable safe, productive use of social media for our customers with our web security gateway, the first to deliver security and anti-spam protection for companies' presence within Facebook with Defensio, and now we are assisting in the protection of all users on the platform with our cloud integration.


This is the same technology that already powers our industry-leading TRITON™ solutions, and it now extends that same protection to consumers and other users of Facebook.


For more information, you can view the news release here, or check out the infographic below.


Did you hear about the new Facebook changes?
Posted: 23 Sep 2011 10:46 PM

At their f8 Developers Conference in San Francisco last week, Facebook announced their recent major makeover and made clear that this is just the beginning. These are the largest changes to Facebook since the site's early days.

Their newly released features are:

  • A redo of their Friends Lists (like Google+ Circles) to make it easier to share with whom you want
  • A real-time news ticker (same functionality as RSS feeds)
  • The option to subscribe to anyone, whether that person is among your friends or not (similar to Twitter)

Timeline

In a few weeks, Facebook is launching “Timeline,” thereby giving the site an entirely new interface.

Timeline will let you customize your personal life story. It's based on your account activity and is organized in reverse chronological order. You decide what you want to include in your story from old postings, pictures, and such, and you can show your favorites at double size if you want.


You will also have the ability to go back in time and fill in the blanks for important milestones that were not posted on Facebook (or that happened before Facebook even existed).

When you start out with Timeline, you'll have the option to publish immediately or wait until you have edited your story. Just be aware that Facebook will set a deadline by which all profiles are published in Timeline.

Real-time media sharing

In the past, you would have clicked the “like” button to show everybody that you like a song. With the new interface on Facebook, you no longer need to do this. We are now talking about “passive sharing,” and by default, much of what you do with Facebook apps and even outside of Facebook with their integrated partners such as Netflix, Internet Games, and Yahoo News will automatically be shared.
Example: You can listen to a song on Spotify and Facebook will know and post this in your Timeline.


One issue here is that your friends will know every single song that you listen to on Spotify and every movie you watch on Netflix, and you will know the same about them.

In some ways, it resembles Beacon, a Facebook project in which sites like Amazon automatically posted to Facebook when a user made a purchase and what they bought. This initiative failed in 2007 after public protests about the lack of privacy controls.

Possible logout risk

Facebook recommends that you log out of their site before browsing other sites if you are worried about them picking up your online activity. Hacker Nik Cubrilovic claims that this may not be enough. He says when logging out of Facebook, their cookies are not removed but merely altered.


“A number of cookies - including your account number - are still sent along to all requests to facebook.com,” Cubrilovic explains in his blog post. “Even if you are logged out, Facebook still knows and can track every page you visit … The only solution to Facebook not knowing who you are is to delete all Facebook cookies.”


Cubrilovic adds that this applies to any site with a Facebook “like” or “share” button or any other widget.

Conclusion

Through the use of Timeline, users will be able to participate in and build a stronger social Web experience by sharing their entire life story and exposing that information to an even wider audience. Real-time media sharing will let users get a look at each other's song and media choices in real time.

We're interested to know what you think of the new Facebook. Please leave comments at the bottom of this blog.

Thank you!
Elisabeth Olsen - Supervisor Websense Labs

Is Google+ safer than Facebook?
Posted: 02 Aug 2011 01:16 PM

Google is synonymous with the Web: from the search engine through Web-based email to video sharing, they are arguably the market leader. However, this has not been the case with social networking. They have constantly searched for a way to set up a service or Internet portal that helps people connect with each other and find new friends, or even old ones. Google was not alone in trying: Yahoo and Microsoft also made strong plays for this market, with little success. Then, all of a sudden, a young chap called Mark Zuckerberg created a brand new concept and made social networking very popular, and in 6 years Facebook climbed all the way to 2nd place in the Alexa ranking, overtaking big names like YouTube, Apple, Yahoo and Microsoft.

Facebook came from nowhere and even challenged Google for the very top rank in popularity. Zuckerberg, a fresh university graduate, had no experience in setting up an enormous system like this, but he still pulled it off, and today Facebook is fighting for the No. 1 place, as the Alexa report shows.

It's no surprise, therefore, that Google is constantly looking for a way to beat Facebook and secure the top position. They already have a popular social network called Orkut. OK, it is only popular in some countries, such as Brazil and India, but it still proves the concept: they can do it. The software giant has also run some interesting projects, Google Wave and Google Buzz. Neither really worked out or came close to taking market share from Facebook, although both got huge attention from the media and from users.

New concepts come and go. Google moved on and has come up with Google+, another brand new concept. It looks like Google will keep trying until they get the perfect recipe for the most delicious cake of social networking. They are probably right in sensing the growing need for something new, and the overwhelming interest from millions of Internet users proves it.

However, for us security experts it is always of keen interest to see whether it is going to be more secure than Facebook, or whether it could be just a perfect gateway for spammers.

If we take a look at the key differences between Facebook and Google+, we notice that while on Facebook you need to accept a friend request, on Google+ someone can add you to their Circles without your prior approval. You can block people later on; however, it worries me a bit, as it makes it fairly easy to use Google+ as a source of spam messages.

To test this theory, I put a test message in my Stream on my existing Google+ account and shared it with my company email address, which had not previously been registered with Google in any way. When I shared my stream post, I received an email from Google+ including the content of the message I wrote.

Malicious invitations and notifications

The demand for a Google+ account is still high. This is partly because the service is still in beta, and it is kind of cool to tell our friends that we already have an account; it is like saying "I am more up-to-date with technology than you are." So if someone receives a message saying 'This is an invitation to Google+', there is a big chance that the recipient will be very happy about the invitation, or perhaps just curious, and will follow the link without checking its validity.

And here we go again with the old-school security theory: the weakest link in any security system is the human. Even if interest in getting an account drops over time, Google+ sends notifications when someone adds you to their Circles, so it is only a matter of time before we see attacks similar to the old-style Facebook ones: scams using 'change your password' phishing mails or 'someone added you' mails.

Dangers of beta stage

It is not all about malicious invitations, although there have been some already. Google+ is still in beta, which in itself creates further problems. Phishing Web sites are quite often used by cyber criminals: they copy the layout and look of banks, game portals, Web email services and social networks, and drive users to these fake sites so that victims enter their credentials or sensitive data such as personal information or banking details. The very same can happen with Google+: after a malicious invitation or a fake notification, a user can end up on a fake Web site, and unless they notice something strange on the page, they are likely to give up their data.

But why is this different from any previously seen issue? As Google+ is still in beta, people do not really know what it looks like. And even if they do, because it is in beta it might change at any time without prior notice from the software giant. So it is much easier to mimic a Google+ logon page, steal Google passwords, and use them for further malicious activities, such as sending spam to all email addresses in the contact list or sharing a stream post to the Circles in the Google+ account.

In addition, when creating a Google+ account, Google asks us to download and install a component on our computer in order to use video conferencing and multi-party chats, called Hangouts. This again is an opportunity for the bad guys to profit from drive-by download attacks, as it seems quite normal to download and install something when joining this social networking site.

Recommended Privacy Settings

The issue of privacy is also part of data security, namely data or information leakage. You may not want everybody to know about your feelings, for example telling your boss that you are not happy with your job and are looking for a new one. Sometimes a post about this kind of thing is harmless, or just funny or awkward, but it can also be a way to seek out confidential company data. And that is possibly the biggest challenge today with the use of a social networking site from within the company.

Google+ uses a different concept from Facebook. Google+ is based around 'Circles', groups of people, and we can decide to share only with certain circles and/or individuals, rather than sharing everything with 'Friends' only, 'Friends of Friends' or 'Everyone'. We still have similar options, though: 'Your circles' is the equivalent of 'Friends' in Facebook, as it means we share the post with all of the circles we have; 'Extended circles' is very similar to 'Friends of friends'; and 'Public' is equivalent to 'Everyone'.

Overall, Google+ gives us finer-grained sharing options, and that is the key point here: if we do not want to share news or a status with everyone in our circles, we do not have to. For example, we may have circles like friends, colleagues and family, and may not want to let colleagues and family know how drunk or silly we were at a party last night. This could be an awesome feature for some; however, there is a little glitch. If one of our friends re-shares a post to a different audience, we can still end up sharing our posts with those we did not want to. Because of this, Google implemented the 'Disable Reshare' option, which prevents this from happening.

Conclusion

At the moment it is not easy to get a Google+ account, and this has created an understandable excitement and sense of exclusivity for anyone who has one. Malware authors and spammers are already trying to take advantage of this, so please exercise caution if you do get an invitation to try it out for yourself. At this stage we can only hope that Google's security and spam filtering will work well to prevent malicious activity on this new social networking site. Anticipation is growing for when it launches to the wider public. I'm sure the spammers are looking forward to that day too. Let's see what happens.

Tamas Rudnai

Facebook scams aiming to profit from recent tragedies in Norway and Amy Winehouse's death
Posted: 25 Jul 2011 10:36 AM

The tragic events at the end of last week, the Norway attacks and the sudden death of British singer Amy Winehouse, resulted in some unwanted scam activity in cyberspace. Websense Security Labs and the Websense ThreatSeeker® Network have detected that scams pretending to offer a "look at footage of Amy Winehouse just moments after her death", and others similar in nature, are now propagating on Facebook. This type of scam is a "survey scam": users are lured into completing a survey and in return are promised an "exclusive" video or footage. Completing the surveys puts some money in the scammer's pockets, and users who complete them are never shown the promised videos or footage.

This is how this scam looks on Facebook:

The scam leads to a survey page:

Scams taking advantage of the tragic Norway attacks surfaced this weekend, but these appear to have been cleaned out by Facebook:

Facebook Scams - an Ongoing Phenomenon

Survey scams on Facebook are an ongoing phenomenon. They are not limited to one news event (tragic or not) or one domain. The scammers keep track of current news events and aim to lure Facebook users by any means possible. Here is a snapshot of some domains involved in these scams, which were propagating via Facebook at the time this blog was being written. They pop up like mushrooms after the rain and share similarities, such as lures that seem to be built with the same toolkit or application skeleton. This is similar to a phenomenon we have blogged about in the past. Anybody can get his or her hands on those "template" applications and create Facebook threats in minutes. Here are some examples of threats dominating Facebook at the moment that use the same skeleton or toolkit mentioned earlier:

  • Scam: "This Is What Happens When Ex Girlfriend Forgets To Turn Off Her Webcam!!!"
  • Scam [translated from Italian]: "Boy Betrays His Girlfriend and Accidentally Puts the Video on Facebook" [Ragazzo tradisce la propria ragazza con una Mora da paura e mette per sbaglio il video su FACEBOOK. ASSOLUTAMENTE DA VEDERE]
  • Scam: "R4p3d g1rl 1n th3 sch00l bathroom - Sh0cking Video"
  • Scam: "FATHER gets TOTALLY Embarrassed after entering Daughters Room"
  • Scam: "Look what he did to his Ex Girlfriend!"

Scam Threats on Facebook Spread Swiftly

All the threats illustrated above are happening on Facebook NOW, at the time of writing. The next image shows how many users are actually falling for the "Look what he did to his Ex Girlfriend!" scam. Taken together, the threats mentioned above propagate onto users' home pages literally every second or less:

ThreatSeeker Network on the Prowl

This is a snapshot from our internal ThreatSeeker Network portal showing a slice of the hostnames that the network detected as matching the above profile. Websense customers are protected from these threats by ACE, our Advanced Classification Engine.

The Threats Locations - a Geographical Breakdown

The different threats that we covered in this blog have a location, and you might wonder where that is. The locations aren't limited to one country but span several; the next pie chart shows the location breakdown of all the scams we mentioned earlier. Remember, all the mentioned scams have commonalities and use the same toolkit or skeleton to create the viral pages; the locations vary because a number of cyber criminals are creating different viral pages based on the same toolkit/skeleton (click on the pie chart image to enlarge):

Top Hosting Countries:

  • United States
  • Netherlands
  • Canada

Elad Sharf

Fake Facebook site threatening Thai population
Posted: 08 Jun 2011 01:37 PM

"Do you want to be my friend? I will add you on Facebook." This kind of conversation is quite common nowadays, and is reasonably safe in most cases -- but not in Thailand!

The Websense® ThreatSeeker® Network has found a fake Facebook site in Thailand. The Web page looks very different from the popular social networking portal, so it is unlikely that the site owner would use the usual social engineering tricks to steal credentials. However, as we will see, the site does host some malicious applications to trap unaware users. Websense customers are protected from this attack by ACE, our Advanced Classification Engine.

As we can see in the picture above, the home page looks different from the original Facebook, even if it shares a few similarities, such as the color and style of the buttons at the top. Analysis by FireShark also shows a legitimate-looking picture, as most of the connections seem to go the right way, to legitimate and clean destinations:

At this point, a security researcher might think that the creator of this site only wanted to profit by buying the domain name under their country's top-level domain (domain squatting), which then opens negotiations for a trade or buy-out. However, before we close this book and put it back on the shelf, take a look at some of the other pages it hosts:

As we can see, some of the pages hold malicious applications, able to install a bot (Win32/Dorkbot.A) and another malware agent on users' computers. Websense Security Labs would like to emphasize that this site is not the original Facebook, and users should always be careful when visiting sites that are unknown or uncategorized.

Tamas Rudnai

A weekend of Click-jacking on Facebook
Posted: 02 May 2011 07:17 PM

In this blog post, I will analyze a Facebook scam technique that we've seen grow in popularity over the past few weeks, focusing on one example that was circulating this past weekend. As a Websense customer running our Web Security software or real-time analytics, your users would have been protected from the first link right off the bat, thanks to our Advanced Classification Engine (ACE):

To show how this particular attack works, I set up a scenario using a test account. In this scenario, a friend named Chris has already fallen for the scam and posted a comment to his own Facebook profile page, which appears on all of his friends' walls.

Here's what Chris, a victim of this scam, commented on:

The Enticement

Remember, scammers aren't going to post something boring; this is meant to be enticing ... OK, I'll play along. Let's see what happens as I follow the trail. By clicking on the link, I'm redirected to mcdshock DOT info (robtex):

A Real CAPTCHA?

Interesting. So this site says that I can only continue if I solve a CAPTCHA. The site explains that it's using the CAPTCHA to protect itself from BOTS. That seems to make sense: CAPTCHAs are in fact meant to tell humans and programs apart (in theory). But this particular page has more going on than meets the eye.

Let's look at the source code behind this page (full source code can be found here):

The first thing that is noticeably odd is that the source code indicates use of the Facebook Comments social plugin (see the fb:comments code), which allows websites to include a comment box linked to a user's Facebook account if they are logged into Facebook in another window or tab. A typical comment box looks like this:

But no such comment box was displayed on the page. Let's take an even closer look at the source code to figure out why ...

Classic Click-jacking

The style sheet section of the source code shows that the Facebook comment box is wrapped in a div with a style that makes it completely invisible (see opacity):

Next, the source code overlays a background image on the entire section where the Facebook comment box is:

Can you guess what that image looks like? Here it is ...

Analysis of the source code indicates that the CAPTCHA is not a real CAPTCHA but an image sitting on top of a Facebook comment box, meant to trick me, the unprotected user, into clicking on something while hiding its true nature. The submit button is carefully placed on top of the comment button. By clicking on it, I would be submitting a comment to my Facebook wall with text supplied by the scammer's website.

... and sure enough, once I hit submit, here is the comment that is posted to my Facebook page:

Classic case of click-jacking!

That's not the end of it, though! After clicking submit, apart from a comment being posted to my profile page, I'm redirected, first to a tracking website:

... and next to isozbanks DOT com, where I'm asked for further verification: either play a Pacman game or answer what my favorite Facebook game is:

Another click? Can you say click-jacking part deux? Indeed, if I click on one of the above links, another comment is posted to my Facebook profile page:

Click-jack complete, commence project information gathering

Next, I'll be redirected to playsushi DOT com (Alexa Ranking: 7903), where if I click on "Click Here To Play," I'll be prompted to download an executable called SetupPlaySushi.exe (VirusTotal report):

Had I chosen instead to take the survey about my favorite Facebook game, I would've been brought to the following pages, where the attacker would have a very good opportunity to capture my email address and post another comment to my Facebook page. Upon clicking continue, I'd be asked to give out more information (a great method for attackers to build up a profile for tracking purposes and to store their victims' personal information).

Now assuming I either visited the Pacman site or the survey site, the following page is shown:

I then must proceed through a few more Web pages, which in the end ask me to play more games or fill out more surveys for verification purposes (it's worth noting that each user will be prompted with different games and different links), again really just to trick me into clicking and sending comment spam to my own Facebook profile page:

Clicking one of these links will bring me to the following pages:

Finally, after viewing any of the above sites, I get a final Web page indicating that the content has been unlocked and that I can view the video.

Is there even a real video to view?

At the end of this entire process, I'll be rewarded for my persistence by being able to finally see the video I was promised.

Let's review all that I had to give up to get to view the final video:

  • Full name
  • Full address
  • Gender
  • Phone number
  • Download and possible execution of an executable (spyware)

The Click-jacking to post comments to my profile was the main motivation from the attacker's point of view. Everything that came after was just a bonus.

To estimate how many people fell for this scam, we can look at the hits on the YouTube video yesterday and this morning: overnight, more than 100,000 users visited the YouTube video, showing how successful this scam really was.

Don't become a victim! Here are some tips and tools to protect yourself against click-jacking (link). Websense has a free Facebook plugin called Websense TRITON Defensio that would have protected users from this attack. Install it, and it will protect you from these types of scams.

Web Filtering and real-time analytics within ACE would have protected a user from the start!

Principal Security Researcher: Stephan Chenette
Thanks to our newest researcher Armin Büscher for the assistance!

Osama bin Laden scams on Facebook
Posted: 02 May 2011 10:34 AM

We've seen scams using Osama bin Laden's death in other places and of course they made it onto Facebook as well. Here is the first example talking about a video:


When clicking on the link the user is taken to a page on Facebook asking them to copy/paste the code into the browser's address bar so that they can watch the video:

All this does is help spread the message, so don't do it.

Patrik Runald

Facebook scam "My Top 10 stalkers" targets users in specific countries
Posted: 19 Apr 2011 07:08 PM

A new spam campaign, similar to campaigns we have seen in the past, is spreading on Facebook. This one, however, has some interesting twists to it.

The core of the campaign involves a Facebook app that claims to know who your "Top 10 stalkers" are. Our customers are protected from this campaign by ACE, our Advanced Classification Engine.

It works by creating an album, "My Top 10 stalkers", with the description "Check who views your profile @" followed by a bit.ly URL-shortened link. It then automatically uploads a photo to the app and tries to tag all the user's friends in the photo.

The bit.ly link redirects the user to a page that uses JavaScript to determine the geographical location of the computer based on its IP address. Depending on the location, the page then redirects users in specific targeted countries to the Facebook app in an attempt to spread the malicious link further. The campaign targets Facebook users in the United States, Canada, the United Kingdom (including a specific target for Great Britain), Saudi Arabia, Norway, Germany, Spain, Slovenia, Ireland, and the United Arab Emirates.

At the time of writing, the attackers have switched to a new app; the first illegitimate app was deleted by the Facebook security team. Both apps use exactly the same mechanism to post spam profile messages on Facebook. Regardless of whether the JavaScript redirects the browser to the Facebook app based on its origin, all users are ultimately redirected to a scam page that tries to lure them into completing several fake surveys. The attackers use this method to try to collect personal information such as the user's home address, e-mail address, or phone number.

If the user tries to navigate away from the page or close the browser, a message appears asking them to stay and complete a "SPAM-free market research survey to gain access to this special content." Special it may sound, but it is definitely not spam-free!

As always, if a page forces you to Like, Share, or install an application in order to view it, DON'T DO IT! Chances are, it's spam.

Install Defensio, our free security app for Facebook, to prevent scams like this from ever appearing in your news feed.

Anonymous

"The Hottest & Funniest Golf Course Video" scam has more than 200,000 likes on Facebook
Posted: 09 Apr 2011 05:53 PM

Right now there's a scam making its way across Facebook, linking to a video titled "The Hottest & Funniest Golf Course Video - LOL" (example screen shot below). Websense customers are protected by ACE, our Advanced Classification Engine. During the 15 minutes it took to write this post, over 7,000 new users liked the page, so it's clear this is a successful campaign.

This latest scam is very much like a lot of others we see on a regular basis on the world's most popular social networking site. But this one seems to be especially popular for some reason.

When clicking on the link you're taken to the following page, tricking you into not only liking the page but also sharing it with your friends. It's doing this by using standard Facebook APIs.

The page that you are tricked into liking has been liked by over 272,000 users and doesn't really have anything to do with the scam itself; it is perhaps there to make the scam look more legitimate. The quote "<name>, are you scared? Of course I'm scared. I'm not Superman" is a quote by the actor Jackie Chan.

After liking and sharing the page and attempting to view the video, the user is taken to a typical CPA survey scam, so in the end there's no video at all. Note that the attackers haven't even bothered to change the title of the final payload site: it still says "Look What Happens When a Father Catches her Daughter on Webcam", which is another scam that went around Facebook months ago.

As always, if a video forces you to like, share, or install an app to view it, DON'T DO IT! And of course, install Defensio, our free security app for Facebook. It will keep scams like this from ever appearing on your news feed in the first place.

Patrik Runald

Italian model exposed in Facebook clickjacking attack
Posted: 28 Mar 2011 11:51 PM

The mere mention of anything with a sex connotation on Facebook almost always begets some major activity, with people wanting to know more. As a result, whatever the attack vector or channel might be is propagated, and the attacker is sure to get some response.

In this example, a Facebook click-jacking attack jumped on the bandwagon of Italian model Marika Fruscio's unfortunate wardrobe malfunction on live TV. The title of the scam on Facebook was "The beautiful Marika Fruscio shows her breasts on Italian TV!", which almost sounds staged rather than accidental. Whatever the theory, the interesting part of this attack is what happens when someone clicks on the provided link to watch the embedded video.

The example seems harmless: upon clicking the link, the user is directed to another page where they can view the video. While this is happening, the user's account is being exploited to post the video on their homepage for further distribution. The user is also added to the list of those who like the video, consequently encouraging others to view it. The series of steps involved is shown below.

An infected account shows the advert as being liked either by a friend or contact within your Facebook account:

The user is then directed to the page below to view the video. Unknown to the user, there are hidden elements and iframes within the HTML code, located at the Play button, which directly access the user's 'like' option within Facebook. These hidden elements are where the magic of click-jacking, or shall we say like-jacking, happens.

Innocent-looking page as seen by the user:

Riddled page with hidden elements and iframe superimposed on the Play button and various parts of the page:

On clicking the Play button, two events take place. The first is that the user's Facebook account 'likes' the video, with the video being posted on their wall as a result. The second is that the video of Marika Fruscio's wardrobe malfunction on live TV plays.
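
As an added example (not code from either Websense post), here is a small stdlib-only Python scanner for the pattern described both in the "A weekend of Click-jacking" post above (a Facebook comment box wrapped in an opacity:0 div under a fake CAPTCHA image) and in this like-jacking post (a hidden like iframe sitting on the Play button): it walks the HTML, resolves inline styles plus simple id/class rules from <style>, and flags every Facebook social plugin whose own element or any ancestor is invisible. The sample page, its CSS and all URLs are constructed for the demonstration.

```python
"""Heuristic scanner for hidden Facebook social plugins (click-jacking / like-jacking).

Added example, not Websense or Facebook code.  Flags fb:comments / fb:like tags and
facebook.com/plugins iframes that sit inside an element made invisible with
opacity:0, filter:alpha(opacity=0) or visibility:hidden.  Standard library only.
"""
import re
from html.parser import HTMLParser

# CSS declarations that leave an element clickable but invisible to the user.
INVISIBLE_RULES = [
    (re.compile(r"opacity\s*:\s*(?:0|0?\.0+)\s*(?:;|!|$)", re.I), "opacity:0"),
    (re.compile(r"filter\s*:\s*alpha\(\s*opacity\s*=\s*0\s*\)", re.I), "filter:alpha(opacity=0)"),
    (re.compile(r"visibility\s*:\s*hidden", re.I), "visibility:hidden"),
]
PLUGIN_TAGS = {"fb:comments", "fb:like", "fb:like-box"}
PLUGIN_IFRAME = re.compile(r"facebook\.com/plugins/", re.I)
VOID_TAGS = {"img", "input", "br", "hr", "meta", "link", "area", "base", "col", "embed", "source", "wbr"}
CSS_RULE = re.compile(r"([^{}]+)\{([^{}]*)\}")


def hidden_markers(style):
    """Names of the invisibility declarations present in one CSS declaration list."""
    return [name for rx, name in INVISIBLE_RULES if rx.search(style)]


class ClickjackScanner(HTMLParser):
    """Walks the document while tracking which open elements are invisible."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.stack = []       # (tag, markers) for every currently open element
        self.rules = {}       # "#id" or ".class" -> declarations collected from <style>
        self.in_style = False
        self.findings = []

    def handle_data(self, data):
        # Collect simple id/class rules so class-based hiding (the CAPTCHA case) is caught.
        if self.in_style:
            for selectors, body in CSS_RULE.findall(data):
                for sel in selectors.split(","):
                    sel = sel.strip()
                    if sel.startswith((".", "#")):
                        self.rules[sel] = self.rules.get(sel, "") + ";" + body

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "style":
            self.in_style = True
        # Effective style = inline style + matching id/class rules.
        decls = [a.get("style") or ""]
        if a.get("id"):
            decls.append(self.rules.get("#" + a["id"], ""))
        decls += [self.rules.get("." + c, "") for c in (a.get("class") or "").split()]
        self.stack.append((tag, hidden_markers(";".join(decls))))
        self._check_plugin(tag, a)
        if tag in VOID_TAGS:
            self.stack.pop()  # void elements never get an end tag

    def handle_endtag(self, tag):
        if tag == "style":
            self.in_style = False
        # Pop back to the matching open tag; tolerates sloppy markup.
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break

    def _check_plugin(self, tag, a):
        src = a.get("src") or ""
        if tag not in PLUGIN_TAGS and not (tag == "iframe" and PLUGIN_IFRAME.search(src)):
            return
        # Any invisibility marker on the plugin itself or on an ancestor hides it.
        hidden_by = [f"{t}:{m}" for t, markers in self.stack for m in markers]
        self.findings.append({
            "plugin": tag if tag != "iframe" else "iframe:" + src,
            "hidden": bool(hidden_by),
            "hidden_by": hidden_by,
            "path": "/".join(t for t, _ in self.stack),
        })


def scan(html):
    """Return one finding per Facebook plugin on the page, hidden ones first."""
    parser = ClickjackScanner()
    parser.feed(html)
    parser.close()
    return sorted(parser.findings, key=lambda f: not f["hidden"])


# Constructed sample modelled on the two posts: a comment box hidden under a fake
# CAPTCHA image, a like iframe hidden over a Play button, and one honest like button.
SAMPLE_PAGE = """<html><head><style>
  .fbhide { opacity: 0; filter: alpha(opacity=0); position: absolute; z-index: 2; }
  #captcha { background: url(captcha.png) no-repeat; position: absolute; z-index: 1; }
</style></head><body>
<div id="captcha"><img src="captcha.png"><input type="submit" value="Submit"></div>
<div class="fbhide"><fb:comments href="http://example.invalid/" num_posts="2"></fb:comments></div>
<div id="player"><img src="play.png">
  <iframe src="https://www.facebook.com/plugins/like.php?href=http://example.invalid/v"
          style="opacity:0; position:absolute; top:120px; left:300px"></iframe></div>
<div id="footer"><fb:like href="http://example.invalid/"></fb:like></div>
</body></html>"""

if __name__ == "__main__":
    for f in scan(SAMPLE_PAGE):
        print("HIDDEN " if f["hidden"] else "visible", f["plugin"], f["hidden_by"])
```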

Below is the screen the user is presented with if they are not already logged in to Facebook:

The compromised account then displays a video link on the user's wall, encouraging others to view it.

There are several reasons for this type of attack, and in this instance, although nothing is apparently malicious, it brings to mind the elaborate ploy where an attacker uses this means to earn money. Pay-per-click springs to mind: attackers running these scams usually get the user to click on hidden links in order to generate many hits, which then reward the attacker with money.

Further analysis using our in-house tools on spontour.net shows the various links and how they are interconnected.

To protect yourself from attacks such as these, and also from posts like this being posted on your wall, try our free Defensio Facebook app.

Anonymous

©2013 Websense, Inc. All Rights Reserved.