Defensio tagged in these posts:

A weekend of Click-jacking on Facebook
Posted: 02 May 2011 07:17 PM

 

In this blog post, I will analyze a Facebook scam technique that we've seen grow in popularity over the past few weeks, but let's focus on one example that was circulating this past weekend. As a Websense customer, if you are running our Web Security Software or real-time analytics, your users would have been protected from the first link right off the bat, thanks to our Advanced Classification Engine (ACE):

 

To show how this particular attack works, I set up a scenario using a test account. In this scenario, a friend named Chris has already fallen for the scam and posted a comment to his own Facebook profile page, which appears on all of his friends' walls.

 

Here's what Chris, a victim of this scam, commented on:

 

The Enticement

 


 

Remember, scammers aren't going to post something boring; this is meant to be enticing ... OK, I'll play along. Let's see what happens as I follow the trail. By clicking on the link, I'm redirected to mcdshock DOT info (robtex):

 

A Real CAPTCHA?

 

Interesting. So this site says that I can only continue if I solve a CAPTCHA. The site explains that it's using the CAPTCHA because it is attempting to protect itself from BOTS. That seems to make sense. CAPTCHAs are in fact meant to tell humans and programs apart (in theory) - but this particular page has more going on than meets the eye.

 

Let's look at the source code behind this page (full source code can be found here):

 

 

 

The first thing that is noticeably odd is that the source code indicates the use of the Facebook comments social plugin (see fb:comments code) that allows websites to include a comment box linking to a user's Facebook page if they are logged into Facebook in another window or tab. A typical comment box looks like this:

 

But looking at the source code, no such comment box was displayed. Let's take an even closer look at the source code to figure out why ...

 

Classic Click-jacking

The style sheet section of the source code shows that the Facebook comment box is being wrapped in a div that has been given a style making it completely invisible (see opacity):

 

 

Next the source code is overlaying a background image on the entire section where the Facebook comment box is:

 

Can you guess what that image looks like? Here it is ...

 

Analysis of the source code indicates that the CAPTCHA is not a real CAPTCHA but an image sitting on top of a Facebook comment box meant to trick me, the unprotected user, into clicking on something - all the while, hiding its true nature. The submit button is carefully placed on top of the comment button. By clicking on it, I would be submitting text to my Facebook wall with text that is supplied by the scammer's website.

 

... and sure enough, once I hit submit, here is the comment that is posted to my Facebook page:

 

Classic case of click-jacking!
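The pattern analyzed above, a Facebook comments plugin sitting inside a container that a style rule makes invisible, can be flagged by a static scan of the page source. The following Python scanner is an added example, not code from the original post or from Websense; the sample page, the 0.1 opacity cut-off and all function names are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser

PLUGIN_TAGS = {"fb:comments", "iframe"}  # embedded content that acts in the user's session
VOID_TAGS = {"br", "hr", "img", "input", "link", "meta"}  # elements with no end tag
MAX_OPACITY = 0.1  # assumption: at or below this an element is effectively invisible
OPACITY_RE = re.compile(r"(?<![\w-])opacity\s*:\s*([0-9]*\.?[0-9]+)", re.I)
# Constructed sample page, not the source of the page analysed in the post.
SAMPLE_PAGE = """<style>.wrap { opacity: 0; } .note { opacity: 0.9; }</style>
<div class="wrap"><fb:comments xid="constructed"></fb:comments></div>
<div style="opacity:0.01"><p><iframe src="https://example.invalid/w"></iframe></p></div>
<div class="note"><fb:comments xid="visible"></fb:comments></div>"""

def is_transparent(css):
    m = OPACITY_RE.search(css or "")
    return bool(m) and float(m.group(1)) <= MAX_OPACITY

def hidden_selectors(css):
    """Return the trailing .class / #id of each selector whose rule is near-zero opacity."""
    found = set()
    for selectors, body in re.findall(r"([^{}]+)\{([^{}]*)\}", css):
        if is_transparent(body):
            found.update(re.findall(r"[.#][\w-]+(?=\s*(?:,|$))", selectors.strip()))
    return found

class PluginScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.stack, self.css, self.plugins = [], [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        keys = {"." + c for c in (a.get("class") or "").split()}
        if a.get("id"):
            keys.add("#" + a["id"])
        chain = self.stack + [(tag, keys, is_transparent(a.get("style")))]
        if tag in PLUGIN_TAGS:  # record selectors and inline hiding on it and its ancestors
            self.plugins.append((tag, set().union(*(e[1] for e in chain)),
                                 any(e[2] for e in chain)))
        if tag not in VOID_TAGS:
            self.stack = chain

    def handle_endtag(self, tag):
        open_tags = [e[0] for e in self.stack]
        if tag in open_tags:  # pop back to the nearest matching open tag
            del self.stack[len(open_tags) - 1 - open_tags[::-1].index(tag):]

    def handle_data(self, data):
        if self.stack and self.stack[-1][0] == "style":
            self.css.append(data)

def scan(html):
    """Return (tag, reasons) for each plugin inside an effectively invisible container."""
    p = PluginScanner()
    p.feed(html)
    p.close()
    hidden = hidden_selectors("".join(p.css))
    return [(tag, sorted(keys & hidden) or ["inline style"])
            for tag, keys, inline in p.plugins if inline or keys & hidden]
```

Calling `scan(SAMPLE_PAGE)` reports the plugin hidden by the stylesheet class and the iframe hidden by an inline style, and leaves the visible comment box alone.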

 

That's not the end of it though! What happens next after clicking submit, apart from a comment being posted to my profile page, is that I'm redirected, first to a tracking website:

 

 

... and next to isozbanks DOT com, where I'm asked for further verification to either play a Pacman game or answer what my favorite Facebook game is:

 

 

Another click? Can you say click-jacking part deux? Indeed, if I click on one of the above links, another comment is posted to my Facebook profile page:

 

 

Click-jack complete, commence project information gathering

 

Next, I'll be redirected to playsushi DOT com (Alexa Ranking: 7903), where, if I click on "Click Here To Play," I'll be prompted to download an executable called SetupPlaySushi.exe (VirusTotal report):

 

 

Had I chosen instead to take the survey of my favorite Facebook game, I would've been brought to the following pages where the attacker would have a very good opportunity to capture my email address and post another comment to my Facebook page. Upon clicking continue, I'd be asked to give out more information (a great method for attackers to build up a profile for tracking purposes and to store their victims' personal information).

 

 

Now assuming I either visited the Pacman site or the survey site, the following page is shown:

 

 

I then must proceed through a few more Web pages, which in the end ask me to play more games or fill out more surveys for verification purposes (it's worth noting that each user will be prompted with different games and different links) - again really just to trick me into clicking and sending comment spam to my own Facebook profile page:

 

 

Clicking one of these links will bring me to the following pages:

 

Finally, after viewing any of the above sites, I'll get a final Web page screen indicating that the content has been unlocked and that I can view the video.

 

 

 

Is there even a real video to view?

 

At the end of this entire process, I'll be rewarded for my persistence by being able to finally see the video I was promised.

 

Let's review all that I had to give up to get to view the final video:

 

  • Full name
  • Full address
  • Gender
  • Phone number
  • Download and possible execution of an executable (spyware)

 

The Click-jacking to post comments to my profile was the main motivation from the attacker's point of view. Everything that came after was just a bonus.

 

To give you an estimate of how many people fell for this scam, we can look at the hits on YouTube yesterday and this morning. Overnight, more than 100,000 users visited the YouTube video, showing how successful this scam really was.

 

Don't become a victim! Here are some tips and tools to protect yourself against Click-jacking (link).  Websense has a free Facebook plugin called Websense TRITON Defensio that would have protected users from this attack. Install it, and it will protect you from these types of scams.

 

 

 

Web Filtering and real-time analytics within ACE would have protected a user from the start!

 

 

Principal Security Researcher: Stephan Chenette
Thanks to our newest researcher Armin Büscher for the assistance!

Demo Spring 2011
Posted: 02 Mar 2011 05:57 PM

Earlier this week we were fortunate enough to attend the Demo conference in Palm Desert. For those of you who are not familiar, Demo is mostly designed for startups and entrepreneurs to gather and launch their latest products and companies. We were lucky enough to be accepted to demo our newest generation of our Facebook security application Defensio.

 

 

Overall the conference had a very positive vibe and there were some interesting new technologies introduced in the key categories: Social, Mobile, and Cloud. Our key value of protecting your brand reputation and image within Facebook resonated very well and we look forward to attending again.

Video of the Demo:

http://bcove.me/5m5g6gyb


Pictures from Demo:
http://www.flickr.com/photos/democonference/5486857611/in/set-72157626044840317/
http://www.flickr.com/photos/democonference/5486857689/in/set-72157626044840317/
http://www.flickr.com/photos/democonference/5486865475/in/set-72157626044840317/
http://www.flickr.com/photos/democonference/5487452544/in/set-72157626044840317/

 

 

 

Full conference images available here: http://www.flickr.com/photos/democonference/sets/
Full conference videos available here: http://www.demo.com

Patrik Runald

Viral and Malicious Facebook application for $25
Posted: 07 Feb 2011 01:48 PM

Over the last weekend, a viral rogue app campaign hit Facebook again. This time the application was called "Profile Creeps" which, like many other rogue applications before it, promises to do what Facebook simply doesn't allow *ANY* app to do - let us know who looks at our profile. But users are still tricked into installing apps that promise to do just this. And just like most others, the latest one leads to a survey that in the end generates money for the people behind the app.

 

 

Viral Facebook Application Toolkits


Spam campaigns such as this one appear on an almost daily or weekly basis. You might ask yourself: is everybody now becoming a Facebook developer and trying to make tons of cash unleashing those annoying surveys? In essence, the answer is both a "yes" and a "no". No, not everybody is a Facebook developer; yes, it's very easy to take on the experience and become one - or pretend to be one. You don't have to be a developer, but a mere $25 can buy you a Facebook viral application toolkit and unleash all the unwanted content you want onto Facebook.

 

As an example, let's look at a very similar fraudulent application that "can" allow Facebook users to know who "creeps" at their profile, called "Facebook Profile Creeper Tracker Pro". The application asks for some permissions, shows an online survey/advertisements and tells the user at the end of the process that he/she is the one that looks at his/her own profile the most. In other words, this application should be revoked according to the terms and conditions of Facebook.

 

"Facebook Profile Creeper Tracker Pro" and similar fraudulent applications process:



This application was built with a pre-defined toolkit called "Tinie app" which is a Facebook viral application template available in some variations for only $25 or even less. The next image is one of the template images in the toolkit that aims to give some directions to the buyer, besides the full-blown step-by-step guide that comes with the kit itself:

 

 

The buyer doesn't have to have development experience with Facebook, he/she just needs to follow the accompanying instructions and a working viral Facebook application is at their disposal. One of the sellers of the application describes its purpose pretty well:

 

 

If you're wondering what CPA lead is, it's the abbreviation of Cost Per Action. It's a program that any Web content publisher can join that allows them to install a survey on their site in order to make money. The cut with those programs is around $0.20-$2.00 and could be more or less.

 

This phenomenon of template Facebook applications like Tinie app shows how the spamming culture is consolidating more and more around Facebook, adapting to the platform and increasing what we call Web spam.

 

To protect yourself from malicious URL links and spam posts being made to your Facebook wall, try our free Defensio Facebook app.  You can download it from Defensio.com.


Elad Sharf

Mark Zuckerberg Facebook Page Showing Rogue Comments
Posted: 26 Jan 2011 12:40 PM

This morning Mark Zuckerberg's Facebook fan page is still down after having an apparent rogue comment posted to the page yesterday.  The short post was seemingly from Mark Zuckerberg but was an unusual message with a political theme. This is the second similar hack this week.  The French President Nicolas Sarkozy also offered a political message to his Facebook fans this week - apparently not from him though.

 

A screenshot of the rogue post to Zuckerberg's page is below:

 

 

The URL shortener in the message links to a non-malicious page on Wikipedia.

 

The current message delivered to users wishing to access the Mark Zuckerberg page is:

 

 

Although the reason for the rogue comment is unclear (a short message post seemingly political in nature), the event certainly highlights the need for increased security with usernames and passwords.  This is becoming even more important as many sites are now permitting sign-in using accounts set up in other social networks and services.  For example, Bebo and Yahoo! as below:

 

 

To protect yourself from malicious URL links and spam posts being made to your Facebook wall, try our free Defensio Facebook app.  You can download it from: http://defensio.com/.


Carl Leonard

Web Spam leading to Friendster on the rise
Posted: 27 Aug 2010 04:39 PM

This week has been pretty rough on Friendster, one of the more popular social networking sites. The Websense® Threatseeker® Network detected a spike, or a rather large increase, in the number of abused or fake Friendster accounts that are being Web spammed.

The chart below shows the number of posts that lead to fake Friendster profiles holding spam content this week:

 

The posted Web spam messages lead to fake Friendster accounts holding pharmaceutical spam.

Here is one example. Please meet "Medication Ativan" - a 45-year-old male from the United States:

 

 

"Medication Ativan" isn't your ordinary friend; this fake member would like to sell you a variety of pharmaceutical pills:

 


Thanks for the offer "Medication Ativan", but no thanks!

 

Try our Defensio plug-ins to stop this kind of Web spam in your Facebook account or personal blog.

Elad Sharf

Quarter Million Malicious Facebook Posts
Posted: 11 Mar 2010 03:17 PM

A word of caution to Facebook users: be careful when clicking links on Facebook, even if they're on your friend's page or your favorite superstar's page.

We have detected a malicious campaign that is quickly spreading on Facebook. The malware has very low anti-virus coverage and can be found on prominent Facebook pages such as ones belonging to Justin Timberlake (2.1 million fans) and a few others. If you use Facebook and are worried about this, we have a Facebook app that solves this problem (read on). If you are a customer, yes - we stop this at the gateway in real-time.

To get an idea of how fast this link is being shared on Facebook (measured in seconds!), here's a video:

This is what the malicious campaign looks like (WARNING: Do *not* attempt to go to the link - your computer may get infected):

The malicious link isn't spreading through high profile names only, but also "long tail" relatively popular Facebook pages.

VirusTotal shows a < 15% anti-virus detection rate.

We also detected that this campaign is also spreading on Twitter:

Websense customers who click this link are protected from it:

If you're using the Websense Defensio Facebook app, you are notified via email when someone posts something malicious on your Facebook page:

Websense Messaging and Websense Web Security customers are protected against this attack.

 

WebsenseSecurityLabs

"Ex-Girlfriend" Facebook worm: Check!
Posted: 02 Feb 2010 11:11 AM

Nick O'Neil of AllFacebook.com recently reported that his Facebook wall was compromised by a new worm: the "Ex-Girlfriend" worm. Using some CSS and IFrame wizardry, the worm can post on your own wall in your own name, without you knowing it.  Here's an example of Nick's wall:

You can protect your Facebook wall and pages from this worm by installing the Defensio Facebook application. Get started here...

Defensio, the blog

Introducing Defensio 2.0
Posted: 20 Jan 2010 04:00 PM

Security for the Social Web

After months of hard work, it is my extreme pleasure to introduce Defensio 2.0 - the first and only complete security suite for the social web.

A number of new features now make Defensio the most advanced spam and malicious content detection service for the web. These features include:

  • Spyware, malware, phishing and other types of malicious content detection
  • URL blocking by category
  • Profanity detection and filtering
  • Script and executable blocking
  • Enhanced statistics
  • Asynchronous API (faster and non-blocking filtering)

Thanks to Websense's Threat Seeker Network, Defensio can now detect and block much more than just spam, offering you the absolute best protection for your website.

Screencast

We prepared a screencast where you can see the new Defensio 2.0 features.

Wordpress

The Wordpress plugin has been updated to leverage the new features we are introducing today. Upgrade today!

Pixelpost

Thanks to Dennis Mooibroek, Pixelpost now also supports Defensio 2.0. You can download the latest version of the Pixelpost plugin on our website.

Facebook Protection

A few months ago, we started noticing that a lot of spam, profanity, malware and malicious content was making it onto personal and corporate Facebook pages. We knew we had to do something about it. Our response to this growing problem is the first ever Facebook security suite. This is also launching today!

Once Defensio for Facebook is installed, we will constantly monitor your page for possibly unwanted content. Should we find something suspicious, we will alert you. This Facebook application works with any kinds of pages, including personal and corporate profiles, group pages and fan pages.

To install Defensio for Facebook, simply create an account at http://defensio.com/signup. If you already have a Defensio account, log in, then in the control panel, click "My API keys", then "Protect another web property".

Other platforms

More platforms will support 2.0 very soon. Defensio 1.x remains available and software using our old API will keep working as usual.

New Developer API

We love our developers, and we made sure not to leave them out in the cold. Defensio 2.0 ships with a brand new and improved asynchronous RESTful API! The new API features:

  • Asynchronous (or synchronous) for fast, non-blocking calls to Defensio
  • Optional web hook for asynchronous calls
  • Entirely RESTful
  • More generic wording, making it less targeted towards blogs and easier to use in a wider range of web applications
  • New actions for profanity filtering and enhanced statistics
  • Content classification (spam, malicious, innocent)

See the API 2.0 documentation for more details.

We're also releasing many 2.0-ready developer libraries for PHP, Ruby, Python and Perl. This should make your life easier when upgrading your application to Defensio 2.0. You can find them in the "downloads" section of our website.

Conclusion

I hope you're as excited as we are about the second coming of Defensio. Let us know what you think!

Defensio, the blog

Adventures in Spam: Hollywood-style spamming
Posted: 27 May 2009 12:07 PM

If you think image spam is elaborate, think again!

 

At Defensio, we see all kinds of crazy and innovative spam each day. But recently, something we never thought we'd ever see showed up on our radar: a significant influx of VIDEO spam, most of it hosted on YouTube.com. I guess this just shows how far spammers are ready to go to sell their junk.

Here's a screenshot...

 

 

What do you think will be the next trend in spam?

Defensio, the blog

Shopify joins Defensio
Posted: 06 Oct 2008 02:33 PM

This morning, hosted e-commerce solution Shopify enabled commenting on its users' blogs.

After comparing the many spam filtering services available, the Ottawa-based firm decided to use Defensio as their first line of defense.

This is yet another great step for us since Shopify currently hosts ~40,000 blogs.

Shopify launched in mid-2006 and was greatly acclaimed.  Building an online store with Shopify couldn't be easier and many believe they are a great contender to overtake eBay's dominance in this market. Shopify recently announced they passed $10M in total sales.


Defensio, the blog


©2013 Websense, Inc. All Rights Reserved.