Websense Security Labs Blog

Websense Security Labs discovers, investigates and reports on advanced Internet threats that traditional security
research methods miss.


Comment Spam tagged in these posts

A weekend of Click-jacking on Facebook

Posted: 02 May 2011 07:17 PM | Anonymous | 3 comment(s)


In this blog post, I will analyze a Facebook scam technique that we've seen grow in popularity over the past few weeks, but let's focus on one example that was circulating this past weekend. As a Websense customer, if you are running our Web Security Software or real-time analytics, your users would have been protected from the first link right off the bat, thanks to our Advanced Classification Engine (ACE):

To show how this particular attack works, I set up a scenario using a test account. In this scenario, a friend named Chris has already fallen for the scam and posted a comment to his own Facebook profile page, which appears on all of his friends' walls. Here's what Chris, a victim of this scam, commented on:

The Enticement. Remember scammers aren't going to post something boring, this is meant to be enticing ... OK, I'll play along. Let's see what happens as I follow the trail. By clicking on the link, I'm redirected to mcdshock DOT info (robtex):

A Real CAPTCHA?

Interesting. So this site says that I can only continue if I solve a CAPTCHA. The site explains that it's using the CAPTCHA because it is attempting to protect itself from BOTS. That seems to make sense. CAPTCHAs are in fact meant to tell humans and programs apart (in theory) - but this particular page has more going on than meets the eye. Let's look at the source code behind this page (full source code can be found here):

The first thing that is noticeably odd is that the source code indicates the use of the Facebook comments social plugin (see fb:comments code) that allows websites to include a comment box linking to a user's Facebook page if they are logged into Facebook in another window or tab. A typical comment box looks like this:

But looking at the source code, no such comment box was displayed. Let's take an even closer look at the source code to figure out why ...

Classic Click-jacking

The style sheet section of the source code shows that the Facebook comment box is being wrapped in a div that has been given a style making it completely invisible (see opacity):

Next the source code is overlaying a background image on the entire section where the Facebook comment box is:

Can you guess what that image looks like? Here it is ...

Analysis of the source code indicates that the CAPTCHA is not a real CAPTCHA but an image sitting on top of a Facebook comment box meant to trick me, the unprotected user, into clicking on something - all the while, hiding its true nature. The submit button is carefully placed on top of the comment button. By clicking on it, I would be submitting text to my Facebook wall with text that is supplied by the scammer's website.

... and sure enough, once I hit submit, here is the comment that is posted to my Facebook page:

Classic case of click-jacking! That's not the end of it though! What happens next after clicking submit, apart from a comment being posted to my profile page is that I'm redirected...


"Ex-Girlfriend" Facebook worm: Check!

Posted: 02 Feb 2010 11:11 AM | Defensio, the blog | no comments


Nick O'Neil of AllFacebook.com recently reported that his Facebook wall was compromised by a new worm: the "Ex-Girlfriend" worm. Using some CSS and IFrame wizardry, the worm can post on your own wall in your own name, without you knowing it. Here's an example of Nick's wall:

You can protect your Facebook wall and pages from this worm by installing the Defensio Facebook application. Get started here...


Prominent blogger's website compromised

Posted: 04 Dec 2009 07:36 PM | Defensio, the blog | no comments


Famous writer and blogger Paulo Coelho had quite a bad surprise this morning when he found out that his blog had been compromised and was proudly advertising Valium. His website has since been cleaned up, but the spam was there long enough for Google to pick it up. This is just a reminder. Keep your Wordpress up to date and use an anti-spam & malware service like Defensio. Better be safe than sorry!


Wordpress users, are you safe?

Posted: 09 Sep 2009 10:20 AM | Defensio, the blog | no comments


If you are running an older version of Wordpress, meaning less than 2.8.4, you ABSOLUTELY want to read this. A worm that can post malware and spam to vulnerable Wordpress installations has recently been discovered in the wild and unless you're running the very latest version of Wordpress, you are at risk. Seriously at risk.

The vulnerability allowing the attack was discovered August 11 and was immediately fixed by the Wordpress team in the 2.8.4 security release. If you are using version 2.8.4 or better of Wordpress, or host your blog on Wordpress.com, you are safe.

The newly discovered worm is pretty sneaky to say the least. In a nutshell, it crawls the web looking for vulnerable Wordpress installations, makes itself an administrator account, takes full control of the website and posts malware and spam to it. It's also been reported that it will sometimes disable Defensio and other anti-spam plugins. It can be very hard to detect the new malicious administrator user since it hides itself from the users list using Javascript.

Bah... This stuff never happens to me!

If rock star blogger Robert Scoble can be hacked, you probably can as well. This vulnerability is serious, so please treat it as such.

Have I already been hacked?

As Lorelle VanFossen wrote on her blog:

There are two clues that your WordPress site has been attacked. There are strange additions to the pretty permalinks, such as example.com/category/post-title/%&(%7B$%7Beval(base64_decode($_SERVER %5BHTTP_REFERER%5D))%7D%7D|.+)&%/. The keywords are “eval” and “base64_decode.” The second clue is that a “back door” was created by a “hidden” Administrator. Check your site users for “Administrator (2)” or a name you do not recognize. You will probably be unable to access that account, but Journey Etc. has a possible solution.

How do I prevent my site from being targeted?

It's easy. Upgrade.

If you are using a somewhat recent version of Wordpress (2.7+), upgrading is easy since the functionality is now built-in. But if you are not, you should take a look at the excellent InstantUpgrade plugin which makes upgrading Wordpress a single-click operation. If you have already been hacked, you will need to delete the malicious admin user as well. Changing all your passwords is also strongly recommended. You might also want to check out How to Keep Wordpress Secure and the My Site Was Hacked FAQ.

How can I keep my Wordpress blog safe in the future?

Wordpress is generally a safe platform. However, we recommend that you always use the latest and greatest version to make sure that all known security exploits are patched. You should also make sure that your passwords are not easily guessable, either by a human or a machine. A password of at least 8 characters which includes at least 1 uppercase, 1 lowercase and 1 digit is generally considered "strong". Following @defensio, @websenselabs and @wordpress on Twitter is also a good way to stay up to date.
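The two clues quoted in this post can be checked from the server side, which matters because the worm hides its account from the admin screen. The sketch below is an added example, not code from the post or from WordPress; the log format, function names, account names and the allow-list are assumptions, and the capability strings assume the default `wp_capabilities` user meta value.

```python
import re
from urllib.parse import unquote

# Apache/nginx combined log format: client IP, request line, status code.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" (\d{3})')
KEYWORDS = ("eval", "base64_decode")  # the two keywords the post names

def decode_fully(path, max_rounds=3):
    """Percent-decode repeatedly so encoded or double-encoded keywords still match."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.lower()

def suspicious_requests(log_lines):
    """Return (ip, status, raw_path) for requests whose decoded path holds both keywords."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and all(k in decode_fully(m.group(2)) for k in KEYWORDS):
            hits.append((m.group(1), int(m.group(3)), m.group(2)))
    return hits

def unexpected_admins(capability_rows, known_admins):
    """Flag administrator accounts that are missing from the allow-list.

    capability_rows are (user_login, wp_capabilities value) pairs read from the
    database rather than the Users screen, where the worm hides its account.
    """
    return sorted(login for login, caps in capability_rows
                  if '"administrator"' in caps and login not in known_admins)

# Constructed sample data (assumed log format and account names).
SAMPLE_LOG = [
    '203.0.113.7 - - [05/Sep/2009:10:01:02 +0000] "GET /2009/08/retrieval-evaluation/ HTTP/1.1" 200 5120',
    '198.51.100.23 - - [05/Sep/2009:10:02:11 +0000] "GET /category/post-title/%&(%7B$%7Beval(base64_decode($_SERVER%5BHTTP_REFERER%5D))%7D%7D|.+)&%/ HTTP/1.1" 200 7311',
    '192.0.2.44 - - [05/Sep/2009:10:03:40 +0000] "GET /about/%2565val(base64_decode(x))/ HTTP/1.1" 404 312',
]
SAMPLE_CAPS = [
    ("admin", 'a:1:{s:13:"administrator";b:1;}'),
    ("editor_jane", 'a:1:{s:6:"editor";b:1;}'),
    ("xk_tmp", 'a:1:{s:13:"administrator";b:1;}'),
]

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print("suspicious request:", hit)
    print("unexpected admins:", unexpected_admins(SAMPLE_CAPS, {"admin"}))
```

Requiring both keywords keeps ordinary slugs that merely contain "eval" out of the results, and the status code in each hit helps separate probes that failed from requests the site actually served.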


Adventures in Spam: Hollywood-style spamming

Posted: 27 May 2009 08:07 PM | Defensio, the blog | no comments


If you think image spam is elaborate, think again! At Defensio, we see all kinds of crazy and innovative spam each day. But recently, something we never thought we'd ever see showed up on our radar: a significant influx of VIDEO spam, most of it hosted on YouTube.com. I guess this just shows how far spammers are ready to go to sell their junk. Here's a screenshot...

What do you think will be the next trend in spam?


Dotclearly Defensio

Posted: 19 May 2008 12:49 PM | Defensio, the blog | no comments


Another week, and yet another platform is adding support for Defensio. This time, it's Dotclear, a French blogging platform written by Olivier Meunier. The plugin, made by Pep, can be found right here on our main site. Thanks to Pep and to the whole Dotclear community. We hope to help you in your fight against spam!


Not sure if Defensio is right for you?

Posted: 02 Apr 2008 07:36 AM | Defensio, the blog | no comments


This morning, I had the joy to wake up to a wonderful review of Defensio. The author of the review, Holly Ord, clearly loves what we're doing. But more importantly, she really understands the comment spam problem, how Defensio works and why we're better. I invite you to read her article entitled Tackling Comment Spam -- For Good. It's a great one. This is, in my opinion, the best excerpt (of course, I'm totally biased):

Defensio is a comment spam monitor and eliminator whose entire mission is based off of outsmarting evil spam, which it does miraculously. In my opinion, you cannot get any better than Defensio for taking the edge off when you’re thinking about how your website is doing and if any spam is leaking through.

Thanks Holly, that's giving us some fuel to keep going!


Welcome Textpattern users!

Posted: 27 Mar 2008 02:51 PM | Defensio, the blog | no comments


If you're blogging on Textpattern, rejoice! Walker Hamilton, a long time Defensio user, has recently released a plugin for your platform! Here's the link. We're quite excited to bring the Defensio goodness to yet another platform. Big thanks to Walker for making this possible.


Defensio & Mephisto: a marriage made in heaven

Posted: 03 Mar 2008 02:36 PM | Defensio, the blog | no comments


If you're on Mephisto, you'll be happy to know that François Beausoleil just integrated support for Defensio directly into Mephisto... No more plugin to install! While it has not been merged to the official Mephisto repository yet, François invites Rick Olson (author of Mephisto) to do so. If you can't wait (and I know you can't!), you can just pull from François' Git repository. You'll find the instructions and explanations here. Thanks for the support, François!
