Click-jacking tagged in these posts:

'Jacked Frost' Facebook Scam Goes Wild and Doubles Over the Weekend
Posted: 10 Dec 2012 11:51 AM

Last week we wrote a blog about a Facebook scam that appeared to spread rather aggressively. We decided to nickname the scam "Jacked Frost." The Websense® ThreatSeeker® network detected that the scam increased and multiplied over the weekend, particularly on Saturday, when we saw the number of unique URLs related to this scam double. This shows how cyber crooks time their attacks for periods when users are more relaxed and when the security community is less likely to alert users to this type of threat.

Here is the link to our blog that describes this in more detail. The scam spreads using click-jacking techniques and employs a large number of varied scam hosts by using the infrastructure of the legitimate service at freedns.afraid.org.

Websense customers are protected against this threat with Websense ACE (Advanced Classification Engine).

A graph showing the volume of unique scam URLs vs. active URLs (available URLs) over the past few days:

Screenshot of the scam's main page:

What the scam looks like in Facebook's news feed. The scam uses a variety of sexually suggestive images and enticing wording to lure users into clicking:

Bitcoin Miner with Black Hat SEO Poisoning Campaign
Posted: 20 Dec 2011 03:00 AM

Bitcoin is a peer-to-peer currency exchange system that features a predictable currency rate. The generation of Bitcoin currency is controlled by an algorithm created by Japanese researcher Satoshi Nakamoto in 2008. Bitcoin system users are essentially "mining" for Bitcoins using their computers' CPU power. Today, because of the intrinsic characteristics of the Bitcoin-generating algorithm, calculating new "coins" in a reasonable amount of time without the use of distributed computing power is very difficult. It's important to remember that Bitcoins are like real money and can be exchanged for real money.

During a recent investigation, we encountered a new trend in the landscape of monetization techniques, one that can be triggered by a Black Hat SEO (BHSEO) poisoning campaign. What happens when BHSEO specialists meet a service, offered for example by BitcoinPlus, that is used for mining Bitcoins? Well, we should never underestimate the cleverness and imagination of cyber criminals. Specifically, we have encountered an array of Websites that have been set up for BHSEO purposes and that are used for Bitcoin mining.

Basically, this is the goal of BHSEO poisoning: reach a user for malicious purposes when that user is looking for something via a search engine. There are many ways to create a BHSEO campaign (or structure). The one most often used consists of creating an HTML page on a Website and naming it after a popular keyword. So a global celebrity gossip news item can be a gold mine for anyone who wants to build a BHSEO campaign. This technique is frequently used to spread malware or some other kind of malicious content.

BitcoinPlus offers a service which allows a registered user to mine "coins" using some JavaScript that is added to their Website. This essentially means that the CPU power of any visitor to such a Website will be used to generate Bitcoins for the Bitcoin account owner.

The code provided by BitcoinPlus is shown in the following screenshot; this is the code that is included in the BHSEO Website to generate Bitcoins:

Essentially the code requires three things: the minimal jQuery library, the call to the mining JavaScript code, and the registration of the BitcoinPlus user account. The following Java applet shows the miner.js call:

A brief analysis of this JAR file shows the code that calculates the amount of time necessary for any Web client visit to mine Bitcoins, as shown in the following code snippet:

Up to this point, nothing illegal has happened. But what would happen if this script were used with malicious intent? During our analysis using the Websense ThreatSeeker™ Network, we detected several Websites set up with the JavaScript snippet shown above. The screenshot below shows some of the Websites that are part of the BHSEO campaign explained earlier in this blog:

The keywords relate to a variety of topics: adult content, electronic devices, hacking, software, and so on.  We tried to load one of the Web links detected, and the HTML page appeared to display the information that a user might expect. At this point, an array of squares appeared, and took some time to download completely. (Remember that a Bitcoin user would already be logged in and using the BitCoinPlus services to mine Bitcoins.)

Once the content of the squares is loaded, another download begins (again a time-consuming, deliberately delaying activity that keeps the visitor on the page while the "mining" of Bitcoins continues).

A user who clicks the black square (to download the "required video player") actually downloads a rogue player. The user counter offered by Among.Us (the red square on the left with the number 135) indicates an average of 140 users per hour for this Website.

If we examine the user counts in the Among.US counter over time, we can see peak counts of up to 490 users for the Website we analyzed.

One reason that such a large number of visitors can be accommodated could be the use of an automated system (maybe a botnet) to easily create a monetization process with click-jacking activities. The "coins" mined from unsuspecting users are just like real money and can be used for other frauds and malicious activities. This type of cyber fraud could become a larger issue, and difficult to explain in just one blog post.

At this time, the script in the Web page we analyzed is commented out. However, via ThreatSeeker we have detected about 10000 URLs where the injected script seems to be active. Many of these URLs are related to Web and email spam and malicious Web sites and reside in low-reputation autonomous systems, as shown in the following results:
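The distinction the paragraph draws, a miner include that is present but commented out versus one that is live, is easy to get wrong when triaging page source in bulk. The script below is an added example, not code from Websense or BitcoinPlus: it pulls every external script reference from a page, checks it against a miner-script pattern (only the "miner.js" file name comes from the post; the host names, sample pages and pattern list are constructed for illustration), and reports whether each hit survives once HTML comments are removed.

```javascript
// Added example, not code from Websense or BitcoinPlus: triage a page's HTML
// for the in-page CPU-miner include described in the post, and tell an active
// include apart from one that has been commented out. Host names and page
// bodies below are constructed for illustration.

// Only the "miner.js" file name comes from the post; any host serving it is assumed.
const MINER_SCRIPT_PATTERNS = [/\/miner\.js(?:[?#]|$)/i];

// Remove HTML comments so that a commented-out <script> is not counted as live.
function stripHtmlComments(html) {
  return html.replace(/<!--[\s\S]*?-->/g, '');
}

// Collect every external script URL referenced by a <script src="..."> tag.
function extractScriptSrcs(html) {
  const srcs = [];
  const re = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["'][^>]*>/gi;
  let m;
  while ((m = re.exec(html)) !== null) srcs.push(m[1]);
  return srcs;
}

// Return each miner include once, flagged active (outside a comment) or not.
function findMinerIncludes(html) {
  const live = new Set(extractScriptSrcs(stripHtmlComments(html)));
  const seen = new Set();
  const findings = [];
  for (const src of extractScriptSrcs(html)) {
    if (seen.has(src)) continue;
    seen.add(src);
    if (MINER_SCRIPT_PATTERNS.some((p) => p.test(src))) {
      findings.push({ src, active: live.has(src) });
    }
  }
  return findings;
}

// Summarise a page as 'active-miner', 'dormant-miner' or 'no-miner'.
function classifyPage(html) {
  const findings = findMinerIncludes(html);
  if (findings.length === 0) return 'no-miner';
  return findings.some((f) => f.active) ? 'active-miner' : 'dormant-miner';
}

// Constructed samples: a live include, a commented-out one, and a clean page.
const ACTIVE_PAGE = `<html><head>
  <script src="/js/jquery.min.js"></script>
  <script src="http://miner.example/js/miner.js"></script>
</head><body>celebrity gossip keyword page</body></html>`;

const DORMANT_PAGE = `<html><head>
  <script src="/js/jquery.min.js"></script>
  <!-- <script src="http://miner.example/js/miner.js"></script> -->
</head><body>celebrity gossip keyword page</body></html>`;

const CLEAN_PAGE = `<html><head>
  <script src="/js/jquery.min.js"></script>
</head><body>plain page</body></html>`;

for (const [name, html] of [['active', ACTIVE_PAGE], ['dormant', DORMANT_PAGE], ['clean', CLEAN_PAGE]]) {
  console.log(name, classifyPage(html), findMinerIncludes(html));
}
```

A dormant include is still worth recording: the page owner only has to remove the comment markers to switch the miner back on, so a "dormant-miner" result is a reason to keep the URL on a watch list rather than to clear it.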

Recently, we discovered some binary bots created ad hoc to steal the Bitcoin wallets from infected systems. Although Bitcoin mining is not malicious by itself, we can see that the practice can be used to entice users to visit pages that do not contain the contents they were looking for, which could be considered fraudulent activity.

Websense customers are protected from these threats by ACE, our Advanced Classification Engine.

Gianluca Giuliani

Facebook and Websense Partner to Protect Users from Malicious Links
Posted: 03 Oct 2011 02:30 PM

Today, we have some exciting news. Some of you may have already heard about it, because it is big!

Starting today, we have implemented a partnership with Facebook, arguably the largest, most important platform on the globe, to better protect users against malicious links leading to malware-embedded websites and fraud.

A platform as popular as Facebook is naturally a target for attackers. We have been working with Facebook and their security teams for a number of years in order to keep their users safe, but now we have integrated directly into the platform for an unprecedented security combination.

Soon, when a user clicks on a URL that has been posted within Facebook, that link will be sent to Websense for security classification. The Websense® ThreatSeeker® Cloud, an advanced classification and malware identification platform, will then analyze the link in real time. If the destination site is considered unsafe, the user is presented with a warning page that offers the choice to continue at their own risk, return to the previous screen, or get more information on why it was flagged as suspicious.

In this way, we are helping Facebook continue their proactive fight to keep malicious links off of their platform and allow safe use for all of its members.

At Websense, we are all about innovation and changing the security game. We were the first company to promote and enable our customers to embrace safe, productive use of social media with our web security gateway, the first to deliver security and anti-spam to protect companies' presence within Facebook with Defensio, and now we are assisting in the protection of all users on the platform with our cloud integration.


This is the same technology that already powers our industry-leading TRITON™ solutions, and it now extends that same protection to consumers and other users of Facebook.


For more information, you can view the news release here, or check out the infographic below.


A weekend of Click-jacking on Facebook
Posted: 02 May 2011 07:17 PM

In this blog post, I will analyze a Facebook scam technique that we've seen grow in popularity over the past few weeks, but let's focus on one example that was circulating this past weekend. As a Websense customer, if you are running our Web Security Software or real-time analytics, your users would have been protected from the first link right off the bat, thanks to our Advanced Classification Engine (ACE):

To show how this particular attack works, I set up a scenario using a test account. In this scenario, a friend named Chris has already fallen for the scam and posted a comment to his own Facebook profile page, which appears on all of his friends' walls.

Here's what Chris, a victim of this scam, commented on:

The Enticement


Remember scammers aren't going to post something boring, this is meant to be enticing ... OK, I'll play along. Let's see what happens as I follow the trail. By clicking on the link, I'm redirected to mcdshock DOT info (robtex):

A Real CAPTCHA?

Interesting. So this site says that I can only continue if I solve a CAPTCHA. The site explains that it's using the CAPTCHA because it is attempting to protect itself from bots. That seems to make sense. CAPTCHAs are in fact meant to tell humans and programs apart (in theory) - but this particular page has more going on than meets the eye.

Let's look at the source code behind this page (full source code can be found here):

The first thing that is noticeably odd is that the source code indicates the use of the Facebook comments social plugin (see fb:comments code) that allows websites to include a comment box linking to a user's Facebook page if they are logged into Facebook in another window or tab. A typical comment box looks like this:

But looking at the source code, no such comment box was displayed. Let's take an even closer look at the source code to figure out why ...

Classic Click-jacking

The style sheet section of the source code shows that the Facebook comment box is being wrapped in a div that has been given a style making it completely invisible (see opacity):

Next the source code is overlaying a background image on the entire section where the Facebook comment box is:

Can you guess what that image looks like? Here it is ...

Analysis of the source code indicates that the CAPTCHA is not a real CAPTCHA but an image sitting on top of a Facebook comment box meant to trick me, the unprotected user, into clicking on something - all the while, hiding its true nature. The submit button is carefully placed on top of the comment button. By clicking on it, I would be submitting text to my Facebook wall with text that is supplied by the scammer's website.

... and sure enough, once I hit submit, here is the comment that is posted to my Facebook page:

Classic case of click-jacking!
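The two source-code tells described above (a plugin wrapper whose style sets opacity to zero, and a decoy image positioned over it) can be checked for mechanically when reviewing page source. The script below is an added example, not code from Websense or from the scam page: a heuristic scanner that reads the page's stylesheet and inline styles, finds div or span wrappers that CSS makes fully transparent, and reports any that contain an iframe or Facebook social-plugin tag. The sample pages, selector names and hosts are constructed to mirror the layout the post describes.

```javascript
// Added example, not code from Websense or the scam page: a heuristic scan of
// page source for the layout this post describes, i.e. a social-plugin embed
// wrapped in an element that CSS makes fully transparent so a decoy image can
// sit on top of it. Works on flat markup without a DOM parser; the sample
// pages and selector names below are constructed.

// True when a declaration block makes its element (near) invisible yet still
// clickable. visibility:hidden and display:none are deliberately excluded:
// they also stop the element receiving clicks, so they do not enable this trick.
function declaresHidden(decls) {
  const op = /(?:^|;)\s*opacity\s*:\s*([0-9.]+)/i.exec(decls);
  if (op && parseFloat(op[1]) < 0.1) return true;
  const ie = /alpha\s*\(\s*opacity\s*=\s*(\d+)\s*\)/i.exec(decls); // legacy IE filter syntax
  return !!ie && parseInt(ie[1], 10) < 10;
}

// Collect the selectors of every stylesheet rule that hides its target.
function parseHiddenSelectors(css) {
  const hidden = new Set();
  const ruleRe = /([^{}]+)\{([^}]*)\}/g;
  let m;
  while ((m = ruleRe.exec(css)) !== null) {
    if (declaresHidden(m[2])) {
      m[1].split(',').forEach((s) => hidden.add(s.trim()));
    }
  }
  return hidden;
}

// Only simple class and id selectors are resolved against a tag's attributes.
function selectorMatches(selector, attrs) {
  if (selector.startsWith('.')) {
    const cls = /\bclass\s*=\s*["']([^"']*)["']/i.exec(attrs);
    return !!cls && cls[1].split(/\s+/).includes(selector.slice(1));
  }
  if (selector.startsWith('#')) {
    const id = /\bid\s*=\s*["']([^"']*)["']/i.exec(attrs);
    return !!id && id[1] === selector.slice(1);
  }
  return false;
}

const EMBED_RE = /<(iframe|fb:comments|fb:like)\b[^>]*>/i;

// Report every div/span that wraps an embed and is transparent by inline style
// or by a stylesheet rule. Nested wrappers of the same tag are not resolved.
function findHiddenEmbeds(html) {
  const css = [];
  const styleRe = /<style\b[^>]*>([\s\S]*?)<\/style>/gi;
  let m;
  while ((m = styleRe.exec(html)) !== null) css.push(m[1]);
  const hidden = parseHiddenSelectors(css.join('\n'));

  const findings = [];
  const wrapRe = /<(div|span)\b([^>]*)>([\s\S]*?)<\/\1>/gi;
  while ((m = wrapRe.exec(html)) !== null) {
    const [, tag, attrs, inner] = m;
    const embed = EMBED_RE.exec(inner);
    if (!embed) continue;
    const inline = /\bstyle\s*=\s*["']([^"']*)["']/i.exec(attrs);
    const byInline = !!inline && declaresHidden(inline[1]);
    const byRule = [...hidden].some((sel) => selectorMatches(sel, attrs));
    if (byInline || byRule) {
      findings.push({ wrapper: tag, embed: embed[1].toLowerCase(), reason: byInline ? 'inline style' : 'stylesheet rule' });
    }
  }
  return findings;
}

function isLikelyClickjack(html) {
  return findHiddenEmbeds(html).length > 0;
}

// Constructed sample mirroring the post: a transparent comments plugin under a fake CAPTCHA image.
const SCAM_PAGE = `<html><head><style>
  .captcha-img  { position: absolute; top: 120px; left: 40px; background: url(captcha.png); }
  .captcha-wrap { position: absolute; top: 120px; left: 40px; opacity: 0; filter: alpha(opacity=0); }
</style></head><body>
  <div class="captcha-img"><img src="submit-button.png"></div>
  <div class="captcha-wrap"><fb:comments href="http://scam.example/"></fb:comments></div>
</body></html>`;

// Constructed benign page: the same plugin, left visible.
const BENIGN_PAGE = `<html><head><style>
  .comments { width: 500px; }
</style></head><body>
  <div class="comments"><fb:comments href="http://blog.example/post"></fb:comments></div>
</body></html>`;

console.log(isLikelyClickjack(SCAM_PAGE), findHiddenEmbeds(SCAM_PAGE));
console.log(isLikelyClickjack(BENIGN_PAGE));
```

The opacity test is the important one: a wrapper with display:none or visibility:hidden cannot be clicked through, so it does not produce this scam, while an element at opacity 0 keeps receiving clicks. The scanner is a heuristic for flat markup; a real review tool would resolve the DOM and computed styles rather than match regexes.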

That's not the end of it though! What happens next after clicking submit, apart from a comment being posted to my profile page is that I'm redirected, first to a tracking website:

... and next to isozbanks DOT com, where I'm asked for further verification to either play a Pacman game or answer what my favorite Facebook game is:

Another click? Can you say click-jacking part deux? Indeed, if I click on one of the above links, another comment is posted to my Facebook profile page:

Click-jack complete, commence project information gathering

Next, I'll be redirected to playsushi DOT com (Alexa Ranking: 7903)  where if I click on "Click Here To Play," I'll be prompted to download an executable called SetupPlaySushi.exe (VirusTotal report):

Had I chosen instead to take the survey of my favorite Facebook game, I would've been brought to the following pages where the attacker would have a very good opportunity to capture my email address and post another comment to my Facebook page. Upon clicking continue, I'd be asked to give out more information (a great method for attackers to build up a profile for tracking purposes and to store their victims' personal information).

Now assuming I either visited the Pacman site or the survey site, the following page is shown:

I then must proceed through a few more Web pages, which in the end ask me to play more games or fill out more surveys for verification purposes (it's worth noting that each user will be prompted with different games and different links) - again really just to trick me into clicking and sending comment spam to my own Facebook profile page:

Clicking one of these links will bring me to the following pages:

Finally, after viewing any of the above sites, I'll get a final Web page screen indicating that the content has been unlocked and that I can view the video.

Is there even a real video to view?

At the end of this entire process, I'll be rewarded for my persistence by being able to finally see the video I was promised.

Let's review all that I had to give up to get to view the final video:

  • Full name
  • Full address
  • Gender
  • Phone number
  • Downloading and possibly execution of an executable (spyware)

The Click-jacking to post comments to my profile was the main motivation from the attacker's point of view. Everything that came after was just a bonus.

To give you an estimate of how many people fell for this scam, we can look at the hits on YouTube yesterday and this morning. Overnight, more than 100,000 users visited the YouTube video, showing how successful this scam really was.

Don't become a victim! Here are some tips and tools to protect yourself against Click-jacking (link).  Websense has a free Facebook plugin called Websense TRITON Defensio that would have protected users from this attack. Install it, and it will protect you from these types of scams.

Web Filtering and real-time analytics within ACE would have protected a user from the start!

Principal Security Researcher: Stephan Chenette
Thanks to our newest researcher Armin Büscher for the assistance!

©2013 Websense, Inc. All Rights Reserved.