Beware of scams related to Facebook Timeline!
Posted: 05 Jan 2012 08:26 PM

First it was the Cheesecake Factory; now, it’s Timeline. Facebook, like many other social networking companies, is experiencing some user dissatisfaction, and scammers are taking advantage of anti-Timeline sentiment. According to Inside Facebook, scammers are creating pages that assure the public that by “liking” the page, watching the linked video, downloading a certain browser application, or inviting their friends to the page, they will be allowed to opt out of Timeline.

 

These pages all ask readers to "Like" the account, and some even ask them to subscribe. Some pages ask readers to install a browser application; Google Chrome and Firefox are common targets of such scams. Though some Facebook pages may look harmless, remember that being cautious is the best way to prevent potential data loss.

 

Timeline was introduced by Mark Zuckerberg during the F8 developer conference in September 2011. There, he announced that the beta version of the interface would be available to Facebook users on September 22nd. 

 

So, what is Timeline? Facebook engineers implemented an algorithm that gathers all of your Facebook activity and organizes it based on what it deems important: your birth, high school graduation, first job, wedding, special events, and so on. The Timeline profile page is divided into two columns that contain recent photos, games, posts, and other activity. Since the algorithm decides what is relevant and what is not, there is a chance an event or a post you think is relevant might not show up in Timeline.  But fear not, the new page layout will allow editing so that users can manually change what information is shared or deemed important. 

 

Facebook employee Paul McDonald explains that Timeline allows users to add details of their lives before Facebook was created, providing an easy way to rediscover things once shared in real life. You have seven days to review and modify the timeline before it goes live and anyone else can see it. 

 

As long as Facebook remains the top social networking site, scammers will use new and innovative methods to try to steal and exploit user information, but rest assured that ACE (Advanced Classification Engine) protects our customers from such scams.

 


Devi

Facebook launches new features
Posted: 29 Dec 2011 09:26 PM

 

Timeline

A while back, we blogged about some upcoming changes on Facebook. The new Timeline layout is now ready for release. All Facebook accounts will be updated to the new Timeline layout on December 29, 2011.

You may already have noticed changes in some profiles. Timeline has been accessible to all users for a while, giving them the choice to publish or simply modify their Timelines prior to the December 29 release. 

 

We're interested to know what you think of these new Facebook features. Please enter your comments at the bottom of this blog post. 
And keep in mind that Websense technology can protect your Timeline from spam, malicious links, and unwanted comments.
(Read here about the security partnership with Facebook that we announced in October.) 

 

Sponsored Stories

In January 2012, Facebook users will start to see their photos appear in third-party advertisements in News Feeds. Facebook’s new “Sponsored Stories” feature will appear in the Ticker section – a feature released earlier this year and located on the right-hand side of the Facebook page.

Users will see targeted Sponsored Stories based on their friends' and their own “Page likes,” check-ins, app shares, games played, and so on. These stories are visible only to people who are already eligible to see your News Feed story.

 

For example, if you own a small business and you want people to hear about you, you can pay to have activity posted in the Sponsored Stories column. These postings are based only on the actions of users' friends. Your business is more credible because the link comes from a friend.

Facebook will implement this feature slowly, starting with one advertisement per day per user. According to a Facebook spokesperson, up to 10% of the stories appearing in the Ticker will be Sponsored Stories.

As the leading web content classification and security firm, and as a security partner with Facebook, Websense tracks these trends closely. We do not see increased security risks based on Sponsored Stories, but let us know what you think.

 

Elisabeth Olsen

Typosquatting
Posted: 24 Oct 2011 08:42 PM

Do you often make mistakes when typing? Is the Backspace key your friend? Well, you are not alone!
Most of us make typing errors once in a while, but what if those errors could cause data leakage? 

 

Typosquatting exploits common typing errors made when entering a Web address in a browser--typing “a” instead of “s”, for example, or “e” instead of “r”--resulting in URL hijacking, malware injection, or phishing. Popular social networking sites, like Facebook, are often targets of typosquatting. With over 800 million active users, it’s no surprise the social networking giant is a target of such exploits.

Say you’re in a hurry to check out the latest update from your friends on facebook.com, but in your excitement you enter faccenook.com instead. There are several possible outcomes. If the legitimate site's owners anticipated the typo and registered that domain too, you still get to the desired destination. Otherwise, you might get an error message saying that the page is unavailable. Or you could get a page that looks like facebook.com but actually redirects you to phishing or other potentially harmful sites, injects malware, infects your system with spyware, and ruins your day.

After carefully studying the objectionable links generated by common typos for Facebook, we found that over 62% of links lead to bot networks, phishing, or malicious web sites. 

 

Websense Security Labs researchers investigated the top ranked domain (www.facebook.com) and generated common typos based on keyboard character distance, common repeats, and even omissions, anticipating common typos that result in fake or malicious pages. Websense software protects users, their data, and their systems with its unique backtracking algorithm to identify altered domain names. The Advanced Classification Engine (ACE) provides real-time content analysis to keep you safe no matter how bad a tyspist yu aree.
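As an added example (not Websense's generator, whose internals this post does not describe), the following Python script produces the same classes of single-edit typos the post lists (adjacent-key substitution, omission, repeated character, transposition) for a domain label, and classifies an observed hostname against a brand using a restricted Damerau-Levenshtein distance. The US QWERTY adjacency model, the two-level suffix handling and the sample hostnames are assumptions of the example.

```python
"""Generate the typo variants a squatter would register for a brand domain
and classify a hostname against the brand.

Added example, not Websense's code: the keyboard adjacency model, the
variant classes and the sample hostnames are constructed to illustrate the
post; Websense's own generator and the 62% figure are not reproduced.
"""

# Assumption: US QWERTY layout, letters only. A squatter would also use
# digits, other layouts and diagonal neighbours on other keyboards.
_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")


def adjacent_keys(ch: str) -> set[str]:
    """Keys physically next to `ch`: its row neighbours plus the three keys
    directly above and below it (so 'a' is next to 's', 'r' next to 'e')."""
    out: set[str] = set()
    for r, row in enumerate(_ROWS):
        i = row.find(ch)
        if i < 0:
            continue
        for rr in (r - 1, r, r + 1):
            if 0 <= rr < len(_ROWS):
                for j in (i - 1, i, i + 1):
                    if 0 <= j < len(_ROWS[rr]):
                        out.add(_ROWS[rr][j])
    out.discard(ch)
    return out


def typo_variants(label: str) -> set[str]:
    """All single-edit typos of a domain label: adjacent-key substitution,
    omission, repeated character and adjacent transposition."""
    label = label.lower()
    out: set[str] = set()
    for i, ch in enumerate(label):
        head, tail = label[:i], label[i + 1:]
        for k in adjacent_keys(ch):            # faceboik  (adjacent key)
            out.add(head + k + tail)
        out.add(head + tail)                   # facebok   (omission)
        out.add(head + ch + ch + tail)         # faccebook (repeat)
        if i + 1 < len(label):                 # fcaebook  (transposition)
            out.add(head + label[i + 1] + ch + label[i + 2:])
    out.discard(label)
    return out


def osa_distance(a: str, b: str) -> int:
    """Optimal-string-alignment (restricted Damerau-Levenshtein) distance:
    substitutions, insertions, deletions and adjacent transpositions cost 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def _registrable_label(host: str) -> str:
    # Assumption: a two-level suffix model (example.com). Production code
    # should consult the Public Suffix List for names such as example.co.uk.
    parts = host.split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify(host: str, brand: str, max_dist: int = 2) -> str:
    """'legitimate' for the brand or its subdomains; 'typosquat' when the
    registrable label is within `max_dist` edits of the brand's label (this
    also catches the brand under another TLD); 'unrelated' otherwise."""
    host = host.lower().strip().rstrip(".")
    brand = brand.lower().strip().rstrip(".")
    if host == brand or host.endswith("." + brand):
        return "legitimate"
    if osa_distance(_registrable_label(host), _registrable_label(brand)) <= max_dist:
        return "typosquat"
    return "unrelated"


if __name__ == "__main__":
    # Constructed sample: the post's own example plus a few neighbours.
    for h in ("faccenook.com", "facebook.co", "www.facebook.com", "google.com"):
        print(h, classify(h, "facebook.com"))
    print(len(typo_variants("facebook")), "single-edit variants of 'facebook'")
```

The post's own example, faccenook.com, is two edits away from facebook.com (an inserted "c" and a "b" typed as the neighbouring "n"), so a distance threshold of 1 would miss it; a threshold of 2 on the registrable label catches it while still treating www.facebook.com as legitimate. A hit is a candidate for review rather than proof of malice, since brands register many of these names defensively.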

 

Facebook and Websense Partner to Protect Users from Malicious Links
Posted: 03 Oct 2011 02:30 PM

Today, we have some exciting news. Some of you may have already heard about it, because it is big!

Starting today, we have implemented a partnership with Facebook, arguably the largest, most important platform on the globe, to better protect users against malicious links leading to malware-embedded websites and fraud.

A platform as popular as Facebook is naturally a target for attackers. We have been working with Facebook and their security teams for a number of years in order to keep their users safe, but now we have integrated directly into the platform for an unprecedented security combination.

Soon, when a user clicks on a URL that has been posted within Facebook, that link will be sent to Websense for security classification. The Websense® ThreatSeeker® Cloud, an advanced classification and malware identification platform, will then analyze the link in real time. If the destination site is considered unsafe, the user is presented with a warning page that offers the choice to continue at their own risk, return to the previous screen, or get more information on why it was flagged as suspicious.

In this way, we are helping Facebook continue their proactive fight to keep malicious links off of their platform and allow safe use for all of its members.

At Websense, we are all about innovation and changing the security game. We were the first company to promote and enable our customers to embrace safe, productive use of social media with our web security gateway, the first to deliver security and anti-spam to protect companies' presence within Facebook with Defensio, and now we are assisting in the protection of all users on the platform with our cloud integration.


This is the same technology that already powers our industry-leading TRITON™ solutions, and it now extends that same protection to consumers and other users of Facebook.


For more information, you can view the news release here, or check out the infographic below.


Facebook scams aiming to profit from recent tragedies in Norway and Amy Winehouse's death
Posted: 25 Jul 2011 10:36 AM

The tragic events that occurred at the end of last week with the Norway attacks and the sudden death of British singer Amy Winehouse resulted in some unwanted scam activity in cyberspace. Websense Security Labs and the Websense ThreatSeeker® Network have detected that scams pretending to offer a "look at footage of Amy Winehouse just moments after her death", and similar scams, are now propagating on Facebook. This type of scam is a "survey scam": users are lured to complete a survey and in return are promised an "exclusive" video or footage. Completing the surveys puts money in the scammers' pockets, and users who complete them are never shown the promised videos or footage.

 

This is how this scam looks on Facebook:

The scam leads to a survey page:

Scams taking advantage of the tragic Norway attacks surfaced this weekend, but these scams appear to have been cleaned out by Facebook:

Facebook Scams - an Ongoing Phenomenon

 

Survey scams on Facebook are an ongoing thing. They're not limited to one news event (tragic or not) or one domain. The scammers keep track of current news events and aim to lure Facebook users by any means possible. Here is a snapshot of some domains affected by these scams, which were propagating via Facebook at the time this blog was being written. They pop up like mushrooms after the rain and share similarities, such as lures that seem to be built with the same toolkit or application skeleton. This is a similar phenomenon to what we blogged about in the past. Anybody can get his or her hands on those "template" applications and create Facebook threats in minutes. Here are some examples of threats dominating Facebook at the moment that use the same skeleton or toolkit: 

Scam: "This Is What Happens When Ex Girlfriend Forgets To Turn Off Her Webcam!!!"

 

Scam [translated from Italian] : "Boy Betrays His Girlfriend and Accidently Puts the Video on Facebook" [Ragazzo tradisce la propria ragazza con una Mora da paura e mette per sbaglio il video su FACEBOOK. ASSOLUTAMENTE DA VEDERE"] 

 

Scam: "R4p3d g1rl 1n th3 sch00l bathroom - Sh0cking Video"

 

Scam: "FATHER gets TOTALLY Embarrassed after entering Daughters Room"

 

Scam: "Look what he did to his Ex Girlfriend!"

Scam Threats on Facebook Spread Swiftly

All the threats illustrated above were live on Facebook at the time this was being written. The next image shows how many users are actually falling for the "Look what he did to his Ex Girlfriend!" scam. Across all the threats mentioned, new posts are propagating onto users' home pages roughly every second or faster:

ThreatSeeker Network on the Prowl

This is a snapshot from our internal ThreatSeeker Network portal showing a slice of the hostnames that the network detected that matches the above profile. Websense customers are protected from these threats by ACE, our Advanced Classification Engine.

 

The Threats Locations - a Geographical Breakdown

 

The different threats covered in this blog are hosted somewhere, and you might wonder where. The locations aren't limited to one country but several; the next pie chart shows the location breakdown of all the scams we mentioned earlier. Remember, all the mentioned scams have commonalities and use the same toolkit or skeleton to create the viral pages; the locations vary because a number of cyber criminals are creating different viral pages based on the same toolkit/skeleton (click on the pie chart image to enlarge):

 

Top Hosting Countries:

United States 

Netherlands

Canada


Elad Sharf

A weekend of Click-jacking on Facebook
Posted: 02 May 2011 07:17 PM

 

In this blog post, I will analyze a Facebook scam technique that we've seen grow in popularity over the past few weeks, but let's focus on one example that was circulating this past weekend. As a Websense customer, if you are running our Web Security Software or real-time analytics, your users would have been protected from the first link right off the bat, thanks to our Advanced Classification Engine (ACE):

 

To show how this particular attack works, I set up a scenario using a test account. In this scenario, a friend named Chris has already fallen for the scam and posted a comment to his own Facebook profile page, which then appears in all of his friends' feeds.

 

Here's what Chris, a victim of this scam, commented on:

 

The Enticement

Remember scammers aren't going to post something boring, this is meant to be enticing ... OK, I'll play along. Let's see what happens as I follow the trail. By clicking on the link, I'm redirected to mcdshock DOT info (robtex):

 

A Real CAPTCHA?

 

Interesting. So this site says that I can only continue if I solve a CAPTCHA. The site explains that it's using the CAPTCHA to protect itself from bots. That seems to make sense. CAPTCHAs are in fact meant to tell humans and programs apart (in theory), but this particular page has more going on than meets the eye. 

 

Let's look at the source code behind this page (full source code can be found here):

The first thing that is noticeably odd is that the source code indicates the use of the Facebook comments social plugin (see fb:comments code) that allows websites to include a comment box linking to a user's Facebook page if they are logged into Facebook in another window or tab. A typical comment box looks like this:

 

But no such comment box was displayed on the page. Let's take an even closer look at the source code to figure out why ...

 

Classic Click-jacking

The style sheet section of the source code shows that the Facebook comment box is being wrapped in a div that has been given a style making it completely invisible (see opacity):

Next the source code is overlaying a background image on the entire section where the Facebook comment box is:

 

Can you guess what that image looks like? Here it is ...

 

Analysis of the source code shows that the "CAPTCHA" is not a CAPTCHA at all: it is an image sitting on top of an invisible Facebook comment box, placed so that the visible submit button lines up exactly with the plugin's Comment button. By clicking it, I, the unprotected user, would be submitting a comment to my own Facebook wall with text supplied by the scammer's website, while the visible page hides what is really being clicked.

 

... and sure enough, once I hit submit, here is the comment that is posted to my Facebook page:

 

Classic case of click-jacking!
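To make the pattern concrete, here is an added example (not the scam page's source, which is not reproduced on this page) of a Python scanner for the two indicators described above: a Facebook social plugin or iframe inside an element made transparent with opacity:0 (or the legacy IE alpha filter), and an absolutely positioned image used as the decoy. The sample page, its ids, class names and image file name are constructed to match the description; the scanner resolves only id, class and inline rules, not external stylesheets or the full CSS cascade.

```python
"""Scan page source for the click-jacking layout described in the post: a
Facebook social plugin (fb:comments) or iframe wrapped in an element made
invisible with opacity:0, with an image positioned on top of it as the decoy.

Added example, not the page's or the scammer's code: SAMPLE_PAGE, its ids,
class names and image name are constructed from the post's description.
"""
import re
from html.parser import HTMLParser

FRAMED_TAGS = {"iframe", "fb:comments", "fb:like", "fb:send"}
VOID_TAGS = {"img", "br", "input", "meta", "link", "hr"}
_RULE_RE = re.compile(r"([^{}]+)\{([^}]*)\}")
_IE_ALPHA_RE = re.compile(r"alpha\(\s*opacity\s*=\s*(\d+)\s*\)")


def parse_declarations(text: str) -> dict:
    """'opacity:0; position:absolute' -> {'opacity': '0', 'position': 'absolute'}"""
    decls = {}
    for part in text.split(";"):
        if ":" in part:
            key, value = part.split(":", 1)
            decls[key.strip().lower()] = value.strip().lower()
    return decls


def is_transparent(style: dict) -> bool:
    """True when the element is (nearly) invisible but still receives clicks:
    opacity <= 0.1, or the legacy IE filter alpha(opacity=N) with N <= 10.
    display:none and visibility:hidden are not clickable, so they don't count."""
    try:
        if float(style.get("opacity", "1")) <= 0.1:
            return True
    except ValueError:
        pass
    m = _IE_ALPHA_RE.search(style.get("filter", ""))
    return bool(m) and int(m.group(1)) <= 10


class ClickjackScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.rules = {}      # '#id' or '.class' -> declarations from <style>
        self.stack = []      # (tag, resolved style) for the open elements
        self.in_style = False
        self.findings = []

    def _resolve_style(self, attrs: dict) -> dict:
        style = {}
        if attrs.get("id"):
            style.update(self.rules.get("#" + attrs["id"], {}))
        for cls in (attrs.get("class") or "").split():
            style.update(self.rules.get("." + cls, {}))
        style.update(parse_declarations(attrs.get("style") or ""))  # inline wins
        return style

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "style":
            self.in_style = True
        style = self._resolve_style(attrs)
        hidden_ancestor = any(is_transparent(s) for _, s in self.stack)
        if tag in FRAMED_TAGS and (hidden_ancestor or is_transparent(style)):
            self.findings.append(("hidden-framed-widget", tag))
        if tag == "img" and style.get("position") == "absolute":
            self.findings.append(("absolute-overlay-image", attrs.get("src", "")))
        if tag not in VOID_TAGS:
            self.stack.append((tag, style))

    def handle_endtag(self, tag):
        if tag == "style":
            self.in_style = False
        for i in range(len(self.stack) - 1, -1, -1):   # tolerant pop
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break

    def handle_data(self, data):
        if self.in_style:
            for selectors, body in _RULE_RE.findall(data):
                for sel in selectors.split(","):
                    self.rules[sel.strip()] = parse_declarations(body)


def scan(html: str) -> list:
    """Return (indicator, detail) pairs found in `html`."""
    scanner = ClickjackScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample modelled on the post: decoy "CAPTCHA" image underneath,
# transparent wrapper with the comments plugin painted on top of it.
SAMPLE_PAGE = """<html><head><style>
#wrap { opacity: 0; filter: alpha(opacity=0); position: absolute; top: 0; left: 0; }
.captcha { position: absolute; top: 0; left: 0; }
</style></head><body>
<img class="captcha" src="fake_captcha.png">
<div id="wrap">
  <fb:comments href="http://example.invalid/video" num_posts="2"></fb:comments>
</div>
</body></html>"""

if __name__ == "__main__":
    for indicator, detail in scan(SAMPLE_PAGE):
        print(indicator, detail)
```

Social plugins are meant to be embedded by third-party pages, so frame-busting or X-Frame-Options on the plugin itself would break their legitimate use; the practical defences are confirmation steps on the plugin side and, on the user side, distrust of a "CAPTCHA" that lives on an unrelated domain. Note that display:none and visibility:hidden are deliberately not counted as indicators: an element hidden that way cannot receive clicks, so it cannot be used for click-jacking.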

 

That's not the end of it though! What happens next after clicking submit, apart from a comment being posted to my profile page is that I'm redirected, first to a tracking website:

... and next to isozbanks DOT com, where I'm asked for further verification to either play a Pacman game or answer what my favorite Facebook game is:

Another click? Can you say click-jacking part deux? Indeed, if I click on one of the above links, another comment is posted to my Facebook profile page:

Click-jack complete, commence information gathering

 

Next, I'll be redirected to playsushi DOT com (Alexa Ranking: 7903)  where if I click on "Click Here To Play," I'll be prompted to download an executable called SetupPlaySushi.exe (VirusTotal report):

Had I chosen instead to take the survey of my favorite Facebook game, I would've been brought to the following pages where the attacker would have a very good opportunity to capture my email address and post another comment to my Facebook page. Upon clicking continue, I'd be asked to give out more information (a great method for attackers to build up a profile for tracking purposes and to store their victims' personal information).

Now assuming I either visited the Pacman site or the survey site, the following page is shown:

I then must proceed through a few more Web pages, which in the end ask me to play more games or fill out more surveys for verification purposes (it's worth noting that each user will be prompted with different games and different links) - again really just to trick me into clicking and sending comment spam to my own Facebook profile page:

Clicking one of these links will bring me to the following pages:

 

Finally after viewing any of the above sites, I'll get a final Web page screen indicating that  the content has been unlocked and that I can view the video.

Is there even a real video to view?

 

At the end of this entire process, I'll be rewarded for my persistence by being able to finally see the video I was promised.

 

Let's review all that I had to give up to get to view the final video:

 

  • Full name
  • Full address
  • Gender
  • Phone number
  • Downloading and possibly execution of an executable (spyware)

 

The Click-jacking to post comments to my profile was the main motivation from the attacker's point of view. Everything that came after was just a bonus.

 

To give you an estimate of how many people fell for this scam, we can look at the hits on the YouTube video yesterday and this morning: overnight, more than 100,000 users visited the video, showing how successful this scam really was.

 

Don't become a victim! Here are some tips and tools to protect yourself against Click-jacking (link).  Websense has a free Facebook plugin called Websense TRITON Defensio that would have protected users from this attack. Install it, and it will protect you from these types of scams.

Web Filtering and real-time analytics within ACE would have protected a user from the start!

Principal Security Researcher: Stephan Chenette
Thanks to our newest researcher Armin Büscher for the assistance!

Viral and Malicious Facebook application for $25
Posted: 07 Feb 2011 01:48 PM

Over the last weekend a viral rogue app campaign hit Facebook again. This time the application was called "Profile Creeps", which, like many other rogue applications before it, promises to do what Facebook simply doesn't allow *ANY* app to do: let us know who looks at our profile. Users are still tricked into installing apps that promise exactly this. And, like most others, the latest one leads to a survey that in the end generates money for the people behind the app.

Viral Facebook Application Toolkits


Spam campaigns such as this one appear on an almost daily or weekly basis. You might ask yourself: is everybody now becoming a Facebook developer and trying to make tons of cash by unleashing those annoying surveys? The answer is both "yes" and "no". No, not everybody is a Facebook developer; yes, it is very easy to become one, or to pretend to be one. You don't have to be a developer: a mere $25 buys you a Facebook viral application toolkit with which to unleash all the unwanted content you want onto Facebook. 

 

As an example, let's look at a very similar fraudulent application that "can" allow Facebook users to know who "creeps" at their profile, called "Facebook Profile Creeper Tracker Pro". The application asks for some permissions, shows an online survey/advertisements and tells the user at the end of the process that he/she is the one that looks at his/her own profile the most. In other words, this application should be revoked according to the terms and conditions of Facebook.

 

"Facebook Profile Creeper Tracker Pro" and similar fraudulent applications process:



This application was built with a pre-defined toolkit called "Tinie app" which is a Facebook viral application template available in some variations for only $25 or even less. The next image is one of the template images in the toolkit that aims to give some directions to the buyer, besides the full-blown step-by-step guide that comes with the kit itself:

The buyer doesn't have to have development experience with Facebook, he/she just needs to follow the accompanying instructions and a working viral Facebook application is at their disposal. One of the sellers of the application describes its purpose pretty well:

If you're wondering what a CPA lead is: CPA is the abbreviation of Cost Per Action. CPA lead programs are affiliate programs that any Web content publisher can join in order to install a survey on their site and get paid for each completed survey. The payout per completed survey is typically around $0.20-$2.00, sometimes more, sometimes less.

 

This phenomenon of template Facebook applications like Tinie app shows how the spamming culture is consolidating more and more around Facebook, adapting to the platform and increasing what we call Web spam.

 

To protect yourself from malicious URL links and spam posts being made to your Facebook wall, try our free Defensio Facebook app.  You can download it from Defensio.com.


Elad Sharf

"Facebook Profile Photos" malware on the run!
Posted: 30 Jan 2011 08:41 AM

Websense Security Labs™ ThreatSeeker™ Network has detected another fake Facebook site campaign, just 4 days after Websense warned of the Mark Zuckerberg Facebook Page Showing Rogue Comments hack. A malicious executable file appears on fake Facebook sites titled "Facebook Profile Photos". Websense customers have been protected against this attack with ACE, our Advanced Classification Engine.

 

The attack posts messages on the wall of compromised Facebook accounts, and uses a previously-created counterfeit Facebook application to lure users' visits.

 

The payload of the application site redirects to another malicious link:

The malicious link then redirects users to a fake Facebook sign-in page to steal usernames and passwords:

The compromised Facebook accounts then send messages to their friends' accounts containing fake application sites and other malicious links, such as "Facebook Profile Photos" sites, further spreading the campaign.

 

The "Facebook Profile Photos" site is shown below:

A piece of malicious code in the payload:

When a user clicks on the fake link, a dialog appears prompting them to download a file. When first analyzed on VirusTotal, the file had a low detection rate of 2/42; at the time of writing it is still detected by only about half of the AV engines.

To protect yourself from malicious URL links and spam posts being made to your Facebook wall, try our free Defensio Facebook app.  You can download it from: http://defensio.com/.

New Koobface Campaign Spreading on Facebook
Posted: 14 Jan 2011 06:44 AM

Websense Security Labs™ ThreatSeeker™ Network has detected a new Koobface campaign spreading on Facebook. The campaign is spreading via direct messages sent from compromised accounts. Websense customers have been protected against this attack with ACE.

 

Sample message:

 

Some observations on employed tactics by Koobface

 

One of the tactics employed by the Koobface gang is to obfuscate the malicious URL linked in each message. In the message shown above, this is done by adding "hpPg" just before the valid URL: an obvious attempt to avoid detection by security software and by the Facebook security team. The addition at the start of the URL makes it unclickable, but this is unlikely to stop determined users from copying and pasting the link directly into the browser. Another tactic is the use of open redirects on the facebook.com domain itself. This gives the URL a more credible look (social engineering) and helps it pass basic security checks: Facebook usually alerts users when they are about to browse to a link outside its domains, but no alert is triggered in this case. 

 

In the message above, the open redirect on facebook.com points to a bit.ly shortened link. The redirector at bit.ly points to a compromised Web site controlled by Koobface. The compromised site checks whether the request was referred from facebook.com. If it was, it serves a dynamically generated script that further redirects to a malicious site. The malicious site requires "a missing Flash plug-in" in order to play a "video"; that "plug-in" is a variant of the Koobface worm. At the time of writing, the variant had a 23% detection rate.

 

An example redirection chain:

 

http://www.facebook.com/[removed]bit.ly/g1[removed]

==>> http://bit.ly/[removed]

==>> [removed].com/24uqy7e/?md5=f6d9f0efc395fc0f331028c23f9fa5b9&page=12263

==>> [removed].net/jxjv0z2s/? 

There are some checks in place to make sure that the request came from Facebook. If the request at the first step of the redirection didn't originate from facebook.com, a fake Google News page is presented rather than further redirecting to the malicious fake video Web site.

 

[removed].com/24uqy7e/?md5=f6d9f0efc395fc0f331028c23f9fa5b9&page=12263

[UPDATE] - One reader commented that the redirection to the malicious page can take place if any URL (not just facebook.com variations) is set as the Referer field in the request header of the second-stage request (the request to [removed].com/24uqy7e/?md5=f6d9f0efc395fc0f331028c23f9fa5b9&page=12263). This is correct and has been verified; it also seems that a valid browser User-Agent must be set in the request header for the redirect to the malicious page to happen. If no Referer is set at all, the response is no longer a fake Google News page but a fake Facebook page that requires a login. The page is set up for harvesting credentials: once a victim enters his or her credentials, they are redirected to facebook.com and an automatic login is attempted. Facebook appears to detect that an invalid login attempt was made and notifies the user. Beware that if the correct credentials were entered on the phishing page, Facebook may have stopped a potential attack on the victim's account, but the credentials should be considered stolen and changed immediately. 
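The Referer and User-Agent checks described in this post and its update are a cloaking technique, and the practical lesson for anyone reproducing such a chain is to fetch the second-stage URL several times with different headers. As an added example (not Websense's or Koobface's code), the Python below models the second-stage host from the post's description and probes it under three header profiles. The in-process server and its redirect target are stand-ins, and it is assumed that a Referer without a browser User-Agent still yields the fake Google News decoy, which the update does not state explicitly. urllib_fetch is a real fetcher for a live host, with redirects disabled so the Location header is captured rather than followed.

```python
"""Model Referer/User-Agent gated cloaking and probe a URL under several
header profiles. Different answers mean a single fetch (in particular a
crawler's fetch) does not show what a victim arriving from Facebook sees.

Added example, not Websense's or Koobface's code: `cloaking_server` is a
stand-in written from the post's description; the redirect target is a
placeholder, not the real host.
"""
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Optional

BROWSER_UA = "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0 Safari/537.36"
SCANNER_UA = "python-urllib/3"


@dataclass(frozen=True)
class Response:
    status: int
    location: Optional[str]   # Location header for a 3xx, else None
    body: str


def cloaking_server(url: str, headers: dict) -> Response:
    """Stand-in for the compromised second-stage host (assumed behaviour)."""
    referer = headers.get("Referer")
    ua = headers.get("User-Agent", "")
    if not referer:
        # No Referer at all: credential-harvesting page mimicking Facebook login.
        return Response(200, None, "<form action='login.php'>Log in to Facebook</form>")
    if not ua.startswith("Mozilla/"):
        # Referer but no browser UA: decoy page for scanners and crawlers (assumption).
        return Response(200, None, "<title>Google News</title>")
    # Any Referer plus a browser UA: on to the fake video / "missing Flash plug-in".
    return Response(302, "http://fake-video.invalid/", "")


def urllib_fetch(url: str, headers: dict, timeout: float = 10.0) -> Response:
    """Fetch `url` with exactly `headers`, without following redirects."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, hdrs, newurl):
            return None   # turn a 3xx into HTTPError instead of following it
    opener = urllib.request.build_opener(NoRedirect())
    req = urllib.request.Request(url, headers=headers)
    try:
        with opener.open(req, timeout=timeout) as resp:
            return Response(resp.status, None, resp.read(4096).decode("utf-8", "replace"))
    except urllib.error.HTTPError as e:
        return Response(e.code, e.headers.get("Location"), "")


def probe(url: str, fetch: Callable[[str, dict], Response]) -> tuple[dict, bool]:
    """Fetch `url` under three header profiles. The second value is True when
    the responses differ, i.e. the host cloaks on Referer and/or User-Agent."""
    profiles = {
        "no-referer":         {"User-Agent": BROWSER_UA},
        "referer+browser-ua": {"User-Agent": BROWSER_UA, "Referer": "http://www.facebook.com/"},
        "referer+scanner-ua": {"User-Agent": SCANNER_UA, "Referer": "http://www.facebook.com/"},
    }
    results = {name: fetch(url, hdrs) for name, hdrs in profiles.items()}
    return results, len(set(results.values())) > 1


if __name__ == "__main__":
    results, cloaked = probe("http://second-stage.invalid/", cloaking_server)
    for name, r in results.items():
        print(f"{name:20} -> {r.status} {r.location or ''} {r.body[:40]}")
    print("cloaking:", cloaked)
```

Against a live host, call probe(url, urllib_fetch) from an isolated analysis machine; any difference between the three responses means the host is serving different content depending on who it thinks is asking, and the payload path must be followed with the victim's header profile, not the analyst's default one.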

Lindsay Lohan Leaked Sex Tape fake invites on Facebook
Posted: 28 Oct 2010 02:15 PM

Right now there's a campaign ongoing on Facebook where fake invitations are sent to users that claim to be about "Lindsay Lohan Leaked Celebrity Sex Tape", "Lindsey Lohan Just Leaked Having a THREEWAY on Camera" or variations on this theme. Websense customers are protected with our ACE technology.

Invites using different spelling of Ms. Lohan's name exist as well, such as "Lindsey Lohan Just Leaked Sex Tape". As with a lot of malicious campaigns on Facebook which rely on social engineering (which is pretty much all of them), it's sometimes astounding to see how people can fall for them, but they do. Social engineering on a social networking site is unfortunately a powerful combination. In the following screenshot, 8 people have accepted the fake invite and 12 are maybe coming. All in all we've seen hundreds of different invitations being sent around.

The information on each invite is not the same every time, but the common theme is that they all contain a TinyURL link which redirects to the following page:

When clicking on Login, the following popup appears, so it seems that the actual payload is not available.

While the payload is not available at the time of writing, it could be made available at any time. We will keep monitoring this and update the blog post if we see any developments.

 

Thanks to Fa7her for sending us this tip.

 

Update

This attack was eventually changed, activated and later killed again. When it was working, it led to a page showing a video from YouTube. It also tricked the user into installing a Facebook application that, once installed, created an event in the user's name similar to the screenshot at the beginning of this post. Lastly, it redirected the user to a survey, tricking them into giving away personal information.


Patrik Runald


©2013 Websense, Inc. All Rights Reserved.