Websense Security Labs Blog

Websense Security Labs discovers, investigates and reports on advanced Internet threats that traditional security
research methods miss.

Filtered by : Facebook

Malaysia Airlines MH370 Used as a Lure in Facebook-Themed Scams

Posted: 14 Mar 2014 04:51 PM | Carl Leonard


The Websense® ThreatSeeker® Intelligence Cloud has observed Facebook-themed scams using news of the missing Malaysia Airlines MH370 flight as a lure. Legitimate news sources report that on March 8, 2014, the plane went missing over the South China Sea.

The lure websites have been configured to appear like a legitimate Facebook page, complete with sharing button, suitable graphics, and relevant links. Should users browse to the lure website, they are presented with a series of dialogue boxes, which eventually lead to a Facebook popup supposedly referencing a Yahoo! News article.

We shall walk through an example of a user interacting with such a website.

Figure 1: The relevant lure title is displayed to the user, yet when attempting to close an unrelated dialogue box, the user is directed to "Please Share Us on Facebook To Close."

Figure 2: The user is then encouraged to share the link. Should the user click the link while logged onto Facebook, a share action occurs, thus spreading the threat further.

Figure 3: The user is then presented with another page of a YouTube video overlaid with a further request to interact, by taking a short test.

Thus, we identify the true nature of the scam. The aim of the lure is to generate revenue as part of a Cost Per Action (CPA) lead scam. This is certainly not a new idea, as our previous blogs show. When we review our telemetry, we observe that the registrant responsible for this timely scam has also been responsible for Facebook-themed lures as far back as December 2012.

Other websites hosting the fake news include:

hxxp://cotmot.com/mh370plane/
hxxp://mh370malaysia31.droppages.com/
hxxp://insidevideo.net/

Websense Protection

Websense customers are protected with ACE™, our Advanced Classification Engine. Specific attributes which triggered our analytics include domains registered between 12 and 25 days ago, which are now being used to host the fake video lures, and the association to the past CPA ecosystem.

A sample ACE Insight report showing the protection offered is available here: http://csi.websense.com/Report/Index/6eb049c1-7d42-4056-b568-a2ee009c97a9

If you are searching for information on this event, Websense Security Labs™ strongly recommends that you use trusted and legitimate media outlets to source your news.

2013 Threat Report: More Than Scary Stats and Chilling Charts

Posted: 13 Feb 2013 08:30 AM | Carl Leonard


The 2013 Threat Report from the Websense® Security Labs™ is now available.

The report details mobile, social, email and web-based threats, and while it is full of ominous data points, it is a very interesting read. The report is designed to help security professionals keep current with threat trends and improve the effectiveness of existing security solutions. It can also be used to identify and prioritize security gaps that may require new approaches and more innovative strategies.

Creating the report began with the ThreatSeeker® Network, composed of big data clusters used by the WSL to collect and manage up to 5 billion inputs each day from 900 million global endpoints. Malware samples, mobile applications, email content, web links and other information were then passed through deep analysis processes including our Advanced Classification Engine (ACE), which applied over 10,000 different analytics.

...

'Jacked Frost' Facebook Scam Goes Wild and Doubles Over the Weekend

Posted: 10 Dec 2012 11:51 AM | Elad Sharf


Last week we wrote a blog about a specific Facebook scam that appeared to spread rather aggressively. We have decided to nickname the scam "Jacked Frost". The Websense® ThreatSeeker™ network detected that the scam has increased and multiplied over the weekend, particularly on Saturday, when we saw the number of unique URLs related to this scam double. This shows how cyber crooks time their attacks for times when users are more laid back and when the security community is less likely to alert users to this type of threat.

...

Christmas-Themed Facebook Scams: How Cybercrooks Kick it up a Notch and Piggyback on Big Brands

Posted: 07 Dec 2012 07:03 PM | Elad Sharf


From time to time the Websense® ThreatSeeker™ Network detects high volume surges of badness rolling across Facebook. In the past 48 hours we've seen a rapid increase of a particular scam campaign that has aggressively spread through the world's largest social networking site.

With the holiday shopping season here, it appears that cyber crooks are going full throttle to attract Christmas shoppers by piggybacking on the reputation of well-known brands like Walmart, Asda, Visa, Best Buy, Apple, and more. In the attack that we're about to describe, it appears that user accounts belonging to the free DNS service freedns.afraid.org were compromised and used as part of the cyber criminals' scam infrastructure. Read on for details.

...

Black Friday/Cyber Monday Survival Guide

Posted: 23 Nov 2012 01:00 AM | Carl Leonard


Many of our colleagues, customers and readers would have now enjoyed their fill of turkey and pumpkin pie for Thanksgiving and are preparing for a second day of festivities with the arrival of Black Friday.  This traditionally, for North American retailers and consumers, marks the start of the holiday shopping season and although it is not observed for many as a national holiday, more and more retailers across the globe are launching Black Friday promotions in order to entice consumers and increase sales.  Additionally, given that Black Friday is typically a physical 'bricks-and-mortar' retail affair, online retailers seek to continue the shopping frenzy with additional offers, promotions and sales with Cyber Monday, a marketing term coined in 2005 by Shop.org.

...

Unsolicited Secret Admirers Via Email

Posted: 02 Oct 2012 08:47 AM | Carl Leonard


The Websense® ThreatSeeker® Network has detected an unsolicited email campaign in which love-struck or curious recipients may have their appetites whetted by the thought of a secret admirer. Although Websense customers are protected from this and other threats by ACE™, our Advanced Classification Engine, this post provides an insight into the campaign, which appears to be on the increase today.

The messages, sent from various Yahoo.com accounts, suggest that the sender has "to let you know how [they] feel" and provide an enticing Facebook link to "View Your Ecard".

...

Beware of scams related to Facebook Timeline!

Posted: 05 Jan 2012 08:26 PM | Devi


First it was the Cheesecake Factory; now, it’s Timeline. Facebook, like many other social networking companies, is experiencing some user dissatisfaction, and scammers are taking advantage of anti-Timeline sentiment. According to Insidefacebook, scammers are creating pages that assure the public that by “liking” the page, watching the linked video, downloading a certain browser application, or inviting their friends to the page, they will be allowed to opt out of Timeline. These pages all ask readers to "Like" the account, and some even ask them to subscribe. Some pages ask readers to install a browser application; Google Chrome and Firefox are common targets of such scams. Though some Facebook pages may look harmless, remember that being cautious is the best way to prevent potential data loss.

Timeline was introduced by Mark Zuckerberg during the F8 developer conference. There, he announced that the beta version of the interface would be available to Facebook users on September 22nd.

So, what is Timeline? Facebook engineers implemented an algorithm that gathers all of your Facebook activity and organizes it based on what it deems important: your birth, high school graduation, first job, wedding, special events, and so on. The Timeline profile page is divided into two columns that contain recent photos, games, posts, and other activity. Since the algorithm decides what is relevant and what is not, there is a chance an event or a post you think is relevant might not show up in Timeline. But fear not, the new page layout will allow editing so that users can manually change what information is shared or deemed important. Facebook employee Paul McDonald explains that Timeline allows users to add details of their lives before Facebook was created, providing an easy way to rediscover things once shared in real life. You have seven days to review and modify the timeline before it goes live and anyone else can see it.

As long as Facebook remains the top social networking site, scammers will use new and innovative methods to try to steal and exploit user information, but rest assured that ACE (Advanced Classification Engine) protects our customers from such scams.

Facebook launches new features

Posted: 29 Dec 2011 09:26 PM | Elisabeth Olsen


Timeline

A while back, we blogged about some upcoming changes on Facebook. The new Timeline layout is now ready for release. All Facebook accounts will be updated to the new Timeline layout on December 29, 2011. You may already have noticed changes in some profiles. Timeline has been accessible to all users for a while, giving them the choice to publish or simply modify their Timelines prior to the December 29 release.

We're interested to know what you think of these new Facebook features. Please enter your comments at the bottom of this blog post. And keep in mind that Websense technology can protect your Timeline from spam, malicious links, and unwanted comments. (Read here about the security partnership with Facebook that we announced in October.)

Sponsored Stories

In January 2012, Facebook users will start to see their photos appear in third-party advertisements in News Feeds. Facebook’s new “Sponsored Stories” feature will appear in the Ticker section, a feature released earlier this year and located on the right-hand side of the Facebook page. Users will see targeted Sponsored Stories based on their friends' and their own “Page likes,” check-ins, app shares, games played, and so on. These stories are visible only to people who are already eligible to see your News Feed story.

For example, if you own a small business and you want people to hear about you, you can pay to have activity posted in the Sponsored Stories column. These postings are based only on the actions of users' friends. Your business is more credible because the link comes from a friend.

Facebook will implement this feature slowly, starting with one advertisement per day per user. According to a Facebook spokesperson, up to 10% of the stories appearing in the Ticker will be Sponsored Stories.

As the leading web content classification and security firm, and as a security partner with Facebook, Websense tracks these trends closely. We do not see increased security risks based on Sponsored Stories, but let us know what you think.

Facebook scams kick it up a notch with Firefox/Chrome plugins

Posted: 20 Dec 2011 06:12 AM | Elad Sharf


Scams on Facebook are a daily thing. Websense® ThreatSeeker® Network recently detected some Facebook scams that now utilize the power of browser extensions to spread to other users' profiles. Scam pages typically utilize social engineering tricks, like enticing users with videos or offers for a free voucher, all of which lure victims to take part in the scam. Now on top of that, we've found that victims are also asked to install a browser plugin.

The plugin is an integral part of how the scam is spread. Once installed, the plugin connects to a script that uses the Facebook API and then posts the scam to the victim's friends' pages. One of the advantages of using a plugin is the ability to persist in the victim's browsers and propagate to other profiles, which is similar to malicious Facebook applications we've seen before. We have noticed that at the moment, only Chrome and Firefox plugins are used.

This is how a sample scam page looks using Chrome and Firefox browsers respectively:

The code checks which browser is installed and serves the compatible malicious plugin. Chrome plugin files end with a CRX file extension and Firefox plugin files end with the XPI file extension. Chrome and Firefox plugin files come in a compressed form. Looking inside these malicious plugins reveals some code that loads a script from external websites. This code is ultimately loaded by the browser that connects to Facebook. The code posts in the victim's name on the victim's friends' pages, which results in the victim further spreading the scam, spam, and possibly malware.

To see the code behind the plugin of the scam shown above, take a look at these next images:

Here is another example of a scam with the same concept. The next two images show a 'Cheesecake Factory' voucher scam offering to download a Chrome plugin and what the scam looks like in Facebook's news feed:

Websense Advanced Classification Engine, or ACE, helps protect users from such scams.
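A triage sketch for the inspection step described above (unpacking a CRX or XPI package and looking for script pulled from external sites). It is an added example, not code from the original post; the sample package, the `loader.example` host and all function names are constructed for illustration.

```python
import io
import re
import struct
import zipfile

# Absolute http(s) URLs embedded in script, manifest or HTML members.
URL_RE = re.compile(rb"https?://[^\s\"'<>)]+")

def zip_payload(blob: bytes) -> bytes:
    """Return the ZIP part of a package (XPI is a plain ZIP; CRX adds a header)."""
    if blob[:4] != b"Cr24":
        return blob                        # XPI: already a ZIP archive
    version = struct.unpack_from("<I", blob, 4)[0]
    if version == 2:                       # magic, version, key length, signature length
        key_len, sig_len = struct.unpack_from("<II", blob, 8)
        return blob[16 + key_len + sig_len:]
    if version == 3:                       # magic, version, header length
        (hdr_len,) = struct.unpack_from("<I", blob, 8)
        return blob[12 + hdr_len:]
    raise ValueError(f"unknown CRX version {version}")

def remote_references(blob: bytes, allowed_hosts=()):
    """List (member, url) pairs whose host is not on the reviewer's allow-list."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_payload(blob))) as zf:
        for name in zf.namelist():
            if not name.lower().endswith((".js", ".json", ".html", ".htm")):
                continue
            for m in URL_RE.finditer(zf.read(name)):
                url = m.group().decode("ascii", "replace")
                host = url.split("/")[2].lower()
                if host not in allowed_hosts:
                    findings.append((name, url))
    return findings

def build_sample_crx2() -> bytes:
    """Constructed sample: CRX v2 wrapper around a ZIP with one remote script reference."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("manifest.json", '{"name": "sample", "version": "1.0"}')
        zf.writestr("background.js",
                    'var s = document.createElement("script");\n'
                    's.src = "http://loader.example/fb.js";\n')
    key, sig = b"K" * 8, b"S" * 4          # dummy key and signature bytes
    return b"Cr24" + struct.pack("<III", 2, len(key), len(sig)) + key + sig + buf.getvalue()

if __name__ == "__main__":
    for member, url in remote_references(build_sample_crx2()):
        print(f"{member}: {url}")
```

Any hit outside the allow-list is a prompt to read that member by hand; an extension that fetches its logic at run time can change behaviour after it has been reviewed.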

"Lost Weight" Spam Campaign Spreading on Facebook and ibibo

Posted: 15 Dec 2011 11:20 PM | uwang


Websense® ThreatSeeker® Network detects that a new spam campaign is spreading on Facebook and ibibo (a popular game site in India). The content of the spam messages is: "Lost 30 pounds in just 4 weeks all thanks to hcg. Check it out: http://spam_url".

We have seen a number of similar spam campaigns on Facebook, such as "Sexiest Video Ever" on Facebook, Osama bin Laden scams on Facebook, etc. But, unlike previous campaigns which took advantage of a hot topic to lure visitors to click the link in the spam post, here the attackers publish a comment in the name of the account owner: "Never thought losing weight could be so easy!!!". With this method, some of the account owner's friends can be tricked into clicking the spam link.

For the Facebook version of the attack, the attackers abused the blogspot.com service. Here are some of the URLs used for the attack:

The spam link redirects victims to another spam site. At the moment, the spam site is unavailable, but the attackers can always update the sites with malicious content.

http://ad2ac.com/?s=15yy1
http://zcwqa2.com/?s=15yy2

The spam links used on ibibo are newly registered sites, which are still unavailable now.
Websense customers are protected from these threats by ACE, our Advanced Classification Engine.
