Websense Security Labs Blog

Websense Security Labs discovers, investigates and reports on advanced Internet threats that traditional security
research methods miss.


Filtered by: Spam, Defensio

A weekend of Click-jacking on Facebook

Posted: 02 May 2011 07:17 PM | Anonymous


In this blog post, I will analyze a Facebook scam technique that we've seen grow in popularity over the past few weeks, focusing on one example that was circulating this past weekend. As a Websense customer, if you are running our Web Security Software or real-time analytics, your users would have been protected from the first link right off the bat, thanks to our Advanced Classification Engine (ACE).

To show how this particular attack works, I set up a scenario using a test account. In this scenario, a friend named Chris has already fallen for the scam and posted a comment to his own Facebook profile page, which appears on all of his friends' walls. Here's what Chris, a victim of this scam, commented on:

The Enticement. Remember, scammers aren't going to post something boring; this is meant to be enticing... OK, I'll play along. Let's see what happens as I follow the trail. By clicking on the link, I'm redirected to mcdshock DOT info (robtex):

A Real CAPTCHA? Interesting. So this site says that I can only continue if I solve a CAPTCHA. The site explains that it's using the CAPTCHA because it is attempting to protect itself from bots. That seems to make sense. CAPTCHAs are in fact meant to tell humans and programs apart (in theory), but this particular page has more going on than meets the eye. Let's look at the source code behind this page (full source code can be found here):

The first thing that is noticeably odd is that the source code indicates the use of the Facebook comments social plugin (see the fb:comments code), which allows websites to include a comment box linking to a user's Facebook page if they are logged into Facebook in another window or tab. A typical comment box looks like this:

But even though the source code includes it, no such comment box was displayed. Let's take an even closer look at the source code to figure out why...

Classic Click-jacking. The style sheet section of the source code shows that the Facebook comment box is being wrapped in a div that has been given a style making it completely invisible (see opacity):

Next, the source code overlays a background image on the entire section where the Facebook comment box is. Can you guess what that image looks like? Here it is...

Analysis of the source code indicates that the CAPTCHA is not a real CAPTCHA but an image sitting on top of a Facebook comment box, meant to trick me, the unprotected user, into clicking on something while hiding its true nature. The submit button is carefully placed on top of the comment button. By clicking on it, I would be submitting a comment to my Facebook wall with text supplied by the scammer's website.

...and sure enough, once I hit submit, here is the comment that is posted to my Facebook page:

Classic case of click-jacking! That's not the end of it though! What happens next after clicking submit, apart from a comment being posted to my profile page, is that I'm redirected...
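An added defender-side check, not code from the original post: a heuristic that walks a page's element tree and reports third-party embeds (an iframe or the fb:comments plugin) sitting under a fully transparent ancestor, which is the wrapper construct described above. The record shape, the SAMPLE_PAGE tree mirroring the scam page, and the snapshot() adapter for a live document are all assumptions made for this example.

```javascript
// Added heuristic: report third-party embeds that sit inside an ancestor
// rendered fully transparent (opacity: 0), the wrapper pattern used to hide
// the Facebook comment box underneath the fake CAPTCHA image.
const EMBED_TAGS = new Set(['iframe', 'fb:comments', 'object', 'embed']);

// Records have the constructed shape { tag, opacity, children }; this is not
// a browser API. snapshot() below builds such records from a live document.
function findHiddenEmbeds(node, path = [], hiddenBy = null, out = []) {
  const here = [...path, node.tag];
  // once an ancestor is fully transparent, everything beneath it is invisible
  const hider = hiddenBy || (node.opacity === 0 ? here.join('>') : null);
  if (hider && EMBED_TAGS.has(node.tag)) {
    out.push({ embed: here.join('>'), hiddenBy: hider });
  }
  for (const child of node.children || []) {
    findHiddenEmbeds(child, here, hider, out);
  }
  return out;
}

// Browser adapter (assumed usage): capture each element's computed opacity.
function snapshot(el) {
  return {
    tag: el.tagName.toLowerCase(),
    opacity: parseFloat(getComputedStyle(el).opacity),
    children: Array.from(el.children).map(snapshot),
  };
}

// Constructed sample mirroring the scam page: a transparent div wrapping the
// comments plugin, a visible image drawn over it, and a visible iframe that
// must not be flagged.
const SAMPLE_PAGE = {
  tag: 'body', opacity: 1, children: [
    { tag: 'div', opacity: 0, children: [{ tag: 'fb:comments', opacity: 1, children: [] }] },
    { tag: 'img', opacity: 1, children: [] },
    { tag: 'iframe', opacity: 1, children: [] },
  ],
};

function checkSamplePage() {
  return findHiddenEmbeds(SAMPLE_PAGE);
}

if (typeof document !== 'undefined') {
  // In a browser, scan the real page instead of the constructed sample.
  console.log(findHiddenEmbeds(snapshot(document.body)));
}
```

Opacity is only one way to hide an overlay target; a fuller check would also treat visibility:hidden, zero-size clipping and off-screen positioning as hiders.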


"Ex-Girlfriend" Facebook worm: Check!

Posted: 02 Feb 2010 11:11 AM | Defensio, the blog


Nick O'Neill of AllFacebook.com recently reported that his Facebook wall was compromised by a new worm: the "Ex-Girlfriend" worm. Using some CSS and IFrame wizardry, the worm can post on your own wall in your own name, without you knowing it. Here's an example of Nick's wall: You can protect your Facebook wall and pages from this worm by installing the Defensio Facebook application. Get started here...


Introducing Defensio 2.0

Posted: 20 Jan 2010 04:00 PM | Defensio, the blog


Security for the Social Web

After months of hard work, it is my extreme pleasure to introduce Defensio 2.0, the first and only complete security suite for the social web. A number of new features now make Defensio the most advanced spam and malicious content detection service for the web. These features include:

- Spyware, malware, phishing and other types of malicious content detection
- URL blocking by category
- Profanity detection and filtering
- Script and executable blocking
- Enhanced statistics
- Asynchronous API (faster and non-blocking filtering)

Thanks to Websense's Threat Seeker Network, Defensio can now detect and block much more than just spam, offering you the absolute best protection for your website.

Screencast
We prepared a screencast where you can see some of the new Defensio 2.0 features.

Wordpress
The Wordpress plugin has been updated to leverage the new features we are introducing today. Upgrade today!

Pixelpost
Thanks to Dennis Mooibroek, Pixelpost now also supports Defensio 2.0. You can download the latest version of the Pixelpost plugin on our website.

Facebook Protection
A few months ago, we started noticing that a lot of spam, profanity, malware and malicious content was making it onto personal and corporate Facebook pages. We knew we had to do something about it. Our response to this growing problem is the first ever Facebook security suite. This is also launching today! Once Defensio for Facebook is installed, we will constantly monitor your page for possibly unwanted content. Should we find something suspicious, we will alert you. This Facebook application works with any kind of page, including personal and corporate profiles, group pages and fan pages. To install Defensio for Facebook, simply create an account at http://defensio.com/signup. If you already have a Defensio account, log in, then in the control panel click "My API keys", then "Protect another web property".

Other platforms
More platforms will support 2.0 very soon. Defensio 1.x remains available, and software using our old API will keep working as usual.

New Developer API
We love our developers, and we made sure not to leave them out in the cold. Defensio 2.0 ships with a brand new and improved asynchronous RESTful API! The new API features:

- Asynchronous (or synchronous) calls, for fast, non-blocking requests to Defensio
- Optional web hook for asynchronous calls
- Entirely RESTful design
- More generic wording, making it less targeted towards blogs and easier to use in a wider range of web applications
- New actions for profanity filtering and enhanced statistics
- Content classification (spam, malicious, innocent)

See the API 2.0 documentation for more details. We're also releasing many 2.0-ready developer libraries for PHP, Ruby, Python and Perl. This should make your life easier when upgrading your application to Defensio 2.0. You can find them in the "downloads" section of our website.

Conclusion
I hope you're as excited as we are about the second coming of Defensio. Let us know what you think!


Adventures in Spam: Hollywood-style spamming

Posted: 27 May 2009 08:07 PM | Defensio, the blog


If you think image spam is elaborate, think again! At Defensio, we see all kinds of crazy and innovative spam each day. But recently, something we never thought we'd ever see showed up on our radar: a significant influx of VIDEO spam, most of it hosted on YouTube.com. I guess this just shows how far spammers are ready to go to sell their junk. Here's a screenshot... What do you think will be the next trend in spam?


Shopify joins Defensio

Posted: 06 Oct 2008 02:33 PM | Defensio, the blog


This morning, hosted e-commerce solution Shopify enabled commenting on its users' blogs. After comparing the many spam filtering services available, the Ottawa-based firm decided to use Defensio as their first line of defense. This is yet another great step for us since Shopify currently hosts ~40,000 blogs. Shopify launched in mid-2006 and was greatly acclaimed. Building an online store with Shopify couldn't be easier, and many believe they are a great contender to overtake eBay's dominance in this market. Shopify recently announced they passed $10M in total sales.


ExpressionEngine, here we come!

Posted: 24 Sep 2008 06:30 AM | Defensio, the blog


Another week, another platform supported! It's our pleasure to announce that our Canadian friends at Hop Studios built a Defensio module for the wonderful ExpressionEngine CMS. They call it Defensio Combo. You can get it from Hop's website, or download it from our very own website. With ExpressionEngine 2.0 just around the corner, you'll be happy to know that the guys at Hop committed themselves to releasing an update to their module shortly after the 2.0 release. You'll never be without decent spam protection again. Welcome to the family, EEers!


Defensio now on Google's Textcube

Posted: 15 Sep 2008 01:12 PM | Defensio, the blog


Google recently acquired Textcube, a Korean blogging platform that looks very promising. To our surprise, we discovered that a Defensio plugin was already available for Textcube! We're glad to add it to our list of supported platforms. You can download it on the Defensio for Textcube page.


WordPress plugin upgrade

Posted: 23 Jul 2008 04:09 PM | Defensio, the blog


We just released a new version (1.6) of our WordPress plugin (get it here). It is a recommended update for everyone. Many small things were improved and fixed, but the most interesting change is the better integration of the quarantine with WordPress 2.5 and up. We've been testing this new release for some time, but if you have any problem with this update, please let us know. Happy blogging!


Not sure if Defensio is right for you?

Posted: 02 Apr 2008 07:36 AM | Defensio, the blog


This morning, I had the joy to wake up to a wonderful review of Defensio. The author of the review, Holly Ord, clearly loves what we're doing. But more importantly, she really understands the comment spam problem, how Defensio works and why we're better. I invite you to read her article entitled Tackling Comment Spam -- For Good. It's a great one. This is, in my opinion, the best excerpt (of course, I'm totally biased): "Defensio is a comment spam monitor and eliminator whose entire mission is based off of outsmarting evil spam, which it does miraculously. In my opinion, you cannot get any better than Defensio for taking the edge off when you’re thinking about how your website is doing and if any spam is leaking through." Thanks Holly, that's giving us some fuel to keep going!


Welcome Textpattern users!

Posted: 27 Mar 2008 02:51 PM | Defensio, the blog


If you're blogging on Textpattern, rejoice! Walker Hamilton, a long time Defensio user, has recently released a plugin for your platform! Here's the link. We're quite excited to bring the Defensio goodness to yet another platform. Big thanks to Walker for making this possible.
