There has been a lot of talk lately about Pinterest, the "virtual pinboard" that allows you to "organize and share all the beautiful things you find on the web."

Pinterest uses online social networking to extend the ways you can share your images. Its mission statement reads:  "Our goal is to connect everyone in the world through the 'things' they find interesting. We think that a favorite book, toy, or recipe can reveal a common link between two people. With millions of new pins added every week, Pinterest is connecting people all over the world based on shared tastes and interests."

How does it work?

Currently, the site is available by invitation only, but it’s quite easy to request an invitation either directly from the site or from a friend who’s already using it. Once you’re in, you create “pins”: images you want to post, including videos, along with any text captions you care to add. The “Pin It” button can be added to Firefox or your iPhone, allowing you to grab images anytime and anywhere.  It also adds a link to the source, automatically crediting the author and, presumably, avoiding copyright issues, which have sparked a lot of discussion.*

A collection of pins is called a “board,” which usually focuses on a theme or interest. By displaying images in a thematic board, Pinterest creates a visual collage which provides context and relationships for images in ways other social media sites do not.

It is precisely the social media elements that seem to be fueling Pinterest’s popularity.  Users can search pins, boards, or people. They can “like” other people’s pins, post comments, repin the images to their own boards, and even share them via Facebook and Twitter links, or via embedding in a blog or email. They can follow other users, see activity streams, and click through to the source of an image for more information, or to make a purchase. Collaboration with Flickr was just announced, which enables sharing in the user's Flickr account.

 Who uses it?

The number of unique visitors per month to Pinterest has jumped in just under one year from less than half a million to well over 18 million. Most (68.6%) are in the US, but all parts of the world are represented—and growing. Users tend to spend quite a bit of time on the site: more than 15 minutes per day, which is over 50% more than Twitter.

This explosion has created a huge buzz around the site, and at Websense we’ve learned that sites which attract lots of users also tend to attract lots of security concerns.

What could possibly go wrong?

Any site that attracts a lot of users and attention inevitably becomes a target for hackers and spammers. Spam and other types of objectionable content can be reported to Pinterest with the click of a button, which suggests the site relies on its users to spot problems and flag them for review. Malicious image files—where embedded malware is hidden in an image file—can be a particular threat on an image-based platform.

A while back we wrote a blog about inexpensive application toolkits on Facebook. This time around, it's Pinterest's turn.

Here are a few examples of  spamming toolkits that automatically generate massive amounts of traffic on a spammer's Pinterest account.  Tools may be purchased individually or in packages, and prices range from about $25 to almost $2000 depending on the number and functionality desired.

One tool creates automatic "likes" for pins, and sends an email to the pin creator saying you liked it, along with a link to your profile.

Another tool finds the most popular pins and re-submits them into the same board name and category on the spammer's account.

Websense researchers found many similar tools for sale, all of which generate unnatural traffic to the spammer's account in order to increase the popularity of a site or brand.  Of course, Pinterest may notice or be informed of the unusual traffic and block the account. A bigger risk is that spamming tools may actually contain viruses, malware, or other threats, making the would-be hacker into a hacking target. 

Pinterest was recently the target of injected JavaScript code (possibly created by such spamming tools) that changed many pins into ads. A recent Pinterest blog post about spam on the platform generated a fair number of user responses about fake followers and spam (comments are now closed). And the site is reportedly using CAPTCHA, at least on some accounts, to ensure that users are human beings.

Regardless of how Pinterest evolves, you can be sure that Websense will stay on top of any security risks, helping you use social media safely.

In this blog post, I will analyze a Facebook scam technique that we've seen grow in popularity over the past few weeks, but let's focus on one example that was circulating this past weekend. As a Websense customer, if you are running our Web Security Software or real-time analytics, your users would have been protected from the first link right off the bat, thanks to our Advanced Classification Engine (ACE):

To show how this particular attack works, I set up a scenario using a test account. In this scenario, a friend named Chris has already fallen for the scam and posted a comment to his own Facebook profile page, which appears on all of his friends' walls.

Here's what Chris, a victim of this scam, commented on:

The Enticement

.

Remember scammers aren't going to post something boring, this is meant to be enticing ... OK, I'll play along. Let's see what happens as I follow the trail. By clicking on the link, I'm redirected to mcdshock DOT info (robtex):

A Real CAPTCHA?

Interesting. So this site says that I can only continue if I solve a CAPTCHA. The site explains that it's using the CAPTCHA because it is attempting to protect itself from  BOTS. That seems to make sense. CAPTCHAs are in fact meant to tell humans and programs apart (in theory) - but this particular page has more going on than meets the eye. 

Let's look at the source code behind this page (full source code can be found here):

The first thing that is noticeably odd is that the source code indicates the use of the Facebook comments social plugin (see fb:comments code) that allows websites to include a comment box linking to a user's Facebook page if they are logged into Facebook in another window or tab. A typical comment box looks like this:

But looking at the source code, no such comment box was displayed. Let's take an even closer look at the source code to figure out why ...

Classic Click-jacking

The style sheet section of the source code shows that the Facebook comment box is being wrapped in a div that has been given a style making it completely invisible (see opacity):

Next the source code is overlaying a background image on the entire section where the Facebook comment box is:

Can you guess what that image looks like? Here it is ...

Analysis of the source code indicates that the CAPTCHA is not a real CAPTCHA but an image sitting on top of a Facebook comment box meant to trick me, the unprotected user, into clicking on something - all the while, hiding its true nature. The submit button is carefully placed on top of the comment button. By clicking on it, I would be submitting text to my Facebook wall with text that is supplied by the scammer's website.

... and sure enough, once I hit submit, here is the comment that is posted to my Facebook page:

Classic case of click-jacking!

That's not the end of it though! What happens next after clicking submit, apart from a comment being posted to my profile page is that I'm redirected, first to a tracking website:

... and next to isozbanks DOT com, where I'm asked for further verification to either play a Pacman game or answer what my favorite Facebook game is:

Another click? Can you say clicking-jacking part deux? Indeed, if I click on one of the above links, another comment is posted to my Facebook profile page:

Click-jack complete, commence project information gathering

Next, I'll be redirected to playsushi DOT com (Alexa Ranking: 7903)  where if I click on "Click Here To Play," I'll be prompted to download an executable called SetupPlaySushi.exe (VirusTotal report):

Had I chosen instead to take the survey of my favorite Facebook game, I would've been brought to the following pages where the attacker would have a very good opportunity to capture my email address and post another comment to my Facebook page. Upon clicking continue, I'd be asked to give out more information (a great method for attackers to build up a profile for tracking purposes and to store their victims' personal information).

Now assuming I either visited the Pacman site or the survey site, the following page is shown:

I then must proceed through a few more Web pages, which in the end ask me to play more games or fill out more surveys for verification purposes (it's worth noting that each user will be prompted with different games and different links) - again really just to trick me into clicking and sending comment spam to my own Facebook profile page:

Clicking one of these links will bring me to the following pages:

Finally after viewing any of the above sites, I'll get a final Web page screen indicating that  the content has been unlocked and that I can view the video.

Is there even a real video to view?

At the end of this entire process, I'll be rewarded for my persistence by being able to finally see the video I was promised.

Let's review all that I had to give up to get to view the final video:

• Full name
• Full address
• Gender
• Phone number
• Downloading and possibly execution of an executable (spyware)

The Click-jacking to post comments to my profile was the main motivation from the attacker's point of view. Everything that came after was just a bonus.

To give you an estimate of how many people fell for this scam, we can look at the hits on YouTube yesterday and this morning, Overnight more than 100,000 users visited the YouTube video, showing how successful this scam really was.

Don't become a victim! Here are some tips and tools to protect yourself against Click-jacking (link).  Websense has a free Facebook plugin called Websense TRITON Defensio that would have protected users from this attack. Install it, and it will protect you from these types of scams.

Web Filtering and real-time analytics within ACE would have protected a user from the start!

Principal Security Researcher: Stephan Chenette
Thanks to our newest researcher Armin Büscher for the assistance!