Christmas-Themed Facebook Scams: How Cybercrooks Kick it up a Notch and Piggyback on Big Brands
Posted: 07 Dec 2012 07:03 PM

From time to time the Websense® ThreatSeeker® Network detects high volume surges of badness rolling across Facebook. In the past 48 hours we've seen a rapid increase of a particular scam campaign that has aggressively spread through the world's largest social networking site. 

 

With the holiday shopping season here, it appears that cybercrooks are going full throttle to attract Christmas shoppers by piggybacking on the reputation of well-known brands such as Walmart, Asda, Visa, Best Buy, Apple and others. In the attack that we're about to describe, it appears that user accounts belonging to the free DNS service freedns.afraid.org were used as part of the cybercriminals' scam infrastructure. Read on for details.

 

The scam varies in appearance, is geolocation aware, and serves content based on the location of the victim. Potential victims are enticed with videos and free shopping vouchers. Here are some examples of how it might look in a Facebook news feed:

 

The scam in a Facebook news feed 

What happens when a scam post is clicked?

 

When a scam link is clicked in the news feed, the victim is redirected to a fake Facebook page that hosts a fake video that pretends to show the "Fail Blog Daily Video." A clickjacking technique is employed on the page so that when the victim clicks on the video's play button, it results in one of two outcomes:

 

1. A browser popup is launched and the victim is asked to "Like" a certain scam post. This is done to propagate the scam further because liking it causes it to appear on the victim's news feed.

 

2. The victim is redirected to a fake video page that uses the CPA advertising method to "unlock" what is supposedly a YouTube video.

  

 

This isn't the end, though. The page also has a timeout mechanism.  If the victim doesn't play the video they are greeted with a "Merry Christmas!" message and are redirected to a fake Facebook page offering some fake free vouchers.  In the following example, some fake Asda vouchers are offered:

 

 Christmas-themed congratulation:

 

The scam is geolocation aware:

 

 

Here is a scam page offering some free vouchers from Asda.  This particular page is designed for UK-based visitors:

 

 

 

This scam page offers vouchers and rewards from Walmart, Best Buy and Visa.  This particular page is designed for US-based visitors:

 

 

 

This scam page offers vouchers and rewards from Walmart and American Express.  This particular page is designed for US-based visitors:

 

 

As mentioned, the scam comes in many variations and piggybacks on the reputation of many well-known brands. Let's have a look at the example from above that piggybacks on Asda. The fake voucher page for Asda takes the victim through the scam step by step. First, in order to get the free voucher the victim has to share the voucher in their Facebook profile. Second, the victim must publish the comment "Thanks Asda!" to support the scam. Lastly, the user must click the Like button, which is a scam link.  

 

After the victim completes the steps, their Facebook news feed includes the fake voucher scam and they are redirected to a legitimate website at new.activeyou.co.uk that gives out prizes and supports an affiliate program. Any user who arrives at the site through a certain affiliate and participates earns that affiliate some money; there is no free voucher after all. The affiliate here obviously engages in illegal methods to advertise and generate traffic to a website that earns them money.  The affiliate ID is seen in the next image, marked in red in the URL where it states affid.

 

No free vouchers after all:

 

 

The scam infrastructure and intelligence: accounts on Afraid.org as doorways

 

Websense's partnership with Facebook alerts us and invites us to assist Facebook in mitigating such scams using Websense ACE. We released this blog because we saw a spike in our data feeds and a rather large number of different URLs that are used for scam purposes that have a relation to each other. We think that Facebook is doing a good job of cleaning up and removing posts related to this scam.

 

We spotted more than 3,000 unique URLs used for this scam on Facebook.  The cybercriminals use this high variation to ensure persistence and redundancy in case some URLs or domains get blacklisted.

 

The scam peak as seen by the ThreatSeeker Network. This plots the number of new hosts seen hosting the scam vs. the number of active hosts using this scam.

 

One of the most interesting findings is that most of the scam hosts used in the attack use the DNS servers of the free service at freedns.afraid.org. Essentially, we found that all the name-server records used by websites involved in the attack use the Afraid.org DNS servers and point to ns1.afraid.org (see illustration below).

 

freedns.afraid.org is a free service that offers domain owners free DNS services. For example, a domain owner can use the DNS servers of freedns.afraid.org and have them point to their website's IP address. freedns.afraid.org also allows users to manage those free DNS services via an account. It allows account holders to add various subdomains to their main domain and optionally point those new websites to different IP addresses. For example, if John Doe owns johndoe.com on IP address x.x.x.x, he can go to freedns.afraid.org, create an account, and use its DNS servers to point to his website's IP address at x.x.x.x. On top of that, John can easily add DNS records for subdomains of his main website (johndoe.com) via his account at freedns.afraid.org. At his option, John can have those subdomains (which essentially represent different websites) point to different IP addresses. So, for example, John can use his DNS account with freedns.afraid.org to have johnsfriend.johndoe.com point to y.y.y.y.

 

Scam host example and its DNS record:  91037997396662norryyoutubecomplay10pegahihypupegahihypu.opbco.web74.net

 

 

In this attack, accounts/hosts on freedns.afraid.org have been used to serve scam URLs by pointing subdomains of legitimate hosts to the attackers' infrastructure. If we examine some of the scam hosts involved in the attack, we can see that they point to a different IP address than the one used at the host level. Websites at the host level vary in purpose and appear to be legitimate. We verified that this pattern is consistent with all of the approximately 3000 instances that we found involved in the attack. In the next example, the scam URL resolves to an IP address that the cybercriminals are using to host the scam (213.152.170.193), while the parent host resolves to a different IP address that hosts a legitimate website (65.96.116.101), in this case a personal cooking blog.
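The pattern described above (a subdomain resolving to a different address than its parent host, with many unrelated parents converging on the same address) can be checked mechanically over resolution data. This is an added example, not Websense code: the records are constructed, use reserved example names and documentation IP ranges, and the parent domain is assumed to be the last two labels of the hostname.

```python
from collections import defaultdict

# Constructed (hostname, A record) pairs. Names end in the reserved ".example"
# TLD and addresses come from documentation ranges; none are from the campaign.
SAMPLE_RECORDS = [
    ("cookingblog.example", "198.51.100.10"),
    ("www.cookingblog.example", "198.51.100.10"),
    ("8841videoplay10.cookingblog.example", "203.0.113.66"),
    ("bikeshop.example", "198.51.100.20"),
    ("mail.bikeshop.example", "198.51.100.77"),  # benign: separate mail host
    ("freevoucher2012.promo.bikeshop.example", "203.0.113.66"),
    ("gardenclub.example", "198.51.100.30"),
    ("shop.gardenclub.example", "198.51.100.30"),
    ("xmasgift77.gardenclub.example", "203.0.113.66"),
]


def normalize(hostname):
    return hostname.lower().rstrip(".")


def apex_of(hostname, labels=2):
    """Assumption: the parent domain is the last `labels` labels.

    A production version would consult a public-suffix list instead.
    """
    return ".".join(normalize(hostname).split(".")[-labels:])


def find_divergent(records, labels=2):
    """Return (host, ip, parent) for subdomains whose address differs from
    every address the parent domain itself resolves to."""
    parent_ips = defaultdict(set)
    for host, ip in records:
        if normalize(host) == apex_of(host, labels):
            parent_ips[normalize(host)].add(ip)

    divergent = []
    for host, ip in records:
        parent = apex_of(host, labels)
        if normalize(host) == parent:
            continue
        known = parent_ips.get(parent)
        # Skip parents we have no address for: nothing to compare against.
        if known and ip not in known:
            divergent.append((normalize(host), ip, parent))
    return divergent


def shared_infrastructure(records, min_parents=2, labels=2):
    """Group divergent subdomains by address and keep only addresses reached
    from at least `min_parents` unrelated parent domains.

    One divergent subdomain is normal (mail or CDN hosts); the same address
    behind subdomains of many unrelated sites is the signal worth reviewing.
    """
    parents_by_ip = defaultdict(set)
    for _host, ip, parent in find_divergent(records, labels):
        parents_by_ip[ip].add(parent)
    return {
        ip: sorted(parents)
        for ip, parents in parents_by_ip.items()
        if len(parents) >= min_parents
    }


if __name__ == "__main__":
    for ip, parents in shared_infrastructure(SAMPLE_RECORDS).items():
        print(ip, "is behind subdomains of:", ", ".join(parents))
```
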

 

 

 

urbancooking.net appears to be a personal blog about cooking:

 

Exploring other websites hosted on the offending 213.152.170.193 reveals more scam websites:

 

 

 Here are some of the offending IP addresses found to be part of the scam infrastructure hosting the scam websites:

 


 

We believe that this attack is now under control and is being successfully mitigated by Facebook. We're seeing a gradual decline in incidences, but it's safe to say that while it's declining it's still going strong. We're going to keep an eye on events related to this attack and keep you in the loop.

 

We would also like to take this opportunity to wish you a merry and cybersafe holiday season.

 


Elad Sharf

The rise of a typosquatting army
Posted: 22 Jan 2012 03:30 AM

The week before, we published a blog that discussed typosquatting of social web sites that lead visitors to spam survey sites with a high Alexa ranking. With our on-going research, we discovered that cyber-criminals are carrying out even more work, and the campaign is more widespread than we originally thought. Their targets are not limited to the social web; they have also registered typosquatting domains for popular and frequently visited sites in all areas, ranging from Google to Victoria's Secret, or Wikipedia to Craigslist; the list goes on. The attacker registers a network of typosquatting domains and redirects visitors of these mistyped sites to a spam survey site. The Websense® ThreatSeeker® Network has discovered over 7,000 typosquatting sites within this single network.

 

 

These typosquatting sites redirect visitors to a suspicious URL via a URL shortening service. From there, they take them to a spam survey site (which we showed you in this blog). After visitors complete the spam survey, they are taken to sites that distribute spam advertisements, where advertisements are displayed based on their interests. An example of such an advertisement is a free movie downloader, as shown below. Currently, these spam advertisements are not spreading maliciously. However, if these networks are resold to underground groups, then the potential outcome could be even more damaging than 0-day exploit attacks.

 


You'd be surprised by the number of visitors who mistype popular domain names. These mistyped domains generate a huge amount of traffic (some sites even managed to reach the Alexa top 250 list). When careless users fill in the survey, the cyber-criminals obtain their sensitive data. All of this can be translated into profit. Based on online web site valuation tools such as worthofweb.com (as shown below), we expect that attackers are pulling in a substantial income from typosquatting campaigns.

 

 

Websense Security Labs will continue to monitor these campaigns, and Websense customers are protected from these threats via ACE, our Advanced Classification Engine.


uwang

Facebook scams kick it up a notch with Firefox/Chrome plugins
Posted: 20 Dec 2011 06:12 AM

Scams on Facebook are a daily thing. Websense® Threatseeker® Network recently detected some Facebook scams that now utilize the power of browser extensions to spread to other users' profiles. Scam pages typically utilize social engineering tricks - like enticing users with videos or offers for a free voucher, all of which lure victims to take part in the scam. Now on top of that, we've found that victims are also asked to install a browser plugin. The plugin is an integral part of how the scam is spread. Once installed, the plugin connects to a script that uses the Facebook API and then posts the scam to the victim's friends' pages. One of the advantages of using a plugin is the ability to persist in the victim's browsers and propagate to other profiles - that is similar to malicious Facebook applications we've seen before.

We have noticed that at the moment, only Chrome and Firefox plugins are used. This is how a sample scam page looks using Chrome and Firefox browsers respectively:

 

 

 

 

 

 

The code checks which browser is installed and serves the compatible malicious plugin. Chrome plugin files end with a CRX file extension and Firefox plugin files end with the XPI file extension. Chrome and Firefox plugin files come in a compressed form. Looking inside these malicious plugins reveals some code that loads a script from external websites. This code is ultimately loaded by the browser that connects to Facebook. The code posts in the victim's name on the victim's friends' pages, which results in the victim further spreading the scam, spam, and possibly malware. To see the code behind the plugin of the scam shown above, take a look at these next images:

 

 

Here is another example of a scam with the same concept. The next two images show a 'Cheesecake Factory' voucher scam offering to download a Chrome plugin and what the scam looks like in Facebook's news feed:

 

 

 

 Websense Advanced Classification Engine, or ACE, helps protect users from such scams.

 


Elad Sharf

Lady Gaga's Twitter account tweeting links to survey scam
Posted: 19 Dec 2011 10:40 AM

The Twitter account of famous singer Lady Gaga has apparently been hacked. It's being used by attackers to lure her more than 17 million followers to click on a link:

After a number of redirects, the link ultimately leads to a survey scam that is designed to harvest personal information:

The first link uses the URL shortener bit.ly, which has suspended the link as "being potentially problematic." Although this should keep most users away from the scam for now, the attackers are likely to post new tweets that include phishing or malicious URLs as long as they have control of the account. The Twitter community has responded by sharing the fact that Lady Gaga's account shouldn't be trusted. This led to #stophackinggaga as a trending Twitter topic at the time this post was written. As always, be careful of links you click on Twitter, even when they appear to come from trusted accounts.


Customers who are using Websense security products are protected from this spam campaign through our ACE technology and TRITON™ solutions.

Armin Buescher

"Lost Weight" Spam Campaign Spreading on Facebook and ibibo
Posted: 15 Dec 2011 11:20 PM

Websense® ThreatSeeker® Network detects that a new spam campaign is spreading on Facebook and ibibo (a popular game site in India). The content of the spam messages is: "Lost 30 pounds in just 4 weeks all thanks to hcg. Check it out: http://spam_url".

We have seen a number of similar spam campaigns on Facebook, such as "Sexiest Video Ever" on Facebook, "Osama bin Laden scams on Facebook", etc. But, unlike previous campaigns which took advantage of a hot topic to lure visitors to click the link in the spam post, here the attackers publish a comment in the name of the account owner: "Never thought losing weight could be so easy!!!". With this method, some of the account owner's friends can be tricked into clicking the spam link:

 

For the Facebook version of the attack, the attackers abused the blogspot.com service. Here are some of the URLs used for the attack:


The spam link redirects victims to another spam site. At the moment, the spam site is unavailable, but the attackers can always update the sites with malicious content.

http://ad2ac.com/?s=15yy1

http://zcwqa2.com/?s=15yy2

The spam links used on ibibo point to newly registered sites, which are still unavailable at the moment.


Websense customers are protected from these threats by ACE, our Advanced Classification Engine.


uwang

Gaddafi Death Rumours Sure to Spark Spam
Posted: 20 Oct 2011 02:07 PM

Websense ThreatSeeker® Network has been tracking an ongoing spam campaign relating to reports of Libyan leader Colonel Gaddafi's death.  We have been monitoring related spam campaigns about Gaddafi for a while now, and the recent rumours of his death as stated here on Reuters seem to have raised the bar a little with an influx of such spam.

 

The scams, like many others similar to this, bear the usual traits with a request for the victim to help the assailant, and then further going through the motions of trying to make the message convincing by legitimising the content with a news article. 

 

Below we have a number of examples of the messages we have seen through our feeds.

 

 

 

From the above messages, we can ascertain that a lot of work was put into the detail to lure the unsuspecting victim into believing this.  This also reinforces a point made in the past about the real nature of current spammers, as all forms of current news just become another means of propagating spam.

 

 

At the time of writing this blog, the keyword 'Gaddafi' seems to be the highest-ranking trend on Twitter.

 

Websense Email Security and Websense Web Security protect against this kind of blended threat with ACE, our Advanced Classification Engine.

 


Anonymous

An Apple a day promotes WikiPharmacy
Posted: 19 May 2011 07:06 PM

Fake Apple Store Order Notifications have been making the rounds for months now.  The volume of this particular spam campaign is not as astonishing as other past campaigns.  It is actually the exact opposite of those massive outbreaks that distribute hundreds of thousands of spam emails for a few hours and suddenly stop the next day.  Websense customers are protected from this blended attack by ACE, our Advanced Classification Engine.

 

Typically, the email contains a link that redirects users to a very familiar pharmacy spam site.  These links either belong to compromised sites or newly registered domains.

 

Screen shot 1 :  Fake Apple Store Order Notifications sample email

 

Today, we noticed the same fake Apple Store email redirecting users to a different, relatively new pharmacy spam web template.  The new template has a Wikipedia feel to it and is cleverly titled "WikiPharmacy".

 

Screen shot 2 : WikiPharmacy web spam template

 

 

 

Looking deeper into the IP where this domain is hosted, we learned that it caters to over 24,000 other domains.  These domains were all used in pharmacy spam campaigns at one point.

 



Mary Grace Timcang

A weekend of Click-jacking on Facebook
Posted: 02 May 2011 07:17 PM

 

In this blog post, I will analyze a Facebook scam technique that we've seen grow in popularity over the past few weeks, but let's focus on one example that was circulating this past weekend. As a Websense customer, if you are running our Web Security Software or real-time analytics, your users would have been protected from the first link right off the bat, thanks to our Advanced Classification Engine (ACE):

 

To show how this particular attack works, I set up a scenario using a test account. In this scenario, a friend named Chris has already fallen for the scam and posted a comment to his own Facebook profile page, which appears on all of his friends' walls.

 

Here's what Chris, a victim of this scam, commented on:

 

The Enticement

 


 

Remember, scammers aren't going to post something boring; this is meant to be enticing ... OK, I'll play along. Let's see what happens as I follow the trail. By clicking on the link, I'm redirected to mcdshock DOT info (robtex):

 

A Real CAPTCHA?

 

Interesting. So this site says that I can only continue if I solve a CAPTCHA. The site explains that it's using the CAPTCHA because it is attempting to protect itself from  BOTS. That seems to make sense. CAPTCHAs are in fact meant to tell humans and programs apart (in theory) - but this particular page has more going on than meets the eye. 

 

Let's look at the source code behind this page (full source code can be found here):

 

 

 

The first thing that is noticeably odd is that the source code indicates the use of the Facebook comments social plugin (see fb:comments code) that allows websites to include a comment box linking to a user's Facebook page if they are logged into Facebook in another window or tab. A typical comment box looks like this:

 

But looking at the source code, no such comment box was displayed. Let's take an even closer look at the source code to figure out why ...

 

Classic Click-jacking

The style sheet section of the source code shows that the Facebook comment box is being wrapped in a div that has been given a style making it completely invisible (see opacity):

 

 

Next the source code is overlaying a background image on the entire section where the Facebook comment box is:

 

Can you guess what that image looks like? Here it is ...

 

Analysis of the source code indicates that the CAPTCHA is not a real CAPTCHA but an image sitting on top of a Facebook comment box meant to trick me, the unprotected user, into clicking on something - all the while, hiding its true nature. The submit button is carefully placed on top of the comment button. By clicking on it, I would be submitting text to my Facebook wall with text that is supplied by the scammer's website.

 

... and sure enough, once I hit submit, here is the comment that is posted to my Facebook page:

 

Classic case of click-jacking!
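The overlay trick analyzed above (a Facebook social plugin wrapped in an element with zero opacity) can be spotted statically in a page's markup. This is an added example, not code from the scam page or from Websense: the sample HTML is constructed, and the parser only understands simple tag, #id and .class selectors.

```python
import re
from html.parser import HTMLParser

OPACITY_RE = re.compile(r"opacity\s*:\s*([0-9]*\.?[0-9]+)", re.I)
RULE_RE = re.compile(r"([^{}]+)\{([^}]*)\}")
VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input",
        "link", "meta", "source", "wbr"}

# Constructed page: an invisible comment box under a fake CAPTCHA image,
# plus a visible Like button that must not be flagged.
SAMPLE_PAGE = """<html><head><style>
#wrap { position: relative; width: 400px; height: 160px;
        background: url(captcha.png) no-repeat; }
.hide, .x { opacity: 0; }
</style></head><body>
<div id="wrap"><div class="hide">
  <fb:comments xid="demo" numposts="1" width="400"></fb:comments>
</div></div>
<div id="footer"><fb:like href="http://site.example/"></fb:like></div>
</body></html>"""


def is_social_plugin(tag, attrs):
    """XFBML tags (fb:comments, fb:like, ...) or an iframe loading a plugin."""
    return tag.startswith("fb:") or (
        tag == "iframe" and "facebook.com/plugins/" in attrs.get("src", ""))


def parse_css(text):
    """Map each simple selector to the opacity its rule declares."""
    rules = {}
    for selectors, body in RULE_RE.findall(text):
        match = OPACITY_RE.search(body)
        if match:
            for selector in selectors.split(","):
                rules[selector.strip()] = float(match.group(1))
    return rules


def element_opacity(tag, attrs, rules):
    """Lowest opacity any matching rule or inline style gives this element
    (conservative: real CSS precedence is not modelled)."""
    values = []
    inline = OPACITY_RE.search(attrs.get("style", ""))
    if inline:
        values.append(float(inline.group(1)))
    keys = [tag]
    if attrs.get("id"):
        keys.append("#" + attrs["id"])
    keys += ["." + name for name in attrs.get("class", "").split()]
    values += [rules[key] for key in keys if key in rules]
    return min(values) if values else 1.0


class PluginCollector(HTMLParser):
    """Records every social plugin together with its chain of ancestors."""

    def __init__(self):
        super().__init__()
        self.css, self.stack, self.plugins = [], [], []
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        attrs = {name: (value or "") for name, value in attrs}
        if tag == "style":
            self._in_style = True
        if is_social_plugin(tag, attrs):
            self.plugins.append((tag, self.stack + [(tag, attrs)]))
        if tag not in VOID:
            self.stack.append((tag, attrs))

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False
        for index in range(len(self.stack) - 1, -1, -1):
            if self.stack[index][0] == tag:
                del self.stack[index:]
                break

    def handle_data(self, data):
        if self._in_style:
            self.css.append(data)


def find_hidden_plugins(html, threshold=0.1):
    """Return (plugin tag, effective opacity) for plugins that are invisible.

    Opacity compounds down the tree, so the effective value is the product
    of the opacities of the plugin element and all of its ancestors.
    """
    collector = PluginCollector()
    collector.feed(html)
    collector.close()
    rules = parse_css("\n".join(collector.css))
    hits = []
    for tag, chain in collector.plugins:
        effective = 1.0
        for name, attrs in chain:
            effective *= element_opacity(name, attrs, rules)
        if effective <= threshold:
            hits.append((tag, effective))
    return hits
```
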

 

That's not the end of it though! What happens next after clicking submit, apart from a comment being posted to my profile page, is that I'm redirected, first to a tracking website:

 

 

... and next to isozbanks DOT com, where I'm asked for further verification to either play a Pacman game or answer what my favorite Facebook game is:

 

 

Another click? Can you say click-jacking part deux? Indeed, if I click on one of the above links, another comment is posted to my Facebook profile page:

 

 

Click-jack complete, commence project information gathering

 

Next, I'll be redirected to playsushi DOT com (Alexa Ranking: 7903)  where if I click on "Click Here To Play," I'll be prompted to download an executable called SetupPlaySushi.exe (VirusTotal report):

 

 

Had I chosen instead to take the survey of my favorite Facebook game, I would've been brought to the following pages where the attacker would have a very good opportunity to capture my email address and post another comment to my Facebook page. Upon clicking continue, I'd be asked to give out more information (a great method for attackers to build up a profile for tracking purposes and to store their victims' personal information).

 

 

Now assuming I either visited the Pacman site or the survey site, the following page is shown:

 

 

I then must proceed through a few more Web pages, which in the end ask me to play more games or fill out more surveys for verification purposes (it's worth noting that each user will be prompted with different games and different links) - again really just to trick me into clicking and sending comment spam to my own Facebook profile page:

 

 

Clicking one of these links will bring me to the following pages:

 

Finally after viewing any of the above sites, I'll get a final Web page screen indicating that  the content has been unlocked and that I can view the video.

 

 

 

Is there even a real video to view?

 

At the end of this entire process, I'll be rewarded for my persistence by being able to finally see the video I was promised.

 

Let's review all that I had to give up to get to view the final video:

 

  • Full name
  • Full address
  • Gender
  • Phone number
  • Downloading and possibly execution of an executable (spyware)

 

The Click-jacking to post comments to my profile was the main motivation from the attacker's point of view. Everything that came after was just a bonus.

 

To give you an estimate of how many people fell for this scam, we can look at the hits on YouTube yesterday and this morning. Overnight, more than 100,000 users visited the YouTube video, showing how successful this scam really was.

 

Don't become a victim! Here are some tips and tools to protect yourself against Click-jacking (link).  Websense has a free Facebook plugin called Websense TRITON Defensio that would have protected users from this attack. Install it, and it will protect you from these types of scams.

 

 

 

Web Filtering and real-time analytics within ACE would have protected a user from the start!

 

 

Principal Security Researcher: Stephan Chenette
Thanks to our newest researcher Armin Büscher for the assistance!

Japanese disaster - ammo for cyber arsenal
Posted: 15 Mar 2011 06:54 AM

It's no secret that criminals try to use huge disasters to their benefit to make some cash, and this time is no exception!  We have been able to track several black hat methods to convince people to "help" Japan's disaster-affected population.  The set of techniques is not new and usually involves:

 

  • SEO poisoning
  • Rogue AV (anti-virus)
  • Phishing emails asking for donation
  • Malicious files attached to emails claiming to be legitimate documents
  • Facebook apps with CPA (cost per action) lead surveys

 

Websense customers are protected from such attacks with our Advanced Classification Engine analytics, our suite of technologies within TRITON.

 

Black Hat SEO

 

SEO poisoning was used within minutes after the first wave hit the Japanese coast.  Using common search terms like, "japan earthquake news 2011" to search for the latest information in search engines is bringing all sorts of results, including malicious sites hosting fake AV.

 

Looks like a benign search result:

 

 

Following a link, the victim lands on a website with a slightly modified version of a redirection to fake AV. In previous campaigns such websites hosted fake AV directly; nowadays they redirect to it.

 

 

Rogue AV

 

When redirected via a "CLICK HERE" button,  a warning appears stating that your computer might already be infected:

 

 

Whether the "Cancel" or "OK" button is clicked, a rogue Windows OS-like anti-virus will pop up, though it is running on a Linux OS.

 

 

Phishing Email

 

Below is a very simple, nicely written and almost legitimate email which asks the recipient for a donation on behalf of Humanitarian Care Japan.  Notice this little detail:  "reply to:"  is a free mail address and completely different from the sender's address.
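The Reply-To detail pointed out above can be turned into a header check. This is an added example, not Websense code: the messages are constructed, `freemail.example` is a placeholder provider, and the default provider list is illustrative rather than complete.

```python
from email import message_from_string
from email.utils import getaddresses

# Illustrative subset of free mail providers; extend for real use.
FREEMAIL_DOMAINS = frozenset(
    {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com", "aol.com"})

# Constructed messages (reserved .example domains).
SAMPLE_APPEAL = (
    'From: "Humanitarian Appeal" <appeal@relief-org.example>\n'
    "Reply-To: donations.desk@freemail.example\n"
    "Subject: Help the earthquake victims\n"
    "\n"
    "Please reply to arrange your donation.\n"
)
SAMPLE_NEWSLETTER = (
    "From: news@lists.charity.example\n"
    "Reply-To: support@charity.example\n"
    "Subject: Monthly update\n"
    "\n"
    "Thank you for your support.\n"
)


def addresses(msg, header):
    """All mailbox addresses in a header, lower-cased, display names dropped."""
    pairs = getaddresses(msg.get_all(header, []))
    return [addr.lower() for _name, addr in pairs if "@" in addr]


def domain(address):
    return address.rsplit("@", 1)[1]


def related(reply, sender, freemail):
    """True when a reply address plausibly belongs to the sender.

    On a free mail provider every mailbox is a different owner, so the full
    addresses must match; otherwise a shared parent domain is enough.
    """
    reply_dom, sender_dom = domain(reply), domain(sender)
    if reply_dom in freemail or sender_dom in freemail:
        return reply == sender
    return (reply_dom == sender_dom
            or reply_dom.endswith("." + sender_dom)
            or sender_dom.endswith("." + reply_dom))


def reply_to_findings(raw_message, freemail=FREEMAIL_DOMAINS):
    """Return sorted finding names for a raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    senders = addresses(msg, "From")
    findings = set()
    for reply in addresses(msg, "Reply-To"):
        if not any(related(reply, sender, freemail) for sender in senders):
            findings.add("reply-to-differs-from-sender")
            if domain(reply) in freemail:
                findings.add("reply-to-is-freemail")
    return sorted(findings)


if __name__ == "__main__":
    demo_providers = FREEMAIL_DOMAINS | {"freemail.example"}
    print(reply_to_findings(SAMPLE_APPEAL, demo_providers))
    print(reply_to_findings(SAMPLE_NEWSLETTER, demo_providers))
```
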

 

 

Malicious Email

 

Another type of e-mail used is the malicious e-mail, or an e-mail with links leading to malicious content. One such e-mail is used in a targeted attack: it provides information about the nuclear crisis in Japan and has a document attached called "Understanding Japan's Nuclear Crisis.doc", which surprisingly enough has very low coverage (5/43) in VT. Also, as you can see from the message source, it was sent from a free mail account.

 

Facebook apps with CPA lead survey

 

And the last, but not least, vector of attacks is through social networks.  For example, Websense Threatseeker Network has identified a set of Websites that entice users to watch a video about the latest disaster events in Japan. As you can see in the picture below, the involved sites are registered under the .info TLD; "D1" stands for "Registered for 1 day". Instead of getting a movie, users are redirected to a Facebook application installation page. The application asks for permission to post on the user's wall.

 

 

 

 

 

 

The scam application has different names such as "RemoteViews",  "Collect",  "Consumer" and others.  Once clicked it asks the victim to fill in a survey to unlock pictures of people who viewed the victim's profile:

 

 

It also leaves a post on the victim's wall with a link to this application:

 

 

We have already discussed CPA (cost per action) leads in our previous blog about Viral Facebook Applications as well as most techniques listed in this blog.  

 

In conclusion we can see how, again and again, such disastrous events give cybercriminals a lot of  "ammo" for their "arsenal" of malicious activities.

Artem Gololobov

Popular Polish government Web site Opole.pl injected with Pharmaceutical links
Posted: 24 Feb 2011 11:38 AM

Web sites don't necessarily have to be injected with malicious code (the kind of code that ends up delivering exploits to the user’s browser). In fact we see a LOT of Web sites that are injected with code used for black SEO purposes. This kind of code targets the visiting search engine instead of directly targeting the visiting user with exploits. This is a phenomenon also known as Spamdexing.


When search engines visit a Web site, they also look at the links that the Web site currently links to. Having a reputable Web site (for example CNN.com) link to your site (if you have one) will add to the reputation of your site from the search engine's perspective. The opposite is also true: if a reputable Web site links to a dodgy and not reputable Web site, that won't be good for the reputable Web site and will affect its reputation from the visiting search engine's perspective.

 

Spammers and scammers exploit this to build a good reputation for their cunning Web sites and their customers' sites. Take Opole.pl, for example: this official and pretty popular local Polish government Web site has had one of its sites injected with rogue links to pharmaceutical Web sites.

 

The links are hidden from the user's browser (see the screenshot below), and since they have been injected into the Web site, it would probably be just as easy to change them or add additional rogue content, like Iframes or scripts that can potentially lead to malicious content.

 

You might wonder: how common are hijacks like these? They're pretty widespread. The next graph shows the number of compromised/hijacked pages used for black SEO purposes so far this week. Bear in mind that this graph represents only one analytic that we have in ACE for spamdexing hijacks. The numbers are huge and the trend is clear - the bad guys are profiting from such black SEO activities.

 

Websense customers are protected from such attacks with our Advanced Classification Engine analytics, our suite of technologies within TRITON.

 

 

Snapshot of the Injection in Opole.pl:

 

 

The official Web site of Opole Poland - Opole.pl:

 


Elad Sharf

©2013 Websense, Inc. All Rights Reserved.