Wednesday, August 04, 2010

PhacePhish: New Facebook Attack gives a One-Two Punch

Tonight I had a message from one of my Facebook friends who was concerned that someone may have hacked her Facebook account. She was worried that she might get a virus by looking at the links they had posted on her behalf. I assured her not to worry -- if her Facebook account was sending links to other people's walls, she probably already had a virus. After digging a bit deeper, I'm not so sure.

The "One-Two" punch of this current Facebook attack is similar to some of the spamming malware. Some of the messages it sends are to generate profit for the cybercriminal, and some of the messages are to infect more users to build the criminal's delivery network.

Here is the first type of message -- the "profit" message:



This reminds me of a current "work at home mom" trend that some of my other friends are engaging in. There really is a weight loss multi-level marketing scheme right now where the participants are encouraged to make a website telling about "the plan" and then are told that making money is as easy as following the plan yourself, and posting your weight loss reports to all your Facebook friends. (Hope your happy and skinny, DG, I wouldn't know, I blocked you on facebook as soon as you started that crap!)

What happens if you follow the link? The link doesn't go to my friend's weight loss page. It goes to an Acai Berry affiliate sales "news" page that is supposed to look like a real "news" site that just happens to be featuring a story about the miracle of the Acai Berry.



Clicking anywhere on the "news" page takes you first to an affiliate tracker page:

tracker.cpaprosperity.net/affe?offer_id=500&aff_id=1161

and then to the sales page for their diet plan:

acaioptimum.com/?afil=az1007

The diet scam page is hosted by Black Rock Hosting on the IP address 64.38.201.205.

That was the "One" . . . here comes the "Two" of our One-Two Punch:



What's the other important purpose for Facebook besides getting your friends to join your Multi-Level Marketing Weightloss plan? Sending stupid videos to one another, right? Everyone knows that when one of your friends posts a link, you are required to immediately click on it, and the click the "Like" button. This is how people know that we are their friends. We "Like" all their stupid videos.

(Actually, I'm a big Facebook fan. My family communicates like crazy with it, and I enjoy sharing pictures with my friends and playing Bejeweled Blitz. But this is the part where I'm supposed to be all sarcastic...)

So, when my friend BG posted this message to all of her friends' walls, what would happen if they clicked on it?

The first thing is that it sends you to a website called "securitymeassures3.co.tv". That page is going to call some Javascript to find out what country you are in:



If you are in the US, you then load the webpage "explororjones.com/deel/deeus/"

If you are anywhere else in the world, you then load the webpage "explororjones.com/deel/deeint/"

Either way, the page that loads looks like this:



WAIT! How did I get logged out of Facebook? (you are supposed to say to yourself...) then you quickly type in your userid and password for Facebook on this other page, which is actually at "explororjones.com"

ExplororJones is hosted on that excellent Netherlands hosting company Worldstream. I don't recall Facebook moving their operations there. When a webpage that isn't really the company you are trying to log in to tries to convince you to login on the fake web page we call that phishing.

That's why I'm calling this particular attack "PhacePhish" - most phishing attacks start with a spam message that sends you a scary reason that you really need to log in to your bank RIGHT NOW. This one starts with a spammy Facebook message instead.

Sooo...does my friend have a virus?

No, its very very probable that my friend clicked on a "funny baby" or some other leading video on one of her friends' Facebook posts, believed she was logged out of Facebook, and logged back in, giving her password to the criminals. The criminals then can login as my friend and repost the message on all of their facebook pages. If they fall for it, then they'll tell their friends, and they'll tell their friends, and they'll tell their friends, and pretty soon we'll all be skinny and rich! Happy ending!

I'd call my friend and tell her all of this, but its 3:00 AM. I'll let her sleep a bit more while the criminals spread their message through her Facebook account. Wonder if the Facebook guys are awake . . . hmmmmmmmm....

No comments:

Post a Comment

Trying a new setting. After turning on comments, I got about 20-30 comments per day that were all link spam. Sorry to require login, but the spam was too much.