The code that you are pasting into your address bar is a JavaScript that simply calls a second JavaScript file hosted on a compromised but otherwise innocent website. The second file enumerates all your friends and sends them chat messages, creates an event to which all your friends are invited and continually updates your facebook status. Meaning that the video link is immediately posted to your facebook wall to entice other unwary facebookers and spammed out in personalised chat messages and event invitations to your nearest and dearest (well, your Facebook friends anyway).
 
The tactics used are exactly the same as in many of the “Profile Spy”, or “See who views your profile” scams that do the rounds so often, in fact the offending JavaScript file in this instance even contains the line “var eventdesc = ‘Hey everyone, \n\ fb now lets you see who viewed your profile! to enable this feature, go here! -” suggesting that this represents nothing more than a rebaited trap.
 
But hey, there’s an old saying in Tennessee – I know it’s in Texas, it’s probably in Tennessee – that says, fool me once, shame on … shame on you. It fool me. We can’t get fooled again (with thanks to GWB)
 
What do we learn from this? I guess the simplest lesson is, if you receive an unsolicited link from someone, even someone you know, check with them first before you click. You never know, you could be doing them a favour and letting them know they have been duped. And NEVER paste ANYTHING that is not a URL into your browser address bar.
 
It is also worth noting that this is not the only Osama scam currently spreading on Facebook, I also spotted many iterations of a second attack that uses clickjacking in the form of a bogus CAPTCHA to fool users into posting the bait to their own walls.
 

 

 
Information “possibly obtained”:
– Billing address
– Purchase history
– PlayStation Network/Qriocity password security question responses
– all above data for any dependent accounts (your children’s sub-accounts)

 
Although there is no evidence at this time that payment card information has been accessed, Sony are “unable to rule out this possibility” and are advising their customers accordingly.
 
What does this mean for you? Well if you’re the type of person who tends to reuse your password across multiple web sites today’s the day to get out there and start changing that password and breaking that habit. Criminals now have your email address and common password, they may also have the answers to your security questions, which also tend to get reused.
 
It is never a good idea to use the same password across multiple web sites, so try to have a unique one for every site you use. While this may sound complex and impossible to remember there is simple way to acheive this. Create a complex password using upper and lower case letters, numbers and special characters such as $%&!. Devise a way to differentiate your password for each site you use, for example putting the first and last letters of the web site name at the beginning and end of your initial complex password, making it unique yet easy to remember
 
As for those security or password reset questions, this is also one of the most common ways to break into an account. If you are asked to provide answers to “Security questions” consider whether the answers are really secure. Secure means that you are the only person who can answer the question. If the possibility exists to create your own questions, use it. If you are obliged to answer more standard questions such as “First school”or “First pet” remember the answer doesn’t have to be the truth, it only has to be something you can remember.
 
Aside from this, given the nature of the warning from Sony keep aeather eye on your bank statements for any unauthorised activity.
 

My notification mail from Hilton HHonors

• Pay careful attention to emails your receive in the coming months, perhaps years.
• Never surrender personal information to a website without having used one of your own bookmarks to get there or typing it yourself (i.e. don’t follow links in mails).
• Before giving out personal details, ensure that the connection is secured with SSL. You can see this is the case if the address starts with “https://“. If it’s not encrypted they don’t deserve your data.
• Read the privacy agreement carefully before you hand over any details. If there is anything you are unhappy with reconsider your decision to sign up.
• To better insure yourself against this kind of eventuality in future consider using unique addresses for each service, I wrote an article on how to easily achieve this here.

 
And for all of the companies out there that process, store or transmit personal data belonging to other people… ENCRYPT IT, no excuses, no get out clause. This is only the beginning and you owe your customers a duty of care.
 

Robot Face from Garrette's Flickr Photo Stream under creative commons

  
Many of you will be familiar with the idea of Spam bots when it comes to real time chat, if not I detailed a Facebook related scam a while back that took advantage of this technique.
   
Classical chat spam bots operate in four distinct modes, the research paper describes them as “Periodic bots” – they simply post spam messages at regular intervals; “Random bots” – posting messages at random intervals; “Responder bots” – automating replies to other user’s messages and “Replay bots” which as the name implies simply replay previously recorded conversations.
   
The problem that scammers and criminals have to overcome with these technologies is the effectiveness of our natural suspicion and intuition. It turns out that, in the main, humans are particularly good at spotting when they are being spoken to by a computer. The researchers from Vienna have devised a way to overcome these natural defenses.
   
The paper details an application they call Honeybot which acts as a man-in-the-middle between two human correspondents, intercepting, diverting and, crucially, modifying messages sent between them in order to direct the conversation and engineer the victims into clicking links. Links which have been inserted by the attackers. According to the paper:
  

“The general attack principle works with any chat system that allows the exchange of private messages. It is based on the traditional man-in-the-middle concept. Every instance of the attack involves two human users and a bot in the middle. Both users believe that they are talking to the bot, but in reality, their messages are forwarded back and forth as shown in the following example:

• bot -> Alice: Hi!
• Alice -> bot: hello
• bot -> Carl: hello
• Carl -> bot: hi there, how are you?
• bot -> Alice: hi there, how are you?
• Alice -> bot: . . .

 

The bot looks perfectly human to both users because the entire conversation is reflected off the bot in the middle.“

 
 Not only are all communications proxied but the bot has the intelligence to be able to guess at the respective genders of the victims, use questions to take control of the direction of the conversation (usually to engineer a scenario where a link would normally be posted) or to simply replace links posted by one victim with pre-configured malicious links.
   
In their testing, the researchers inserted three different kinds of link, a simple IP address, a TinyURL shortened link and a MySpace link into conversations on three different IRC channels and they recorded up to an impressive 76% click through. In a similar but more limited experiment using Facebook chat, the click through rate was still impressive at 40%.
   
With those kinds of results, surely we can expect to see this kind of technology incorporated into cybercriminal campaigns in the very near future. Just like your mother always told you, don’t talk to strangers! In those situations where you really have to, then this is just one more reason to ensure that your security solution of choice is scanning for malicious URLs in real-time…