CounterMeasures - A Security Blog � Web 2.0

Facebook prank, lost in translation.

Rik Ferguson — Wed, 28 Jul 2010 17:12:49 +0000

A group of Turkish pranksters enlisted the help of their fellow message board users to mount a large scale linguistic assault on Facebook, resulting in red faces all round.

A post on the Inci Sözlük discussion forum describes the plan for abusing the Facebook translate application for the amusement of the discussion board members and it seems, the attack was a complete success.

A selection of 56 words and phrases that are commonly used across the Facebook platform, words and phrases such as “Like” or “Your message could not be sent because the user is offline” had their Turkish translations, erm… “improved” The attackers abused the official Facebook Translate interface, a crowdsourcing method for improving the linguistic accuracy of the site. Discussion forum members then went on to provide enough votes to push these translations into use for anyone viewing Facebook in Turkish resulting in some very red faces. The terms of course were offensive and insulting, some may have found them amusing, not I of course!

The word “Like” for example was substituted for another word that rhymes with Luck but begins with an F. The familiar notification in Facebook chat “Your message could not be sent because the user is offline” became “Your message could not be sent because of your tiny penis”

"Your message could not be sent because of your tiny penis"

Facebook rolled back the unwanted translations during the day and the Facebook Translate application is offline for many languages, although it is not clear if this is related.

It is interesting to note the fully automated nature of this crowdsourced method, it certainly seems as though the replacement translations did not go past any human eyes before going live. Perhaps there were possibilities here for criminals to take advantage of by substituting obfuscated URLs for the popular words. Perhaps it is fortunate that the hole has been exposed through a prank in the first instance and not something more nefarious.

Any online service, whether it’s transaltion or reputation services, which solicits user generated content would be well advised to quality check that content before going live with it.

Facebook users… Don’t Panic!

Rik Ferguson — Mon, 12 Jul 2010 11:34:18 +0000

from cogdogblog's Flickr photostream under Creative Commons

You might have noticed in the news today, Facebook have agreed to make the ClickCEOP app available to their users. This app, often referred to in the media as a “Panic Button” gives concerned Facebook users a place where they can go to get help and advice related to many aspects of online safety.

CEOP (the Child Exploitation and Online Protection Centre) encourages Facebook users aged between 13 and 18 to add a ClickCEOP tab to their profile, the tab contains a link through to the CEOP Abuse Reporting site. This site is aimed at providing direct links to report or get advice on cyberbullying, hacking (by this they mean account takeover), viruses, mobile problems, harmful content or inappropriate or unwanted sexual behaviour.

While the ClickCEOP app will not be installed by default into every teenager’s profile, Facebook have stated in this interview that they will support the app with a site-wide awareness campaign aimed at their younger users and the app itself is clearly designed to spread by word of mouth and recommendation.

It is great to see Facebook taking the safety of their more vulnerable users more seriously. Education and awareness are powerful tools against online threats, hopefully as people notice their friends adding this app to their profile pages it will rapidly become almost a default installation.

The reason why predators are so successful on social networks and online in general, is because they work diligently to allay any suspicions or fears that their victim my feel. They use stolen photographs, misappropriated identities and outright lies to appear to be something they are not. For some commentators, this is the reason the Panic Button may not be as effective as could be hoped. But surely something is better than nothing at all?

One argument that says that the simple presence of the button will help to raise awareness and help to raise the suspicion level of the more vulnerable. It could also be the case that repeat offending will be uncovered more rapidly if even one potential victim sounds the alarm.

Unfortunately an alternative outcome is that this functionality could drive bullies and predators into more devious tactics, for example the creation of “use once and destroy” alter-egos making finding and stopping them all the more complicated.

At the very least for the younger or more vulnerable there should be no more confusion about where to go or what to do when they feel somehow targeted. One of the aggravating factors when it comes to online crime, is the absence of any central reporting facility. For Facebook users this small part of the problem, at least, is now solved.

Are you being stalked? Yes. By scammers. Again.

Rik Ferguson — Tue, 29 Jun 2010 14:58:39 +0000

One of my favourite singer songwriters once wrote “There is nothing new, only forgotten” and today is an object lesson in short term memory loss.

Once again facebook scammers are fooling users en masse into believing that they can find out who has been checking their profile pages. You may notice several of your friends posting something like the below at the moment:

Bogus message from bogus app

It’s a variation on a theme I blogged about only three months ago but it seems the attraction has not worn off. As I said back then, there is no officially sanctioned Facebook functionality that will allow you to view who has been checking your profile. Don’t click the links, don’t install the app.

If you do authorise this scamware you will be asked to grant permission for the app to post to your wall and to access your information.

Don't be tempted...

Once you grant that permission you will be put in the unenviable position of enticing your friends and family to fall for the same scam with an automated post to your wall.

In the meantime you are redirected to yet another affiliate marketing based moneyspinner for the scammers.

"Please click this link and make me some cold hard cash"

Unless of course you’re using Trend Micro, in which case you’ll see this…

Not on my watch, sonny Jim.

I have informed Facebook incident handlers of this latest ruse and doubtless it will be gone very soon.

New malicious Twitter spam

Rik Ferguson — Tue, 15 Jun 2010 14:36:25 +0000

Just a couple of hours ago I started getting some very shady looking tweets like the below.

Malicious Tweet

The link in the post is abbreviated, but leads on to a site hosting some obfuscated JavaScript.



If this JavaScript is executed by the browser an unpleasant payload is delivered to the victim. So far we have seen both malicious PDF documents and executable files. These Trojans attempt to connect to additional locations to download further malware. TrendLabs are currently investigating, watch the blog for updates.

This latest Twitter malspam follows hot on the heels of the Gaza and FIFA spam run earlier this month.

Be careful where you click and make sure your security software is blocking those evil links.

Facebook 419

Rik Ferguson — Tue, 15 Jun 2010 13:24:14 +0000

No matter how hard I try, I just can’t get away from people trying to give me money.

It’s an age old scam, older even than the venerable Internet; Advance-fee fraud also known as 419 fraud. Fortunately it is also a scam that anti-spam technology has become adept at spotting and blocking. So it’s no surprise to see that criminals are turning to alternative distribution mechanisms to try to snare their victims.

I just received I friend request on Facebook from (the no-doubt bogus) Mariam Mehdi and as you can see below, the content is unfortunately all too familiar

419 fraud mail received as Facebook friend request

I was very pleased to note that, in the hour that passed between the message being sent and me checking my friend requests on Facebook, the offending Facebook user account and the any friend requests had been erased from the social network.

Anyway, old scams never die, they just get annoyingerer more annoying. If you receive any of this junk, treat it the same as any other Spam, terminate with extreme prejudice.

I’m starting with the man in the middle.

Rik Ferguson — Mon, 14 Jun 2010 13:08:52 +0000

Researchers at the Technical University in Vienna have published details of an important evolution in Automated Social Engineering and proved the concept using IRC and Facebook chat.

Robot Face from Garrette's Flickr Photo Stream under creative commons

Many of you will be familiar with the idea of Spam bots when it comes to real time chat, if not I detailed a Facebook related scam a while back that took advantage of this technique.

Classical chat spam bots operate in four distinct modes, the research paper describes them as “Periodic bots” – they simply post spam messages at regular intervals; “Random bots” – posting messages at random intervals; “Responder bots” – automating replies to other user’s messages and “Replay bots” which as the name implies simply replay previously recorded conversations.

The problem that scammers and criminals have to overcome with these technologies is the effectiveness of our natural suspicion and intuition. It turns out that, in the main, humans are particularly good at spotting when they are being spoken to by a computer. The researchers from Vienna have devised a way to overcome these natural defenses.

The paper details an application they call Honeybot which acts as a man-in-the-middle between two human correspondents, intercepting, diverting and, crucially, modifying messages sent between them in order to direct the conversation and engineer the victims into clicking links. Links which have been inserted by the attackers. According to the paper:

“The general attack principle works with any chat system that allows the exchange of private messages. It is based on the traditional man-in-the-middle concept. Every instance of the attack involves two human users and a bot in the middle. Both users believe that they are talking to the bot, but in reality, their messages are forwarded back and forth as shown in the following example:

bot -> Alice: Hi!

Alice -> bot: hello

bot -> Carl: hello

Carl -> bot: hi there, how are you?

bot -> Alice: hi there, how are you?

Alice -> bot: . . .

The bot looks perfectly human to both users because the entire conversation is reflected off the bot in the middle.“

Not only are all communications proxied but the bot has the intelligence to be able to guess at the respective genders of the victims, use questions to take control of the direction of the conversation (usually to engineer a scenario where a link would normally be posted) or to simply replace links posted by one victim with pre-configured malicious links.

In their testing, the researchers inserted three different kinds of link, a simple IP address, a TinyURL shortened link and a MySpace link into conversations on three different IRC channels and they recorded up to an impressive 76% click through. In a similar but more limited experiment using Facebook chat, the click through rate was still impressive at 40%.

With those kinds of results, surely we can expect to see this kind of technology incorporated into cybercriminal campaigns in the very near future. Just like your mother always told you, don’t talk to strangers! In those situations where you really have to, then this is just one more reason to ensure that your security solution of choice is scanning for malicious URLs in real-time…

Facebook users: Raise your mallets.

Rik Ferguson — Thu, 03 Jun 2010 14:59:00 +0000

Image from Joe Shlabotnik's Flickr stream under creative commons

Niket Biswas posted an entry in the Facebook Developers blog yesterday entitled “Confirming Developer Accounts“. It seems that they are asking application developers to attach either a mobile telephone phone number or a credit card to their Facebook account. The telephone number is verified by way of a validation code sent by SMS, the credit card number is not verified in any two way fashion, in fact Facebook explicitly state that they do not even make a token charge to the card. In their own words;

“We’re taking this step to preserve the integrity of Facebook Platform, ensuring that every application is associated with a valid and real Facebook account.”

There are a couple of glaring problems with this… Firstly, what guarantees are there that any Facebook account is “valid and real” in the first place? Secondly, proving access to a credit card or mobile phone is a whole different thing to proving ownership. So if criminals or scammers, who we must assume have ready access to disposable mobile numbers and/or stolen credit cards, attach some of these bogus credentials to an already bogus account where does that leave us?

Well, with the proposed “Confirmed Developer Accounts”; it leaves us with a fake “confirmed” profile which is once again free to post any application content they choose, and it leaves Facebook incident handlers continuning to play Whac-a-Mole with the scammers.

If Facebook really want to turn around the security situation when it comes to malicious or (being charitable) rogue content, then the only effective option open to them is an application approval process such as the ones already in place over on MySpace or on the Apple App Store.

The effort that Facebook incident handlers currently put in to tracking down and suspending the ever increasing volume of rogue apps would surely be better channeled into stopping them from appearing in the first place. This is something I first suggested back in February 2009 when two rogue apps in a week was considered shocking (how times change). At the time Mr Zuckerberg was very quick to dismiss my proposal, but with these first steps perhaps we can live in hope.

GORDON’S ALIVE?! Tory online campaign fail.

Rik Ferguson — Mon, 22 Mar 2010 17:11:05 +0000

The Conservative party this weekend unveiled a social media marketing campaign aimed at embarassing the Labour Party. The plan has backfired quite spectacularly…

The “Cash Gordon” web site was highly dynamic and tied in with many popular social networking sites and tools. It capitalised on user generated content and relied on organic sharing and interaction. In a blog post on the Conservative home page Samuel Coates said

“Once users have connected to the Cash-Gordon campaign, they can start accruing “action points” for reading briefings about the issue, getting their friends involved, donating, or even for directly asking Charlie Whelan a question.”

However today it’s the Conservatives that have been left with red faces, after a web site configuration error (or maybe just a lack of planning) saw the site abused to the point of being taken offline.

The Cash Gordon website was set up to collect any message posted on Twitter that contained the hashtag #cashgordon and republish it in a live stream in a widget on the home page of Cash Gordon.

Obviously this was duly noted and passed around. It was soon discovered that if you tweeted HTML or JavaScript instead of standard messages, this content would be interpreted and rendered by the visitor’s browser as legitimate part of the Cash Gordon site, allowing pranksters to redirect visitors to any site of the miscreant’s choosing.

The screen shot below shows the steady stream of tweets that ensured that visitors to the web site were constantly redirected to many different, sometimes salacious, destinations.

Tweets containing JavaScript and #cashgordon hashtag

This isn’t all fun and games though, configuration oversights can lead to serious harm. This latest in a line of social media marketing related fails is a salutary warning not to underestimate the technical know-how of the world wide audience you are inviting.

In reality this poor configuration could have posed a serious risk to the Tory party’s own supporters as well as any other curious visitor. Those responsible for the page should have been filtering incoming Tweets or simply sanitising the code before it was reposted. This could just as easily been used as a means to infect visitors by redirecting them to malicious web sites.

Who’s checking your Facebook profile? Scammers.

Rik Ferguson — Sun, 14 Mar 2010 21:08:08 +0000

Yet another variation on a Spam theme for Facebook to deal with tonight. I have identified at least 25 different copies of the same rogue app with names such as peeppeep-pro, profile-check-online and stalk-my-profile

A wave of applications have been published that promise to reveal the truth about which of your friends are viewing your Facebook profile. The promise is worthless and the apps are bogus.

Rogue App wall post

Facebook users may notice wall posts or receive notifications from their friends, unwitting victims all, encouraging them to install the rogue app, along with bogus assurances on its reliability.

Rogue App "Configuration" screen

The app itself is designed to look convincing enough, but none of the many “Continue” buttons it offers will activate some under-the-counter profile checking functionality, they will just push you into another Facebook app earning the scammer advertising revenue in the process.

Notifications from two versions of the rogue app

In an interesting twist on the now familiar theme, at least one version of the rogue app will create a photo montage of all the infected user’s friends, tag it so that they all receive notifications and then post the photo.

Bogus photo montage from rogue app

These changes in scam tactics are clearly designed to overcome the changes that Facebook made recently to application functionality, including removing the ability for applications to send notifications directly.

I can see that Facebook are actively combating these applications as they are posted, even on a Sunday evening, which is commendable but… I said it first back in February 2009, isn’t it time Facebook at least had a review of their application publishing policy? The idea was dismissed back then, but now that these things are becoming a regular occurrence there must be a tremendous burden being placed on the incident response handlers at Facebook that could be better channeled into an application vetting process.

For now though, just don’t click the links, they will disappear from your streams as Facebook remove the offending apps. There is no officially sanctioned Facebook functionality that will allow you to view who has been checking your profile.

A quick look in your Photo stream will show you how widespread the victims of this scam are:

Screenshot of my own Photo stream

Rogue Facebook app “Like” pushing Zwinky & MyWebSearch

Rik Ferguson — Sat, 27 Feb 2010 17:09:25 +0000

Initially I wasn’t going to blog about this, as I didn’t want to appear to be on a run of Facebook related posts. However this has been ongoing for over a week now, this same rogue app keeps reappearing, several of my own friends have fallen victim, so a warning seems like a good idea!

The rogue Facebook app in question has appeared for at least the third time in the space of a week and is clearly designed to fool victims into clicking the spam notifications it sends out, in order to earn the scammer some cash through affiliate based advertising.

The app is named “Like” and borrows the icon from the official Facebook “Likes” function. The Spam notifications it sends out have also been designed to resemble the real Facebook functionality. The name of the application contained in the Facebook URL has equally been designed to fool each time, it has been ”im_best_app”, “farn_ville” and “pet_villeik” respectively.

Rogue app Facebook notification.

If you click the link in the notification you are invited to allow the rogue app access to “your profile information, your photos, your friends’ info and other content it requires to work”. Of course with the app having ‘borrowed’ so freely from official Facebook look and feel many otherwise cautious users are falling for the ruse.

Rogue app "Like".

If you do click the “Allow” button you will very briefly see an application page that simply reads “Error! Error! ERROR!” before being forwarded to an external (to Facebook) website hosted at Dizzy Networks.

Like Facebook app page

Dizzy Networks is a “technology focused advertising company” whose advertisers are apparently “hand selected and control their campaigns to fully optimize your overall performance“. Although, if you were interested in signing up as an advertiser for Dizzy Networks you’ll need to be trusting because the terms and conditions that you must agree to are “coming soon”!

The page at Dizzy Networks contains only a JavaScript that redirects once more to the landing page at Zwinky proposing the installation of the Zwinky software. The URL of that landing page contains the partner ID ZJxdm493 which would perhaps identify the person behind the scam. At the very least it would appear that Zwinky may be paying out commission under false pretences and Facebook users are having their personal information put at risk.

Facebook staff have responded to user complaints and to the information that I have sent them very rapidly in the two previous cases and I am sure this third example will also be removed quickly. Wouldn’t it be great though if some mechanism could be put in place to protect their hundreds of millions of users proactively?