UPDATE: I should make clear that whilst Facebook believe this attack to be related to earlier account phishing activity, more than one victim has assured me that they have not logged into Facebook for some while and are certain they have not fallen for a phishing scam. It is certainly true that code has been published on more than one site that uses the Facebook mobile portal to push status updates to a Facebook profile.
A few people have contacted me over the last few days, concerned about spam status messages that were being posted on their Facebook accounts.
The messages advertise a supposed weight-loss URL (colonrevi.com), which was earning money through an affiliate scheme. That URL has already been suspended for abuse, but at the time of the attack it redirected visitors to cleancoloncleanse.com, a site peddling a spurious dietary aid, CleanseProX. I think their own disclaimer at the bottom of the page backs up my use of the word spurious.
The site employs many tricks familiar from fake pharmaceutical scams and rogue AV alike: wildly exaggerated claims of effectiveness, attempts at credibility by association with unrelated content (this site was showing a CBS News video entitled “Conquering colon cancer”) and unlinked images intended to prove the security of the product or service.
One interesting addition to this was the use of a fake real-time chat window that pops up when you try to navigate away from the site. The window masquerades as a real person responding to concerns and offering half-price shipping to get your order, but is in reality a very poorly disguised automated script. In this case it is programmed to respond to words like “scam”, “con” and “real” to assure the victim that this is of course not a scam and that they are talking to a real person, when the reverse is clearly the case. They didn’t have too much to say when I asked them about the compromised Facebook profiles…
You can see from the screenshot that the service is provided by a company called Intellichat, who are very clear on their website that they provide scripted responses rather than live chat. You have to wonder, though, why they are willing to script responses which are blatant falsehoods, such as the below.
CleanseProX is promoted by a company called Teloxys Technologies Limited; a quick Google search reveals that they are also connected with products such as TrimBerryAcai, CleanseHerbal, Naturacai and Resveratin (an “anti-aging” pill)… CleanseProX doesn’t appear to have too many satisfied customers either (yes, people do actually fall for this).
I have been talking to the good folk over at Facebook about this latest account hijacking activity and they think that it is the result of a previous credential phishing attack. The spam updates in this particular attack so far all appear to originate from “Mobile Web”. This does not mean that scammers are abusing your profile via SMS, as some victims have feared, only that they are using m.facebook.com (the portal designed for mobile users) to send their spam. SMS updates would show up as originating from “Mobile texts”. So if you have fallen victim to this, you should change your password immediately. Facebook users should keep an eye on the Facebook Security blog for updates on the latest threats they are seeing.