| 17 |
| Aug |
Article from Rik Ferguson
Filed under: Phishing,Web 2.0 | RSS 2.0 | TB | Tags: Facebook, Phishing, web | 62 Comments
UPDATE 4: 20th August Facebook have removed the six rogue apps mentioned below. Unfortunately 5 more have appeared over the course of today, they are called “Friends“, “Friends Gifts“, “Matching, “Poki” & “Your Photos” (same bat-name, different bat-app) bringing the total so far to 11. The new rogue apps take the same format as previously but use different application icons, have slightly more credible notifications to your friends and also now feature bogus notifications to the profile owner, presumably in an effort to persuade the victim to install further apps and maximise the fraudsters advertising returns.
Facebook notifications page
UPDATE 3: 19th August Rogue app number six just showed up and is unsurprisingly called “Inbox (1)”
UPDATE 2: 19th August:A fourth & fifth rogue app just surfaced, being spread by phony messages spammed out by the other rogue apps. The next applications to avoid/remove & block are called “Birthday Invitations” and “Inbox (2)” again they behave in the same manner as the others.
UPDATE 19th August: Make that “Three more rogue apps”. The rogue application “Stream” mentioned below, today started sending out notifications that lead to yet another rogue app.
Using an already compromised account, I loaded up the app page for the malicious app “Posts” today, it immediately messaged my friends with a link to the “Stream” app I have already blogged about. However, when I loaded up the “Stream” App page, it also sent out new messages, the link in the message went to an external (to Facebook) link, which in turn holds a redirection script that pushed me to another new malicious app called “Your Photos”
“Your Photos” looks exactly the same as the “Stream” and “Photos” apps, and also sends out rogue notifications pointing to the same script referenced above.
I am keeping Facebook informed of these developments as they arise and they are working hard to rectify the situation.
________________________________________________________________________________________
Original post follows:
I have been continuing to look into the Facebook phishing/rogue application story that I blogged about yesterday, because it wasn’t at all clear to me how the application “sex sex sex and more sex!!!” was generating those messages pointing to the malicious web site.
My research has turned up two further Facebook applications which this time have quite clearly been designed for malicious activity and can be clearly linked to the fucabook phishing.
When a victim logs in in using the bogus fucabook page, after entering their password for the first time, they are prompted with a screen asking for their password again “to use the full functionality of malicious application name”, (yesterday the bogus app was called Posts, today it is called Stream).
Once this application is added, it uses the image of one of your friends (because your apps can see any info that you can see) to tell you that someone has generously sent you a meaningless graphic. It also gives you options of how to respond to this dubious gift, but no button to act on those options. Stream and Posts both look the same.
The application then goes on to send spam to all your contacts, without asking for permission of course…
The notifications sent to friends all point back to the fucabook phishingsite. Worthy of note also is the fact that both malicious applications use the same graphical icon to identify themselves. The icon itself has been lifted from the very familiar and entirely trustworthy Facebook Wall application which most users will be used to seeing in their notifications on a regular basis, adding further surface credibility to the attack.
How the application “sex sex sex and more sex!!!” got involved is still unclear, but if the app itself is not malicious, then my current best guess would be application hijacking/hacking to kickstart the phishing/malicious application cycle seen here.
So like I said yesterday, always check the URL displayed in your browser’s address bar before entering any sensitive information. Also check the true destination of a link before clicking it, by hovering your mouse pointer over it. If it looks suspicious, don’t click it. Also, if you’re a Facebook user, now would be a good time to go and review your privacy settings and clear out any applications you no longer use
Trend Microhas informed Facebook of these findings.
| Rik Ferguson: Wednesday, 19. August 2009 um 2:35 pm |
|
|
It depends on whether you are logged into Facebook at the time you visit the link. If you are already logged in (as most will be to have received the notification, then the first login screen is bypassed completely and you are invited then simply to “Allow” the rogue app. |
|
| Rogue Facebook apps steal login data, send spam « Friendly Computers Virus Alerts: Wednesday, 19. August 2009 um 11:34 pm |
|
|
[...] "Birthday Invitations," "Inbox (1)," "Inbox (2)" according to a blog post by Trend Micro researcher Rik [...] |
|
| The Tech Town » Facebook Phishers Target Notification Messages [ALERT]: Wednesday, 19. August 2009 um 11:40 pm |
|
|
[...] look just like real activities you’re used to being notified about. Security firm Trend Micro explains: “Using an already compromised account, I loaded up the app page for the malicious app [...] |
|
| Facebook Phishers Target Notification Messages [ALERT] | TechTerminal: Thursday, 20. August 2009 um 12:01 am |
|
|
[...] look just like real activities you’re used to being notified about. Security firm Trend Micro explains: “Using an already compromised account, I loaded up the app page for the malicious app [...] |
|
| Facebook Phishers Target Notification Messages [ALERT]: Thursday, 20. August 2009 um 12:02 am |
|
|
[...] look just like real activities you’re used to being notified about. Security firm Trend Micro explains: “Using an already compromised account, I loaded up the app page for the malicious app [...] |
|
| Facebook Phishers Target Notification Messages [ALERT] | Techdare: Thursday, 20. August 2009 um 12:11 am |
|
|
[...] look just like real activities you’re used to being notified about. Security firm Trend Micro explains: “Using an already compromised account, I loaded up the app page for the malicious app [...] |
|
| Tech News World » Facebook Phishers Target Notification Messages [ALERT]: Thursday, 20. August 2009 um 12:16 am |
|
|
[...] look just like real activities you’re used to being notified about. Security firm Trend Micro explains: “Using an already compromised account, I loaded up the app page for the malicious app [...] |
|
| Rogue Facebook apps steal login data, send spam « Friendly Computers: Thursday, 20. August 2009 um 12:32 am |
|
|
[...] "Birthday Invitations," "Inbox (1)," "Inbox (2)" according to a blog post by Trend Micro researcher Rik [...] |
|
| Rogue Facebook apps steal login data, send spam « Compren’s Weblog: Thursday, 20. August 2009 um 12:33 am |
|
|
[...] "Birthday Invitations," "Inbox (1)," "Inbox (2)" according to a blog post by Trend Micro researcher Rik [...] |
|
| Beware: Phishing and Spam in Social Networks at Word to the Wise: Thursday, 20. August 2009 um 1:33 am |
|
|
[...] Trend Micro warns us today about how spam and phishing can hit you even in the closed ecosystem of a social networking system such as Facebook. Malware abounds. And in the social network arena, just like anywhere else, “using your account to send spam” is a common thing for the bad guys to want to do. [...] |
|
| Facebook Phishers Target Notification Messages [ALERT] - Programming Blog: Thursday, 20. August 2009 um 1:39 am |
|
|
[...] look just like real activities you’re used to being notified about. Security firm Trend Micro explains: “Using an already compromised account, I loaded up the app page for the malicious app [...] |
|
| Facebook Phishers Target Notification Messages [ALERT] | World News: Thursday, 20. August 2009 um 2:17 am |
|
|
[...] look just like real activities you’re used to being notified about. Security firm Trend Micro explains: “Using an already compromised account, I loaded up the app page for the malicious app [...] |
|
| Facebook Phishers Target Notification Messages [ALERT] | Stoth: Thursday, 20. August 2009 um 3:18 am |
|
|
[...] look just like real activities you’re used to being notified about. Security firm Trend Micro explains: “Using an already compromised account, I loaded up the app page for the malicious app [...] |
|
| Mentors Blog » Facebook Phishers Target Notification Messages [ALERT]: Thursday, 20. August 2009 um 5:02 am |
|
|
[...] look just like real activities you’re used to being notified about. Security firm Trend Micro explains: “Using an already compromised account, I loaded up the app page for the malicious app [...] |
|
| Facebook Phishers Target Notification Messages [ALERT] | NASZAKLASA: Thursday, 20. August 2009 um 5:51 am |
|
|
[...] look just like real activities you’re used to being notified about. Security firm Trend Micro explains: “Using an already compromised account, I loaded up the app page for the malicious app [...] |
|
| Facebook Phishers Target Notification Messages [ALERT] | Blog13: Thursday, 20. August 2009 um 8:40 am |
|
|
[...] look just like real activities you’re used to being notified about. Security firm Trend Micro explains: “Using an already compromised account, I loaded up the app page for the malicious app [...] |
|
| Facebook Applications Used For Phishing: Thursday, 20. August 2009 um 10:03 am |
|
|
[...] After entering the credentials, users would then be redirected to Facebook itself. (The posts detailing these findings can be found at the Counter Measures blog; the initial report is here and a follow-up was posted here.) [...] |
|
| Facebook-Anwendungen stehlen Log-in-Daten - Security | News | ZDNet.de: Thursday, 20. August 2009 um 11:05 am |
|
|
[...] Blogeintrag des Sicherheitsforschers Rik Ferguson zufolge lauten die Namen der bisher identifizierten Programme [...] |
|
| Malicious Facebook apps can steal your info | Gadget Nomad: Thursday, 20. August 2009 um 6:30 pm |
|
|
[...] Read: [Trend Micro] [...] |
|
| Facebook disables rogue phishing apps | Dreamdee Have a good dream: Thursday, 20. August 2009 um 7:32 pm |
|
|
[...] The apps were discovered earlier this week by Trend Micro researcher Rik Ferguson, who detailed the problems in a blog post. [...] |
|
| Phishing Apps Running on Facebook | WCZone Web Design! | Akron Ohio Website Design - Akron Web Development, Cleveland Web Design, Business Website,Web Programming, Akron, Summit County - Services Cuyahoga Falls Website Design Web Development, Business Web: Thursday, 20. August 2009 um 8:14 pm |
|
|
[...] has found phishing apps running on Facebook. More rogue apps have been found and reported in another Trend blog. The apps, named Posts and Stream, sent users notifications in their Facebook profile. Click on the [...] |
|
| Phishing-Gefahr: Auf Adresse in URL-Zeile des Browsers achten - datensicherheit.de Informationen zu Datenschutz und Datensicherheit: Friday, 21. August 2009 um 11:56 am |
|
|
[...] Ferguson auf CounterMeasures, 20.08.2009 (Update) Two more rogue Facebook apps linked to Fucabook scam Fügen Sie diesen Artikel zu den folgenden Social-Bookmarking-Diensten hinzu: Diese Icons [...] |
|
| Facebookのフィッシングアプリ、対策を講じたその日にまた登場 « WordPress: Friday, 21. August 2009 um 12:09 pm |
|
|
[...] Microの研究員Rik Ferguson氏のブログによると、20日に登場したアプリは「Friends」「Friends [...] |
|
| Identity Theft Expert Speaker Protection Prevention Resource Blog » A Glorious Week of Identity Theft: Friday, 21. August 2009 um 1:57 pm |
|
|
[...] “Birthday Invitations,” “Inbox (1),” “Inbox (2)” according to a blog post by Trend Micro researcher Rik Ferguson. The activity started earlier in the week with a Facebook [...] |
|
| » A Glorious Week of Identity Theft - Blogger News Network: Friday, 21. August 2009 um 2:03 pm |
|
|
[...] “Birthday Invitations,” “Inbox (1),” “Inbox (2)” according to a blog post by Trend Micro researcher Rik Ferguson. The activity started earlier in the week with a Facebook [...] |
|
| Una aplicación de Facebook dirige al usuario a ataques de phising | Shadow Security: Friday, 21. August 2009 um 3:01 pm |
|
|
[...] compañía de seguridad en Internet Trend Micro alerta de la existencia de una aplicación maliciosa de la red social Facebook que está enviando [...] |
|
| Facebook Security Becoming a Bigger Issue? - News: Everything-e: Friday, 21. August 2009 um 4:53 pm |
|
|
[...] goods through the network. For specific details on the malicious Facebook apps themselves, check Trend Micro's post, which has been continuously updated as more malicious apps have surfaced. Be careful out [...] |
|
| Facebook verwijdert zes virusapplicaties | PC Web Plus: Friday, 21. August 2009 um 5:49 pm |
|
|
[...] enkele uren later doken alweer nieuwe toepassingen op. De virusapplicaties zijn ontdekt door Rik Ferguson van Trend [...] |
|
| Facebook Security Becoming a Bigger Issue? | SEO Strategy Consultants - Florida - Miami - West Palm Beach - Orlando: Friday, 21. August 2009 um 6:00 pm |
|
|
[...] specific details on the malicious Facebook apps themselves, check Trend Micro’s post, which has been continuously updated as more malicious apps have surfaced. Be careful out [...] |
|
| Facebook eCommerce May Have to Clear Security Obstacle | SEO Strategy Consultants - Florida - Miami - West Palm Beach - Orlando: Friday, 21. August 2009 um 7:40 pm |
|
|
[...] specific details on the malicious Facebook apps themselves, check Trend Micro’s post, which has been continuously updated as more malicious apps have surfaced. Be careful out [...] |
|
| Beware Rogue Facebook Phishing Apps - Privacy and Identity Theft: Friday, 21. August 2009 um 8:38 pm |
|
|
[...] Rik Fergusons’ Trend Micro Security Blog about the Facebook Phishing [...] |
|
| Beware Rogue Facebook Phishing Apps | Complete Source: Saturday, 22. August 2009 um 2:38 am |
|
|
[...] Rik Fergusons’ Trend Micro Security Blog about the Facebook Phishing [...] |
|
| Anti-Virus & Anti-Malware website. » Facebook Applications Used For Phishing: Saturday, 22. August 2009 um 4:40 am |
|
|
[...] After entering the credentials, users would then be redirected to Facebook itself. (The posts detailing these findings can be found at the Counter Measures blog; the initial report is here and a follow-up was posted here.) [...] |
|
| Facebook phishing app plague may be getting out of control | CHARGED's Digital Lifestyle at Work or Play: Saturday, 22. August 2009 um 7:33 am |
|
|
[...] Ferguson reported that Facebook removed the first five rogue applications he had discovered, only to have six more [...] |
|
| Information: Facebook delete 6 Virus application « Tuen's Blog: Saturday, 22. August 2009 um 10:41 am |
|
|
[...] source from: http://countermeasures.trendmicro.eu/two-more-rogue-facebook-apps-linked-to-fucabook-scam/ [...] |
|
| Marcosof Informatica y Telecomunicaciones » Blog Archive » Una aplicación de Facebook dirige al usuario a ataques de phising: Saturday, 22. August 2009 um 1:16 pm |
|
|
[...] compañía de seguridad en Internet Trend Micro alerta de la existencia de una aplicación maliciosa de la red social Facebook que está enviando [...] |
|
| Beware Rogue Facebook Phishing Apps, IronKey Secure USB Device: Saturday, 22. August 2009 um 8:23 pm |
|
|
[...] Rik Fergusons’ Trend Micro Security Blog about the Facebook Phishing [...] |
|
| Facebook eCommerce May Have to Clear Security Obstacle - Programming Blog: Sunday, 23. August 2009 um 12:33 am |
|
|
[...] specific details on the malicious Facebook apps themselves, check Trend Micro’s post, which has been continuously updated as more malicious apps have surfaced. Be careful out [...] |
|
| Facebook eCommerce May Have to Clear Security Obstacle - Programming Blog: Sunday, 23. August 2009 um 12:33 am |
|
|
[...] specific details on the malicious Facebook apps themselves, check Trend Micro’s post, which has been continuously updated as more malicious apps have surfaced. Be careful out [...] |
|
| Is Facebook A Safe Haven For Social & Viral Marketing?: Sunday, 23. August 2009 um 9:25 am |
|
|
[...] Trend Micro reports on at least eleven applications that surfaced last week. The problem down the track is the effect it may have, not on marketing, but on business itself. Facebook now allows developers to sell goods through applications they develop. Think of the damage that could be created if these applications called on credit cards or any other sensitive information, and a rogue application intercepted this data. [...] |
|
| Small Business Mavericks » Blog Archive » Social Media Marketing, Facebook and Rogue Applications: Sunday, 23. August 2009 um 4:00 pm |
|
|
[...] a story on Trend Micro I can only advise on thing if you are using Facebook as part of your marketing strategy – [...] |
|
| Rogue Phishing Applications Plague Facebook | Everything's Social: Sunday, 23. August 2009 um 6:18 pm |
|
|
[...] Gifts,’ ‘Matching,’ ‘Pok,’ and ‘Your Photos.’ According to Trend Micro researcher Rik Ferguson, the latest apps were similar in style/functionality to earlier ones, but [...] |
|
| A Glorious Week of Identity Theft « The Aloricans: Sunday, 23. August 2009 um 9:12 pm |
|
|
[...] “Birthday Invitations,” “Inbox (1),” “Inbox (2)” according to a blog post by Trend Micro researcher Rik Ferguson. The activity started earlier in the week with a Facebook [...] |
|
| Facebook eCommerce May Have to Clear Security Obstacle | The Free Site Hosting | Reviews & Top Hosts: Sunday, 23. August 2009 um 9:20 pm |
|
|
[...] specific details on the malicious Facebook apps themselves, check Trend Micro’s post, which has been continuously updated as more malicious apps have surfaced. Be careful out [...] |
|
| Facebook eCommerce May Have to Clear Security Obstacle | Work at home | Wholesale Dropship Websites | Turnkey Websites | Online Business Opportunity: Monday, 24. August 2009 um 12:37 am |
|
|
[...] specific details on the malicious Facebook apps themselves, check Trend Micro’s post, which has been continuously updated as more malicious apps have surfaced. Be careful out [...] |
|
| Facebook eCommerce May Have to Clear Security Obstacle | Jupiter SEO Services: Monday, 24. August 2009 um 9:40 am |
|
|
[...] specific details on the malicious Facebook apps themselves, check Trend Micro’s post, which has been continuously updated as more malicious apps have surfaced. Be careful out [...] |
|
| Shopping Mall » Blog Archive » Facebook Phishers Target Notification Messages [ALERT]: Tuesday, 25. August 2009 um 1:41 am |
|
|
[...] look just like real activities you’re used to being notified about. Security firm Trend Micro explains: “Using an already compromised account, I loaded up the app page for the malicious app [...] |
|
| Facebook disables 6 rogue phishing apps, but 5 more appear : BizzRoot: Tuesday, 25. August 2009 um 4:15 am |
|
|
[...] “Matching,” “Pok,” and “Your Photos,” according to an updated blog post by Trend [...] |
|
| Twitter Trackbacks for Two more rogue Facebook apps linked to Fucabook scam » CounterMeasures [trendmicro.eu] on Topsy.com: Tuesday, 25. August 2009 um 8:30 am |
|
|
[...] Two more rogue Facebook apps linked to Fucabook scam » CounterMeasures countermeasures.trendmicro.eu/two-more-rogue-facebook-apps-linked-to-fucabook-scam – view page – cached A Trend Micro Blog. Rik Ferguson and others blog about security related issues — From the page [...] |
|
| Social Media Security Podcast » Social Media Security Podcast 1-Social Zombies, Bad Facebook Apps, Twitter SPAM: Tuesday, 25. August 2009 um 4:19 pm |
|
|
[...] Two more rogue Facebook apps linked to Fucabook scam [...] |
|
| More rogue Facebook Apps appearing: Thursday, 27. August 2009 um 3:03 am |
|
|
[...] is reporting that, even after they found three new rogue facebook apps related to the fucabook scam and Facebook [...] |
|
| Anne: Monday, 31. August 2009 um 6:34 pm |
|
|
i’m far from technically literate, but am certain there is something malicious with an application that specifically is called “Send Your Friends a Cup of Coffee”… (aka: a Sunset, a Teddy Hug, a Sunrise, etc… ALL are malicious) upon realizing some things about application removal, ie; you need to actually find them under “Never Allowed to Post” in Application Settings and then Block them; then go back to reset your Privacy Settings, as every application accepted unchecks it and allows all of your information to be sent to ALL of your friends apps (see the story by the ACLU http://www.deseretnews.com/article/705326328/ACLU-Facebook-knows-too-much.html) i realized what was happening when some would be BLOCKED but would NOT dissappear as all of the non-malicous apps did, they still remain as of today… i took screenshots and made a photo album to show friends what was going on, and how every time you used the “Create a Gift Application” which is supposedly the platform for “Send Your Friends a _____”, there was a third party developer way down at the bottom of the page also, and when i clicked the privacy violations link, it took me OFF facebook and tried to get me to install something… i’ve reported this to Facebook and have seen others did as well, yet they’ve done nothing… i wish i’d never allowed a single application at this point, but it’s too late… i wish others would listen… i may make a website to show what is happening, where i can post the screenshots so others can understand what is going on… |
|
| Scam on Facebook: Wednesday, 9. September 2009 um 8:45 am |
|
|
[...] Thanks to Trend Micro for sharing us the informations. Read the rest of the entry here. [...] |
|
| Questions still linger over Facebook and your privacy : Dailycensored.com: Thursday, 8. October 2009 um 6:35 pm |
|
|
[...] August, 2009 Facebook was faced with several rogue apps that were quickly dealt with, leading users to believe that they are, indeed, concerned with its [...] |
|
| 2010 – Year Of The Zombie Cloud? | Business Computing World: Wednesday, 16. December 2009 um 10:43 am |
|
|
[...] crime and its attendant money-making, bot recruitment and Fake AV pushing scams. Facebook has been abused by rogue Apps, designed to fool users into clicking links that reward the creator through pay-per-click affiliate [...] |
|
| Aplicaciones maliciosas en Facebook | Carlos A. Castillo L.: Tuesday, 30. March 2010 um 6:08 am |
|
|
[...] estas falsas aplicaciones. Un ejemplo de ello son las seis aplicaciones maliciosas detectadas por TrendMicro el año pasado: “Stream”, “Posts”, “Your Photos”, “Birthday Invitations”, “Inbox [...] |
|
| Skarke: Thursday, 19. August 2010 um 10:48 pm |
|
|
I truly enjoy this blog. It was extremely informative as well as useful. I will return to wait on upcoming articles. |
|
| Cheryl Judd: Monday, 30. August 2010 um 7:20 pm |
|
|
I need to change my password? |
|
Wednesday, 19. August 2009 um 12:17 pm
[...] This post was Twitted by DeathwishDuck [...]