| F-Secure Antivirus Research Weblog |
| Facebook Spam Worm Links to "Mobile Entertainment" The survey spam worm that spread across Facebook yesterday was posted to profile Walls "via Mobile Web". Here in the lab we're always interested in all things mobile, so we took another look at All Facebook's post. In an update, they show that the spam was also spreading via messages. And there is a link visible in the screenshot pointing to artcentertransportation.com. That site is registered to a "Jane Doe" and is hosted in the USA by Dynamic Dolphin. Visiting the URL from Finland simply redirects to another site called Wixawin (via tracklead.net) which offers "Mobile Entertainment". And what kind of entertainment do they offer? The kind that could cost you upwards of €17.50 per month in subscription fees. This is what you'll see if you attempt to visit Wixawin with our Mobile Security Browsing Protection enabled. The affiliate ID that appears to be behind much of this mischief is "affiliateid=WANE". Perhaps the spam was being posted via Mobile Web so that it included the necessary referrer? In any case, let's hope that the affiliate network revokes whatever leads this spammer may have made. On 07/09/10 At 11:59 AM |
| New Spam Worm on Facebook A clever spammer has discovered a Facebook vulnerability that allows for auto-replicating links. Until now, typical Facebook spam has required some social engineering to spread. But clicking on any of these application spam links is enough to "share" the application to the user's Wall. See the search results below: Note that each of the search results was posted "via Mobile Web", which suggests that a common bug is being exploited. Or perhaps the spammer is posting via m.facebook as it's generally more responsive than the main site. It's also interesting that the application links seem almost polymorphic or Captcha-like. All of the links that we tested resulted in a page not found, so Facebook appears to have halted the worm's progress. Hat tip to All Facebook; read more here. On 06/09/10 At 11:46 PM |
| Fake Passports In today's episode of What Can You Find On the Web, we give you an online store for purchasing fake passports that we ran into. Prices range from $650 to $1000. They don't seem to (yet?) offer passports with embedded RFID chips. Some screenshots: Updated to add: We can now confirm that the URL of the site was mynewpass.com and that it has been taken offline by the hosting company. Unfortunately there are copies of the site still operating elsewhere in the world. On 06/09/10 At 02:20 PM |
| Twitter Spam and the OAuthcalypse Twitter discontinued support for basic user authentication in third-party applications yesterday morning. Good. It's always best never to share your password with a third party. Even if you trust them, their database could be compromised, and your password along with it. The discontinuation of basic user authentication also removes the vector of brute force password attacks via Twitter's API. All third-party applications must now use Twitter's OAuth. So, that being the case… we have a feature request. The other day, we came across some Twitter spam using a bit.ly link that pointed to an application called "Lady Gaga photos". If you "Allow" the application, two things will happen: the account tweets spam and follows two new accounts (emoboyxx3 and BoyGeorge). We don't suspect Boy George is behind this… Okay, so it's a spam application. Time to visit Settings/Connections and revoke its access. And here's our feature request: we want a "Revoke Access and report as a spam application" option alongside the plain "Revoke Access" option. Cheers! On 01/09/10 At 03:36 PM |
| When do 258 tweets equal nearly half a million dollars? Wikipedia's affiliate marketing entry includes the following sentence: "Although many affiliate programs have terms of service that contain rules against spam, this marketing method has historically proven to attract abuse from spammers." This is very true — affiliate marketing methods definitely attract abuse from spammers. Our recent posts on Facebook and YouTube spam linked to cost per action (CPA) affiliate networks. We've come across affiliates from several CPA incentive networks while investigating social networking spam, and one of the more interesting companies that we frequently see abused is CPAlead.com. CPAlead claims to be one of the largest affiliate networks, with nearly 11 thousand members in its Facebook Group. They also have an interesting Twitter profile that lists their daily top earners. They've tweeted 258 times since June 18th, and the total amount of daily top earnings is $485,188.34. There were 281+ thousand leads (completed surveys) and 3.7+ million clicks. That's roughly a 7.5% conversion rate for the top earners. With numbers such as that… there's little wonder why spammers are attracted. On 31/08/10 At 09:44 PM |
| Phishing Attempt Alert! Someone has been trying to pose as us again, and is sending out an e-mail that looks like this: You can safely ignore that e-mail, and please do not reply with the requested details. We don't have a product called F-Secure HTK4S anti-virus/anti-spam, and we certainly wouldn't let such a badly written e-mail be sent out to customers. On 30/08/10 At 04:13 AM |
| CPAlead Spam on YouTube One of our Safe and Savvy bloggers, Melody-Jane, recently asked me about some "free" offers for F-Secure Internet Security 2010 that she spotted on YouTube. She thought the videos, and their associated links, looked just a bit more than suspicious. So I decided to check them out. What I discovered was cost per action (CPA) spam. The same sort as I've recently been investigating on Facebook. (I'm really, REALLY beginning to hate this CPA stuff.) This is what one of the typical videos looks like: "Click the Link to Begin Your DOWNLOAD.......BEFORE IT'S REMOVED!!" Too late. I've already reported the video to YouTube, and bit.ly had flagged their link as abuse within 30 minutes of my request. (Nice!) Here's another example of a spam video. As you can see, it isn't just our software that the spammer is trying to rip off; he's offering many other AV products as well. If you click on the link advertised in the video's description, you'll end up at a WordPress.org blog. At which point you'll be presented with a CPA survey to "unlock the free content". And what content do you get for your trouble when you fill out the survey? A link to a torrent site… (jerk). Downloading cracked software is typically a short path to malware. We don't recommend it (no matter what the software). Be seeing you, Sean On 27/08/10 At 08:22 PM |
| DLL Hijacking and Why Loading Libraries is Hard In the past few days, a class of exploits that fall under the category of DLL hijacking (or "binary planting") has gotten a lot of attention. Apple's iTunes had problems, and a lot of other applications seem to be falling for the same thing. The problem is really quite simple. An attacker tries to trick someone into opening a data file (for example, an MP3 file in the case of iTunes) from a folder while at the same time placing a malicious Dynamic-link Library (DLL) in that same folder. Opening the file makes that folder the application's current working directory, and the current working directory is part of Windows' default DLL search order, so a library the application asks for by bare file name is picked up from there if no directory earlier in the search order supplies it. By doing this, the attacker can force a vulnerable application to execute the malicious code. So, double-clicking on the wrong file on a network share might get your machine infected. The whole class of problems is really nothing new. As Thierry Zoller points out, a nearly identical issue was reported a good 10 years ago. Why are we seeing lots of new vulnerabilities now? A lot can be attributed to a new tool that HD Moore made available last Sunday. It makes finding such vulnerabilities very easy. So what can you do to keep safe? Microsoft has Security Advisory 2269637 out on the issue. It lists several ways to mitigate the risks. You should also make sure to apply updates from the different vendors for vulnerabilities in their products. We'll of course be following this closely and adding detection for any malicious DLLs abusing the vulnerabilities. Currently we are not aware of any vulnerabilities in our own software, but we are continuing our investigation of the matter. Signing off, Antti P.S. Those of you developing Windows software: isn't it funny that a single function with a single argument, LoadLibrary("mylibrary.dll"), can be so difficult to get right? The documentation for LoadLibrary has about 1100 words, the page describing it in more detail has 1000 words, and the page that tells you how to really get it right has 900 more. That's around 3000 words, or ten times the length of this post. You just gotta love LoadLibrary! On 25/08/10 At 05:45 PM |
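An added illustration of the mechanism behind the post above (not code from the post, from Microsoft, or from HD Moore's tool): a small model that replays the documented default DLL search order for a bare-name LoadLibrary over a constructed directory layout. The player, the share, the file names and the probed DLL name "codec.dll" are all made up for the example. It shows which bare-name loads fall through to the current working directory, how a DLL planted next to the bait file wins, and how the advisory's mitigations (SetDllDirectory("") in the application, or the CWDIllegalInDllSearch registry value) and loading by full path close that off. Nothing is actually loaded.

```python
"""Model of the Windows DLL search order that binary planting abuses.

Added illustration: not code from the post, from Microsoft, or from HD Moore's
audit tool. It replays the documented default search order for
LoadLibrary("name.dll") (SafeDllSearchMode on) over a constructed in-memory
layout; it never loads anything.
"""
import ntpath

# Default order for a base-name load: application directory, system
# directories, Windows directory, current working directory, PATH entries.
APP_DIR = r"C:\Program Files\Player"                       # constructed
SYSTEM_DIRS = [r"C:\Windows\System32", r"C:\Windows\System", r"C:\Windows"]

# CWDIllegalInDllSearch values from Microsoft's mitigation. Value 1 (WebDAV
# only) is not distinguished from other remote shares in this model.
CWD_DEFAULT, CWD_BLOCK_REMOTE, CWD_NEVER = 0, 2, 0xFFFFFFFF


class Layout:
    """Constructed filesystem: existing absolute paths plus the process CWD.
    Explorer sets the CWD to the folder of the double-clicked data file."""

    def __init__(self, files, cwd, path=()):
        self._files = {f.lower() for f in files}   # NTFS lookups are case-insensitive
        self.cwd = cwd
        self.path = list(path)

    def has(self, p):
        return p.lower() in self._files


def is_remote(directory):
    return directory.startswith("\\\\")


def cwd_searched(layout, policy=CWD_DEFAULT, dll_dir_cleared=False):
    """SetDllDirectory("") drops the CWD from the search; so does the registry
    policy, for every CWD (0xFFFFFFFF) or for remote ones only (2)."""
    if dll_dir_cleared or policy == CWD_NEVER:
        return False
    if policy == CWD_BLOCK_REMOTE and is_remote(layout.cwd):
        return False
    return True


def search_order(layout, policy=CWD_DEFAULT, dll_dir_cleared=False):
    dirs = [APP_DIR] + SYSTEM_DIRS
    if cwd_searched(layout, policy, dll_dir_cleared):
        dirs.append(layout.cwd)
    return dirs + layout.path


def resolve(name, layout, policy=CWD_DEFAULT, dll_dir_cleared=False):
    """Path LoadLibrary(name) would map, or None for ERROR_MOD_NOT_FOUND.
    An absolute name is not searched at all, which is why full paths are safe."""
    if ntpath.isabs(name):
        return name if layout.has(name) else None
    for d in search_order(layout, policy, dll_dir_cleared):
        candidate = ntpath.join(d, name)
        if layout.has(candidate):
            return candidate
    return None


def plantable(names, layout):
    """Base names that no directory ahead of the CWD supplies, so the search
    falls through to wherever the data file lives: what an audit tool reports
    and what an attacker plants next to the bait file."""
    ahead = [APP_DIR] + SYSTEM_DIRS
    return [n for n in names
            if not ntpath.isabs(n)
            and not any(layout.has(ntpath.join(d, n)) for d in ahead)]


# Constructed scenario: player.exe opens song.mp3 from a share on which the
# attacker also dropped codec.dll, a name the player probes for but never ships.
SHARE = r"\\fileserver\music"
LAYOUT = Layout(
    files=[
        ntpath.join(APP_DIR, "player.exe"),
        r"C:\Windows\System32\kernel32.dll",
        r"C:\Windows\System32\version.dll",
        ntpath.join(SHARE, "song.mp3"),
        ntpath.join(SHARE, "codec.dll"),    # planted
    ],
    cwd=SHARE,
)
PROBED = ["kernel32.dll", "version.dll", "codec.dll"]

if __name__ == "__main__":
    print("plantable from CWD      :", plantable(PROBED, LAYOUT))
    print("default policy          :", resolve("codec.dll", LAYOUT))
    print("CWDIllegalInDllSearch=2 :", resolve("codec.dll", LAYOUT, policy=CWD_BLOCK_REMOTE))
    print("SetDllDirectory('')     :", resolve("codec.dll", LAYOUT, dll_dir_cleared=True))
    print("full path               :", resolve(ntpath.join(APP_DIR, "codec.dll"), LAYOUT))
```

The model deliberately leaves out what does not change the point: KnownDLLs (which bypass the search entirely), LOAD_WITH_ALTERED_SEARCH_PATH, manifests and side-by-side assemblies. The practical reading is the one in the advisory: audit which names your application asks for by bare name and does not find in its own or the system directories, then either ship them, load them by full path, or take the CWD out of the search.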
| Corporate Identity Theft Used to Obtain Code Signing Certificate Last week, the lab identified a curious set of spammed malware: files signed with a valid Authenticode code signing certificate. This is something we've seen before. But this case seemed odd because the contact information appeared very genuine. Usually a valid but malicious certificate uses clearly bogus or dubious details. I searched for a company that matched the name and address in the certificate and found a small consulting firm that provides services related to industrial process control and optimization. I contacted the company and asked them whether they were aware that their code signing certificate had been stolen. The case became more interesting to me when they responded that they do not have any code signing certificates. In fact, they don't produce software, so they don't have anything to sign. Clearly someone else had obtained the certificate in their name; they had been the victim of identity theft. I investigated the case with the help of the victim and Comodo, the Certification Authority that had signed the fraudulent certificate. I discovered that the certificate had been requested in the name of an actual employee and that Comodo had used both phone call verification and e-mail. The fraudster had access to the employee's e-mail, and the phone call verification either ended up with the wrong person or there was some misunderstanding. So the phone check offered no prevention in this case. Comodo has revoked the fraudulent certificate, and any files signed with that certificate will be blocked automatically. Also during the investigation I learned that the compromised employee had received a phone call from Thawte, another CA. Thawte asked if she had requested a code signing certificate in the company's name, to which she had answered "no", and Thawte then aborted the certification process. 
So it seems that the malware authors tried multiple CAs until everything fell into place in gaming the application process. This case gives cause for serious concern about the trustworthiness of code signing in general. When scammers have access to a company's e-mail, it is very difficult for a CA to verify whether a request coming from the company is genuine. Mistakes will also happen in the future. It is very likely that we'll see more of these cases in which an innocent company with a good reputation is used as a proxy for malware authors to get their hands on valid certificates. Certification Authorities already have measures to pass on information about suspicious certification attempts and other kinds of system abuse. However, these systems are maintained by humans and are thus fallible, and we have to accept the fact that with the current system, certificates are not 100% proof of a file's origin. The current situation of a single entity being served by several certification authorities is not good from a security point of view. Certification Authorities should have a process similar to that for domain names, where a single domain name, for example f-secure.com, can be hosted by only one registrar at a time. Likewise, code signing or SSL certificates should be allowed to be signed by only one CA at a time. So if someone would like to get a certificate in the name of F-Secure, they would only be able to get it from the same CA where F-Secure currently gets its certificates, which has an existing business relationship with F-Secure, and thus any new certification requests would be verified with existing business contacts. For this to be possible, the CAs would need a central information resource. The current model of any CA being able to issue a certificate in any name is simply never going to be secure, as there are far too many possibilities for scams and social engineering. 
For those interested in hearing more about code signing abuse, I will be giving a presentation at the T2 Information Security conference in October. Signing off, Jarno On 25/08/10 At 12:46 PM |
| I May Never Text Again: More Facebook Spam Today we have an example of yet another Facebook spam (YAFS). This particular spam links to a Facebook Page called "I May NEVER T�XT AGAIN After Reading THI$!!". As you can see, there are over 200 thousand likes. The Facebook user must click the Like button in order to continue. But not really. Let's skip step 1 and view the selection source instead. Step 2 requests (but doesn't enforce) sharing the Page, and step 3 provides a link to Blogger. JavaScript for CPAlead (an affiliate marketing vendor) kicks in when you visit the Blogger page. This actually surprised us, as we wouldn't have expected Google to allow this sort of thing on a page hosted at blogspot.com. In order to view the Blogger page, you have to fill out a survey. But not really. A browser add-on such as NoScript can be used to disable the JavaScript and view the page. Adblock Plus also works. The "Never Texting Again" blog looks like this once you disable the survey. The Blogger page was created in May 2010 and simply copies this switched.com article from September 2008. So how many people filled out the survey in order to view the page? That's difficult to say, as there aren't any counters on the page. Another similarly themed spam link from June 29th offers a hint: There were nearly 300 thousand clicks on the bit.ly link… But remember — clicks don't equal conversions. The bit.ly statistics show that the link was only liked 3048 times. That's just a one percent conversion rate from clicks to Likes (step 1 to step 2). And as we mentioned yesterday, even fewer people appear to fill out the surveys (step 3). Yes. The links do "spread virally". But as a wise man once wrote: Don't Panic! The links are just spam, and the majority of people recognize them as such — just like e-mail spam, which also links to surveys, scams, and dubious offers. 
This spammer has several Blogger pages, and they all seem to fit Google's definition of spam. So we reported the entire account to Google. Done, and done. We don't really care for the sort of "news" that CPA spammers continue to hype — and you probably don't either — but perhaps you have a friend that frequently falls for this sort of spam? Then check out Bypass Facebook Fan Pages. The site tracks Facebook spam and links to the material on which the CPA affiliates are trying to capitalize. They also have a Twitter account. Cut the spammers out of the loop. On 24/08/10 At 04:50 PM |