i2 Security Blog

Keeping you up to date on the world of IT Security


New Year Selena Gomez Facebook Scam

So it's the start of 2012 and the first of many Facebook scams has begun.  It involves Selena Gomez and tempts you to see some ‘possibly’ naughty leaked video.

The link includes the words:

Selena Gomez Caught On (LEAKED Tape) 
 you will lost your all respect for Selena Gomez after watching this

Clicking the wall post link takes you to the following page designed to look like Facebook:

Clicking the play button loads a “share” box allowing you to spread the scam message to your friends. The following survey scam also loads:

Note: Scams like this often use multiple domains, so you may see a variation in the landing pages and scam messages.

Dealing with the Scam:

If you did make the mistake of sharing the scam link, then you are now spamming your friends with the very same message. Clean up your newsfeed and profile to remove references to the scam (click the “x” in the top right-hand corner of the post).

Never complete surveys to unlock videos or other content on Facebook. Scammers use these tricks to either spread malware, obtain personal identification or earn commissions from marketing companies. Don’t pad their pocket and possibly open yourself up to harm!

Some of the surveys require you to download files to your computer. Never do this! If you did so in error, then run a complete system scan with a good anti-virus software program. The I.Q. Quiz scam has been around for a while, and it typically requires you to enter your cell phone number to receive the results. The scammers then bill you for premium services. Keep an eye on your phone bill for bogus charges.

Yet another Facebook Worm

Today another new attack on Facebook users, involving the Zeus bot, has come into action. Researchers at Danish security firm CSIS have spotted a worm spreading within the Facebook platform. The new worm has popped up on Facebook, using apparently stolen user credentials to log in to victims’ accounts and then send out malicious links to their friends. The worm also downloads and installs a variety of malware on users’ machines, including a variant of the Zeus bot.


If followed, the link takes potential victims to a page where they are offered what appears to be a screensaver for download. Unfortunately, it is not a JPG file, but an executable (b.exe). Once run, it drops a cocktail of malicious files onto the system, including ZeuS, a popular Trojan spyware capable of stealing user information from infected systems. The worm is also found to have anti-VM capabilities, making it useless to execute and test in a virtual environment, such as Oracle VM VirtualBox and VMware.

Zeus is a common tool in the arsenal of many attackers these days, and is used in a wide variety of attacks and campaigns now. It used to be somewhat less common, but the appearance of cracked versions of the Zeus code has made it easier for lower-level attackers to get their hands on the malware. Zeus has a range of capabilities, and specialises in stealing sensitive user data, such as banking credentials, from infected machines.

“The worm carries a cocktail of malware onto your machine, including a Zbot/ZeuS variant which is a serious threat and stealing sensitive information from the infected machine,” warn the researchers. The worm is hosted on a variety of domains, so the link in the malicious message may vary. Other servers are used to collect the data sent by the malware and to serve additional malicious software.
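
The mismatch described above (a download presented as an image that is really a Windows executable) can be caught by looking at the file's leading bytes instead of its name. The following is an added example, not code from CSIS or the original post; the function names, the advertised file names and the sample byte buffers are constructed for illustration.

```javascript
// Added example: compare what a download claims to be with what its bytes say.
// Function names and sample buffers are constructed for illustration.

const IMAGE_EXTENSIONS = new Set(["jpg", "jpeg"]);

// Identify a file from its leading bytes rather than its name.
function sniffType(bytes) {
  const b = Buffer.from(bytes);
  // JPEG files start with the SOI marker FF D8 followed by FF.
  if (b.length >= 3 && b[0] === 0xff && b[1] === 0xd8 && b[2] === 0xff) {
    return "jpeg";
  }
  // Windows executables start with "MZ"; the 4-byte field at 0x3C points
  // to the "PE\0\0" signature.
  if (b.length >= 0x40 && b[0] === 0x4d && b[1] === 0x5a) {
    const peOffset = b.readUInt32LE(0x3c);
    const hasPeSig =
      peOffset + 4 <= b.length &&
      b.subarray(peOffset, peOffset + 4).equals(Buffer.from("PE\0\0", "latin1"));
    return hasPeSig ? "pe-executable" : "mz-stub";
  }
  return "unknown";
}

// Flag a download whose advertised name says "image" but whose content is
// not, and block anything whose content or saved name is executable.
function assessDownload(advertisedName, savedName, bytes) {
  const ext = (name) => name.toLowerCase().split(".").pop();
  const actual = sniffType(bytes);
  const claimedImage = IMAGE_EXTENSIONS.has(ext(advertisedName));
  const executable = actual === "pe-executable" || actual === "mz-stub";
  return {
    actual,
    mismatch: claimedImage && actual !== "jpeg",
    block: executable || ext(savedName) === "exe",
  };
}

// Constructed samples: a minimal JPEG header and a minimal MZ/PE header.
const sampleJpeg = Buffer.from([0xff, 0xd8, 0xff, 0xe0, 0x00, 0x10]);
const samplePe = Buffer.alloc(0x80);
samplePe.write("MZ", 0, "latin1");
samplePe.writeUInt32LE(0x40, 0x3c);
samplePe.write("PE\0\0", 0x40, "latin1");

console.log(assessDownload("holiday.jpg", "holiday.jpg", sampleJpeg));
console.log(assessDownload("screensaver.jpg", "b.exe", samplePe));
```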

As always, be very wary of any links that are posted to you on Facebook, even if they appear to be from your friends.  Also, if you receive any emails asking for login details or banking details, or even if they just request your name and address, be very wary.

  • If you haven’t asked for a password reset then a company won’t have sent you an email asking you to reset your password.
  • If you haven’t made a banking transaction recently then your bank won’t be cancelling it.
  • etc etc etc

Facebook promises ‘consequences’ for smut scammers!

Facebook officials have tracked down the scammers responsible for filling the social network with images depicting bestiality, self-mutilation and other depravity, and are vowing to seek justice.


Facebook has blamed the extreme smut on a “self-XSS vulnerability in the browser” that tricked users into pasting and executing malicious JavaScript in their address bars and caused them to unknowingly share this content. Many victims have reported that the highly offensive content is visible to others but not to the user whose account was used to spread it.


According to reports published by PCMag.com and ZDNet, Facebook officials have also figured out who is behind the attack. Both reports cited the same statement from a Facebook PR representative that says:

“In addition to the engineering teams that build tools to block spam we also have a dedicated enforcement team that has already identified those responsible and is working with our legal team to ensure appropriate consequences follow.”


Facebook has yet to elaborate on key details of the ongoing attack. It’s still unknown if the cross-site scripting vulnerability is unique to a particular browser and how many of its 800 million users have been affected.

Security firm Zscaler has a primer on self-inflicted JavaScript injection on their website. In the post, researcher Mike Geide said the most common ploy in the ongoing deluge comes from malicious Facebook groups that ask users to join and then enter JavaScript into their URL bar.


The scripts contain obfuscated code that generates invite messages to all of a user’s Facebook friends and includes an invisible link which has now been taken down.
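
Because the attack relies on the victim pasting text that the browser treats as a javascript: URL, one defensive check is to classify pasted text by its parsed scheme rather than by a literal prefix. This is an added example, not code from Facebook, Zscaler or the original post; the function names and sample strings are constructed, and alert(1) is a harmless stand-in for the script.

```javascript
// Added example: recognise pasted text that would run as a javascript: URL.
// Function names and sample inputs are constructed for illustration.

// Parse the way a browser does: the WHATWG URL parser trims leading and
// trailing whitespace, drops tabs and newlines, and lowercases the scheme.
function schemeOf(text) {
  try {
    return new URL(text).protocol;
  } catch {
    return null; // not an absolute URL, e.g. plain text or a search term
  }
}

// Remove every leading javascript: scheme so the remainder is inert text.
function neutralise(text) {
  let rest = text;
  while (schemeOf(rest) === "javascript:") {
    rest = rest.slice(rest.indexOf(":") + 1);
  }
  return rest;
}

function classifyPaste(text) {
  const isScript = schemeOf(text) === "javascript:";
  return {
    isScript,
    // A literal prefix test is what simple filters do; record when it fails.
    missedByPrefixCheck: isScript && !text.startsWith("javascript:"),
    safeText: isScript ? neutralise(text) : text,
  };
}

// Constructed samples; alert(1) stands in for the obfuscated script.
const samples = [
  "javascript:alert(1)",
  "  JaVaScRiPt:alert(1)",
  "java\tscript:alert(1)",
  "javascript:javascript:alert(1)",
  "https://www.facebook.com/",
  "how do I see who viewed my profile",
];
for (const s of samples) console.log(JSON.stringify(s), classifyPaste(s));
```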

TopShop Facebook Scam

Only the other week I reported about the Tesco, Argos and ASDA Facebook scams that were circulating.  They were offering you money in return for ‘Liking’ them on Facebook.


The scam detailed here has shown up again, this time using TopShop as the famous retailer who is ‘supposedly’ offering money. Do not do as they ask, as you will not be getting anything in return.  Read my earlier post about the Tesco, Argos and ASDA scam.

Tesco, Argos, ASDA Facebook Scams

Well, it's almost Xmas and the Facebook scams are rife.  Over the last few days we have seen ASDA, Argos and now Tesco hit by Facebook scams offering people £500 for ‘liking’ them on Facebook and following links.

This hit ASDA recently, Argos a few days ago and now Tesco is the favourite.  The same scammers are probably responsible for all of these campaigns and are just using different retailers to refresh the scam.

Facebook users are tricked into sharing the link with their online friends, in the belief that they will win a prize. Of course, the more that the link is shared the more traffic is driven to a website of the scammers’ own choosing – and they earn commission every time they trick users into filling in an online form requesting personal information.

Tens of thousands of users have already been duped – proving just how easy it is to be conned into sharing “special offer” links.
Of course, Argos, ASDA and Tesco have nothing at all to do with the scheme – but it’s their brand names which are being besmirched.

If you were fooled into participating in this scam remove the message from your newsfeed, so you are no longer spreading it with your online chums.

Facebook accused of violating US wiretap laws

A lady from Mississippi in the USA has accused Facebook of violating US federal wiretap laws by tracking her internet browsing history.  She states this happened even when she wasn’t logged into the social networking site.

In the lawsuit filed on Wednesday, Brooke Rutledge of Lafayette County, Mississippi also claims breach of contract, trespassing, invasion of privacy and unjust enrichment.  Class action status has been set so that other users can join in the lawsuit.  This comes a few weeks after an Australian blogger published evidence that Facebook could track users’ browsing habits even when not logged into the site.


Sick Facebook scammers try to exploit the death of a genius

As always in the world we live in, it hasn’t taken long for the scammers to try to exploit a sad world event, the passing away of Steve Jobs.

The scammers are telling people that an unnamed company is giving away 50 iPads in memory of the Apple genius.  Victims are asked to follow a link and complete a survey to qualify for the prize.

The offer is obviously a fake one and so far over 15000 users have followed the link, according to reports from the security company Sophos.
The scammers are aiming to make money from affiliate links: they make more money the more people they drive to certain websites, such as gambling, contest and survey sites.  Obviously they could just as easily point you to sites hosting malicious content, but in this particular scam all the pages you are redirected to are of the types mentioned above.

I think we can expect a few more of this type of scam over the coming days, as these scams always seem to surface after an event like this.
Just be careful of the links you click on, never give away your personal details, logins, bank details etc., and try to keep all your anti-virus and other software up to date.

Facebook adds Websense Phishing Filters

Facebook has announced it is stepping up its efforts to help users of the site protect themselves from malicious or phishing links posted within their site.
Phishing links often lead to username and password theft.

As of next week users will be warned if they are about to be taken to a malicious website when following a link. This has been made possible by partnering with security firm Websense.  The current setup already alerts users if they are about to visit another website, but there is no distinction as to whether that is a friendly or malicious website.

The new technology will show a warning screen whenever the system thinks there is a risk. From this screen users can return to the Facebook page or continue on to the linked website, at their own risk.

The protection will be powered by Websense’s “Threatseeker Cloud”, a system which stores a database of known malicious URLs.

Facebook WON'T charge for access

There has been a lot of activity on Facebook over the last few days with people contacting all of their friends worried that Facebook will soon be charging to use it.  I have seen lots of ‘status updates’ where people have been told if they update their status with the information then they will not be charged an ongoing fee.

I would just like to say that this ‘Hoax’ has been doing the rounds for a long time now and rears its head every now and then.  But DON’T WORRY, Facebook has always said it will NEVER charge and to be honest they make enough money already from all the advertising.  In my opinion if they start to charge then they would lose customers at an alarming rate, even for a site the size of Facebook.

Now, although not really a security issue, it brings me onto something similar that is: CHAIN EMAILS. I know we all get a lot of these on a regular basis and many people feel as though they just have to act upon them and send them on to all of their friends, or whatever the instructions tell you to do.  These are all “hoaxes” as well; all they do is fill up mailboxes on servers, use up server resources and flood networks with junk that should just be deleted.

So next time you get a chain email telling you that “unless you forward it onto 20 of your friends the chain will be broken and you will receive bad luck for the next 7 years and never win the lottery”,  just delete it, that way the email telling you that you have won may actually make it through the system to your inbox 🙂