FYI...Fake Facebook 'Account Verification' Scam/SPAM
Jan 28, 2014 - "Message purporting to be from the "Facebook Verification Team" claims that users must verify their profiles by March 15th 2014 to comply with the SOPA and PIPA Act. The message is a -scam- and -not- from any official Facebook Verification Team. Those who follow the link will be tricked into installing a rogue Facebook app and participating in -bogus- online surveys. Some variants may attempt to trick users into divulging their Facebook email address and password to criminals. Example:
Warning: Announcement from Facebook Verification Team:
All profiles must be verified before 15th March 2014 to
avoid scams under SOPA and PIPA Act.
Verify your Account by steps below
Invite your friends.
According to a message currently moving round Facebook, all users must verify their profiles by March 15th 2014 in order to comply with the SOPA and PIPA Act. The message, which comes in the form of a graphic, claims to be an announcement from the "Facebook Verification Team". Users are instructed to click an "Invite your Friends" button to begin the verification process... Users who fall for the ruse and click the button will first be asked to give a Facebook application permission to access their details. Once installed, this rogue app will spam out more fake messages in the name of the user. Victims will then be taken to another fake page where they are again told that they must verify their account by clicking a further link. However, clicking the link takes them to various survey pages or tries to entice them to sign up for online games. Many of the surveys claim that users must provide their mobile phone number to enter in a prize draw. But, by giving out their number, users are actually signing up for very expensive SMS "subscriptions" charged at several dollars per message sent. Other surveys may ask victims to provide personal and contact information that will later be shared with third parties and used to inundate them with junk mail, emails, phone calls and text messages. The scammers responsible for the bogus "verification" messages will earn commissions via dodgy affiliate marketing systems each and every time a person participates in a survey or provides their personal information in an online "offer". Reports indicate that some versions of the scam may try to trick victims into divulging their account login details to criminals. The criminals can then -hijack- the compromised accounts and use them to distribute further scam messages..."
___Fake RingCentral Fax msg SPAM
28 Jan 2014 - "This -fake- RingCentral fax spam has a malicious attachment:
Date: Tue, 28 Jan 2014 14:28:24 +0000 [09:28:24 EST]
From: Sheila Wise [client@ financesup .ru]
Subject: New Fax Message on 01/22/2013
You Have a New Fax Message
From: (691) 770-2954
Received: Wednesday, January 22, 2014 at 11:31 AM
To view this message, please open the attachment
Thank you for using RingCentral.
Attached is a file fax.zip which in turn contains a malicious executable fax.doc.exe with an icon to make it look like a Word document. The VirusTotal detection rate for the document is 10/50*, and the Malwr analysis** shows an attempted callback to ren7oaks .co .uk on 220.127.116.11 (Enix Ltd, UK). The executable then downloads an apparently encrypted file..."
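The fax.doc.exe trick above (a document-looking name on an executable inside a zip) is easy to screen for at the mail gateway. The following is an added example, not code from the original post or from RingCentral; the archive it inspects is a constructed stand-in with a dummy MZ stub, and the extension lists are my own assumptions.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Extensions Windows executes on double-click (assumed list, extend as needed).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
# Extensions a lure typically imitates, as in "fax.doc.exe".
DOCUMENT_EXTS = {".doc", ".docx", ".pdf", ".xls", ".xlsx", ".txt", ".jpg"}


def inspect_attachment(zip_bytes: bytes) -> list:
    """Return (member_name, reason) for zip members that look like disguised executables."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            suffixes = [s.lower() for s in PurePosixPath(info.filename).suffixes]
            if not suffixes:
                continue  # directory entry or extensionless member
            last = suffixes[-1]
            if last in EXECUTABLE_EXTS:
                if len(suffixes) >= 2 and suffixes[-2] in DOCUMENT_EXTS:
                    findings.append((info.filename, f"document extension {suffixes[-2]} hides executable {last}"))
                else:
                    findings.append((info.filename, f"executable member {last}"))
                continue
            # Name claims a non-executable type, but the content starts with the DOS/PE "MZ" header.
            with zf.open(info) as member:
                if member.read(2) == b"MZ":
                    findings.append((info.filename, "MZ header under non-executable name"))
    return findings


def constructed_sample() -> bytes:
    """Constructed stand-in for the fax.zip lure: a tiny MZ stub named fax.doc.exe (not real malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("fax.doc.exe", b"MZ" + b"\x00" * 62)
        zf.writestr("readme.txt", b"Thank you for using RingCentral.")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in inspect_attachment(constructed_sample()):
        print(f"{name}: {reason}")
```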
___Fake flash update via .js injection and SkyDrive
28 Jan 2014 - "... ongoing injection attacks that were leading to Adscend Media LLC ads. Adscend say that the affiliate using their ad system was banned, although the ad code is -still- showing in the injection attacks themselves. F-Secure also covered the attacks* from a different aspect... this infection is -still- current..." (More detail at the dynamoo URL above.)
___Fake Flash Update aimed at Turkish users
Jan 27, 2014 - "... A recent attack that we found starts off with a video link sent to users via Facebook’s messaging system (sent in Turkish). This “video” prompts users to install a Flash Player update; it actually installs a browser extension that blocks access to various antivirus sites. It also sends a link to the “video” to the victim’s Facebook friends via the messaging system, restarting the cycle. This targeting appears to have worked: based on feedback from the Smart Protection Network, 93% of those who accessed pages related to this attack were from Turkey. The browser extension pushed to users was in the format used by Chromium-based browsers like Google Chrome. It would -not- work in other browsers, like Internet Explorer and Mozilla Firefox. It also stops the user from accessing the extension settings page, to prevent the user from removing or disabling the extension.
... The fake update, detected as TROJ_BLOCKER.J, installs the extension (detected as JS_BLOCKER.J) that blocks the antivirus websites. JS_BLOCKER.J then downloads a malicious script which is used to send the Facebook messages with the link to the video. This script is detected as HTML_BLOCKER.K. In addition to Facebook messages, Twitter accounts “promoting” this page were also spotted:
Turkey is one of the world’s most active Facebook-using countries, with 19 million daily active users and 33 million monthly active users... this attack’s behavior – blocking antivirus sites – ... would leave them vulnerable to future attacks..."
___Malformed FileZilla - login stealer
Jan 27, 2014 - "Beware of malformed FileZilla FTP client versions 3.7.3 and 3.5.3. We have noticed an increased presence of these malware versions of famous open source FTP clients. The first suspicious signs are bogus download URLs. As you can see, the installer is mostly hosted on -hacked- websites with -fake- content (for example texts and user comments are represented by images.)
Malware installer GUI is almost identical to the official version. The only slight difference is version of NullSoft installer where malware uses 2.46.3-Unicode and the official installer uses v2.45-Unicode. All other elements like texts, buttons, icons and images are the same. The installed malware FTP client looks like the official version and it is fully functional! You can’t find any suspicious behavior, entries in the system registry, communication or changes in application GUI.
The only differences that can be seen at first glance are smaller filesize of filezilla.exe (~6,8 MB), 2 dll libraries libgcc_s_dw2-1.dll and libstdc++-6.dll (not included in the official version) and information in “About FileZilla” window indicates the use of older SQLite/GnuTLS versions. Any attempt to update the application fails, which is most likely a protection to prevent overwriting of malware binaries.
We found a hardcoded connection detail stealer after deeper analysis. Malware authors abuse open source code and add their own stealer function to the main code... The algorithm is part of a malformed FileZilla.exe binary, therefore sending stolen login details which bypasses the firewall. The whole operation is very quick and quiet. Login details are sent to attackers from the ongoing FTP connection only once. Malware doesn’t search bookmarks or send any other files or saved connections... Malware authors use very powerful and inconspicuous methods to steal FTP login credentials in this case... We -strongly- recommend to download any software only from official, well-known or trusted sources. Avoid strange looking websites and portals offering software via their own downloaders or installers containing bundled adware and PUP applications