OMG [username] You Should Untag Yourself in This Video

There is currently a new spam campaign spreading across Facebook. The spam has an appearance similar to the following:

It is worth mentioning that the app_id in the requests is “6628568379”, which may cause the post to look as though it was sent from an iPhone when this is not the case. This is done to give an appearance of further credibility to the scam.

The message may vary slightly, as it is randomly generated by combining one option from each of the following three parts:

Part one:

  • hey
  • HEY
  • OMG
  • omg
  • omg!
  • OMG!!
  • WTF
  • wtf
  • wtf!!
  • WTF!!
  • YO
  • yo
  • YO!

Part two:

  • I can't believe you're
  • i cant believe youre tagged
  • what are you doing
  • why are you
  • why are you tagged
  • you look so stupid
  • you should untag yourself

Part three:

  • in this vid
  • in this video

When the video is clicked, malicious JavaScript is copied to the clipboard and the user is asked to paste (“Ctrl+V”) this into the address bar and press “Enter”.

Next, the following message is displayed, which has the Facebook “look and feel”; don’t be fooled – filling out the survey doesn’t verify anything; it just nets a survey fee for the spammers.

Unfortunately, the spam video link is also sent to everyone in your friends list in an attempt to keep the campaign spreading.

Be vigilant when you come across messages like these and if you do happen to click on the link, it would be advisable to remove it from your wall or mark it as spam so that other users aren’t duped by the same trick!

Facebook engineers have been working diligently on the self-cross-site scripting problem; not only have enforcement mechanisms been pursued to shut down the malicious pages and fake accounts, but also Facebook has been putting affected users through educational checkpoints to help curb the spread of the attacks. Additionally, backend measures exist to slow the rate of these attacks and we are always iterating on new ways to proactively protect users.

Think before you click, don't paste code into your address bar, and keep your software up-to-date.

Thanks to Karthik Selvaraj for drawing attention to this new spam campaign.

Why are you tagged in this video? It’s a viral Facebook scam

Facebook users have been hit by another fast-spreading scam today, pretending to be a link to a YouTube video that they have been tagged in.

The scam messages use potential victims’ first names, claiming that they have been tagged in the “Youtube” video.

Phrases used in the attack include:

YO [name] why are you tagged in this video

WTF!! [name] why are you tagged in this video

hey [name] i cant believe youre tagged in this video

hey [name] you look so stupid in this video

omg! [name] why are you tagged in this vid

OMG [name] why are you in this video

OMG [name] you should untag yourself in this video
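The three-part template and the phrases listed above can be turned into a matcher for filtering or triaging wall posts. This is an added example, not code from either write-up; the function names, the `caption` and `duration` parameters and the score weights are assumptions made for illustration.

```python
import re

# Fragment lists as published above, lower-cased and de-duplicated.
PART_ONE = ["hey", "omg", "omg!", "omg!!", "wtf", "wtf!!", "yo", "yo!"]
PART_TWO = ["i cant believe youre", "i cant believe youre tagged",
            "what are you doing", "why are you", "why are you tagged",
            "you look so stupid", "you should untag yourself"]
PART_THREE = ["in this vid", "in this video"]


def _alt(options):
    # Longest option first; any run of whitespace may separate the words.
    ordered = sorted(options, key=len, reverse=True)
    return "|".join(r"\s+".join(map(re.escape, o.split())) for o in ordered)


# Part one, the recipient's name (one or two tokens), part two, part three.
LURE = re.compile(
    r"^\s*(?P<p1>%s)\s+(?P<name>\S+(?:\s+\S+)?)\s+(?P<p2>%s)\s+(?P<p3>%s)\b"
    % (_alt(PART_ONE), _alt(PART_TWO), _alt(PART_THREE)),
    re.IGNORECASE,
)


def match_lure(text):
    """Return the matched template pieces, or None if text is not the lure."""
    # Drop straight and curly apostrophes so "can't" and "cant" compare equal.
    m = LURE.search(re.sub("['\u2019]", "", text))
    if m is None:
        return None
    out = {k: " ".join(m.group(k).lower().split()) for k in ("p1", "p2", "p3")}
    out["name"] = m.group("name")
    return out


def score_post(text, caption="", duration=""):
    """Assumed weights: template hit 2, 'Youtube' spelling 1, 2:34 length 1."""
    score = 2 if match_lure(text) else 0
    score += 1 if "Youtube" in caption else 0  # case-sensitive on purpose
    score += 1 if duration == "2:34" else 0
    return score
```

Matching is case-insensitive, so it also catches capitalisation variants of part one that are not in the published list.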

Each “video” has a random number of views and likes, but the length of the movie always appears to be 2:34. Eagle-eyed Facebook users might realise something is awry when they see that the links refer to “Youtube” rather than the rather more accurate “YouTube”.

But if you do make the mistake of clicking on the video thumbnail you will be taken to a webpage which tries to trick you into cutting-and-pasting a malicious JavaScript code into your browser’s address bar (this appears to be one of the scammers’ favourite methods of attack at the moment).

You have to concede, it’s a cunning piece of social engineering by the bad guys. Wouldn’t you want to see a video that your Facebook friends say you have been tagged in?

If you’re a regular user of Facebook, make sure you join the Sophos page on Facebook to be kept informed of the latest security threats.

Hat tip: Thanks to Naked Security reader Ken for sending us a tip about this latest Facebook attack.

UK Government under cyber-attack says Chancellor George Osborne

George Osborne MP, the UK’s Chancellor of the Exchequer, has said that British government computers are on the receiving end of over 20,000 malicious email attacks every month.

In a keynote address at the Google Zeitgeist event in London today, Osborne claimed that foreign intelligence agencies are responsible for many of the attacks, with the intention of stealing sensitive information.

Here’s part of what he said:

In any given month there are over 20,000 malicious emails sent to government networks.

Here is a salient story from my time as Chancellor.

During 2010, hostile intelligence agencies made hundreds of serious and pre-planned attempts to break into the Treasury’s computer system.

In fact, it averaged out as more than one attempt per day.

This makes the Treasury one of the most targeted departments across Whitehall.

At some point last year, a perfectly legitimate G20-related email was sent to HM Treasury and some other international partners.

Within minutes it appeared that the email had been re-sent to the same distribution list.

In fact, in the second email the legitimate attachment had been swapped for a file containing malicious code.

To the recipient it would have simply looked like the attachment had been sent twice.

Fortunately, our systems identified this attack and stopped it.

The full text of George Osborne’s speech can be read here.

The “20,000 malicious emails sent to government networks” statistic is getting a lot of press, but actually it’s the same as the one revealed last year by the director of the UK Government’s Communications Headquarters (better known as GCHQ).

At that time it was claimed that 5% of the attacks (1,000 a month) were specifically targeted against government departments.

Earlier this year, UK Home Secretary William Hague revealed that attackers had successfully infected government departments with the Zeus trojan (also known as “Zbot”).

Of course, most of the attacks said to be hitting the UK government are hitting other organisations and businesses around the world too. Governments and firms alike face the challenge of keeping their systems secure, and their sensitive data out of the hands of cybercriminals.

Does the UK government keep its systems properly up-to-date?

Clearly up-to-date security software has an important part to play in all this, but I would recommend that the British government also takes a close look at its computers and applications to ensure that they are properly patched against vulnerabilities.

One key question I would pose, for instance, is whether the web browser and PDF viewer being used by the British Government is properly up-to-date and patched. That’s even before we consider Microsoft Office, Java, Adobe Flash, and so on ad nauseam.

In early 2010, the British Government was strongly criticised for its unwillingness to upgrade from the chronically insecure Internet Explorer 6, and thousands of people signed a petition calling on government departments to upgrade their browsers.

In October last year, the Home Office announced plans that it would at last upgrade to Internet Explorer 8.

It’s unclear whether all UK Government departments are now up-to-date in the browsers and other applications they use, but it seems to me that, if their computers are being attacked by foreign powers with boobytrapped documents and dangerous links, to do anything less would be negligent in the extreme.

Spammers Claim Wikipedia for Pharma Fakes

Last year, phishers targeted Wikipedia with a large number of spam emails that directed unsuspecting users to a fraudulent Wikipedia website. Currently, we are observing a new spam tactic being used, which targets the Wikipedia name for the promotion of fake pharmaceutical products.

In the last couple of days, we have observed various spam email messages that use a wiki template to promote bogus online pharmacies. The “Subject” line in these attacks has a lot of randomization. The “From” header is either fake or a hijacked ISP account that gives a personalized look to the email.

Below are some subject lines that were observed in the spam samples:

Subject: wWIKIp
Subject: kWIKIx
Subject: yWIKIg
Subject: hWikiPharmacyl
Subject: oWikiPharmacyp
Subject: uWikiPharmacym


In the image shown above, spammers are promoting pharmacy products at a discounted price using a wiki-style layout. The Web page pretends to be that of “WikiPharmacy”. The volume of spam in this latest attack is quite high. Needless to say, Wikipedia’s popularity and vast knowledge base are being exploited here. Users have to be very careful not to enter any personal details on these fake sites.

Here are some of the URL patterns seen in these samples:

http://cinar. [removed]
http://jmleml. [removed].com/wiki14.html
http:// [removed]
http:// [removed].com/wiki15.html    
http://web164892.web23. [removed].net/wiki15.html

A careful look at the “Subject” line is sufficient to identify this type of spam. However, don’t throw caution to the wind when performing online transactions. Beware of prowling predators who are waiting to pounce on casual netizens. Update your antivirus signatures regularly—Symantec’s antispam technologies identify all such tricks and protect users from such annoying spam emails.
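The subject-line check described above, combined with the `wikiNN.html` landing-page pattern, can be written as a small mail filter rule. This is an added example, not Symantec's detection logic; the function names and the sample message (including its `example.invalid` addresses) are constructed for illustration.

```python
import re
from email import message_from_string

# One random lower-case letter, the brand token, one random lower-case letter,
# as in the observed subjects (wWIKIp, hWikiPharmacyl, ...).
SUBJECT_RE = re.compile(r"^[a-z](WIKI|WikiPharmacy)[a-z]$")
# Landing pages in the observed URLs end in wiki<number>.html.
URL_RE = re.compile(r"https?://\S+?/wiki\d+\.html\b", re.IGNORECASE)


def _body_text(msg):
    """Concatenate all text parts, decoding any transfer encoding."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_maintype() != "text":
            continue
        raw = part.get_payload(decode=True) or b""
        chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def classify(raw_message):
    """Return the list of indicators ('subject', 'url') found in the message."""
    msg = message_from_string(raw_message)
    hits = []
    if SUBJECT_RE.match((msg.get("Subject") or "").strip()):
        hits.append("subject")
    if URL_RE.search(_body_text(msg)):
        hits.append("url")
    return hits


# Constructed sample, modelled on the subjects and URL shapes listed above.
SAMPLE = (
    "From: someone@example.invalid\n"
    "Subject: hWikiPharmacyl\n"
    "\n"
    "Save today: http://shop.example.invalid/wiki15.html\n"
)
```

Requiring both indicators before quarantining keeps legitimate mail that merely mentions a wiki out of the spam folder.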

Note: My thanks to Anand Muralidharan and Amit Kulkarni for their contributions to this blog.