The New Black: Facebook Black Scam Spreads on Facebook

Yesterday, Facebook users may have noticed an influx of their friends posting about something called Facebook Black.

Figure 1. Facebook photo plugging “Faecbook” Black (notice the typo in this image)

Similar to previous scams, users are tagged in a picture that contains a link to an external website. In this case, the link is found within the comments instead of the description field (Figure 1).

Figure 2. Iframe is used to redirect the user to the landing page, briefly displaying this page

If a user clicks on the Facebook link, they are redirected to a Facebook page. This page contains an iframe (Figure 2) that goes through a series of redirects and ultimately lands on a page promoting Facebook Black (Figure 3).

Some of the sites we have observed leading to the Facebook Black landing page include:


Figure 3. Facebook Black Page

Users are then enticed to install a Google Chrome extension (Figure 4).

Figure 4. Fake Chrome extension for Facebook Black

The extension is used to download two JavaScript files that are hosted on Amazon’s Simple Storage Service, Amazon S3 (Figure 5).

Figure 5. Extension downloads more files

These JavaScript files keep the scam spreading through each victim’s account. They do so by creating a new Facebook page on the victim’s account, which contains an iframe pointing to the page that redirects users to the Facebook Black landing page (Figures 6 and 7).

Figure 6. User account contains a new page

Figure 7. Newly created Facebook page contains iframe redirect (Welcome tab)

Ultimately, users who install this Facebook extension are presented with a set of survey scams (Figure 8), which is how the scammers monetize these types of campaigns.

Figure 8. Survey scam pushed after extension is installed

Symantec customers are protected against this attack by our Web Attack: Fake Facebook Application 3 IPS signature and we detect the fake Chrome extension as Trojan Horse.

Google has already removed several of these Chrome extensions and continues to improve its automated detection of malicious extensions. Users who may have been tricked by this scam should uninstall the Chrome extension and delete the Facebook page that was created.

Chameleon botnet steals millions from advertisers with fake mouseclicks

Security researchers have discovered a botnet that is stealing millions of dollars per month from advertisers. The botnet does so by simulating click-throughs on display ads hosted on at least 202 websites. Revealed and dubbed "Chameleon" by the Web analytics firm because of its ability to fool advertisers' behavior-tracking algorithms, the botnet is the first found to use display advertisements to generate fraudulent income for its masters.

In a blog post today, reported that the company had been tracking Chameleon since December of 2012. Simulating multiple concurrent browser sessions with websites, each bot is able to interact with Flash- and JavaScript-based ads. So far, more than 120,000 Windows PCs have been identified—95 percent of them with IP addresses associated with US residential Internet services. The company has issued a blacklist of the 5,000 worst-offending IP addresses that advertisers can use to protect themselves from fraud.

While in many respects the botnet simulates human activity on webpages to fool click-fraud countermeasures, the mouse clicks and mouse-pointer traces it generates across pages are random. This makes it relatively easy to identify bot-infected systems over time. The bot is also unstable because of the heavy load it puts on the infected machine, and its frequent crashes can likewise serve as a signature for identifying infected systems.


iOS passcode bug squashed once again with iOS 6.1.3 release

More than a month after security researchers pointed out a new passcode bug in iOS, Apple has patched it with the release of iOS 6.1.3. The software update, released over the air or via iTunes, is mainly aimed at addressing the security vulnerability that allowed attackers to get around an iOS device's passcode by performing a series of steps. Apple says that iOS 6.1.3 also comes with "improvements to Maps in Japan."

It was mid-February when reports began to spread that an old vulnerability in the iPhone's emergency call feature had resurfaced as part of iOS 6.1. As we wrote at that time, "[w]ith the right sequence of button clicking, it's possible to get to an iPhone user's voicemails, contacts, and photos—even if the iPhone is locked and password protected." A couple weeks later, different researchers pointed out another way to get around the iPhone's lock screen based on the same vulnerability. Apple released iOS 6.1.2 in the meantime, but it did not fix the passcode bug with that update.

As rumored, however, iOS 6.1.3 does in fact address the passcode lock screen vulnerability. Since this is a security concern that could affect many iOS device users, we certainly recommend installing it as soon as you get the chance. But be warned: if you've jailbroken your iOS 6.1.x device, we're hearing that the 6.1.3 update fixes one of the security holes that enables the evasi0n jailbreak. In that case, update at your own risk.


Cisco switches to weaker hashing scheme, passwords cracked wide open

Password cracking experts have reversed a secret cryptographic formula recently added to Cisco devices. Ironically, the "type 4" password algorithm leaves users considerably more susceptible to password cracking than the older alternative it was meant to replace, even though the new routine was intended to enhance the protections already in place.

It turns out that Cisco's new method for converting passwords into one-way hashes uses a single iteration of the SHA256 function with no cryptographic salt. The revelation came as a shock to many security experts because the technique requires little time and computing resources. As a result, relatively inexpensive computers used by crackers can try a dizzying number of guesses when attempting to guess the corresponding plain-text password. For instance, a system outfitted with two AMD Radeon 6990 graphics cards that run a soon-to-be-released version of the Hashcat password cracking program can cycle through more than 2.8 billion candidate passwords each second.

By contrast, the type 5 algorithm the new scheme was intended to replace used 1,000 iterations of the MD5 hash function. The large number of repetitions forces cracking programs to work more slowly and makes the process more costly to attackers. Even more important, the older function added randomly generated cryptographic "salt" to each password, preventing crackers from tackling large numbers of hashes at once.
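The following Python example is added here to illustrate the two properties the article contrasts (a single unsalted SHA-256 versus a salted, iterated hash) and why they change the attacker's cost; it is not Cisco's code, and the salted routine is a simplified stand-in, not Cisco's actual md5crypt construction. The password, salts and counts are constructed sample values.

```python
import hashlib
import os

ITERATIONS = 1000  # iteration count the article attributes to the older type 5 scheme


def type4_like(password: str) -> str:
    # Weak scheme as the article describes it: one SHA-256 over the password, no salt.
    return hashlib.sha256(password.encode()).hexdigest()


def salted_iterated(password: str, salt: bytes, iterations: int = ITERATIONS) -> str:
    # Simplified salted, iterated MD5 chain (a stand-in, NOT Cisco's real md5crypt).
    state = salt + password.encode()
    for _ in range(iterations):
        state = hashlib.md5(state + salt).digest()
    return salt.hex() + "$" + state.hex()


def verify_salted(password: str, stored: str) -> bool:
    # Recompute with the salt stored alongside the digest and compare.
    salt_hex, _ = stored.split("$", 1)
    return salted_iterated(password, bytes.fromhex(salt_hex)) == stored


def hash_ops_to_test(candidates: int, stored_hashes: int, salted: bool,
                     iterations: int = 1) -> int:
    # Cost model: without salt, each candidate is hashed once and checked against every
    # stored hash by lookup; with distinct salts, each candidate must be re-hashed once
    # per stored hash, and each hash costs `iterations` primitive calls.
    if not salted:
        return candidates * iterations
    return candidates * stored_hashes * iterations


def demo() -> dict:
    pw = "correct horse"  # constructed sample password shared by two accounts
    s1 = salted_iterated(pw, os.urandom(8))  # constructed random salts
    s2 = salted_iterated(pw, os.urandom(8))
    return {
        "unsalted_identical": type4_like(pw) == type4_like(pw),  # same hash for both accounts
        "salted_distinct": s1 != s2,                             # different hash per account
        "salted_verifies": verify_salted(pw, s1),
        "ops_weak": hash_ops_to_test(10_000, 500, salted=False),
        "ops_strong": hash_ops_to_test(10_000, 500, salted=True, iterations=ITERATIONS),
    }


if __name__ == "__main__":
    print(demo())
```

With 10,000 guesses against 500 stored hashes, the unsalted single-round scheme costs 10,000 hash calls while the salted, 1,000-iteration scheme costs 5,000,000,000, which is the multiplier the article's "dizzying number of guesses" refers to.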
