Dad catches daughters on webcam: Beware viral Facebook video link

Facebook is being hit by another viral message, spreading between users’ walls disguised as a link to a saucy video.

The messages, which are spreading rapidly, use a variety of different links but all claim to be a movie of a dad catching his daughters making a video on their webcam:

Dad catches daughters on webcam message

two naughty girls get caught in the WORST moment while making a vid on their webcam! omg!!

The messages also tag some of the victims’ Facebook friends, presumably in an attempt to spread the links more quickly across the social network.

If you make the mistake of clicking on the link you are taken to a webpage which shows a video thumbnail of two scantily clad young women on a bed. The page urges you to play the video, however doing so will post the Facebook message on your own wall as a “Like” and pass it to your friends.

Unfortunately, the new security improvements announced by Facebook this week fail to give any protection or warning about the attack.

Dad catches daughters on webcam message

When I tested the scam I was presented with a (fake) message telling me that my Adobe Flash plugin had crashed and I needed to download a codec.

Dad catches daughters on webcam message

Codec downloadUsers should remember that they should only ever download updates to Adobe Flash from Adobe’s own website – not from anywhere else on the internet as you could be tricked into installing malware.

Ultimately, you may find your browser has been redirected to a webpage promoting a tool for changing your Facebook layout, called Profile Stylez and – on Windows at least – may find you have been prompted to install a program called FreeCodec.exe which really installs the Profile Stylez browser extension.


It’s certainly disappointing to see Facebook’s new security features fail at the first major outbreak – clearly there’s much more work which needs to be done to prevent these sorts of messages spreading rapidly across the social network, tricking users into clicking on links which could be designed to cause harm.

If you use Facebook and want to learn more about spam, malware, scams and other threats, you should join the Sophos Facebook page where we have a thriving community of over 80,000 people.

Fake-Alert Scams Growing Again

Fake-alert Trojans, also known as scareware, fool consumers by claiming imaginary threats, and insisting its victims purchase a product to repair the “infected” systems. They exist in Windows and Macintosh environments.
In my recent report explaining this threat, I included a table showing the approximate number of scareware products with their known release dates:

After receiving some requests to update this table, I created a new chart by compiling data from the web. This chart shows a significant increase for the first quarter of 2011, after a drop-off in 2010.

Curious to explain this spike, I discovered its origin: fake-alert products from South Korea. Next, a quick search showed most of the associated websites were rated in red by SiteAdvisor.

Looking into the McAfee Labs web threats databases, I discovered that many of these “new” products, at least as seen in Europe and the United States, were not necessarily new. They included products that appeared between 2009 and today (72 in 2010, and only 31 during the first quarter of this year). Among them, a family I named the boan was the most widespread.

Using these dates, we now have a more accurate chart–showing the number of scareware products with known release dates.

Although the latest numbers are less alarming, these figures demonstrate that scareware are still a major threat on the Net.

Square Enix confirms website hack, email addresses and resumes stolen

Deus Ex Human RevolutionResumes of job hunters and email addresses of video game fans have been stolen by hackers in an attack on the Eidos and “Deus Ex: Human Revolution” websites.

Square Enix, the parent company of Eidos, confirmed the hack in a PDF press release. (Why do companies publish their press releases as PDFs, anyway? That’s just daft.)

Here’s part of the statement from Square Enix:

Square Enix can confirm a group of hackers gained access to parts of our website as well as two of our product sites. We immediately took the sites offline to assess how this had happened and what had been accessed, then took further measures to increase the security of these and all of our websites, before allowing the sites to go live again. does not hold any credit card information or code data, however there are resumes which are submitted to the website by people interested in jobs at the studio. Regrettably up to 350 of these resumes may have been accessed, and we are in the process of writing to each of the individuals who may have been affected to offer our sincere apologies for this situation. In addition, we have also discovered that up to 25,000 email addresses were obtained as a result of this breach. These email addresses are not linked to any additional personal information. They were site registration email addresses provided to us for users to receive product information updates.

There are two main risks here.

One threat is that if your email address is one of the 25,000 that has been stolen, you could receive a scam email (perhaps containing a malicious link or attached Trojan horse) that pretends to come from a video game company. After all, the hackers know that you’re interested enough in video games to give your email address to Eidos.

Secondly, the resumes from job hunters. This is a more serious problem. Just think of all the personal information you include on your CV: full name, date of birth, email and home address, telephone number, job history. This kind of information is a god-send to identity thieves interested in defrauding internet users.

So, it seems Sony is not the only video game company to be having problems with its computer security.

Lets hope the continuing stream of stories of companies having customer data stolen from them makes them take security more seriously in the future.

More information about the hack can be found on the KrebsOnSecurity blog.

Android market affected by SMS Trojans

According to a report by AegisLab, Android Market has been hit by another malware incident, with a number of SMS-sending Trojans published by unknown attackers. The incident was not as serious as the one in March when over 50 apps were affected by the Droid Dream malware, although any attack affecting Android Market should be regarded as very serious.

The latest batch of malicious applications are purported to be developed by a legitimate Android developer Zsone. However, it seems that the legitimate applications from the same developer have a version number different than the malicious versions.

When one of the malicious applications is installed on the device, an SMS message will be sent to one of a range of premium rate numbers. The numbers are different depending on the application. The attack targets mobile devices in China since the SMS subscription service numbers used are only available from Chinese mobile network providers.

Sophos has received several applications with the SMS sending functionality, including iCalendar, iMine and iMatch. The malicious versions of the applications I have seen come with the version number 1.1.0.

The most interesting characteristic of the latest set of Trojanized applications is the fact that a special Broadcast receiver is used to inspect all new SMS messages received on the device.

If the application receives an SMS message from the number which was previously used to register the phone for services the Broadcast receiver attempts to abort the broadcast using the AbortBroadcast function. This method could prevent other SMS applications from processing the message.

The obvious intention of the code is to hide the fact that the device is receiving messages from subscription based services and make the user unaware that they have been losing money.

The latest Android incident shows that applications installed directly from the Google market could still be affected by malware.

In an ideal world, Android apps should not be allowed to be self-signed and only allowed keys certified by trusted authorities. Although this measure would not prevent malicious applications it would help with tracing the originators of rogue apps.

Having two classes of applications, signed by certified keys and self-signed, would allow developers of Android OS to limit the capabilities available to self-signed applications. For example, self-signed apps should not be able to send SMS messages. Perhaps this measure would not be a silver bullet but it would certainly be a welcome sign that Google is taking Android security more seriously.

Sophos products are detecting malicious SMS sending Android applications as Andr/AdSMS.