Facebook Watcher

Cybercriminals and phishers are still focusing their efforts on Facebook. Several new scam tactics are listed as below.

1) Koobface Variant Resurfaced again

Recent report from CA suggested that a Koobface variant is still actively sending massive spam messages to millions of users on Facebook. During the attack, the Koobface variant connects to the malicious server UPR15MAY.com to acquire information for its spam messages to be sent to contacts of infected users.

2) Killselfz and Ligromind Malware

Similar to the “.at” and “.be” domains, this time the domains used are of the top-level domain. If you come across Facebook messages with phishing links to Killselfz[dot]com and Ligromind[dot]com, do not click on it or else the scammers will plant the malware to your computer.

3) Today, a new wave of phishing attacks on Facebook users is underway. A popular tech news blog Mashable is reportedly discovering two new top-level domains that can steal your Facebook login details and then spam your Facebook friends. If you get Facebook messages which prompt you to click the phishing links to Junfunrun[dot]com and Bulitre[dot]com, stay away from those messages and delete the messages instantly.

There is a new wave of phishing scams that targeted Facebook users for the past few days and probably you’ve heard of this. It started with the phishing sites that registered under .at (Austria) and later the .be (Belgium) domain names. For this purpose, I’ve compiled a list of these phishing sites, and whenever you came across it in your Facebook email messages, do not click on the URL links.

A common trick is that all of these phishing scams start from a Facebook message with an aim to trick Facebook users to click on the URL links. In order to lure users to click on these links, all the subject line of the emails is either “Look at This”, “Hello” or “Check” following by one of the .at or .be domain names listed below.

This wave of phishing scams garnered much attention in Facebook since there are users who fail for the scam, lost their Facebook login details as well as the new cycle continues as the cybercriminals started using their accounts to send emails to their friends.

Picture: Phishing site; noticed that there is no Facebook logo in the header of the site

WARNING: DO NOT click links to the following sites:

Areps.at
Bests.at
Brunga.at
Kirgo.at
Nutpick.at

Atomclub.be
Bestspace.be
Bitclan.be
Databus.be
Dynasale.be
Goldbase.be
Greenbuddy.be
Indigoline.be
Linkteria.be
Mymarket.be
Orangefan.be
Picoband.be
Pinkamigo.be
Redbuddy.be
Redfriend.be
Silvertag.be
Sweeter.be
Vispace.be
Whiteflash.be
Whitemart.be

Nevertheless, the good news is that Facebook has taken action and blocked all of the outgoing links to the aforementioned phishing sites, while Firefox browser has also blocked its users from accessing to the above sites as well.

According to the news across the Web, Facebook has blocked two bogus Facebook sites, that are fbaction.net and fbstarter.com. These two sites used the same trick by sending the phishing emails to some Facebook users that attempts to convince them to type in their Facebook username and password onto these bogus sites.

As at this moment, some browsers are taking action towards blocking these two sites. With Firefox browser has pinpointed these two sites as Web forgery (as shown in below pictures) while Safari browser has neither show the Web sites on its browser.

Picture 1: fbaction.net on Firefox

Picture 2: fbstarter.com on Firefox

Picture 3: fbaction.net blocked by Facebook; with this outgoing link being blocked, i.e. www.facebook.com/l/4253f;http://fbaction.net/

Picture 4: fbstarter.com blocked by Facebook; with this outgoing link being blocked as well, i.e. www.facebook.com/l/4253f;http://fbstarter.com/

Ironically, the most popular browser on the Web, i.e. Internet Explorer still continue to allow one of the bogus sites being accessed as at my time of writing, as shown in the below picture.

As always, my advice to this type of the spoofed Facebook email messages, malicious links or bogus Facebook Web site is to look carefully on the actual URL shown on your browser. Type the www.facebook.com to access to your Facebook account whenever you want to login to your Facebook.

If you’re using Windows, you probably have heard of Malicious Software Removal Tool (MSRT). It is a quality antivirus solution to be delivered to the Windows PCs as part of the Automatic Updates package each month.

A good news is that now it’s more safer to use Windows-based PCs to access Facebook as Koobface, a
particularly nasty virus have been included as one of the major virus and worm families being added to the MSRT.

“In working with Facebook, we were able to add detection of Koobface to our Malicious Software Removal Tool (MSRT), which checks computers running Windows software to detect and remove viruses.” Jeff Williams, a Principal Group Program Manager for the Microsoft Malware Protection Center, wrote in a guest post on the Facebook blog.

Meanwhile, the MSRT has also removed Koobface nearly 200,000 times from over 133,677 computers in more than 140 different locales around the world in just two weeks, he wrote.

Online criminals are increasingly targeting at Facebook. So guys, if you’ve received any message that contain the following message subjects, please “do not” open it or proceed according to what the message told.

The message is served as a bait which offer malicious link and if you click on it, it’ll redirect you to a bogus Facebook site and you’ll be prompted to install a virus file in the form of a fake “Adobe_Player11.exe”, according to a report by websense.

FaceBook message: Dancing Girl Drunk In The Pub- facebook Video (Last rated by Betsy Person)
FaceBook message: Dancing girl oriental dance … (Last rated by Abdul Kay)
FaceBook message: Magnificent Striptease Dance (Last rated by Rosalind Lindsey)
FaceBook message: Watch the Oooh! Super Beautiful Girl Dancing (Last rated by Delores Tucker)
FaceBook message: Hot Girl Dancing At Striptease Dance Party

Although the message subject seemed to be appealed to most of the Facebook users, especially male users when first encountered it. But you know you’ll be safe if you ignore such message, and refrain yourself from clicking any URL link within the message, even it is out of your curiosity. Generally, these kind of messages are known well to elicit our emotions, in this case joy, and curiosity.

Another warning: Don’t let this kind of message trick you into clicking the link and install the file. It is due to the virus might not be detected by your anti-virus software installed on your PC or laptop, according to an analysis done by VirusTotal.

Picture 1:

Picture 2:

I’m not sure whether this is a good sign for the Facebook and its users. More security issues would mean that Facebook is large enough as a viable target for the spammers or scammers. And on the other end, the new Koobface worm as reported by TrendMicro security blog more or less helped the users be prepared “not to” download any software that prompted on the site. This is due to the same bait can’t work twice to the same people as this malware is being promoted in a similar manner as happened before in August 2008.

Here’s another good news: Despite the ongoing malware attack on Facebook, the issue will be resolved. Trust Facebook.