This was likely intended to bait us into revealing email login information, rather than being the “normal” attack emails with an attachment or link to a malicious file that would install malware on our computers. This is more along the line of traditional phishing attacks to try to trick you into…
2 years agoAugust 11, 2011
I guess the first try at getting us to give up our email logins today failed, so they are trying again. And this is a really juicy email, about the first Chinese Aircraft Carrier formerly called the Varyag (purchased from Russia). It even has pictures! The pictures come from a real BBC news…
2 years agoAugust 11, 2011
Facebook Scam: Amy Winehouse Death Videos
Scammers usually have no shame when it comes to pouncing on natural disasters like the Japanese Earthquake, tragic events like the Oslo bombing and celebrity deaths. Troubled pop-star, Amy Winehouse died this morning and it didnt’ take very long before scammers leveraged her death to make money off of Facebook users.
SHOCKING - Amy Winehouse’s Final Minutes
A video has surfaced of Amy Winehouse’s final minutes.
There are multiple different campaigns spreading. All of them follow similar lures: videos of her death or videos of her partying the night before her death:
The reason why Amy Winehouse is dead See the video of death
Warning: Mature Content!
Amy Winehouse Night Before Death Video
Warning : 18+
Leaked Video!! Amy Winehouse On Crack hours before death
Amy Winehouse getting high on crack just hours before she died
Video leaked of amy winehouse’s death!!! Warning: Graphical Content.
Amy Winehouse OVERDOSE VIDEO LEAKED! - RIP AMY
It’s shameless just how low these scammers will go to make money off of the death of another human being. Think back a few months ago, when scammers were using Osama Bin Laden’s death as a lure. And what makes this worse is that Facebook users will click on these links because the headlines are so sensational and because most people are inquisitive.
Ultimately, all of these Amy Winehouse Facebook scam links require users to share the page (or “jaa”) before they can view the supposed content.
After coercing the users into sharing the scam page, the content remains blocked until users fill out a survey, which is how scammers monetize all of their scams on Facebook.
If you see these scams appearing in your news feed, please report them as spam. If you clicked through one of these links, you can also report them as spam from your own page.
Remember that Facebook scammers are very opportunistic. They have no shame and they’ll take advantage of any news story in order to make a quick buck. Be skeptical of these kinds of posts and anticipate that these types of scams will appear following tragedies and disasters.
3 years agoJuly 23, 2011
New Tool for Facebook Scammers: Embedding Content in Comments
Facebook has rolled out a new feature for comments, allowing content to be directly embedded in the comments themselves.
Today we are launching a commenting feature that allows you to embed videos, photos, or web sites in comments just by including a URL. Your comment will include a video player, a thumbnail of a photo, or a brief overview of the web site being linked to. If you prefer your comment without the preview, you can remove the preview with one click.
My first thought upon reading this announcement was that current Facebook scammers will find this new feature extremely useful. A new tool in their arsenal, so to speak. I’ve already noticed some Facebook scams where compromised accounts post comments on other status updates saying, “Is this video of you?” with a link to a Facebook phishing site. This new feature will likely extend the usage of that scam, along with bringing in new types of comment scams and spam.
While this feature is brand new and has not been tapped just yet by scammers, I have created an example of what Facebook users might expect to see in the coming weeks using a Facebook scam that’s currently in circulation:
Always use caution when clicking on links posted by friends. Understand that scammers are crafty individuals with one sole purpose - to make money off of Facebook users. Survey scams is the monetary vehicle of choice for scammers and why users continue to see these scam links in their news feeds. Having the ability to spam users with content within comments will help these types of scams spread even further.
3 years agoJuly 20, 2011
AnonOps Colombia: Social Media Account Takeover
In the last few days, I’ve posted about the compromise of the Facebook pages of Walmart Careers and Pfizer. These have been noted as two separate incidents, the latter being attributed to a group called Script Kiddies. Today, an arm of the collective known as Anonymous compromised the Twitter account of former Colombian President, Alvaro Uribe and the Facebook page of current Colombian President, Juan Manuel Santos.
Twitter page of Former President Alvaro Uribe’s Twitter:
Facebook page of President Juan Manuel Santos:
I’m afraid this is only the beginning. I anticipate more and more Facebook pages for brands, celebrities and public figures to get compromised in some way, shape or form. Compromising Social Media accounts is the new website defacement.
3 years agoJuly 20, 2011
Exclusive Interview with Tweepsect creator Andrey Petrov
Context: This post is a follow-up to my previous post: Twitter Phishing Scam: FIND OUT WHO STALKS YOUR TWITTER! THIS NEW APP ROCKS!
The following is an interview I conducted with Andrey Petrov, the creator of the Twitter application called Tweepsect. According to Petrov, his application was abused by scammers in the “StalkTrak” phishing scam on Twitter. The recent version of the “StalkTrak” application has copied the results page from Tweepsect to give it enough authenticity to fool unsuspecting Twitter users.
Satnam: You mentioned you encountered this scam a few weeks ago. How were you alerted to it?
- I received a bunch of @mentions telling me that my app is sending people DMs. This wasn’t true, my app doesn’t do this, but it prompted me to investigate further.
- I received an alert on SocialGrapple (another service I created after Tweepsect) that Tweepsect is being mentioned *a lot* more than usual on Twitter.
- I received an alert on Google Analytics that I had unusually high amount of incoming traffic. The traffic increase began on the night of June 25th (it was in full throttle on the 26th).
Satnam: You mentioned that you alerted your users after they were proxying through TweepSect. Did you alert Twitter’s Trust and Safety team?
Andrey: Yes. First I made sure that he wasn’t exploiting something in Tweepsect. At first I didn’t know there was a fake OAuth page somewhere redirecting traffic, so I thought there might be an exploit in Tweepsect to spam DMs. As soon as I was sure it wasn’t my fault and I couldn’t do something about it, I contacted @twitter and @twitterapi.
While waiting for a response, I noticed that the phishing scam was using Tweepsect as an endpoint exit to increase credibility (instead of showing a static results page like it does now), so I put up a big fat warning telling people that if they came in through StalkTrak that their login information was compromised and they should immediately change their password and revoke access to suspicious applications. The warning was up until yesterday.
I never heard back from Twitter, so later that night I emailed [redacted] personally. He replied to me within 7 minutes saying he forwarded my email to the appropriate team.
Satnam: How long did this last before the scammers got the hint?
Andrey: I noticed the first change in the attack after about 3 days since the beginning, that’s when he put up a static snapshot instead of redirecting to Tweepsect to circumvent my warning (which I put up on day 2 of the attack, as soon as I noticed it).
Satnam: Did you know about the newest version of the scam that’s using a static HTML page instead?
Andrey: Yes, this version has been active since Day 3 of the attack.
Satnam: Do you have any advice to Twitter application developers on how to detect scammers trying to proxy through their applications?
Andrey: Monitor your analytics (I use intelligence alerts for Google Analytics).
Satnam: Any additional thoughts you’d like to add?
Andrey: I wish Twitter would get back to me about their efforts on this. I’m still seeing spikes in traffic based on these attacks and I don’t know if they’re doing anything about it or not.
Here are some things I think Twitter should do:
- Block all outgoing links to [redacted phishing url], especially in DMs
- Check all accounts who sent DMs with links to that site, force password resets on those accounts (they’re probably compromised)
- Revoke access to any suspicious apps that may have been granted in compromised accounts (no idea if this is the case)
It should be noted that the StalkTrak phishing scam is still spreading. While Andrey wasn’t able to provide me with any figures on just how many users might have fallen for this scam, considering the timeline he gave, I believe it’s safe to assume thousands of Twitter users were phished by this fake application.
Walmart Careers Facebook Page Compromised
Earlier this evening, Walmart’s Careers page on Facebook was compromised.
Two suspicious posts appeared on the Walmart Careers page.
Walmart will no longer be accepting applications from anyone of African-American decent, read more here: http://walmartstores.com/careers
In regards to our last update, our studies in the past have shown that “African-Americans” tend to steal more often and have a significantly worse work ethic than those of Mexican, and Caucasian ethnicity’s.
In addition to these posts, Walmart’s main profile image for their careers page was defaced with an “X” mark over the face of an African-American employee featured in the photograph.
Walmart employees and loyal devotees to the brand became suspicious and reported the activity.
Within a short amount of time, the images disappeared, but the offending posts remained. Not long after the images were taken down, the Walmart careers page was taken down entirely. It is uncertain whether Walmart employees were involved in the takedown or if those behind the compromise removed the page themselves.
Facebook Pages and Admins
Over the last few years, big brands and small businesses have adopted social media into their marketing strategy. One of the key features that Facebook pages offer these brands is ability to have multiple administrators for a page. These administrators are granted access through their personal Facebook accounts. Therefore, it is likely that whomever obtained access to the Walmart Careers page did so by compromising an administrator’s Facebook account.
Whether to Phish or to FireSheep?
Uncertain as it may be to determine the exact method used to compromise an admin account, there are a few likely suspects (note: this is my own speculation):
Phishing - This method requires a little more work but, if a Walmart employee that was an administrator for this page was phished on their personal account, the scammers would gain access to the Facebook page with relative ease.
FireSheep - This is a free Firefox extension that gives users the ability to hijack unencrypted sessions on public WiFi networks. It is possible that an administrator of this page was browsing Facebook without HTTPS enabled on a public WiFi network, such as a Starbucks. A scammer may have been sitting on the network and discovered this account was tied to the Walmart careers page.
Don’t forget to Enable HTTPS
This incident should serve as a reminder to many marketing employees as well as Facebook users in general. If you haven’t done so already, enable HTTPS for all of your social networking accounts.
And please advise your fellow employees and/or administrators for brand pages to do the same.
Twitter Phishing Scam: FIND OUT WHO STALKS YOUR TWITTER! THIS NEW APP ROCKS!
There is an on-going phishing scam targeting Twitter users. This scam follows a similar lure: profile/page stalking.
FIND OUT WHO STALKS YOUR TWITTER! THIS NEW APP ROCKS!
The link that’s included in the tweet directs the user to what looks like a legitimate Twitter Application.
This page borrows the same template that is used to authorize Twitter applications legitimately. The scammers have made a few changes here, such as inserting a bullet point for “View Who Is Stalking Your Twitter” as well as informing the user that this application will no longer be able to access direct messages after June 30th, 2012. Legitimate Twitter applications recently lost permission to access direct messages on June 30th, 2011, which required users to re-authenticate these apps.
Users who enter their Twitter logins will have their credentials phished and the same tweet posted above will be seen by their followers.
The scam continues by redirecting users to a fake page to give it some authenticity. The usernames associated are made up and do not represent any type of stalking activity.
Upon further investigation, I was able to determine that the scammers are using the same user interface elements of a legitimate Twitter application called tweetspect.
Here is an example of TweepSect analyzing a Twitter profile:
If you or someone you know fell for this scam, the most important thing to do is change your Twitter password: http://twitter.com/settings/password
Whenever you come across scams like these, report them to Twitter and warn your friends and followers about them. You can reach out to Twitter’s Safety team by sending a reply to @safety.