    Archive for February, 2009




    In a second attack, extremely reminiscent of the one that took place this weekend, Facebook users have once again been victimized by cybercriminals. Reports started surfacing this afternoon of yet another rogue Facebook application posting notifications to user profiles that said: “(Name on my friend’s list) has just reported you to Facebook for violating our Terms of Service. – This is your official warning! – [Click here to find out why you were reported!] – Request Facebook look at what has happened and rule immediately.”

    Figure 1. Facebook notification

    The link in the notification led to an application named “f a c e b o o k – - closing down!!!” which, once installed, would proceed to spam all of the affected user’s friends with the same message. It may also harvest personal information along the way.

    In the short time the account was active, it had enough impact that a Facebook group for its victims was created:

    Figure 2. Facebook group

    Surely these two events in just a single week mean that it’s about time Facebook reviewed its application hosting policy. Rogue applications of extremely dubious intent must be prevented from propagating freely within the site. Users are advised to exercise extreme caution when surfing. It’s always good to research first and to ask, as one Facebook user did on Yahoo! Answers:

    Figure 3. Posted question on Yahoo! Answers




    UK Justice Secretary Jack Straw had his web-based email account compromised last Thursday. Jack Straw, former Home Secretary, used a Hotmail account as his sole public email address.

    Figure 1. Jack Straw’s contact information from http://www.jackstrawmp.org.uk/contactus.asp

    In a variation of a theme currently being used on social networking sites, 419 scammers used the compromised account to send hundreds of email messages to Jack Straw’s constituents and others in his address book and inbox. The bogus message, purporting to be from Mr. Straw, claimed that he had lost his wallet while in Nigeria promoting a charity called “Empowering Youth to Fight Racism” and asked the recipient if they could help him out by sending $3,000 to fly home.

    “It was an issue for constituents, not the government. We are checking all that and I am assured there’s no evidence that confidentiality of constituents was affected,” the MP told the Telegraph newspaper in the UK.

    Aside from the fact that constituent confidentiality was clearly breached (their email addresses were all available to, and used by, the hacker, and any emails in the Hotmail inbox or filed away in online folders would have been visible), it surprises me that he was using Hotmail in the first place. The service is routinely abused by e-criminals for this kind of email scam. Of course, as a past Home Secretary who set up the High Tech Crime Unit, he would have been expected to know better. But the real issue here is: why isn’t the UK Government adopting the same strict guidance given by the US Government, namely, don’t use anything other than a government email address for parliamentary business?

    These accounts are not under the control, security protocols, or jurisdiction of any government IT program; they will not be backed up or indexed by government; and they almost certainly will not be subject to any Freedom of Information request made against government data. In addition, shouldn’t privileged communication between a Member of Parliament and constituents be routinely encrypted, especially given that Identity-Based Encryption services now offer the opportunity to send encrypted email to anyone with no need for any kind of pre-enrolment or key management?



    Feb 26, 3:36 am (UTC-7)

    Over the weekend, an application of extremely dubious intent was released on Facebook. Called “The Error Check System”, the application appears to be non-destructive, but it spread very quickly and very widely and could in the process have collected thousands, even hundreds of thousands, of sets of personal details.

    The application sent out notifications to Facebook users stating that one of their friends “has faced some errors when checking your profile” and prompted them to click a link to “View the Errors Message.”


    Figure 1. Fake notifications.

    Exploiting users’ fears, uncertainties, doubts, and of course their trust in their friends, ensured the fast spread of this application in the span of time it was available on Facebook.

    Facebook applications need to ask the user’s permission first to access the personal information in their profile. A normal Facebook application installer screen looks like this:


    Figure 2. Facebook application installer.

    The “Errors Message” application redesigned the standard content of this screen to appear like the image below, making no mention of seeking permission to access the user’s information and friends list:


    Figure 3. “Errors Message” installer.

    Once the rogue application is “Activated” (that is, installed) and has access to all profile information, the user sees the following screen:


    Figure 4. Note the poor grammar (again).

    The application finally helpfully suggests that the user might want to check friends’ profiles for errors, so in essence, the propagation continues:


    Figure 5. Friends of an affected user may be future victims.

    An interesting side note to this whole affair is what happened on Google search during the time this application was spreading on Facebook. The search term “Error Check System” returned results that were actually pointing to malware and rogue AV applications.

    It appears, then, that the purpose of this Facebook application, other than to steal profile information, is to drive people to Google, where dangerous links are ready and waiting. This seems like another case of Search Engine Optimization (SEO) poisoning.

    Google searches for the string “gmail down” (after a Gmail outage) yielded top results that led to malware earlier this week. This series of attacks again shows that cybercriminals are intent on exploiting the trust users place in search engines and the results they give back.

    Note: All images in this blog post come from http://www.allfacebook.com and were used with permission.





    Xbox Live users, specifically winning players, are being targeted by hackers. Researchers believe that the attacks are done so other Xbox Live users could get back at the players who beat them in a game.

    A BBC report explains that the tools used in this hacking attack do not target the Xbox Live network itself but the IP addresses of players hosting games. Hackers first try to find out a target user’s IP address, and once they have it, they are able to stage attacks of the kind commonly launched against websites.

    Denial of service is an infamous line of attack in which hackers flood sites to make them inaccessible to visitors.

    This attack again presents an opportunity for cybercriminals to offer their services, for a certain amount of money of course, if they were not already involved in the first place. Sniffing out IP addresses is the hard part of this operation. Imagine irate users paying money for that information so they could get their revenge.

    It is interesting to note that more than a year ago several Xbox Live accounts were hacked, where the goal appeared to be information theft.

    Microsoft, which operates Xbox Live, is already investigating this online threat. The company has also made it clear that malicious activities like this violate the Terms of Use of the gaming and digital media service. Users caught participating in this attack could thus be banned.




    Gmail downtime message

    The Gmail downtime experienced today may have caused a nasty ruckus among frustrated users, but unknown to these users is an issue bigger than not being able to access email messages.

    In the midst of the commotion brought about by the outage lasting only a few hours, cybercriminals managed to squeeze in an attempt to distribute malicious files to unknowing users.

    During the downtime, searches for the string “gmail down” yielded a Google Group page also named Gmail down as the top result. Trend Micro Researcher Loucif Kharouni reports that the said page was found displaying a banner with images related to pornography, which then pointed to a pornographic website. But what’s more dangerous is that links in the said webpage lead to malicious files.


    Figure 1. Google Group website set up to distribute malware


    Figure 2. Malicious links found on the Gmail down Google Group webpage

    The link Really young good looking teenager-547b4.html redirects to two different URLs. First, the URL hxxp:// {BLOCKED}worldx.com/software/f352d5ac52/10410/1/Setup.exe prompts the download of a file detected as TROJ_PROXY.AEI. Kharouni reported that TROJ_PROXY.AEI drops two files—a BAT file and a DLL file. The BAT file is used to load the DLL file, which in turn modifies the registry entries related to proxy server settings. This causes the results of user queries to be redirected to remote sites, mostly related to advertising.


    Figure 3. A sample query for Trend Micro


    Figure 4. The website displayed when clicking the first result

    The second URL, hxxp:// {BLOCKED}cktube.com/new/n/Exclusive+Free+porno/3913744, leads to the download of a malicious file detected as TROJ_AGENT.FAKZ. Our researchers are currently analyzing this file to determine its routines.

    On the other hand, the link The Dark Knight torrent.zip leads to the download of the BAT file main_movie_torrent.bat. This file modifies the attributes of the following files:

  • c:\autoexec.bat
  • c:\boot.ini
  • c:\ntldr
  • c:\windows\win.ini

    It displays a popup message stating “Virus Activated,” then deletes the abovementioned files, which are all critical files related to loading Windows. After doing so, another pop-up message is displayed, this time stating “Computer Over. Virus=Very Yes.” The computer will then shut down after 10 seconds, and will no longer be able to boot into the operating system. This file is now being studied for detection. Please stand by for updates.

    The said Google Group has already been deleted, and was reportedly up for only about 25 minutes. Meanwhile, all malicious links are already blocked through the Smart Protection Network (in fact, one of the domains in this incident had already been tagged as malicious prior to today).

    This incident serves as proof of how keen cybercriminals’ instincts can be in spotting opportunities to distribute their malicious files.

    Update as of February 26 2009, 2:00 AM PST
    Analysis by Trend Micro researchers reveals that TROJ_AGENT.FAKZ installs itself as a BHO (Browser Helper Object) on the affected system and, when executed, connects to the Internet and displays the following website through Internet Explorer.
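    The two footprints this post describes, a rewritten per-user proxy configuration (TROJ_PROXY.AEI, above) and a Browser Helper Object registration (TROJ_AGENT.FAKZ), both live in well-known registry locations, so a suspect machine can be audited for them. The PowerShell below is an added example written for this page, not Trend Micro’s tooling; it assumes a Windows host, reads only the standard WinINET proxy values and BHO registration keys, and the $ExpectedProxyServer and $ExpectedAutoConfigUrl parameters are hypothetical values the caller supplies for their own environment.

```powershell
# Added example (not from the original post): audit the registry footprints
# of proxy-hijacking and BHO-installing trojans on a Windows host.

function Test-UserProxySettings {
    [CmdletBinding()]
    param(
        # Hypothetical: the proxy this user legitimately uses ('' = none).
        [string]$ExpectedProxyServer = '',
        # Hypothetical: the PAC URL this user legitimately uses ('' = none).
        [string]$ExpectedAutoConfigUrl = ''
    )
    # Per-user WinINET settings honoured by Internet Explorer and most Windows
    # software; proxy-hijacking trojans rewrite these to redirect traffic.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $s = Get-ItemProperty -Path $key -ErrorAction Stop
    $findings = @()

    if ($s.ProxyEnable -eq 1 -and [string]$s.ProxyServer -ne $ExpectedProxyServer) {
        $findings += "ProxyEnable=1 with unexpected ProxyServer '$($s.ProxyServer)'"
    }
    if ([string]$s.AutoConfigURL -ne $ExpectedAutoConfigUrl) {
        $findings += "Unexpected AutoConfigURL '$($s.AutoConfigURL)'"
    }

    [pscustomobject]@{
        Suspicious    = ($findings.Count -gt 0)
        Findings      = $findings
        ProxyEnable   = $s.ProxyEnable
        ProxyServer   = $s.ProxyServer
        AutoConfigURL = $s.AutoConfigURL
        ProxyOverride = $s.ProxyOverride
    }
}

function Get-BrowserHelperObjects {
    # BHO registrations (native and, on 64-bit Windows, the 32-bit view) name a
    # CLSID; the DLL that IE loads is that CLSID's InprocServer32 default value.
    $bhoKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    )
    $clsidRoots = @(
        'HKLM:\SOFTWARE\Classes\CLSID',
        'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID'
    )
    foreach ($bhoKey in $bhoKeys) {
        if (-not (Test-Path -Path $bhoKey)) { continue }
        foreach ($entry in Get-ChildItem -Path $bhoKey) {
            $clsid = $entry.PSChildName
            $dll = $null
            foreach ($root in $clsidRoots) {
                $inproc = Join-Path -Path $root -ChildPath "$clsid\InprocServer32"
                if (Test-Path -Path $inproc) {
                    $raw = (Get-ItemProperty -Path $inproc).'(default)'
                    if ($raw) { $dll = [Environment]::ExpandEnvironmentVariables($raw) }
                    break
                }
            }
            # An unsigned or missing DLL behind a BHO is the first thing to look at.
            $signature = 'DllMissing'
            if ($dll -and (Test-Path -Path $dll)) {
                $signature = (Get-AuthenticodeSignature -FilePath $dll).Status
            }
            [pscustomobject]@{
                CLSID     = $clsid
                Dll       = $dll
                Signature = $signature
                Source    = $bhoKey
            }
        }
    }
}

# Usage: review any proxy finding and any BHO whose Signature is not 'Valid'.
Test-UserProxySettings | Format-List
Get-BrowserHelperObjects | Format-Table -AutoSize
```

    The proxy check flags only deviations from what the caller says is expected, so on a corporate machine you pass the sanctioned proxy and PAC URL; a ProxyServer value nobody configured, or a BHO whose DLL is unsigned, sits in a user-writable directory, or no longer exists on disk, is the kind of artifact both trojans in this post leave behind.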

    Figure 5. Displayed instance of Internet Explorer

    Clicking the Download Free Movie link displays the following message.

    Figure 6. Displayed instance of Internet Explorer

    Clicking either Yes or No on the dialog box redirects the user to a URL to download a rogue AV detected as TROJ_FAKEAV.ANI.

    Furthermore, the BAT file contained in The Dark Knight torrent.zip is now detected as BAT_DELWIN.AA. Below are screenshots of the previously mentioned messages displayed after the execution of this malware.

    Figure 7. First message box

    Figure 8. Second message box


    © Copyright 2011 Trend Micro Inc. All rights reserved. Legal Notice