We recently discovered a Facebook attack that uses the business-related social networking site, LinkedIn as redirector site. The attack begins with a wall post that bears the subject, “The Video That Just Ended Justin Biebers Career For Good!” Clicking the URL in the image creates a similar wall post on affected users’ accounts.

This Facebook attack using LinkedIn is new, as cybercriminals normally employ URL shorteners and Facebook fan pages to point users to malicious sites. The use of a legitimate site definitely increases the possibility that users will dismiss any suspicions that the post might be a malicious threat. In the past, we also reported various attacks that employed URL shorteners here:

• Facebook Spam Spreads Through Multiple Features
• Bogus Twitter Spam Hits Inboxes
• Shortened URLs in IM Apps Lead to a Worm

Although Facebook prompts a warning about the possible malicious URL activity, the said malicious URL can still be accessed via the site.

Read the rest of this entry »

Trend Micro researchers recently discovered attacks on the social networking site Multiply. The cybercriminals behind the said attack created new Multiply user accounts then sent malicious personal messages to other site users.

The personal message contains a greeting with the target’s Multiply user name and a video that the recipient is supposed to watch. Clicking the play button redirects users to the malicious URL http://yourtube.{BLOCKED}loring.com/video2/video.php?q=1289224873.

The page then asks the recipient to download a codec to view the video.

These sorts of attacks have been occurring for some time.  Users should avoid downloading new codecs to watch videos posted online, as these are frequently malicious. Trend Micro detects the downloaded file in this attack as TROJ_KATUSHA.F. In addition the URL where the malicious video is located is already blocked by Trend Micro products.

Trend Micro has discovered a new scam spreading via Twitter that uses gift vouchers as bait. Users are repeatedly retweeting a message with a shortened URL that promises they will receive a free gift voucher from various online shops:

The shortened URL leads to a website (http://{BLOCKED}voucher.net) that entices users to complete surveys and refer their friends to the site to earn points. The points they would supposedly earn depend on the difficulty and language of the survey.  However, the survey site is not related to any of the legitimate sites that are mentioned on their page.

If users try to take a survey, they will get a window which shows their IP address:

We did not proceed any further, as it was clear that this site was engaged in suspicious behavior. Examination of the site’s WHOIS information revealed that the domain was only registered in late October, indicating that the site may have been set up to take advantage of the upcoming holidays. Twitter has also suspended the main account shown earlier, raising even more suspicions. We have since classified the website as a spam site and blocked it in order to protect users.

Trend Micro users are already protected from this threat via the Smart Protection Network™. Users are also advised to be wary about what they retweet, lest they spread information that is just plain wrong.