Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Mobile Vulnerabilities

  • Zero-Day Alerts

  • Recent Posts

  • Calendar

    August 2015
    S M T W T F S
    « Jul    
  • Email Subscription

  • About Us

    Listen to Rik Ferguson talk about this threat attack on BBC Radio 4

    Just recently, I received an intriguing post on my Facebook wall from a friend, someone I know and trust. The post contained the following message:

    Has anyone messaged you to let you know your face book pictre is all over {BLOCKED}.com

    To be honest, even the spelling and grammar sounded like my friend, but I’m fairly certain that was purely coincidental. Given that the days when I might have had a shot at a modelling career (hands only) are now firmly behind me, I was skeptical that my picture might be all over anywhere.

    Once I had let my friend know that their PC was probably compromised by some kind of information stealing malware, I thought I had better go and investigate this website.

    So in a clean test-environment, (don’t try this at home folks) I followed the link to the website, only to be greeted by an alarming pop-up:

    Figure 1. A quite odd nonetheless alarming popup

    I didn’t upload any photos that I remember; so I clicked through to find out more. What do I get? A computerised voice that immediately intones Attention please. Your profile picture has been detected on this website. Attention please. Your profile picture has been detected on this website and this page displayed on the browser:

    Figure 2. The displayed page contains a rather ironic disclaimer

    I love the little disclaimer at the top: Privacy note: We never send SPAM to your email address. We never sell your personal info. This is NOT a MySpace or Facebook login page. MySpace/Facebook users are not authorised to participate on this website.

    So anyway, back to my personal pictures. I need to see them and ask that they be removed surely? So I give them my name and email address and click Submit:

    Figure 3. A password request to view the alleged pictures

    Now they are asking me to create a password in order to be able to view “my pictures”. The small print here is helpfully telling me that I shouldn’t use the same password I may have previously used on this site, or the same password I use to access other sites, but of course this is entirely the behaviour the scammer is hoping for. I see a box asking for my password, I think “I’m going to need to remember this password. I know I’ll use my standard one” in it goes, and I click Submit again:

    Figure 4. Don’t worry about Dave Daveness, that’s the name I entered in the previous pop-up

    OK, I understand, a little market research, no problem, I click OK:

    Figure 5. Users are asked to choose the website that reffered them

    Well I got this from Facebook so I choose that link, and what a shame:

    Figure 6. Facebook and Myspace users are not served

    Looks like I’ll never get to see those pictures. But I’m really concerned about them. I’ll just hit the Back button in my browser and pretend not to be a Facebook user:

    Figure 7. The name of my friend I typed at Figure 2 is stated.

    I click on OK and there goes that voice again “Attention please. You must participate to retrieve your final results. Attention please. You must participate to retrieve your final results.”

    And yet another pop-up, saying that my good friend reserved a special offer for me, as well as finding these pictures I need to see:

    Figure 8. The picture seems to be unavailable

    It looks like the content of that window isn’t available right now though, and if I use another browser window to look at the origin of where the content is supposed to be coming from, all I get is a page with a single word on it profitsource. Interesting.

    So I’ll try to close the currently broken window down to finally get to my picture:

    Figure 9. Another pop-up?

    Here we go, here’s what all the fuss was about…

    Figure 10. Finally! My picture!

    I’m clicking, I can hardly wait!

    Figure 11. Obviously not me

    So what happens if I found that whole process so funny I can hardly wait to share it:

    Figure 12. Harmless? Really?

    Some interesting points relating to all of this:

    • The person who is registered as owning the domain name I was originally sent to in that Facebook wall post, also owns several hundred other domain names. Now I haven’t tried them all, but I have tried a good few, and they all lead back to this same email address harvesting site.
    • Interestingly, the email address of the registered owner (the only part of the registration information I really give much credence to in this case) is listed as Bulletinpics is a slightly older Spam & Scam campaign with shady international links. Here is a graphic example of the kinds of “service” Bulletinpics carry out, where he recruits CAPTCHA cracking cybercriminals:

      Figure 13. Forum post by CAPTCHA-cracking criminals

    • Finally, all of those different domains registered to the person with the bulletinpics email address, when I visit them; show up in the browser address bar as one particular domain name. If I do a search to see which sites link out to that one particular domain name, I only get one result, a Chinese “Pay to Click” MLM site, that on investigation, doesn’t have the rosiest of reputations.
    • Another thing those different domains appear to all have in common is the registrar Moniker Online Services Inc. who appear to have a very interesting history all of their own.

    Share this article
    Get the latest on malware protection from TrendLabs
    Email this story to a friend   Technorati   NewsVine   MySpace   Google   Live   StumbleUpon


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice