Fake Flash player scams have been around for a long time, but remarkably they still haven’t gone away. Now, they’re targeting users in Turkey.

A recent attack that we found starts off with a video link sent to users via Facebook’s messaging system (sent in Turkish). This “video” prompts users to install a Flash Player update ; it actually installs a browser extension that blocks access to various antivirus sites. It also sends a link to the “video” to the victim’s Facebook friends via the messaging system, restarting the cycle.

This targeting appears to have worked: based on feedback from the Smart Protection Network, 93% of those who accessed pages related to this attack were from Turkey.

The browser extension pushed to users was in the format used by Chromium-based browsers like Google Chrome. It would not work in other browsers, like Internet Explorer and Mozilla Firefox. It also stops the user from accessing the extension settings page, to prevent the user from removing or disabling the extension.

As we noted earlier, this threat is cyclical. The fake update, detected as TROJ_BLOCKER.J, installs the extension (detected as JS_BLOCKER.J) that blocks the antivirus websites. JS_BLOCKER.J then downloads a malicious script which is used to send the Facebook messages with the link to the video. This script is detected as HTML_BLOCKER.K.

In addition to Facebook messages, Twitter accounts “promoting” this page were also spotted:

Turkey is one of the world’s most active Facebook-using countries, with 19 million daily active users and 33 million monthly active users.  In addition, this attack’s behavior – blocking antivirus sites – is not actively harmful to users, although it would leave them vulnerable to future attacks.

Facebook is working diligently to prevent users from encountering these types of attacks. We protect users by detecting and blocking the files and sites related to this attack. Users can also protect themselves further through these simple tips:

• Don’t click or access any strange and unfamiliar URLs that pop up on your wall, profile, or from a private message.
• If you’re asked to update any software, go to the software vendor’s site directly, and not through any other supplied link.
• Get a security solution that automatically blocks malicious downloads and fraudulent websites.

With analysis from Anthony Melgarejo and Paul Tiu

More than a week has passed since Typhoon Haiyan made landfall over the central Philippines, leaving thousands dead or injured, with millions more in need of humanitarian assistance. More than US$248 million in relief has been given both by governments and the private sector to date.

Unfortunately, many scams have already taken advantage of this disaster. For example, fake Facebook pages (like this one) ask for donations via PayPal, which end up in the hands of would-be scammers rather than the hands of legitimate charities:

Figure 1. Facebook page for Haiyan-related scam

This particular Facebook page actually asks users to visit the scammer’s own blog, which asks users to make a “donation” via PayPal. They go so far as to take them to the PayPal payment page – where it becomes clear that the user is sending money to somebody’s personal account and not a legitimate charity.

Fake Facebook pages aren’t the only type of scam that took advantage of the calamity. We spotted several spammed messages with Typhoon Haiyan as the subject. These messages often required the recipients to give their personal information or send money via wire or bank transfers.

Figure 2. Typhoon-themed spam

While it might seem deplorable to take advantage of natural disasters, it’s simply business for cybercriminals. In previous disasters – like the 2011 tsunami/earthquake in Japan – attackers have taken advantage of the tragedy to create phishing pages, spam attacks, and blackhat SEO attacks.

How can users protect themselves from these scams and make sure that their donations end up in the right hands? Here are some useful tips.

• Give to organizations you know and/or trust. Some scammers will try to pass themselves off as new charities established expressly for this disaster. Instead, donate to well-known charities that have been around for years. Alternately, smaller organizations that you personally know and trust to be reliable can also be a safe choice.
• Be careful about appeals from social media and e-mail. Appeals to donate to various charities are spreading both via social media and e-mail messages. While many, if not most, of these are not scams, some will be. Some may be appeals from fake charities; others may just be lures to direct users to malicious websites. In either case, be careful about listening to these appeals. If you do decide to give to an organization whose appeal you saw here, go directly to their site by typing their URL into the address bar or using a search engine. This will help minimize the risks from potentially malicious links.
• Check the payment site carefully. If you’re making a donation online, check the payment site as carefully as you would any other online payment. Whether it’s entering your credit card information directly, or using some other online payment site (like Amazon, Google, or PayPal,) be aware that these can be phished as well.

There are many charities that could use your donations, but this is not the time to let your guard down. These tips can help ensure that your donation gets to where it is needed the most. We also note that you can make donations to the American Red Cross from inside Facebook itself; details can be found in their official blog.

With additional insights from Merianne Polintan

Early this August, we wrote about cybercriminals using a well-publicized vulnerability in Android to launch an attack against users who do their online banking on their mobile devices through an app. This time, we discovered a mobile phishing attack that not only attempts to steal users’ login details, but also asks victims to upload an image file copy of their government-issued ID.

This particular phishing campaign resembles the typical scenario: it involves a spoofed website of the bank’s mobile online banking login site, with a URL that closely mimics the original banking site.

Despite the similarities, though, there are some noticeable differences, such as the support for SSL protocols. Thus, the phishing site does not have the usual security symbol nor the HTTPS:// protocol that usually identifies a secure website. There are also graphical differences between the two:

Figure 1. Legitimate site vs. spoofed page

The phishing page asks for the user’s login details – but it doesn’t stop there. After entering their login details, the user will be sent to another spoofed page that then asks for their e-mail address and password. This is presumably so that when the user tries to recover their account by changing their login details, the cybercriminals responsible will be notified and thus still be able to access the said account.

Figure 2. Phishing page asking for email credentials

Not yet satisfied with all of this stolen information, the scam goes on to lead the user to another spoofed website that then asks the user to upload a scanned image file of their government-issued ID.

Figure 3. Phishing page that asks for an image of a government ID

Assuming that the user does supply such a file, they will be asked to continue to their account via a link – but the link, of course, only leads to a dead website.

This is an unprecedented level of phishing here, as not only does the cybercriminal get access to the victim’s bank account and email account, but they also get the victim’s identification card – which could be used for all sorts of scams and fraud involving identity theft.

While phishing attacks that actually ask for scanned copies of real-world identification is new, the barter of such material isn’t. In our paper about the cybercriminal underground in Russia, Russian Underground 101, we talked about how copies of victims’ identification documents s are bartered and sold not only for profit but also for use in identity theft, with prices that range from US$2 to US$25, depending on the type of document. These documents could be identification cards, passports, to working VISAs.

Mobile phishing is on the rise. We’ve reported as much early this year, as well as how the cybercriminals dabbling in it are using the limitations inherent in the platform to carry out their deeds (such as the small screen size hiding URL discrepancies and security symbols). With smartphones being as popular as they are and being powerful enough to do most tasks we usually devote a desktop to, it’s not surprising that cybercriminals are taking advantage of the platform to nab more victims and milk them dry for personal information.

Thankfully, users can protect themselves from this kind of cybercriminal activity. Some practices the user can keep in mind:

• Bookmark frequently-visited websites. This eliminates the chance of being routed to a phishing website through typographical errors in the URL bar.
• Always verify first. Users should verify first with the institutions involved (such as their bank) whenever encountering strange and unexpected procedures in their transactions.
• Use a security solution. Security solutions immediately block phishing websites, preventing users from mistakenly accessing them.

Trend Micro users are protected from all the elements involved with this phishing threat, with the URLs of the fake website blocked.

Besides the fake Facebook Profile Viewer ruse, we found another Facebook scam that lures users into downloading a fake Adobe Flash Player plugin. We noticed countless feeds pointing to a Facebook page with more than 90 million “likes”. For some, this huge number of Facebook likes may be enough for them to check the page out. It also means that the page is quite popular and may lead users into thinking that it is legitimate and harmless.

Figure 1. Spammed Facebook post

However, we verified that this 91 million Likes is not true at all and is merely a social engineering lure. Once users visit the page, they are instead lead to this site.

Figure 2. Users are lead to this site that host fake Adobe Flash plugin

From the looks of it, the page is supposed to host an Adobe Flash Player plugin (detected as TROJ_FAKEADB.US). If user downloads the plugin and is browsing the page via Google Chrome, the page will automatically close and a Chrome extension file is dropped. This extension file is detected as TROJ_EXTADB.US.

Once installed, the malware will spam the same post using the affected user’s account (even tagging their friends in the message.) Also, TROJ_EXTADB.US was found to send and receive information from certain URLs. We already blocks access to all the URLs related to this threat.

Read the rest of this entry »

Possibly the most common sham seen on social networking sites, survey scams have certainly figured prominently in this year’s Web threat story. Phishing scams aimed at sites like Facebook are also prevalent this year. Before we bid 2012 goodbye, we give you a rundown of some Facebook-themed scams and threats we saw during the last week of December.

Choose Your Facebook Theme Scam

Possibly an incarnate of last February’s fake Facebook Valentine’s theme, we saw two scams that peddle new color themes for Facebook. The first scam promises a red or black Facebook theme. This scam was even found spreading on Tumblr.

Read the rest of this entry »