Tuesday, December 6, 2011

New Facebook scam

A new Facebook scam is spreading today, 6th of December. The interesting thing is that I have seen it posted in Dutch as well.

The method used is the same as in previous Facebook scams, see for example my earlier post:
New Facebook scam

Here is the post in question (in Dutch):

Classical scam post to lure users into clicking the link.

Here's what it reads:
WOW! Mijn profiel is ALLEEN VANDAAG AL 12 keer bekeken.. en ik kan zien dat er behoorlijk wat stalkers bijzitten LOL! Kijk zelf wie jou allemaal in de gaten houdt op #removed#

In English:

WOW! My profile has been seen 12 times ALREADY ONLY TODAY .. and I can see that quite a few stalkers are included LOL! See for yourself who's keeping an eye on you on #removed#

The link has been shortened with the bit.ly URL shortening service. While this service is not malicious in itself, it can also be used by people with malicious intent, whether hackers, malware authors, ... or in this case scammers.

Let's review some stats for the bit.ly link first:

98 clicks on this link in the last hour

Top countries, including: France, Germany, The Netherlands

Facebook.com is the most referring site

At the moment of writing, there have been over 1,000 clicks on the link so far. I have already reported it to bit.ly and it should be taken down soon.

UPDATE: bit.ly has already issued a warning for when you click on the link. (12/07/2011)

Now let us analyse where the bit.ly link is taking us. The link can redirect you to different websites, but they will all (so far) redirect you to a page similar to this one (depending on your location):

Who is viewing your Facebook profile ?

You probably don't remember my post from February this year, but the concept is the same: you can supposedly view who's been "stalking", or viewing, your profile. This is meant to lure users into clicking the link. Who doesn't want to see this, right ? Here is my post from early this year:
Facebook rogue applications still lurking around

You can be presented with a screen like this (I have several, but I will only post one as an example):

Are you the "lucky" winner ?

As stated previously, the concept is the same. Before you can see who's been viewing your profile, you need to fill in a short survey to continue.

You may have won a prize, you may have won an iPad, you may have won free ringtones, you may have won a free iPhone application, etc, etc, etc, .... This is of course all a lie.
Remember: if it looks too good to be true, it probably is !

You have to fill in your email address and/or phone number to continue as well. At the end you will end up losing a lot of money, leaving your email address in the open and maybe worse.

Remember: if you click the link while logged in to Facebook, it will also post it on your own wall.


The conclusion is pretty straightforward: do not click on any of the links ! If in doubt, ask your friend on Facebook (or whoever sent you the link) via PM whether he or she knows what this is about.

To remove this from your or your friend's wall, click on the X on the message, and choose to "Report/Mark as spam" or "Remove Post".

You can also use a linkscanner to verify the integrity of a link on either http://www.urlvoid.com or https://www.virustotal.com/

To get some information on a bit.ly (or other URL shortener service) link, you can use any of the following websites:
- http://www.getlinkinfo.com/
- http://longurl.org/
- http://www.longurlplease.com/ (includes Firefox extension)

To report a malicious bit.ly link use:

For any other question, do not hesitate to post a comment !

Friday, September 2, 2011

Increase in malicious spam

Rodel Mendrez from M86 Security labs has made an excellent post on a Massive Rise in Malicious Spam:

As he notes in his conclusion, "It seems spammers have returned from a holiday break and are enthusiastically back to work."

So I decided to check out if I had received some spam as well. Jackpot ;-) !

UPS notification

Re: End of July Statement Required

Your credit card has been blocked

ACH Transfer Review

Most of the files display a Word or PDF icon to trick the user into opening the file:

Some examples of attachments, with their respective VirusTotal results:

MD5: cf0397bb622e4ed9dfdeb07fcbfa9687
VirusTotal Report

MD5: 0b7eba77dd4bcea3c670c4a664e98778
VirusTotal Report

MD5: 17f9148b130a94ab1f50030ebbf2415a
VirusTotal Report

MD5: e18d8cb2a4264a3c559d7967b3c6ab99
VirusTotal Report

When opening either of these files, you can end up with a rogue. One example rogueware I got was "System Repair":

System Repair rogueware

The dropped file that is launching the rogueware:

MD5: 27077c2058983bb76bd09cdad69f7bde
Result: 36/44 (81.8%)
Anubis Report


The conclusion is pretty simple: do not open any attachments from unknown senders.
If you happen to be infected with System Repair, you can for example use the guide on Bleepingcomputer:

Sunday, June 19, 2011

New Facebook scam

There's a new Facebook scam actively spreading.

Titles such as "Monstrously Erotic blonde", "This chick is awesomely crazy" and "Shows her boobs on national TV!" may appeal to the imagination.

Here are some examples:
Example #1

Example #2

Example #3

However, if you click on the link, it will not take you to a Blogger page but instead will redirect you right away to a page where you can see the "video":

You need to click "Jaa" twice to confirm you're over 18

It looks like a legit Facebook page and a Youtube video, but in fact it is all fake. If you click on "Jaa" (which appears to be Finnish for "Share"), you'll see the following page:

Ultimately you need to fill in a survey to see the video

Haven't we seen this type of scam before on Facebook ?
It is similar to the "See who stalks you on Facebook" application that was pretty viral some months ago.
I also made a blog post back then:

You need to fill in a survey to see the video. Of course you might be attracted by the chance of winning an iPhone, but it is all fake.

The purpose of these scams is to get you to send expensive text messages to 'unlock' the video. Don't be fooled, you'll only lose money by sending text messages !
Additionally, it will also make the same post on your wall (subject & link may vary), so your friends are targeted as well.


Pretty straightforward: do not click on any of these links, however tempting they might be ! Ask your friend if he or she knows what it means, and hover over the post until the 'X' becomes visible. You can then mark the post as spam, and it will be removed from your friend's wall.

It might also help to install the WOT extension into your browser. (Compatible with most modern browsers)
WOT is a community-based tool and is therefore very useful for these kinds of scams, since other users can warn you about a link's validity.
More information and to download WOT: http://www.mywot.com/


Although it's been a while since I encountered these types of scams, keep in mind that they may pop up on your wall one day.

If so, follow the prevention tips mentioned above and all should be fine.

Tuesday, April 26, 2011

Technoviking ? I am not amused

So yesterday I was looking on Google Images for the 'Technoviking'. I'm sure most of you know the guy/meme but just to be sure:


In case you're wondering, I do not remember why he flashed in my mind all of a sudden, but I was listening to some music on Youtube and I suppose there was a Suggested Video ;-)

Either way, some of the Google Images were in fact redirecting to a scareware page, urging you to download a file to "clean" your computer. Some of the images that were infected:

Some infected Google Image results

If you click on any of them, you would get the following message:

"Windows Security" will perform a fast scan of system files

... and when clicking on "OK" you'll get the well-known fake scanning page:

Fake Scanning page finding numerous infections

The following file was downloaded:

Result: 18/41 (43.9%)
MD5: e705b657f5830eb2a43eee3a32f549c3
VirusTotal Report
ThreatExpert Report
Anubis Report

Today I checked again and the scareware/rogueware campaign is still active. I was now presented with another file that has a very low detection rate on VirusTotal:

Result: 2/41 (4.9%)
MD5: 56ce5479183913f2082bf0fd790dbaea
VirusTotal Report

The payload is a rogueware called 'MS Removal Tool'.

When executing the dropped file (BestAntivirus2011.exe) :

MS Removal Tool fake scanning screen

It is interesting to note that you would only get redirected when using Internet Explorer or Google Chrome. On neither Firefox 3.6 nor Firefox 4.0 would the redirect take place.


- Be careful when visiting any webpage. A useful trick is to check the real URL behind the image. Most of the time you can verify this by checking in the left corner of your browser:

Clicked on a picture and started loading this website instead of the original one

- Use browser extensions to verify the integrity of an image or URL. Useful add-ons for Google Chrome are for example VTchromizer, NotScripts and WOT.

- Keep your Antivirus and browser, as well as your browser add-ons up-to-date.

- If it is too late and a 'scan' is already starting, immediately close your browser by bringing up Task Manager (CTRL + ALT + DEL) and killing your browser's process:
  • a) For Google Chrome: chrome.exe or chrome.exe *32
  • b) For Mozilla Firefox: firefox.exe or firefox.exe *32
  • c) For Microsoft's Internet Explorer: iexplore or iexplore.exe *32


If the harm is already done and you are getting warnings, messages or pop-ups stating you are infected and you need to take 'immediate action' to clean your computer, follow BleepingComputer's guide below to rid yourself of this malware:

Remove MS Removal Tool


Don't be fooled by Google's preview of images: you can still get infected even though the site appears to be safe.

Follow the above prevention tips to decrease the chance of your computer becoming infected.

Wednesday, April 13, 2011

Facebook Support. Personal data has been changed!

There appears to be a new malicious email being sent out with the subject: "Facebook Support. Personal data has been changed! ID75300"

In a previous post I already explained a similar campaign:
Your FaceBook password has been changed

First of all, you would receive an email similar to this one:

Email claiming your personal data has been changed.

The email content is the following:

Dear user of FaceBook.

Your password is not safe! To secure your account the password has been changed automatically.

Attached document contains a new password to your account and detailed information about new security measures.

Thank you for your attention,
Administration of Facebook.

According to the email, your Facebook password appears to be unsafe and you need to check the attached document to view your new login information. There is a file attached called "New_Password_NU44133.zip"

Inside the ZIP file you will find a file called New_Password.exe:

The file New_Password.exe is not a Microsoft Word document, as you may suspect from the icon, but a malicious executable:

Result: 19/42 (45.2%)
MD5: 99a7cc6e674b94fbecef52f520c03dc3

The file also drops the following executable on the system:

Result: 39/42 (92.9%)
MD5: 4531d9d75dab83c957122538b6fc92ba

The executable also tries to connect (called "phoning home") to download additional malware. However, at time of writing the URLs were offline.
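The icon trick described here, and in the spam attachments from the September post, can be caught before anything is opened. The following is an added example, not code from the original post: it lists the members of a ZIP attachment in memory and flags those that are executables by extension or by their `MZ` header, without extracting or running anything. Apart from `New_Password.exe`, the member names and the sample archive are constructed.

```python
import io
import zipfile

EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd"}
DOCUMENT_EXTS = {"doc", "docx", "pdf", "xls", "rtf", "txt"}

def inspect_zip(zip_bytes):
    """Return [(member, reason)] for members that are really executables."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            base = info.filename.rsplit("/", 1)[-1]
            parts = base.lower().rstrip(". ").split(".")
            ext = parts[-1] if len(parts) > 1 else ""
            magic = b""
            if not info.flag_bits & 0x1:  # skip content of encrypted members
                with zf.open(info) as member:
                    magic = member.read(2)  # only the first two bytes are read
            if ext in EXECUTABLE_EXTS:
                reason = "executable extension"
                if len(parts) > 2 and parts[-2] in DOCUMENT_EXTS:
                    reason = "document name with executable extension"
                findings.append((info.filename, reason))
            elif magic == b"MZ":  # DOS/PE header hidden behind another name
                findings.append((info.filename, "MZ header under a non-executable name"))
    return findings

def build_sample_zip():
    """Constructed archive: harmless stub bytes, no real malware."""
    stub = b"MZ" + b"\x00" * 62
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("New_Password.exe", stub)   # name taken from the post
        zf.writestr("statement.pdf.exe", stub)  # constructed double extension
        zf.writestr("report.doc", stub)         # constructed renamed executable
        zf.writestr("readme.txt", b"plain text")
    return buf.getvalue()

if __name__ == "__main__":
    for name, reason in inspect_zip(build_sample_zip()):
        print(f"{name}: {reason}")
```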


If you receive emails like this, you should already be on the alert:
"Why would Facebook send me an email that my password has been changed ?"

The answer is simple: they don't. Whether you have Facebook or not, instantly delete the email and don't look back.