FortiGuard Advisory (FGA-2008-08)
Spam 2.0 Moves to Facebook

Like most social networking sites, Facebook has a "Wall" feature, allowing users to post comments on friends' profiles. This is currently being exploited by spammers to post deceptive messages linking to typical spam sites such as (but perhaps not limited to) online "pharmacy" shops.

Figure 1: Spam 2.0 Paradigm

Figure 1 above shows a typical Spam 2.0 message posted on a Facebook profile. The user who posted it was verified not to be a spammer; rather, her account was hijacked by identity thieves who likely later sold (or rented) it to spammers. The means used by the identity thieves to hijack this victim's account are not known; however, in such cases the phishing hypothesis prevails: a phishing worm was spotted spreading on Facebook earlier in the year [1], and both incidents may be related. Please note that although this has rarely been seen on Facebook so far, it is fairly common on MySpace. Further details about the whole process and the economics behind it were given at the VB2007 Conference [2], and are summarized here.

One of the spamvertised links has been confirmed to resolve to a web host that also serves content for several pill-pushing sites involved in a criminal fraud ring. Included in this ring is Canadian Pharmacy - an analysis of which can be seen here. (More details on this criminal ring will be published shortly in a second analysis.)

The Fortinet Global Security Research Team advises social networking site users to be wary of phishing attempts: when confronted with a login page, or upon clicking a link contained in a friend's message, carefully check the login page URL. Legitimate login pages are hosted on the original social site's domain (here, Facebook.com), while rogue login pages cannot be. Also, look-alike domain tricks may be used to trap users (e.g., Facebook.com.dsfsafdf.cn, where the real domain is only a subdomain of a foreign one; Facebook-login.com, where extra words are appended; Facebopk.com, a typo-squat), as is frequently the case in phishing schemes.
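The URL check recommended above can be automated. The following Python code is an added example, not code from the advisory or from Fortinet: it extracts the host from a login URL, accepts only the expected domain or its subdomains, and otherwise labels the three look-alike tricks the advisory names (the real domain embedded in a foreign host, the brand name combined with extra words, and a typo-squat), plus the related trick of placing the brand domain in the URL's user-info part. The `expected_domain` parameter and the "last two labels form the registrable domain" rule are simplifying assumptions; a production filter would consult the public suffix list.

```python
"""Added example: classify a login URL as legitimate or as one of the
look-alike tricks described in the advisory. Not part of the original text."""
from urllib.parse import urlsplit


def host_of(url):
    """Return the lowercase host portion of a URL ('' if none)."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = parts.hostname or ""          # hostname is already lowercased
    return host.rstrip(".")


def is_same_site(url, expected_domain="facebook.com"):
    """True only if the host IS the expected domain or a subdomain of it."""
    host = host_of(url)
    return host == expected_domain or host.endswith("." + expected_domain)


def edit_distance(a, b):
    """Levenshtein distance, used to spot typo-squats such as facebopk."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def classify_login_url(url, expected_domain="facebook.com"):
    """Return 'legitimate', 'unrelated', or a 'suspicious: ...' label."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = host_of(url)
    if is_same_site(url, expected_domain):
        return "legitimate"
    # Trick: http://facebook.com@evil.example/ -- the brand sits before '@'
    # and is only user-info; the browser connects to evil.example.
    if parts.username and expected_domain in parts.username.lower():
        return "suspicious: expected domain placed in userinfo"
    # Trick: facebook.com.dsfsafdf.cn -- real domain is merely a subdomain.
    if expected_domain in host:
        return "suspicious: expected domain embedded in foreign host"
    # Assumption: registrable domain = last two labels (no public suffix list).
    labels = host.split(".")
    registrable_label = labels[-2] if len(labels) >= 2 else host
    brand = expected_domain.split(".")[0]        # "facebook"
    # Trick: facebook-login.com -- brand name plus extra words.
    if brand in registrable_label and registrable_label != brand:
        return "suspicious: expected name combined with extra words"
    # Trick: facebopk.com -- within a couple of edits of the brand name.
    if edit_distance(registrable_label, brand) <= 2:
        return "suspicious: typo-squat"
    return "unrelated"


if __name__ == "__main__":
    # Constructed sample URLs based on the patterns cited in the advisory.
    for u in ["https://www.facebook.com/login.php",
              "http://Facebook.com.dsfsafdf.cn/login",
              "http://Facebook-login.com/",
              "http://Facebopk.com/",
              "http://facebook.com@evil.example/",
              "http://example.org/"]:
        print(f"{u:45} -> {classify_login_url(u)}")
```

The first check is the only one that can say "legitimate": a host is accepted solely when it equals the expected domain or ends with "." followed by it, so every other variant falls through to a suspicious label or "unrelated". A blocklist of known phishing sites, as the advisory recommends, complements this structural check rather than replacing it.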
For these reasons, deploying security gear that integrates real-time blackhole lists of known phishing sites is pertinent. Beyond that, wall posts containing links must be handled with care. While hijacked accounts have not been proved to be used for anything beyond posting relatively innocuous Spam 2.0, it is not a stretch to think that links to drive-by-install malicious sites could be injected at some point. Following links contained in wall posts is therefore not recommended.

Facebook has been notified, and is looking into this issue.

Update (04/17/2008): More spam has been spotted on Facebook advertising penis-enlargement pills. The site is a typical pharmaceutical online scam, and also serves VPXL content involved with the Canadian Pharmacy Group. This site contains material, including full frontal male nudity, which may be inappropriate for younger audiences (such audiences are not uncommon on Facebook). It confirms the trend noted above, further highlighting the fact that social networking phishers rent their compromised accounts to a broad range of spammers. Figure 2 below shows the aforementioned spam post:

Figure 2: Spam linking to material containing nude images

Acknowledgment:
[1] http://www.wired.com/politics/security/news/2008/01/facebook_phish

[2] Menace 2 the Wires: Advances in the Business Models of Cybercriminals, Guillaume Lovet, VB2007, Vienna

Disclaimer: Although Fortinet has attempted to provide accurate information in these materials, Fortinet assumes no legal responsibility for the accuracy or completeness of the information. More specific information is available on request from Fortinet. Please note that Fortinet's product information does not constitute or contain any guarantee, warranty or legally binding representation, unless expressly identified as such in a duly signed writing.

About Fortinet ( www.fortinet.com ): Fortinet is the pioneer and leading provider of ASIC-accelerated unified threat management, or UTM, security systems, which are used by enterprises and service providers to increase their security while reducing total operating costs. Fortinet solutions were built from the ground up to integrate multiple levels of security protection (including firewall, antivirus, intrusion prevention, VPN, spyware prevention and anti-spam) designed to help customers protect against network and content level threats. Leveraging a custom ASIC and unified interface, Fortinet solutions offer advanced security functionality that scales from remote office to chassis-based solutions with integrated management and reporting. Fortinet solutions have won multiple awards around the world and are the only security products that are certified in six programs by ICSA Labs (Firewall, Antivirus, IPSec, SSL, Network IPS, and Anti-Spyware). Fortinet is privately held and based in Sunnyvale, California.