CyberInsecure.com

Daily cyber threats and internet security news: network security, online safety and latest security alerts
August 20th, 2008

Facebook Attacked By Viral Social Networking Spam From China

Websense Security Labs published research on a recent Facebook phishing email picked up by their “Honeyjax” system. Websense has been tracking various Facebook attacks for years, although attacks on Facebook and MySpace in the last few weeks are nothing new. There have been continual, targeted Facebook attacks for some time now.

The attack starts with an enticing spam email, letting you know that something has been written about you, and that you’d probably want to read more about it. An average user would probably want to know what was written about them, especially because it’s on a public blog service such as Blogspot. Most users have an enormous amount of trust in their fellow Facebook friends. So, the chances of a user clicking on one of these emails are tremendously high.

The attackers in this case were able to legitimately have Facebook send a spam email by compromising an account that the test user was “friends” with, and writing a comment on the test user’s wall. Writing on the wall triggered an automatic email to the test user’s email account with the message that was written on the wall. So, in this case Facebook wall writing is being used as a mechanism to send spam.

Like most malicious Web pages these days, the source code of the Blogspot Web page is obfuscated. De-obfuscating it shows that it uses JavaScript to change the URL location and automatically redirect the user to the phishing site.
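The de-obfuscation step described above can be done statically, without running the page. The following is an added example, not Websense's tooling or code from the original article; the encoding layers it peels, the function names and the sample page are assumptions constructed for illustration.

```javascript
// Added example, not from the article: static triage of a page for a
// JavaScript redirect hidden behind encoding layers. Nothing is executed.
// Assumed layers (the article names none): unescape("%xx"),
// String.fromCharCode(...), "a" + "b", and eval/document.write of a literal.
const MAX_LAYERS = 10; // bound the work on hostile input

const parseLit = (s) => { try { return JSON.parse(s); } catch (e) { return null; } };
const pct = (s) => s.replace(/%([0-9a-fA-F]{2})/g,
  (_, h) => String.fromCharCode(parseInt(h, 16)));

// Rewrite one layer of decoder calls into the literals they would produce.
function peelLayer(src) {
  return src
    .replace(/unescape\(\s*(['"])([^'"\\]*)\1\s*\)/g,
      (_, q, body) => JSON.stringify(pct(body)))
    .replace(/String\.fromCharCode\(\s*(\d+(?:\s*,\s*\d+)*)\s*\)/g,
      (_, nums) => JSON.stringify(String.fromCharCode(...nums.split(',').map(Number))))
    .replace(/("(?:[^"\\]|\\.)*")\s*\+\s*("(?:[^"\\]|\\.)*")/g,
      (m, a, b) => {
        const x = parseLit(a), y = parseLit(b);
        return x === null || y === null ? m : JSON.stringify(x + y);
      })
    .replace(/(?:eval|document\.write)\(\s*("(?:[^"\\]|\\.)*")\s*\)/g,
      (m, lit) => { const s = parseLit(lit); return s === null ? m : s; });
}

// location = "...", location.href = "...", location.replace/assign("...")
const REDIRECT = /\blocation(?:\.href)?\s*=\s*(["'])([^"'\n]+)\1|\blocation\.(?:replace|assign)\(\s*(["'])([^"'\n]+)\3\s*\)/g;

// Peel layers until nothing changes, then list the redirect targets found.
function findRedirects(page) {
  let src = page, layers = 0;
  for (; layers < MAX_LAYERS; layers++) {
    const next = peelLayer(src);
    if (next === src) break;
    src = next;
  }
  const targets = [...src.matchAll(REDIRECT)].map((m) => m[2] || m[4]);
  return { layers, targets: [...new Set(targets)] };
}

// Constructed sample page; the domain is a reserved placeholder.
const SAMPLE = String.raw`<script>eval(unescape("%6c%6f%63%61%74%69%6f%6e%2e%68%72%65%66%3d")+String.fromCharCode(34,104,116,116,112,58,47,47)+"login.example.invalid/\"")</script>`;

console.log(findRedirects(SAMPLE));
```

A page that yields a redirect target only after one or more layers are peeled is a stronger signal than a plain redirect, since the destination was deliberately hidden from a casual read of the source.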

Interestingly enough, this particular attack has been going on for over six months. The phishing URL above was registered in July 2008, but several domains have been used in this ongoing attack. Its nameserver is responsible for a load of other phishing domains, including numerous MySpace phishing pages:

A record:

IP 202.111.175.39

Route 202.111.160.0/19 CNC Group CHINA169 Jilin Province Network

NS record:

ns2.xinnet.cn, ns2.xinnetdns.com

IP 123.100.7.203, 202.10.71.53, 123.100.7.207, 202.10.71.57

Route 123.100.0.0/21, 202.10.64.0/21 Temporary Obj for CNC-H

The attack is spreading by viral social networking. Users are clicking on these links manually, either when they receive them in email or read them on their walls. They click on the link, get redirected to a phishing page, and manually input their credentials. Attackers are then using their credentials to post manually and perhaps automatically to their wall, as well as their friends’ walls, allowing them to spread within the walls of the social networking world.

As social networking sites become the place where the majority of Web users are spending the majority of their Internet time, we’re going to see more and more MySpace, Facebook, and other social networking attacks, says Websense. Web 2.0 Web sites open up a huge attack vector to exploit transitive trust. Attackers know it, and are actively taking advantage of it.
