Posts Tagged ‘scam’

Facebook scams are multiplying. Almost every day we see new scams and spam popping up on Facebook, using social engineering techniques on the ubiquitous social network to trick users into clicking malicious links. The latest messages spreading rapidly across Facebook trick users into clicking on links claiming to show an amazing video of a big baby being born, reports Sophos Labs.

The messages spread with the assistance of a clickjacking scam (sometimes known as likejacking): the scam page loads Facebook’s “Like” button in an invisible frame placed over something the visitor wants to click, so users do not realise that they are pressing “Like” and passing the message on to their online friends.

A typical message looks as follows:

Baby Born Amazing Effect

Baby Born Amazing Effect – WebCamera

[LINK]

Big Baby Born !

“The links we have seen so far all point to pages hosted on blogspot.com, and appear to contain a video player that you are urged to click on. The pages are headlined: ‘Baby Born Video – Amazing Effects’,” explains Graham Cluley, senior technology consultant at Sophos.

[Screenshot: Baby Born Amazing Effect page]

See the message at the bottom of the page? It reads:

If Play Button don’t work please click on the Like button and Confirm, then you can watch the Video.

It’s at this point that the clickjacking scam plays its part. When you click what looks like the video’s play button, you are actually clicking a hidden “Like” button, secretly and unwittingly telling Facebook that you “Like” the link and sharing it with your friends. In this way the link spreads virally.

It’s a shame that Facebook’s own security measures don’t warn about this clickjacking attack.
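To make the mechanism concrete, here is an added example in JavaScript; it is not code from Sophos or from the scam pages themselves, and the URLs, origins and image name in it are placeholders. The first function builds the kind of decoy page a likejacking scam uses: a fully transparent iframe containing the real button is stacked over a fake play button, so the click the visitor aims at the video lands in the frame. The second function is what a site owner can do about framing in general: it reads a page’s response headers and decides whether a given origin may frame it, honouring a Content-Security-Policy frame-ancestors directive ahead of X-Frame-Options, as browsers do. The caveat worth knowing is that Facebook’s Like button is designed to be embedded in third-party sites, so these headers cannot be applied to it; on that side the only defence is a confirmation step, which is exactly what the scam page coaches the visitor through (“click on the Like button and Confirm”).

```javascript
// Added example: not code from the Sophos write-up or from the scam pages.
// All URLs, origins and image names below are placeholders.

// 1. How a likejacking decoy page is put together. The iframe holding the
//    real button has opacity:0 and a higher z-index than the decoy, so the
//    visitor's click goes to the frame, not to the fake play button.
function buildLikejackPage(framedUrl, decoyImage) {
  return [
    '<!doctype html><html><body style="margin:0">',
    // What the visitor sees: a still from the "video" and a red play button.
    `<img src="${decoyImage}" style="position:absolute;left:0;top:0;width:640px;height:360px">`,
    '<div style="position:absolute;left:290px;top:150px;width:60px;height:60px;',
    '            border-radius:30px;background:#c00"></div>',
    // What the visitor actually clicks: an invisible frame whose button is
    // lined up directly under the fake play button.
    `<iframe src="${framedUrl}" scrolling="no"`,
    '        style="position:absolute;left:270px;top:140px;width:100px;height:80px;',
    '               opacity:0;z-index:10;border:0"></iframe>',
    '</body></html>',
  ].join('\n');
}

// 2. Match one CSP frame-ancestors source expression against the framing
//    origin. Supports 'none', 'self', '*', scheme sources (https:) and host
//    sources with an optional scheme and leading wildcard label
//    (https://*.example.test). Ports and paths are deliberately not handled.
function matchesSource(src, pageOrigin, framerOrigin) {
  if (src === 'none') return false;
  if (src === 'self') return framerOrigin === pageOrigin;
  if (src === '*') return true;
  const framer = new URL(framerOrigin);
  if (src === 'https:' || src === 'http:') return framer.protocol === src;
  const m = /^(?:(https?):\/\/)?(\*\.)?([a-z0-9.-]+)$/.exec(src);
  if (!m) return false;
  const [, scheme, wildcard, host] = m;
  if (scheme && framer.protocol !== `${scheme}:`) return false;
  return wildcard ? framer.hostname.endsWith(`.${host}`) : framer.hostname === host;
}

// Decide whether a page at `pageOrigin`, served with `headers`, may be framed
// by a document at `framerOrigin`. Header names are matched case-insensitively.
// When a CSP frame-ancestors directive is present the browser ignores
// X-Frame-Options, so it is checked first. With neither header the page is
// frameable by anyone, which is the state likejacking relies on.
function framingAllowed(headers, pageOrigin, framerOrigin) {
  const h = {};
  for (const [name, value] of Object.entries(headers)) h[name.toLowerCase()] = value;

  const csp = h['content-security-policy'];
  if (csp) {
    const directive = csp.split(';').map(d => d.trim())
      .find(d => /^frame-ancestors(\s|$)/i.test(d));
    if (directive) {
      const sources = directive.split(/\s+/).slice(1)
        .map(s => s.replace(/^'|'$/g, '').toLowerCase());
      return sources.some(s => matchesSource(s, pageOrigin, framerOrigin));
    }
  }

  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return framerOrigin === pageOrigin;
  return true; // absent or unrecognised value: browsers fall back to allowing framing
}

// Stand-alone run: an unprotected page can be framed by anyone, a page that
// sends DENY cannot, and the decoy page carries the transparent frame.
const page = 'https://example.test';
console.log(framingAllowed({}, page, 'https://attacker.test'));                            // true
console.log(framingAllowed({ 'X-Frame-Options': 'DENY' }, page, 'https://attacker.test')); // false
console.log(buildLikejackPage(`${page}/widget`, 'baby.png').includes('opacity:0'));        // true
```

Run it with `node likejack.js`. For a site you control, the useful part is `framingAllowed`: feed it the headers your server actually returns (from a `curl -I` of the page) and confirm that no origin other than your own can frame any page that carries a state-changing button.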

If you were running anti-clickjacking protection, such as the NoScript add-on for Firefox, then you would see a warning message about the attempted clickjacking:

[Screenshot: NoScript warning on the Baby Born Amazing Effect page]

Unfortunately, thousands of Facebook users appear to have fallen for the scam – and are helping the links spread rapidly across the social network.

Sophos suggests the following steps to clean-up your Facebook page.

Find the offending message on your Facebook page, and select “Remove post and unlike”.

[Screenshot: “Remove post and unlike” on the Baby Born Amazing Effect post]

Unfortunately that doesn’t completely remove the interloping link. You also need to go into your profile, choose Activities and Interests and remove any pages that you don’t want to “Like”.

[Screenshot: removing the Baby Born Amazing Effect page from Activities and Interests]

Users need to be careful before “liking” any page on Facebook, as this is a trap that’s a little complex for a non-technical user to get out of. Facebook recently added new features to combat clickjacking techniques, but evidently they are not much of a deterrent for spammers and scammers.

The FBI’s Internet Crime Complaint Center (IC3) is warning the public to be wary of romance scams, in which scammers target individuals who search for companionship or romance online. Someone you know may be “dating” someone online who appears to be decent and honest. However, be forewarned: the online contact could be a criminal sitting in a cyber café with a well-rehearsed script that scammers have used repeatedly and successfully. Scammers search chat rooms, dating sites, and social networking sites looking for victims. The principal group of victims is over 40 years old and divorced, widowed, elderly, or disabled, but all demographics are at risk.

Scammers use poetry, flowers, and other gifts to reel in victims, the entire time declaring their “undying love.” These criminals also use stories of severe life circumstances, tragedies, deaths in the family, injuries to themselves, or other hardships to keep their victims concerned and involved in their schemes. Scammers also ask victims to send money to help overcome a financial situation they claim to be experiencing. These are all lies intended to take money from unsuspecting victims.

In another scheme, scammers ask victims to receive funds in the form of a cashier’s check, money order, or wire transfer, claiming they are out of the country and unable to cash the instruments or receive the funds directly. The scammers ask victims to redirect the funds to them or to an associate to whom they purportedly owe money. In a similar scheme, scammers ask victims to reship packages instead of redirecting funds. In these examples, victims risk losing money and may incur other expenses, such as bank fees and penalties, and in some instances face prosecution.

Victims who have agreed to meet in person with an online love interest have been reported missing, or injured, or in one instance, deceased. IC3 complainants most often report the countries of Nigeria, Ghana, England, and Canada as the location of the scammers. If you are planning to meet someone in person that you have met online, the IC3 recommends using caution, especially if you plan to travel to a foreign country, and, at the very least:

  • Do not travel alone.
  • Read all travel advisories associated with the countries you will visit. Travel advisories are available at http://travel.state.gov/.

Even though it seems to be contrary to the thought of starting a new romance, do not be afraid to check a new acquaintance’s story online. Remember, like most fraudulent schemes, scammers use whatever personal information you provide to quickly paint themselves as your perfect match. If your new friend’s story is repeated through numerous complaints and articles on the Internet, it is time to apply common sense over your feelings. To obtain more information on romance scams and other types of online schemes, visit http://www.LooksTooGoodToBeTrue.com.

There are few non-sporting events that draw as much attention from all over the world as the wedding of an heir to the British monarchy. When Prince Charles married Diana, television told the story. For the marriage of Prince William and Kate Middleton, the Internet will not only broadcast the images, it will also allow us to engage in a global conversation in real time.

Until the ceremony takes place on April 29, and for a few days after, you’ll probably see the word “wedding” more often than an avid reader of Jane Austen does. Most of the headlines and links featuring “the wedding” will lead to legitimate sites, but some will invariably lead to a variety of scams and malware. The same happens when celebrities die or disaster strikes, and you can expect it again when Catherine says “I do” to William.

If you’re actively avoiding the wedding, you’ll avoid most of the risks. But for you royal watchers out there, here are a few tips for avoiding digital wedding crashers from F-Secure:

1. Follow the official site, Twitter, Facebook, Flickr and YouTube pages.

These official sources are going to be your safest sources of information. Of course, other users can post links in the comments, so avoid links posted by users unless you trust the domain being linked.

2. Search for Royal Wedding news using Google and Bing’s news filters.
Google has recently changed its algorithm to deliver safer, higher-quality results. However, during breaking news rogue sites use the dark arts of search engine optimization (SEO poisoning) to climb the search results. This is far less of a problem in Google News and Bing News, because the sources listed there have been vetted and verified. Click on the news filter, if it is available in your area, and click through with much less worry.

3. Make sure your PC is patched and protected.
Every month, at least, Microsoft, Apple, Adobe and the world’s biggest software makers release updates to their products that plug security holes. These updates are often crucial for your online safety.

A new spam campaign, similar to campaigns we have seen in the past, is spreading on Facebook. This one, however, has some interesting twists to it.

A Websense blog has reported that the core of the campaign involves a Facebook app that claims to know who your “Top 10 stalkers” are.

It works by creating an album, “My Top 10 stalkers”, with the description “Check who views your profile @” followed by a bit.ly shortened link. It then automatically uploads a photo to the album and tries to tag all the user’s friends in it, which puts the link in front of every tagged friend.

The bit.ly link redirects the user to a page whose JavaScript calls a geolocation service to map the visitor’s IP address to a country. Depending on the location, the page then redirects users in specific targeted countries to the Facebook app in an attempt to spread the link further. The campaign is targeted at Facebook users in the United States, Canada, the United Kingdom (including a specific target for Great Britain), Saudi Arabia, Norway, Germany, Spain, Slovenia, Ireland, and the United Arab Emirates.

The first rogue app was deleted by the Facebook security team, and the attackers have already switched to a new one. Both apps use exactly the same mechanism to post spam messages to Facebook profiles. Whether or not the JavaScript sends the browser through the Facebook app based on its location, all users are ultimately redirected to a scam page that tries to lure them into completing several fake surveys. The attackers use this method to collect personal information such as the user’s home address, e-mail address, or phone number.

If the user tries to navigate away from the page or close the browser, a message appears asking them to stay and complete a “SPAM-free market research survey to gain access to this special content.” Special it may sound, but it is definitely not spam-free!

As always, if a page forces you to Like, Share, or install an application in order to view it, DON’T DO IT! Chances are, it’s spam.

Symantec has reported a new phishing scam that is taking advantage of the new tax year beginning for people in the UK on April 6, 2011.

The message in question was being sent in the name of the HMRC, Her Majesty’s Revenue and Customs, in an attempt to lure users into divulging bank account information with the lure of unclaimed tax overpayment money.

Symantec Security Researcher, Dylan Morss explains, “The path of the message had an international flavor, beginning at what looks like a computer at a hotel business center based in the US, then going through servers in New Zealand, then back to the US through the mail servers of a large free email service, and then presumably into the inbox of a user based in the UK.”

The URLs in the message also contributed to this internationalized scam by using a domain registered under Serbia’s .rs country-code TLD, which redirected users when they unsuspectingly clicked on the HMRC link.

Example: somehijackedwebsite.in.rs/admin/files/hmrc/hmrc/xxxx.htm
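The path Morss describes can be read straight off the message’s Received: headers, and the Serbian hosting shows up in the href behind the HMRC-looking link. The following is an added example, not code from Symantec’s post, of how an analyst might pull both out of a raw message: it reconstructs the hop sequence from the Received: headers and flags any anchor whose visible text names one host while its href points somewhere else. The sample message is constructed for the example; its host names and IP addresses are invented (documentation ranges), and only the URL path is the one quoted above. One caveat: each mail server prepends its own Received: header, so only the hops added by your own (or your provider’s) infrastructure can be trusted; anything below those the sender may have forged.

```javascript
// Added example, not code from Symantec's write-up. The sample message is
// constructed for illustration: host names and addresses are invented, only
// the final URL path mirrors the one quoted in the post. The From: line is
// the spoofed sender the scam uses, not a real mailbox.
const SAMPLE_EMAIL = [
  'Received: from mx.freemail.example (mx.freemail.example [203.0.113.7])',
  '\tby inbox.isp-uk.example with ESMTP id A1B2; Wed, 6 Apr 2011 09:12:00 +0100',
  'Received: from relay.hosting-nz.example (relay.hosting-nz.example [198.51.100.22])',
  '\tby mx.freemail.example with SMTP; Wed, 6 Apr 2011 04:10:00 -0400',
  'Received: from hotel-bizcenter.example ([192.0.2.55])',
  '\tby relay.hosting-nz.example with SMTP; Wed, 6 Apr 2011 20:08:00 +1200',
  'From: "HM Revenue & Customs" <noreply@hmrc.gov.uk>',
  'Subject: Tax Refund Notification',
  'Content-Type: text/html',
  '',
  '<p>After the last annual calculation of your fiscal activity we have',
  'determined that you are eligible to receive a tax refund.</p>',
  '<p><a href="http://somehijackedwebsite.in.rs/admin/files/hmrc/hmrc/xxxx.htm">',
  'http://www.hmrc.gov.uk/</a></p>',
].join('\r\n');

// Split a raw RFC 5322 message into headers and body, folding continuation
// lines (those starting with whitespace) back onto the preceding header.
function parseMessage(raw) {
  const [head, ...bodyParts] = raw.split(/\r?\n\r?\n/);
  const headers = [];
  for (const line of head.split(/\r?\n/)) {
    if (/^[ \t]/.test(line) && headers.length) {
      headers[headers.length - 1].value += ' ' + line.trim();
    } else {
      const idx = line.indexOf(':');
      headers.push({ name: line.slice(0, idx).toLowerCase(), value: line.slice(idx + 1).trim() });
    }
  }
  return { headers, body: bodyParts.join('\n\n') };
}

// Each MTA prepends its own Received: header, so the topmost one is the last
// hop and the bottom one is closest to the sender. Reverse them to get the
// order the message actually travelled. Timestamps are best-effort.
function deliveryPath(headers) {
  return headers.filter(h => h.name === 'received').map(h => h.value).reverse().map(v => {
    const from = /^from\s+(\S+)/i.exec(v);
    const by = /\sby\s+(\S+)/i.exec(v);
    const ip = /\[(\d{1,3}(?:\.\d{1,3}){3})\]/.exec(v);
    const date = new Date(v.slice(v.lastIndexOf(';') + 1).trim());
    return {
      from: from ? from[1] : null,
      ip: ip ? ip[1] : null,
      by: by ? by[1] : null,
      when: isNaN(date) ? null : date.toISOString(),
    };
  });
}

// Pull every anchor out of an HTML body. A link is marked deceptive when its
// visible text contains a host name that differs from the href's host. The
// comparison is on full host names, so a legitimate www/apex difference would
// also be flagged; that is acceptable for triage.
function extractLinks(body) {
  const links = [];
  const re = /<a\s[^>]*href="([^"]+)"[^>]*>([\s\S]*?)<\/a>/gi;
  let m;
  while ((m = re.exec(body)) !== null) {
    const href = m[1];
    const text = m[2].replace(/<[^>]+>/g, '').trim();
    const hrefHost = new URL(href).hostname;
    const shown = /(?:https?:\/\/)?((?:[a-z0-9-]+\.)+[a-z]{2,})/i.exec(text);
    const textHost = shown ? shown[1].toLowerCase() : null;
    links.push({
      href, hrefHost, text, textHost,
      tld: hrefHost.split('.').pop(),            // country-code TLD is a quick origin hint
      deceptive: textHost !== null && textHost !== hrefHost,
    });
  }
  return links;
}

function analyseEmail(raw) {
  const { headers, body } = parseMessage(raw);
  const from = headers.find(h => h.name === 'from');
  return { claimedSender: from ? from.value : null, path: deliveryPath(headers), links: extractLinks(body) };
}

// Stand-alone run against the constructed sample.
console.log(JSON.stringify(analyseEmail(SAMPLE_EMAIL), null, 2));
```

Run with `node mailpath.js`; in practice you would read the raw message from a file (`fs.readFileSync`) in place of the constructed constant. The first hop in the output is the one to treat with most suspicion, both because it is the origin and because it is the one most easily forged.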

“When clicking on the link, a user is given a new page and provided a list of several banks to select from. This presumably would be the bank that their accounts are registered with so that the HMRC can deposit money quickly,” Morss said.

Here is a sample of the original email asking HMRC users to click through to the hidden phishing link to update their information. This information will then be used by the phishers to extract money from bank accounts and participate in identity theft.

It is important to note that according to the HMRC website, users would never be contacted through email regarding a rebate.

“As a matter of policy, HMRC will only ever contact customers who are due a tax refund in writing by post. If anyone receives an email offering a tax rebate claiming to be from HMRC, we recommend they send it to phishing@hmrc.gsi.gov.uk before deleting it permanently.”

The HMRC also provides online security advice on its web site at: http://www.hmrc.gov.uk/security/index.htm

IT security firm Sophos is urging Facebook users to be cautious following the discovery of a rapidly spreading scam targeted at fans of the popular “Twilight” teen vampire romance movies.

Scammers are pretending to link to a game promoting the upcoming movie “Twilight: Breaking Dawn”, starring Robert Pattinson and Kristen Stewart. However, by clicking on a “Play Now” link, users are clickjacked into announcing that they “Like” the link, thus spreading it virally across Facebook.

The scam continues with users then being presented with a dialog box, asking them to grant permission for a third party application to access their Facebook account and post messages, updates and photos to their wall.

“Of course, if you’re a fan of “Twilight” you will quite possibly grant permission without thinking,” said Graham Cluley, Senior Technology Consultant at Sophos. “The only problem being that this isn’t a legitimate application request, but is being done by a rogue app which wants to make money out of your devotion to the works of Stephenie Meyer’s series of novels. Predictably, having gained the ability to post to your Facebook account, the scammers then present the final piece of the jigsaw: an online survey which earns them affiliate commission for each person who completes the questionnaire.”

If Facebook users have been affected by this scam, they should clean up their account before any further damage is done.

Internet users in New Zealand have reportedly received e-mails spreading a hoax that predicts an earthquake on April 17th in the city of Auckland. To make matters worse, the mail claims to come from nzherald.co.nz, a popular news portal in New Zealand, lending the prediction a false air of authenticity.

The NZHerald website has however, clarified on their portal that this is nothing but a hoax mail. “The Herald has confirmed it did not send out the scam email and is tracing its origin,” the site states.

Residents of New Zealand would obviously be highly alarmed by such a warning, as the country is recovering from a devastating earthquake which hit the South Island city of Christchurch in February.

Though no malicious links have been found in these mails, they could be part of a larger scam operation trying to exploit the fears of people still terrified by the devastation in the country.

Right now there’s a scam making its way across Facebook linking to a video titled “The Hottest & Funniest Golf Course Video – LOL” (example screen shot below). During the 15 minutes it took to write this post, over 7,000 new users liked the page, so it’s clear this is a successful campaign.

This latest scam is very much like a lot of others we see on a regular basis on the world’s most popular social networking site. But this one seems to be especially popular for some reason.

When you click the link you’re taken to the following page, which tricks you into not only liking the page but also sharing it with your friends. It does this using standard Facebook APIs.

The page that you are tricked into liking has been liked by over 272,000 users and doesn’t really have anything to do with the scam itself but is perhaps there to make it look more legitimate. The quote “<name>, are you scared? Of course I’m scared. I’m not Superman” is a quote by the actor Jackie Chan.

After liking and sharing the page and attempting to view the video, the user is taken to a typical CPA (cost-per-action) survey scam, so in the end there’s no video at all. Note that the attackers haven’t even bothered to change the title of the final payload site: it still says “Look What Happens When a Father Catches her Daughter on Webcam”, which is another scam that went around Facebook months ago.