Tuesday, November 10, 2009

Facebook Phishing - Can't Trust Your "FRIENDS"

As I write this I am as comfortable as one can be in an airline seat with a laptop in front of me. I have been reflecting a little on another interesting week in information security and am still settling into this blog-writing gig. At the request of a very special reader I was conversing with about this interesting but now commonplace finding on Facebook, I decided to share the following.



As I was browsing Facebook earlier this week I came across the posting on a friend's page pictured to the left. Seeing it, I decided to do a little digging, since the use of shortened URLs has become the norm thanks to Twitter links. Clicking the link redirected users to what at first glance appeared to be a Facebook login page; however, a look at the browser's address bar showed that the shortened link in the original posting actually sends users to a site named hxxp://phasebooklogine.t35.com. This site is hosted on t35.com, a free hosting service that is quick and easy to set up on.



This image shows what the login page looks like; as you can see it is a fairly convincing page unless you look closer. Most users would type in their credentials without thinking twice, due to what I call blind faith in anything that appears to originate from a "friend".

This site is just one example of the attack vectors currently widely dispersed across all social networking sites, primarily MySpace, Facebook, YouTube, and Twitter. The vector here is of course a modified approach to your standard phishing attack. Phishing attacks usually come in the form of emails from your bank, your friend, etc., and use the same tactic: harvesting user credentials via an authentic-looking login page that in some instances does nothing after you enter your creds, and in other cases forwards you on to the legitimate site.

In the case of phasebooklogine.t35.com, upon entering any credentials the page would redirect you to one of about 5 randomized, seemingly legitimate Facebook apps.

Consider this part one of this Facebook analysis article specific to posted phishing attacks; I will be writing a follow-up article with more technical details on my analysis.
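As an added example (not code from the original post), here is a small offline triage routine in Python that applies the checks described above to a redirect chain: does the shortened link land on the real site, does the landing hostname look like the brand, and is it parked on a free hosting provider such as t35.com. The placeholder shortener URL, the hostname lists and the similarity threshold are constructed assumptions.

```python
"""Heuristic triage of where a shortened link actually lands.

Added example, not the original post's code. Hostname lists and the
0.5 similarity threshold are assumptions chosen for illustration.
"""
from difflib import SequenceMatcher
from urllib.parse import urlparse

LEGIT_HOSTS = {"facebook.com", "www.facebook.com", "apps.facebook.com"}
FREE_HOSTING = {"t35.com"}          # free host seen in the post; extend as needed
BRAND = "facebook"
SIMILARITY_THRESHOLD = 0.5          # assumption: tuned by eye on the sample below


def registrable_domain(host):
    """Crude 'last two labels' approximation of the registrable domain."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def brand_similarity(host):
    """Best fuzzy match between any hostname label and the brand name."""
    labels = host.lower().replace("-", "").split(".")
    return max(SequenceMatcher(None, label, BRAND).ratio() for label in labels)


def triage(chain):
    """chain: URLs in the order the browser followed them (shortener first).
    Returns (verdict, reasons); verdict is 'legit', 'suspicious' or 'unknown'."""
    host = urlparse(chain[-1]).hostname or ""
    if host in LEGIT_HOSTS:
        return "legit", []
    reasons = []
    if registrable_domain(host) in FREE_HOSTING:
        reasons.append("landing host is on free hosting: " + registrable_domain(host))
    similarity = brand_similarity(host)
    if similarity >= SIMILARITY_THRESHOLD:
        reasons.append("hostname label resembles %s (similarity %.2f)" % (BRAND, similarity))
    if "login" in host or "signin" in host:
        reasons.append("hostname carries a login keyword")
    if len(chain) > 1:
        reasons.append("shortened link did not land on the legitimate domain")
    return ("suspicious" if reasons else "unknown"), reasons


if __name__ == "__main__":
    # Constructed chain: placeholder shortener -> the host named in the post.
    print(triage(["http://short.example/abc", "http://phasebooklogine.t35.com/"]))
    print(triage(["http://short.example/xyz", "https://www.facebook.com/login.php"]))
```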

Wednesday, November 4, 2009

Windows 7 Insecure OUT-OF-BOX


Microsoft has been touting the improved security and updated features of UAC (User Access Control) in Windows 7, but recent findings show that Windows 7 is no different from its older siblings in the Microsoft operating system family.
I just finished reading a report by security firm Sophos, and the report shows that out of the box, with the default configuration, Windows 7 was vulnerable to 8 out of 10 viruses thrown at it by the testers at SophosLabs.

User Access Control (UAC) is a technology Microsoft introduced to its operating systems in Windows Vista. It aims to improve the security of the operating system by preventing applications from running background processes without interaction from the user. After its initial introduction in Vista it was widely criticized as annoying and, as a result, in most cases turned off by users. The improvements Microsoft made to UAC to make it "less chatty" may have accomplished the less chatty part, but have done nothing for security.

Microsoft does acknowledge this and encourages users to install anti-virus software, which it describes as a required piece of software for securing Windows workstations. In their report released Monday, the Microsoft security team reports that Vista fared better than all other Windows flavors, including Windows 7, when it comes to security: Vista SP1 infection rates were 61.9% lower than XP SP3.

In conclusion, anti-virus is a must, and with a multitude of legitimate ones freely available, it is easy and strongly recommended. A recommended free AV for Windows 7 is Microsoft's own Security Essentials, which is freely available for download on their site.

*Image courtesy of SophosLabs

Tuesday, November 3, 2009

The threat of "Visual" Social Engineering


The upswing in the use of bogus codec/Flash Player/video pages has been a major factor in boosting the efficiency and infection rates of malware campaigns. The use of these visual pop-ups mimicking legitimate software updates is what I am referring to as Visual Social Engineering; this same tactic is the single most effective method for many drive-by download infections, mainly fake AV software.
Cyber criminals have successfully managed to monetize the use of visual social engineering, and as a result of its success there is no end in sight.

The latest attempt to continue monetizing the scheme comes with the release of a social-engineering-driven web malware exploitation kit that has surfaced on a few cybercrime-related marketplaces. The main exploit modules in the kit take the form of "Missing Flash Player", "Outdated Flash Player", "Missing Codec", and "Codec Required" modules.

These modules represent the most dominant attack vectors for self-infection malware, due to users' gullibility and the sheer quality of the actual spoof.

In one instance that I analyzed, upon clicking the video pictured, the end user was redirected to 67.228.143.62 (Email: fullhdvid@gmail.com) and then to world-news-scandels .com, where the codec was served from execfreefiles .com.
Multiple other fake codec domains are parked on the same IPs:

216.240.143.7
sunny-tube-world. com
onlysteeltube. com
fllcorp .com

In conclusion, thanks for reading my first blog post; research will continue, and the final word is: verify before you click...