Vulnerability in a Browser(s) and Users Tricked to Copy-Paste a JavaScipt May Explain The Facebook Wave of Pornographic and Violent Spam.

Article first published as "Browser Vulnerability, Tricked Users May Explain Disturbing Facebook Spam" on Technorati.
By Cesar Ortiz
Facebook claims to have found an explanation of the current wave of spam attacks, including explicit hardcore porn images, videos, photo shop created photos of celebrities like Justin Bieber in sexual situations, pictures of extreme violence and even photographs of animal cruelty. These are among many gross pictures being propagated. Users tend to see the images posted on a friend’s account, visible to everyone but the friend in question. Facebook’s latest statement says the root of the attack is a malicious JavaScript that some users were tricked into copy and then paste to their browser URL address bar. Facebook released this statement:

 Beginning of quote

“Protecting the people who use Facebook from spam and malicious content is a top priority for us, and we are always working to improve our systems to isolate and remove material that violates our terms. Recently, we experienced a coordinated spam attack that exploited browser vulnerability. Our efforts have drastically limited the damage caused by this attack, and we are now in the process of investigating to identify those responsible.

During this spam attack users were tricked into pasting and executing malicious java script in their browser URL bar causing them to unknowingly share this offensive content. Our engineers have been working diligently on this self-XSS vulnerability in the browser. We’ve built enforcement mechanisms to quickly shut down the malicious Pages and accounts that attempt to exploit it. We have also been putting those affected through educational checkpoints so they know how to protect themselves. We’ve put in place backend measures to reduce the rate of these attacks and will continue to iterate on our defenses to find new ways to protect people.”

End of quote

Hackers are tricking users to manually do a copy-paste. This cross-site scripting mainly allows an attacker to execute JavaScript code in your browser that can access and control the website you are interacting with. Facebook says that users were being tricked to copy and paste the offending JavaScript into their address location bar in the affected web browser, but does not identify the specific browser.

The modus operandi of the hackers is to entice you to do a copy- paste. Users are manually spreading the scam unwillingly. Users are told to “"Erase everything in your address bar, copy and paste the code below, and press enter" this is not just any URL, its full-fledged JavaScript code that will initiate the posting of the porno and violent spam to your friend’s news feed. Why the scammers use the “copy-paste” option? Scammers are using a java script. Users are in fact entering and executing the script for the scammers. The “click to a link” method makes the whole task very hard and leaves ID traces, therefore the use of the copy-paste option. The hook to prompt users to do the copy-paste is changed constantly, may be “free Starbucks coffee for a month” or to warn fellow media users of “some danger”, etc. If someone, even a friend, in any social media asks you to do a copy-paste, beware!

Who is behind this campaign? Facebook uses the word “coordinated” to describe the attack. It could mean several servers, possibly in several locations, at the same time. This time is not that a hacker or a scammer wants to steal your hard earned money or your identity. This is a concerted sophisticated effort to harm and disgrace facebook.

Users who are victims of this scam should do the following (1) Remove any related items from your facebook Newsfeed wall page (2) Notify your friends and make sure you explain that you sent them the scam posting unwillingly (3) Run your Anti-Virus in full mode and set it to real time scanning.

Name Brands Question My Comments Regarding a Brand Lax Attitude When Scammers Use Their Company Logo On The Internet

By Cesar Ortiz
An exclusive article that I wrote on the Yahoo-ABC News Network titled “Facebook Eat for Free at Pizza Hut! Scam is Spreading Virally” has stirred an out cry from some companies. In the article I comment that Pizza Hut or its parent company, Yum! Brands, Inc, the world's largest restaurant company, had done nothing to warn its clients of a major Internet scam using their company logo. Some other companies jumped into the bandwagon all claiming the same posture as follows; it is not the major brand responsibility to get into the act. It is the Internet Social Network carrier i.e. facebook, twitter or Google+ responsibility to handle the scam. “We are not in the IT business”. These corporate entities might be right on their assertion, but, may I ask, Why not then warn the public that their name brand is being used in a scam in their corporate and social web pages? The more users that are warned, the fewer victims we have. After all, users will curse the social carrier and the brand if their personal identifier data is stolen. One exception is Starbucks who always warns its clients of scams. That was the main objective of my article and still it is. We stand by what we commented on the article regarding some name brands attitude.

facebook: “ Facebook Charging in 2011 ” is a Scam. " Facebook Is Deleting Accounts " is Another Scam

By Cesar Ortiz

Now that facebook, suddenly without a major hint, in the f8Conference in San Francisco, dropped a major change to the way they present their interface to the users with a new platform  concept, scammers are having a field day taking advantage of the sweeping change in the facebook interface. Facebook  introduced its Open Graph platform, including the Timeline front end. Facebook does not need to charge for their portal, they make plenty of money on advertising, game sales and other paid for commission and value added services. This is another scam. A similar scam is that “ Facebook is Deleting Accounts ”.

Friends that fall into the trap will unwillingly send you a message post that reads:

Beginning of quote

“IT IS OFFICIAL. IT WAS EVEN ON THE NEWS. FACEBOOK WILL START CHARGING DUE TO THE NEW PROFILE CHANGES. IF YOU COPY THIS ON YOUR WALL YOUR ICON WILL TURN BLUE AND FACEBOOK WILL BE FREE FOR YOU. PLEASE PASS THIS MESSAGE ON, IF NOT YOUR ACCOUNT WILL BE DELETED IF YOU DO NOT PAY”

End of quote

If you take a look at the facebook login page- below the word “Sign Up”- you will see a statement in small blue type that say “It’s free and always will be.” Enough said.  Users who fall into the “ Facebook Charging in 2011 ” trap will be contributing to spamming or worse. According to HUFFPOST, these are the top nine worse case scenarios to this date that a user will fall into this “Facebook Charging In 2011” or similar scams.

(1)     Clickjacking: Clickjackers on Facebook entice users to copy and paste text into their browser bar by posting too-good-to-be-true offers and eye-catching headlines. Once the user infects his own computer with the malicious code, the clickjackers can take control of his account, spam his friends and further spread their scam.

(2)     Fake Polls or Questionnaires: If you click on an ad or a link that takes you to questionnaire on a site outside Facebook, it's best to close the page. When you complete a fake quiz, you help a scammer earn commission.

(3)     Phising Schemes: Phishers go after your credentials (username, password and sometimes more), then take over your profile, and may attempt to gain access to your other online accounts. Phishing schemes can be difficult to spot, especially if the scammers have set up a page that resembles Facebook's login portal.

(4)     Phony Email Or Message: Facebook warns users to be on the lookout for emails or messages from scammers masquerading as "The Facebook Team" or "Facebook." These messages often suggest "urgent action" and may ask the user to update his account.

(5)     Money Transfer Scams: If a friend sent you a desperate-sounding Facebook chat message or wall post asking for an emergency money transfer, you'd want to help, right? Naturally. That's what makes this scam so awful.

(6)     Fake Friends Request: Not all friend requests come from real people, despite Facebook's safeguards against bots. Some Facebook accounts exist purely to establish broad connections for spamming or extracting personal data from users, so watch out whose friend requests you accept.

(7)     Fake Page Scam: Malicious pages, groups or event invitations aim to trick the user into performing actions that Facebook considers "abusive."

(8)     Rogue Applications: Oftentimes, the apps look convincingly real enough for users to click "Allow," as they would do with a normal Facebook app. However, rogue apps use this permission to spread spam through your network of friends.

(9)     The Koobface Worm: Koobface spreads across social networks like Facebook via posts containing a link that claims to be an Adobe Flash Player update.

Facebook: “ Man in Wheel Chair Falls Down Elevator Shaft ” This Click Jacking Scam is Spreading Very Fast Worldwide

By Cesar Ortiz
Scammers intending to click jack your facebook account to force you to take surveys and take you to malware sites are using this latest attempt to incite facebook user’s curiosity on watching a specific video that in fact, you will never see. This scam is based in a real life incident that happened in Korea, The incident, which happened in August, was caught on security cameras in a shopping centre in Daejon, South Korea. The photo used in this scam appears to have been taken from that news clip. The scam begins when one of your friends sends you a post with what appears to be video with a play button embedded in a still photo of an elevator shaft security camera with the date-time stamped. The following text will appear:

Start of quote

“Man in wheelchair falls down the elevator shaft *SHOCKING VIDEO*
apps.facebook.com[LINK]
This Video is really shocking. a man in a wheelchair is falling down the elevator shaft.”

End of quote

Users who click on the “Play” button of the video are sent to a facebook page with all the looks of a real facebook page. A blank black background of a video with a “Play” button is in the center of the page with the title “Man in wheelchair falls down the elevator shaft “SHOCKING VIDEO1”. As soon as a user clicks on the “play” button, a malicious malware script in the facebook page will tag the post as if you have “Like” it and will send the same message that you received to all your friends from your account, therefore propagating the scam.

After clicking the “Play” button on the “Shocking Video” screen something strange happens; another page will load with the elevator picture video in the background but in front of the video there is “facebook looking” message that says “You will not be allowed to continue until you have completed a survey” “Win an Ipad2!” and a “Complete” blue button for you to go to the survey or surveys or perhaps a high monthly fee cellular phone plan or worse. As I always say, you where taken there by deception, therefore, expect the worse. These guys are not angels.

Users who are victims of this scam should do the following (1) Remove any related items from your facebook Newsfeed wall page (2) Notify your friends and make sure you explain that you sent them the scam posting unwillingly (3) Run your Anti-Virus in full mode and set it to real time scanning.

Facebook: ‘ AWESOME Video Nicole’s Baby Kicking – The Belly View – Unbelievable " Scam is Spreading Virally

By Cesar Ortiz

Scammers are now using a real YouTube Video of a real life Nicole with a baby kicking inside her belly while at the beach as an inspiration for a scam. The real video reached viral proportions and when we saw the real video it had 3,754,503  views. There is nothing wrong with that video. The lady is dressed in a two piece bikini type swim suit. In the scam, users will receive a post from a friend in her or his News Feed wall. The picture shown in the post appears to be a copy- paste of the original real Nicole picture. The post will have the following message:

Start of quote

"AWESOME Video "Nicole's Baby Kicking - The Belly View - Unbelievable"
video.caxbee.com[link]
An amazing view of a baby kicking and moving his way out of the belly while at the beach."

End of quote

If you click on the "video.caxbee.com[link]" to see the video, you are directed to a page with three advertisings (money per click for the scammers) and an embedded video that looks very much like the original YouTube video. The first indication that this is a scam is that the page we are facing is not a YouTube page. The next indication of a scam is that in this page, there is a statement that says:

 "To watch the video" "Click Share and then click on the Share link button"

A big blue "Share" button is shown as the only option. Users who click on this "Share" button will immediately send this message to all the user friends, therefore propagating the scam. YouTube nor Vimeo or others video portals require that you share anything to view a video. There will not be any real video shown anywhere. So far, at the time of this writing, the only damage done is that you are taken to pay per click advertising sites without your consent. Beware that you have been presented this page by deception and that the deception may continue and escalate to more serious damages if you click on one of the advertisings that turns out to be a trap.

Users who are victims of this scam should do the following (1) Remove any related items from your Facebook Newsfeed wall  page  (2) Notify your friends and make sure you explain that you sent them the scam posting  unwillingly (3) Run your Anti-Virus in full mode and set it to real time scanning.

Twitter: "Direct Message From The Twitter Administration" Scam is Spreading Fast

By Cesar Ortiz
This scam is making the rounds by the thousands on Twitter. You receive a message that says:

(Beginning of quote)

“Hi,
You have 2 direct message on Twitter!
http://twitter.com/account/messages/info/LDSV6-7XZ44-522266
The Twitter Team

If you received this message in error and did not sign up for a Twitter account, click not my account.
Please do not reply to this message; it was sent from an unmonitored email address. This message is a service email related to your use of Twitter. For general inquiries or to request support with your Twitter account, please visit us at Twitter Support.”

(End of quote)

Unsuspecting users who click on the link are taken to a webpage that claims to be a Canadian Pharmacy affiliate advertising pharmaceutical drugs such as Viagra, Cialis and Levitra.

To remove this hack from your Twitter account, (1) Go to the Twitter Website page, log-in to your profile (1) Click on your user window pull down arrow at the top right of the menu where your thumbnail picture is ( 2) Select “Settings” (3) Select “Applications” (4) “Revoke Access” to any related scam application (if any) (5) Delete all related tweets (6) Contact and help your friends to clean up their accounts (7) Run your Anti Virus in Full Scan mode.