Security

October 1, 2009 11:38 AM PDT

Facebook shuts down malicious fake profiles

by Elinor Mills

Facebook on Thursday fended off an attack in which multiple identical profiles were created to spread malware.

Antivirus provider AVG Technologies said users of its LinkScanner service detected numerous profiles that were identical except for their names. Each included a link to what was represented as a home video but which instead displayed a fake antivirus alert when clicked. The scams are designed to trick people into paying for software they don't need, to get credit card information from victims for identity fraud purposes, and often to install spyware on the computer.

"Clearly, the Data Snatchers have found a way to automate the creation of Facebook accounts, which means they've found a way to bypass the Facebook Captcha," Roger Thompson, chief of research at AVG, wrote in a blog post. Successfully translating a Captcha, a hard-to-read image of letters meant to ensure that a human is involved, is required for a new account.

The malicious link was blacklisted by the major Web browsers and Facebook was blocking the URL from being shared on its site, said Facebook spokesman Simon Axten. Meanwhile, the company was working to identify all the fake accounts and disable them, he added.

Axten disagreed with the AVG speculation that the Captcha system had been broken.

"We're looking into how these accounts were created, but it's very likely that the sign-up process was manual, or that the person behind the attack farmed out the Captchas to be solved by humans for a price," Axten wrote in an e-mail.

For its Captcha system Facebook uses ReCaptcha, "which was recently acquired by Google and is about as well-regarded a Captcha provider as there is," he said.

When the link in the fake Facebook profiles is clicked, a fake alert pops up that tries to convince the user that the computer is infected.

(Credit: AVG)
Originally posted at InSecurity Complex

July 29, 2009 12:57 AM PDT

Report finds fake antivirus on the rise

by Elinor Mills

Malware posing as antivirus software is spreading fast, with tens of millions of computers infected each month, according to a report to be released on Wednesday from PandaLabs.

PandaLabs found 1,000 samples of fake antivirus software in the first quarter of 2008. In a year, that number had grown to 111,000. And in the second quarter of 2009, it reached 374,000, Luis Corrons, technical director of PandaLabs, said in a recent interview.

"We've created a specific team to deal with this," he said, of the rogue antivirus software that issues false warnings of infections in order to get people to pay for software they don't need. The programs also typically download a Trojan or other malware.

PandaLabs found that 3 percent to 5 percent of all the people who scanned their PCs with Panda antivirus software were infected. Using that and worldwide computer stats from Forrester, PandaLabs estimates there could be as many as 35 million computers infected per month with rogue antivirus programs.

About 3 percent of the people who see the fake warnings fall for it, forking over $50 for an annual license or $80 for a lifetime license, according to Corrons.

Last September, a hacker was able to infiltrate rogue antivirus maker Baka Software and discovered that in one period an affiliate made more than $80,000 in about a week, said Sean-Paul Correll, a PandaLabs threat researcher.

A Finjan report from March estimated that fake antivirus distributors can make more than $10,000 a day.

"The general consumer doesn't understand" the threat, Correll said. "No legitimate antivirus vendor will start a scan automatically on your computer without your consent."

After all the hoopla about the Conficker threat, researchers seemed almost relieved that it turned out to distribute fake antivirus software instead of something much worse.

Originally posted at InSecurity Complex

June 10, 2009 10:46 AM PDT

Microsoft takes aim at fake antivirus program

by Elinor Mills

Updated 2:45 p.m. PDT with Barracuda Networks warning of Web site promoting rogue program using the Barracuda brand.

Microsoft's Malicious Software Removal Tool was updated this week to detect a generic type of fake antivirus program known as "Win32/InternetAntivirus."

The Microsoft Malware Protection Center gives Win32/InternetAntivirus an alert level of "severe." The software is "a rogue program that displays false and misleading alerts regarding malware, in order to convince users to purchase rogue security software," according to a Microsoft Malware Protection Center blog post. The program also displays a fake "Windows Security Center" message.

This screenshot shows the fake alert the Win32/InternetAntivirus malware displays to try to scare people into paying money.

(Credit: Microsoft)

In addition, the rogue program runs a password stealer called "TrojanSpy:Win32/Chadem," which tries to steal FTP usernames and passwords that can be used to compromise servers for hosting malware.

"They use new domain names every day, often registering multiple names at a time, like scanfan4.info, star4scan.info and scanstar4.info," the Microsoft post says. "This is all pretty normal rogue behaviour these days. As always, only use security software that has been tested by a trusted third party."

Fake antivirus programs are very common and provide a way for scammers to make easy money. The scammers prey on the fears of Web surfers who are misled into believing their systems are infected and then pay, typically, $50 for a program that not only doesn't protect their computers, but often turns out to be malicious.

Microsoft and the attorney general's office in Washington state filed a handful of lawsuits last year over so-called "Scareware" pop-up ads that entice consumers into paying for software that supposedly fixes critical errors on a PC.

The Malicious Software Removal Tool is updated every second Tuesday of the month as part of Patch Tuesday.

Separately on Wednesday, Barracuda Networks, a provider of e-mail and Web security products, warned of a Web site using the Barracuda brand to sell a rogue antivirus program. If downloaded, the program performs a fake scan of the computer and installs spyware, the company said.

June 3, 2009 12:55 PM PDT

Scammers using search optimization on Twitter, Google

by Elinor Mills

Updated June 5 10:50 a.m. PST to clarify that scammers were blending their tweets in with legitimate tweets on an already popular PhishTube topic.

Online scammers are targeting people looking for popular topics on Twitter and Google to lure them to Web sites that display fake security warnings and try to sell them antivirus products, PandaLabs said on Wednesday.

This technique isn't new, but it seems to be widening on Google and is particularly successful on Twitter, where links are spread fast and furiously and people often don't think before they click.

Scammers took advantage of the popularity of "PhishTube Broadcast" on Twitter in order to spread links to sites with fake antivirus malware.

(Credit: PandaLabs)

In the Twitter scam, hundreds of fake accounts have been posting tweets that reference the band Phish, which has a cult-like following, according to a PandaLabs blog.

There were so many of the tweets, which say "PhishTube Broadcast," that the term showed up in the Trending Topics list. While there were many legitimate tweets for that topic, scammers posted tweets that contained links that eventually lead to spoof porn pages that infect victims with the fake antivirus malware if they click anywhere on the page, PandaLabs said.

PandaLabs researchers also discovered links to malicious Web sites high up in searches on Google for "Microsoft" and its "Project Natal" gaming technology. The malicious sites display fake messages saying the computer is infected with viruses and offer to sell antivirus software.

The researchers then tried other popular searches and found 16,000 malicious links targeting "YouTube," 10,500 targeting "France" and "airline crash" and thousands of others targeting people searching on "E3," "Sony," and "Eminem" with "MTV Awards" or "Bruno," according to another PandaLabs blog post.

June 1, 2009 12:23 PM PDT

'Best Video' scam on Twitter dropped malware

by Elinor Mills

Twitter users were hit with another attack over the weekend featuring tweets reading "Best Video" and a link to a Web site that downloads malware, a security firm said on Monday.

The Web site, with a .ru (Russia) domain, purports to show an embedded YouTube video. Instead, the page downloads a malicious PDF that contains a "flurry of exploits" and, if successful, downloads fraudware that displays a fake security warning to try to get people to pay money, according to Kaspersky's Viruslist.com blog.

Contrary to earlier reports that the attack was a worm, the Kaspersky blog post speculates that the attackers were using accounts stolen in a phishing attack about a week ago.

Thousands of Twitter users were affected by what looked like a worm-like phishing attack last week, but was instead a site designed to help Twitter users increase their number of followers quickly. The TwitterCut site looked like a Twitter log-in page and prompted people to type in their user names and passwords. Site administrators denied the phishing allegations and said they were shutting it down, according to the TrendLabs Malware Blog.

"This attack is very significant," the Kaspersky post says of the latest attack. "It would seem that at least one criminal group is now exploring the distribution of for-profit on Twitter. If the trends we've seen on other social platforms are any indicator for Twitter, then we can only expect an increase in attacks."

Twitter said on Saturday that it was aware of the problem and working on it. Another message from Twitter on its status page said some legitimate accounts affected by the attack were suspended but would be restored and that no personal information had been compromised.

The 'Best Video' scam displays a fake security warning in order to get people to pay for antivirus software they don't need, Kaspersky says.

(Credit: Kaspersky Labs)