Earlier on, we spotted scam posts making rounds on Facebook from a very fake PlayStation Network profile created only hours ago. The scam post, which sported an image of a PS console, is being shared and liked by thousands of Facebook users, promising that whoever will be chosen to test the new product will get to keep the console after testing. It looked like this, initially.

click to enlarge

Sony needs testers for the new PlayStation 4. You will go to keep the new PS4 after you’ve tested it…..

If you want to be a tester for the new PS4 just share this photo and like our page.

People will be chosen completely at random!

~ Sony

Not long after that, someone was kind enough to point out in the Facebook comment that the new PS4 has touchpad while the one showed in the post doesn’t have one. Perhaps this was what fuelled the scammers to update the image, like so:

click to enlarge

32,656 shares compared to the 30,425 shares before. Facepalm.

There were also those who realized that the profile was a fake (created yesterday) and attempted to help everyone see this as well. Alas, they are none the wiser.

click to enlarge

 Let us then look at the fake Facebook profile in question.

click to enlarge

To the untrained eye, one may not notice immediate that the URL format of the profile page is unlike what we normally see popular brands use and point users to, which is the more straightforward and memorable format, facebook.com/{company, product or service name}. This is because the scammers behind this fakeout used Facebook’s own Create Page feature that can be found in the Recommended Pages section of a profile.

click to enlarge

click to enlarge

The scammers then select Brand or product where the “Games/Toys” category (the “business type” these scam profiles classify themselves) can be found.

Elsewhere, Microsoft is calling for XBox 720 testers!

click to enlarge

Xbox needs testers for the news Xbox 720. You will get to keep the new Xbox 720 after you’ve tested it…..

If you want to be a tester for the new 720 just share the photo and like the The Next Xbox and we will choose people at random.

~ Microsoft.

Or maybe not.

Scammers behind this Facebook campaign are also employing the same tactics used by the PS4 scammers.

If ever you encounter any of the posts we mentioned above on Facebook, don’t attempt to share it further with your network. Ignore it, and inform whoever is sharing the faux “Testers Wanted!” announcement that it’s a scam.

On this day of hearts, chocolates, flowers and (for some) celebration of singlehood, we’ll be highlighting the popular online threats banking on this occasion, most of which are disappearing and resurfacing through the years. After that, we’ll be dishing out some security tips that hopefully you, dear Reader, will be strongly reminded of, not just today but also the days to come.

The Multifaceted Spam

Have you clicked a link in what appears to be a sleek-looking Valentine’s Day e-card from a good friend you haven’t had the opportunity to talk to in two years? If you answer ‘yes’, don’t worry, you won’t be the last to fall for this.

Email spam has been around since the age of ARPANET. Historically, the first email spam was sent during this age in 1978, eight years earlier than the discovery of the first computer virus called BRAIN.

Valentine’s Day spam runs either aim to download malware onto user systems, with or without user consent, or aim to steal information and money. Such campaigns range from fake e-cards; mails allegedly containing links to videos, songs, poetry and pictures; purported promotions for flowers, romantic dinners, jewelry, and other gift-related theme; scammers even went with fake discount codes to make the offer a bit more irresistible.

Online Dating Shenanigans

Data recently released by Match.com four days after the new year of 2013 showed that visitors of online dating sites have peaked, which led some to think that “the very best moment in the entire year [is the most suitable time] to seek out a partner”. Although it has been ill-advised to merely rely on dating sites in finding The One, entertaining and acting on that very probable “what if” isn’t a thing someone can just shake off easily.

Those dabbling in online dating I know consider themselves “cautious,” knowing full-well that with the promise of having a life-long partner also comes the possibility of meeting Mr. or Ms. Wrong, and that’s fine. However, one must also look at the possible dangers that may be encountered online. Threats, such as catfishing, profile spoofing and fraud are huge points of concern within this industry, too. ThreatMatrix published a graphical representation of stats of criminal activities going on in online dating that you may want to check out here.

Moreover, some dating sites fail to keep their users’ personally identifiable information (PII) private while some do keep it safe. Hacked sites? Yes, we’ve seen that happen with eHarmony not so long ago, following the hack on LinkedIn.

Love, Socially

In this age of social sharing, a Facebook post, Twitter tweet and Tumblr reblog can reveal a lot about a person: their thoughts, feelings, cravings. A post, tweet and reblog can also the state of the owners account: compromised, possibly fake, actively spamming.

It has been said before: careful what you share online, but if one can’t tell the difference between a legitimate source from the bogus one, here lies the problem. We’ve seen a sample of this last year when Tumblr users began reblogging free Victoria’s Secret gift cards, and the alleged source being the Tumblr Staff Blog account.

Head Over Heart: The Right Kind of “Love” 

Surely, we can’t stop those from clicking links on e-cards, going to online dating sites in pursuit of true love and not sharing freebies and what-nots during Valentine’s Day; however, what we can do is help those make informed choices before they do something heartbreaking. Here are a couple of tips:

• Trust, but verify. It never hurts to thank and ask this friend of two years you hardly spoke to if they indeed sent the email or not. One doesn’t have to click on links to find out because by then, it might already be too late.This applies to things shared on social networking sites, too.
• Repeat after me: TMI. It stands for “too much information”. Keep it in mind when talking with someone you just met online (may it be on a dating or social networking site or forum) and want to get to know better. A touch of mystery and maybe a pound of paranoia may actually be good allies. After all, some things are still best said face to face.

Imbibe these two simple and practical tips as life lessons if you must. They may not only save you the heartache but also the headache of having your system be rid of malware, reclaiming stolen information or wondering why your soon-to-be partner in life hasn’t called you yet after sending them a huge amount of cash.

Matthew and Robert, two of our researchers in the AV Labs, discovered this upon digging deeper into spam emails claiming to be from the Better Business Bureau (BBB) and eFax Corporate. Complete email details of these spam have documented in our GFI Software Tumblr site.

The BBB email contains an attachment that is found to be a Pony downloader that, once opened, downloads a variant of the ZeuS banking Trojan onto the affected user’s system. The said downloader also steals various passwords related to FTP sites.

One of the URLs that the Pony downloader calls back to is a domain served on the IP address 74(dot)91(dot)117(dot)49, which is found to host other malicious files like the Blackhole Exploit Kit 2.0, Medfos (a Trojan downloader that hijacks search results), the Simda rootkit, the WinWeb Security rogue AV, and ZeuS.

The following compromised domains are found to be hosted on the above IP:

• 13(dot)carnovirious(dot)net
• 13(dot)blumotorada(dot)net
• 13(dot)lomerdaster(dot)net
• 13(dot)jonemnominik(dot)net
• 13(dot)zabakarvester(dot)net 

Below is a sample screenshot of one of the compromised sites hosting the fake Google Chrome update:

click to enlarge

And here is a sample screenshot of the malicious IP hosting a fake Adobe Flash Player update:

click to enlarge

When it comes to updating software installed in your systems, it is still best to visit their official websites. Free update checkers, such as the FileHippo program, can also assist users in managing software that needs updating in real-time.

Related posts:

• ADP Spam Campaigns are in the Wild
• This Spam Gives Recipients a Second Chance
• News of Brazil’s Former President’s Death Leads to Malware
• Fake Flash Player Fun

Jovi Umawing (Thanks to Matthew and Robert)

As of writing, the PM looks like this:

click to enlarge

WARNING: Your account is reported to have violated the policies that are considered annoying or insulting Facebook users.system will disable your account within 24 hours if you do not do the reconfirmation. Please confirm your Facebook account below:

[URL redacted]

Recipients can act on this message in two ways: they can click the link to confirm their account, or simply ignore the message and delete it from their message inbox. Users who do the latter are guaranteed to be safe from this sort of scam. Users who do the former, however, are led to a single site where they can enter all personal information asked from them. Below are screenshots of the pages in the order of how they will appear to users:

1. The first page is a something most Internet users are conditioned to seeing: a “prompt” telling users what they’re about to do and why they have to do it.

   click to enlarge

2. Clicking the Continue button leads users to the second bit where it asks for their basic personal information and credentials (email and password) used to log in to Facebook.

   click to enlarge

3. Next, users might think that this is is a peculiar one as it asks them to select the webmail service the email address you entered in the previous page is under. For example, if the email you use to sign in on Facebook is a Gmail address, then you have to select “Gmail” from the drop-down option box.

   click to enlarge

4. The fourth page is an interesting one: It asks users to enter only the first six digits of their payment card (debit or credit card) number, regardless of whether they have used their card to buy Facebook Credits or not. Unfortunately, there is no option to skip this part.

   In case you’re wondering, the first six digits of a credit or debit card is the Issuer Identification Number (IIN), which identifies the issuer (VISA, MasterCard, American Express, etc.) of the card.

   click to enlarge

5. Just when you think that all that’s needed is the first six digits of their payment card, users find out that they have to give the complete card number after all, and then some more.

   click to enlarge

Once all five “verification” pages have been filled out, dear Reader, consider yourself phished and expect your account to send out the same PM you received to your Facebook network.

Unsolicited messages from phishers landing on your private message inbox are no longer limited to Twitter. Despite this old method being used in a different platform, our advice on how to avoid falling for such scams remain the same: Always check the URL to be sure you’re not going to visit a link that is completely unrelated to Facebook—”Think before you click”, remember?; be skeptical about messages claiming to have come from Facebook; lastly, never share the URL to anyone on Facebook or on your other social sites as this only increases the possibility of someone clicking the link and getting phished themselves.

Jovi Umawing (Thanks to Janne for the heads up)

The spam entices users to visit a certain URL to “reactivate” their account. Once the URL is clicked, users are then directed to the following page:

click to enlarge

This phishing page has closely mimicked the look or template of legitimate pages where users can enter their sensitive banking information. The sample screenshot below is just one of several pages in the UnionBank website that uses the template.

click to enlarge

Once users have entered and submitted their information, a confirmation window pops up and then users are redirected to the legitimate UnionBank website.

click to enlarge

Most UnionBank users have their PayPal accounts tied to their banking accounts, so it is very important to steer clear from emails claiming to be from the bank that ask for banking details. If you, dear Reader, are indeed their client, better call them and inquire about the email you receive just to be sure. It also pays to consult this Anti-Fraud and Anti-Phishing Guidelines page from UnionBank for guidance on how to identify phishing pages from the real ones.

Jovi Umawing

Case in point, we have found an old Facebook scam, which dates back from two years ago, making rounds again and a spam-phishing ploy that is so 2007. Let’s see if any of these bring back memories….

click to enlarge

Familiar? This status message tells visitors that they can get 5,000 free Facebook credits by joining a promo (on a limited offer) and points them to a URL where they can join. Of course, in actuality, there is no promo and no free credits to be given away.

click to enlarge

Previous versions of this scam usually asks visitors to click “Like” buttons for pages, a method usually employed for the purpose of increasing the popularity of pages and their monetary value once sold. For the scam to proliferate within the network, users are also asked to update their Facebook profile with the above status message and link. Some versions present either a list of surveys to fill in or a form where users can enter their mobile numbers; only this latest scam offers both.

click to enlarge

If you, dear Reader, have encountered the said Facebook scam, it is best to steer clear. If you have already fallen to this scam, it is best to clean your feed by deleting the posts you created and unclicking the “Like” buttons of pages you’ve liked.

***

Our researchers in the AV Labs found an in-the-wild email spam leading to a phishing attack. It targets users of the open-source webmail application, SquirrelMail.

click to enlarge

The email is exactly as it was back in 2007, so any user can take their cues from the outdated versions of the app mentioned and the supposed solution to the issue the email is attempting to address. My advice? Delete the spam at once.

Jovi Umawing (Thanks for the AV Labs for the spam find)

Today, on the eve of the rumored EoW, it has decided to rear its ugly head once more.

During Profile Spy’s random stints on the Web, we have observed that the criminals behind it have used a number of tactics to make users hand over their credentials or give them money—like asking users to “Like” their page, answer surveys and copy and paste a code into the address bar. This time, the scammers have used a lot of elements in this effort. One is Facebook, the other two are Tumblr and the Google Chrome Web Store.

This scam starts off as a Facebook event invitation spammed to random users who are part of the mark’s network, a social engineering tactic already done in the past. Since the “event” is public, anyone can visit the page if the URL is shared.

click to enlarge

Visiting any of the links on the comment posted on the page leads users to a Tumblr profile. Clicking “Get it here” then leads users to a similar looking page, which is using Amazon‘s web service, where they can download the Facebook Profile Spy v2.0 for the Google Chrome Internet browser.

click to enlarge

click to enlarge

Based on the Web page’s code, only users from certain countries can download and install the Profile Spy rogue extension onto their Chrome browser once they click “Add to Chrome”. Users outside of these countries won’t be able to experience this. Below is a screenshot of the extension’s page that is being served on the Chrome Web Store:

click to enlarge

File name: extension_1_0_1.crx; MD5: 27f74e08871094fad6446686847b709d.

This rogue extension, once installed, is capable of doing three things: firstly, it updates the mark’s Facebook status by sharing an image and commenting on it—

click to enlarge

—secondly, the extension displays a fake “security CAPTCHA check” pop-up window where the mark can fill in names of persons in his/her network. This then results in the creation of the Profile Spy “event” invitation—

click to enlarge

—and lastly, it inserts ads, most of them adult in nature, on every website the mark visits. Below are just some sample screenshots:

click to enlarge

click to enlarge

click to enlarge

As a last act of getting as much as they can from their mark, the scammers display a pop-up survey after the extension is successfully installed for the mark to fill in.

click to enlarge

Filling in surveys, of course, generate affiliate commissions for the scammers.

Not long ago, our friends at Webroot documented the rise of the bogus “Change Facebook Theme Color” scam, and its method is similar to Profile Spy’s. Could the two be somehow related?

GFI Labs has already notified Google regarding the rogue Chrome extension, which we detect as Adware.FSpy. [UPDATE: Google has now taken down the Profile Spy page on the Chrome Web Store.]

Watch that mouse pointer, dear Reader, and careful where you direct and click it.

Jovi Umawing (Thanks to Adam for additional screenshots and analysis)

The malicious spam, this time, poses a question then gives a less-than-stellar answer to it, something criminals are counting on that recipients may simply accept and believe. Well, we better not take their word for it.

Here’s what the email looks like:

click to enlarge

From: {bogus email address}
To: {random}
Subject: Join my network on LinkedIn
Message body:
{redacted} has indicated you are a Friend

I’d like to add you to my professional network on LinkedIn.

[Allow button] View invitation from {redacted}

WHY MIGHT CONNECTING WITH {redacted} BE A GOOD IDEA?

{redacted} connections could be useful to you

After accepting {redacted} invitation, check {redacted} connections to see who else you may know and who you might want an introduction to. Building these connections can create opportunities in the future.

Clicking the Allow button or the link on the message body directs users to several Web pages of compromised sites, which all look like this:

click to enlarge

This page laced with the Blackhole Exploit Kit code then auto-redirects users to a Russian website where the Cridex info-stealer payload can be downloaded.

click to enlarge

Like we’ve said before, when in doubt, users should simply visit their LinkedIn pages and check their profile mailbox for invites.

Related posts:

• Fake LinkedIn Mails Lead To Cridex
• New Phishing Campaign Targets LinkedIn Users with Fake Reminders
• Zeus LinkedIn mails still out for delivery

Jovi Umawing (Thanks to the GFI Labs team)

• “Mailbox Upgrade” Email is a Phish. If you’re using Microsoft Outlook or Outlook Express, I’m sure you’re familiar with this kind of email landing in our inboxes, especially if IT has set a limit of how much your inbox can carry.

  click to enlarge

  First off, let me point out two things: one, 20GB of email space is too huge to be believable, and IT normally sets the limit of 2GB; two, IT does not tell their email users to validate anything. What they normally advise is to delete emails or move them to another location to free up space. Users who click the link on the mail is led to a phishing page. Reference here.

• Unsolicited “Adobe CS4 License” Leads to Malware.

  click to enlarge

  I wish there won’t be takers for any outdated Adobe CS4 license any time soon, much less a bogus one.  This leads to a Blackhole-Cridex system infection. Details here.

• Spammers Target Citibank Clients. Citibank credit card users are recently targeted by this spam circulating in the wild, claiming to be their Citi Credit Card statement. Users who click any of the links, unfortunately, may suddenly find their systems infected with the Zbot/ZeuS banking Trojan. More here.

  click to enlarge

If you come across any of these spam emails, it’s best to simply delete them from your inbox.

Stay safe!

Jovi Umawing

According to this study, they have found little progress in the way companies that develop apps for children handle data gathering and notifications. It’s important to note that the FTC has already seen these two problems and published a report last February 2012 (PDF) to reflect all their findings in 2011.

We fear that as the app industry grows bigger and more threats are targeting mobile users, (1) children would more likely be affected if not targeted by the threat itself and (2) this issue on app disclosure will take less priority over other issues.

Some of the data siphoned by apps for kids are accurate geolocation, contact list, the smartphone’s number, call logs, other personally identifiable information (PII) and other stored data. Since most apps share information with third-parties such as ad networks, it’s possible for these third-party companies to piece together data in order to create accurate profiles of children based on how they interact with the apps they’re using.

“Companies that operate in the mobile marketplace provide great benefits, but they must step up to the plate and provide easily accessible, basic information, so that parents can make informed decisions about the apps their kids use.” says Jon Leibowitz, chairman of the FTC. “Right now, it is almost impossible to figure out which apps collect data and what they do with it. The kids app ecosystem needs to wake up, and we want to work collaboratively with industry to help ensure parents have the information they need.”

You can read more about the full report here.

Jovi Umawing