Cyber Criminals Target Valentine’s Day through Facebook

Bells of Valentine’s Day Ringing on Facebook! Is it for Celebration? Or Cyber Attacks?

It’s never too early to get ready for Valentine’s Day, it seems, even when it comes to malicious attacks. Recently, Trend Micro researchers came across a scam on Facebook that leverages the upcoming occasion. The attack begins with a post on affected users’ walls inviting other users to install a Valentine’s theme on their Facebook profile.

Once users click on this post, they are redirected to another page that urges them to install the said theme. Note that this attack only works on either Google Chrome or Mozilla Firefox browsers. Clicking the Install button on the page will prompt the download of the malicious file, FacebookChrome.crx, which Trend Micro detects as TROJ_FOOKBACE.A. When executed, TROJ_FOOKBACE.A runs a script that is capable of displaying ads from certain websites.

It also installs itself on the users’ browsers as an extension named “Facebook Improvement |Facebook.com”. Once this malicious browser extension is installed, it will monitor the users’ browsing activities and redirect their page to a survey page asking them for their mobile number. Users who clicked on the post using Internet Explorer (IE) will be redirected to the same survey, without being asked to download anything.

Upon further analysis, we discovered that the attack is much more effective if the users are employing either Google Chrome or Mozilla Firefox. It resembles a legitimate extension download, thus requiring less user interaction than in the case where Internet Explorer is used (in which case the user is redirected to surveys).

Suchita Vishnoi, Head – Marketing, Trend Micro (India & SAARC), commented, “The fact that the attack itself is focused on Chrome and Firefox may mean that cyber criminals are targeting extension-compatible browsers, as well as going after more popular browser choices. This is not the first attack of its kind, but considering this, the extension-capable browsers are coming to the forefront now.” She further added, “Users are advised to inspect such links closely and to never click any of the links provided in these. It is typical for spammers to use prominent events/brands such as Reader’s Digest, or enticing contests, to cloak their malicious schemes. Users should first verify with trusted sources about the existence of these promos to avoid becoming victims of such a ruse. Contacting the organization purportedly behind the message by other means such as actual on-site visitation or a call on their hotline should also work as a way to verify if the message itself is in fact true.”

With the focus of the attack mainly built around the concept of pretending to be a valid Chrome extension, we can reasonably conclude that Chrome users are the main target of this particular attack, with the IE redirection as more of an afterthought. But while there may be browser activity monitoring involved, TROJ_FOOKBACE.A does not seem to have any information theft techniques. It fits the criteria of a clickjacking attack more, where it automatically ‘likes’ several Facebook pages as well as automatically posts a message on the affected user’s wall.
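For defenders who want to check a browser profile for the extension described above, the following is an added example (not Trend Micro's code and not taken from the malicious file) that reviews each installed Chrome extension's manifest.json for the extension name reported in the article and for match patterns that let the extension act on Facebook pages. The function names and the sample manifest are assumptions made for illustration; the directory layout assumed is Chrome's `Extensions/<id>/<version>/manifest.json`.

```python
import json
from pathlib import Path

REPORTED_NAME = "Facebook Improvement |Facebook.com"  # name given in the article
WATCHED_HOST = "facebook.com"                          # site the scam abuses

def norm(text):
    return " ".join(str(text).split()).lower()

def host_patterns(manifest):
    """Every URL match pattern the extension asks to read or run scripts on."""
    pats = []
    for key in ("permissions", "host_permissions"):
        pats += [p for p in manifest.get(key, []) if isinstance(p, str)]
    for script in manifest.get("content_scripts", []):
        pats += script.get("matches", [])
    return [p for p in pats if p == "<all_urls>" or "://" in p]

def covers_watched_host(pattern):
    host = pattern.split("://", 1)[-1].split("/", 1)[0]
    return host in ("<all_urls>", "*", WATCHED_HOST) or host.endswith("." + WATCHED_HOST)

def review_manifest(manifest):
    """Findings for one parsed manifest.json (empty list = nothing flagged)."""
    findings = []
    if norm(manifest.get("name", "")) == norm(REPORTED_NAME):
        findings.append("name matches reported extension")
    for pat in host_patterns(manifest):
        if covers_watched_host(pat):
            findings.append(f"can read/modify pages: {pat}")
    return findings

def audit_profile(extensions_dir):
    """Walk <profile>/Extensions/<id>/<version>/manifest.json; map id -> findings."""
    report = {}
    for path in sorted(Path(extensions_dir).glob("*/*/manifest.json")):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            report[path.parts[-3]] = ["unreadable manifest"]
            continue
        findings = review_manifest(manifest)
        if findings:
            report[path.parts[-3]] = findings
    return report

if __name__ == "__main__":  # constructed sample manifest, not the real file's contents
    sample = {"name": REPORTED_NAME, "content_scripts": [{"matches": ["*://*.facebook.com/*"]}]}
    print(review_manifest(sample))
```

Extensions that use localised names store a `__MSG_...__` placeholder in the manifest, so the name check will miss them; the match-pattern findings still apply and are the ones to review by hand.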

Earlier this year, Trend Micro researchers were alerted to a phishing attack in which cyber criminals targeted Reader’s Digest India. Phishing attacks of this kind involve creating spoofed versions of web pages that ask for sensitive user information, such as login usernames, passwords and bank account numbers. When users enter their information into such a page, it is collected and sent to the cybercriminal responsible for the page, no doubt for malicious purposes. In this case, users are led to a page where they must confirm their eligibility to win the supposed Reader’s Digest cash prize, and it asks for their personal details. With the advertised event confirmed false, it is also confirmed that whatever information is divulged on this page will be sent to cybercriminals.

Trend Micro recently received samples of an email message that poses as a letter from Reader’s Digest India. It informs recipients that they are potential finalists of a supposed sweepstakes. The message then instructs them to click on the link provided in order to access the website so that they could qualify for the cash prize. However, the link instead leads to a phishing site, which requires users to disclose personal information such as their email addresses and the like. Cybercriminals are exploiting online consumers’ anticipation to cash in on lucrative deals, and there are many who may be tricked by this latest phishing campaign.

Sometimes phishing emails are easy to spot with their poor grammar and spelling, completely unbelievable subject lines and misaligned copy. However, an increasing number of phishing emails display official corporate logos and other designs that make them look quite legitimate. Phishing emails, like spam, are typically sent to large numbers of email addresses.

Some recent examples of the 419 scam include one that purported that the reader won a contest related to the London 2012 Olympic Games, asking the user to supply his personal information. Another example targeted football fans by tricking them into believing that they’ve won an enormous cash prize related to last year’s FIFA World Cup.
