Within days of Facebook rolling out new security features designed to block spam, several new social-engineering attacks were spreading that somehow managed to get by the company's antispam defenses.
The spammers have modified their handiwork so it will get past Facebook's scam detection system, company spokesman Fred Wolens told today.
"There are new methods they've picked up after we put out the protections on Thursday," he said. "It's an arms race. We put out new protections and they come up with new campaigns...When we announced the new security features, they were calibrated for all the self-XSS attacks we'd seen at the time."
The company began turning on a feature last week that displays warnings when it detects that users are about to be duped by cross-site scripting (XSS) and clickjacking attacks. In such attacks, people are tricked into clicking something (clickjacking) or pasting some code into their browser Web address bar (XSS).
Yet there were several XSS attacks this weekend and today and warnings were not displayed. In one of them, users were tempted with a post that said "Facebook now has a dislike button! Click 'Enable Dislike Button' to turn on the new feature!" (On a side note, Wolens artfully dodged the question of whether Facebook would ever add a "dislike" button.)
Another attack falsely offered a way to see how many people viewed you on Facebook as an indication of how popular you are and urged people to click the "Scan Profile" link. The links lead to an external site where eventually the user is prompted to cut and paste Javascript code into the browser address bar, said Satnam Narang, a threat analyst at M86. (Facebook does not offer a way to see such statistics on profiles.)
A third attack tempted people with a comment of "WTF!! You look so stupid in this video" or something similar. A Flash file is loaded when the link is clicked and people were encouraged to press the CTRL and V keys and malicious JavaScript would be pasted from the clipboard into the browser address bar, according to this Zscaler blog post.
In all the cases the user action results in the spam messages being re-posted to the victim's Facebook pages and those of their friends. Ultimately, surveys are proffered for the victim to fill out. The spammers get money for each survey completed and the farther the spam spreads the more money that can be made.
Facebook did not disclose exactly what is going on behind the scenes, which could be used to help spammers in their efforts. Narang said he suspected that some of the spam was getting past Facebook's defenses by obfuscating the Javascript. Facebook seems to have made it harder for spammers to create campaigns that automatically execute and spam your friends, so that victims are sent off to external sites and required to cut and paste text into their browsers, he said.
But "the hole is still there because they are still able to generate these posts," by tricking users into clicking links and following further instructions, he added.
Facebook is learning and improving the situation with each new spam campaign and iteration of its defenses, Wolens said.
"Within a few hours of this video (spam campaign) we were able to put that information back into the system to protect people," he said.
LINK TO OUR HOME PAGE :
Voice Of GREYHAT is a non-profit Organization propagating news specifically related with Cyber security threats, Hacking threads and issues from all over the spectrum. The news provided by us on this site is gathered from various Re-Sources. if any person have some FAQ's in their mind they can Contact Us. Also you can read our Privacy Policy for more info.
Thank You !
-Team VOGH
If you enjoyed VOGH News, Articles Then Do Make sure you to Subscribe Our RSS feed. Stay Tuned with VOGH and get Updated about Cyber Security News, Hacking Threads and Lots More. All our Articles and Updates will directly be sent to Your Inbox. Thank You!
-Team VOGH
Categories:
security-news
