Tag Archives: facebook

Social Scams – Part 2: How to Clean Up Your Browser and Facebook Timeline

During recent weeks, I have seen different scams on Facebook attempt to convince users to install Google Chrome extensions. I have noticed some conversations taking place around the scams; people not sure how to get rid of the scammer photos or how to prevent the scams from spreading further. Some users have unfortunately  gone as far as creating new Facebook profiles for themselves. This is not necessary.

If you have been tricked by one of these scams, here is how you can clean up your browser and Facebook timeline:
 

Remove bad browser extensions

If you have installed the Chrome extension for Facebook Black, Profile Spy (“See Your Profile Viewers”), or Free PS4, you will need to uninstall it from your browser:

  1. Open the Google Chrome browser.
     
  2. Type chrome://extensions into the browser address bar.
     
    image1_0.png
     
  3. Click the trash can icon to delete bad extensions
     
    image22.jpg
     
  4. Click Remove at the confirmation dialog
     
    image33.jpg
     

The Google Chrome extension page can help you identify any bad extensions that you have installed. In this preceding example you can see both the “Get PS4” and “See Your Profile Viewers” extensions that have been installed.

To delete a bad browser extension, just click the trash can icon and confirm.
 

Remove unwanted Facebook pages

The preceding Chrome extensions may be responsible for creating Facebook pages using your profile. Now you should confirm whether or not scammer Facebook pages were created in your account and then remove them:

  1. Click the gear icon at the top right corner of your Facebook profile and select the page you wish to modify.
     
    image4.jpg
     
  2. Once the Facebook page has loaded, click Edit Page at the top.
     
  3. Select Manage Permissions.
     
    image5.jpg
     
  4. Click Permanently delete [NAME OF PAGE] at the bottom.
     
    image6.png
     
  5. Click Delete to permanently remove the Facebook page.
     
    image7.png
     

As you can see in this preceding example, a randomly created Facebook page was found being used by scammers. You can prevent friends from being photo-tagged with scammer spam by permanently deleting these scammer Facebook pages.

After page deletion you should arrive back at your main Facebook profile.
 

Remove scammer posts from your Facebook timeline

In order to keep the scam in circulation, the previously mentioned Chrome extensions have downloaded JavaScript files. These files were responsible for performing scammer activity, including tagging your friends in photos to promote the scam in news feeds.

The last step is to remove the photos the scam extension has posted on your behalf and get a clean Facebook timeline:

  1. Go to your profile timeline.
     
  2. Scroll through your timeline to check for photos published by the scam.
     
  3. Hover over the timeline story item and click the pencil icon.
     
  4. Select Delete Photo.
     
    image8.png
     

Deleting the photos left by scammers on your timeline helps stop promotion of the scam.

However, in another scenario, you may be the one who is tagged by a scammer photo in a timeline. In that case, you should report the scam to Facebook:

  1. Hover over the timeline story item and click the pencil icon.
     
  2. Select Report/Remove Tag.
     
    image9.png
     
  3. Check I want to untag myself and I want this photo removed from Facebook and select It’s spam.
     
    image10.png
     
  4. Click Continue to confirm.
     

And now that you have removed bad extensions from your browser, cleaned up your Facebook profile timeline, and reported scammer spam, point your friends to this blog post so that they can clean up their own browsers and Facebook timelines.
 

Don’t forget to stay vigilant

These clean-up instructions will help you remove scams circulating on Facebook that involve Google Chrome extensions. But, as mentioned before, scammers are relentless; they are likely to change their tactics again and again. Proceed with caution on social networks and avoid installing any browser extensions in exchange for free products or special features.

Symantec customers are protected against these types of attacks by our Web Attack: Fake Facebook Application 3 IPS signature.

Social Scams – Part 1: Reusing Old Scams to Push Browser Extensions

Last year, we talked about scams and spam circulating on Facebook in our whitepaper. Social networking scammers often reuse common lures to trick users, such as offering free products or additional features that are not available on their network of choice. What these scammers do differently is find new ways to get more eyeballs to view their specific links. Whether it is likejacking or even convincing users to paste code (an external JavaScript file) into the browser address bar, these scammers are relentless.

Just recently, we published a blog about the Facebook Black scam that has been spreading. While that scam continued to spread, we found two old lures being reused, and also two identical Google Chrome extensions being pushed onto the end user.
 

“Additional feature” lure

Users of social networks have often requested certain features and wondered whether they would ever be implemented on their favorite sites. One of the most commonly requested features across all social networks has been a way to see who has visited one’s profile. This feature has never been available, yet this lure has been used in scams across many of the most popular social networks over the years.
 

image1.png

Figure 1. Photo-tagging spam claiming additional feature
 

In fact, this lure—commonly found on social networks—is identical to the one used in the Facebook Black scam we posted about recently. Users are redirected through an iFrame on a Facebook page and then taken to a website where they are enticed to install a Google Chrome extension.
 

image2.jpg

Figure 2. Browser extension claiming additional feature
 

Installing the extension does nothing—except present the user with a set of surveys to fill out in order to unlock the additional feature. The feature never gets unlocked. The only thing that happens is the scammers make money off of every survey completed successfully.
 

image3.jpg

Figure 3. Scammer survey
 

“Get something free” lure

Let’s face it: people like free stuff. But free stuff on social networks is not really free. The newest products are the most valued by users and scammers know this. This is why they continue to reuse this lure.
 

image4.png

Figure 4.  Web page claiming to get something free
 

For instance, in February Sony announced their new video game console, PS4. It is not scheduled to arrive in stores until the year-end holiday season. However, that has not stopped scammers from attempting to trick users by offering a free PS4 test unit that they can keep.
 

image5.png

Figure 5. Browser extension claiming to get something free
 

The Web page for this scam claims that users can get a voucher for a free PS4. In reality, there is no voucher. There is just a browser extension created by scammers.

When users install this browser extension, JavaScript files are downloaded onto the user’s computers. These files then perform various actions in the user’s Facebook account, like creating a Facebook page with an iFrame and posting a photo the user’s friends are subsequently tagged in (see previous Figure 1). And this is how the scam spreads.
 

Protection

Symantec customers are protected against these types of attacks by our Web Attack: Fake Facebook Application 3 IPS signature.

Be cautious when you see offers for free products on social networks, especially products that are highly sought after. Also, if a feature is not currently available on a social network, chances are there is a reason that it is not available. Do not install browser extensions from unverified sources—even if they offer free products or access to an unavailable feature—and be especially suspicious of anything that is promoted aggressively on your social networks.

Google, for their part, removes malicious Chrome extensions as they find them and are improving their automated systems to help them detect items containing malware.

However, in the next post we provide instructions on how to remove these scammer browser extensions yourself, and how to clean up your Facebook timeline from all the spam left by scammers.

HELP – My Child is an Online Bully…

Some days my children make me proud and other days, well – let’s just say they give me palpitations! But after 16 years in the job, I have resigned myself to the fact that the big highs and big lows are just part of the parenting rollercoaster ride. But as far as lows go – Read more…

????????: Facebook Black ?????????

      No Comments on ????????: Facebook Black ?????????

Facebook をお使いであれば、3 月 19 日頃、Facebook Black というアプリについて友達からの投稿が増えたことに気づかれたかもしれません。
 

図 1. Facebook の写真用プラグイン「Faecbook Black」(タイプミスがあることに注意)
 

これまでの詐欺と同様、ユーザーがタグ付けされた写真に、外部 Web サイトへのリンクが仕掛けられています。この例では、リンクは説明欄ではなくコメント欄にあります(図 1)。
 

図 2. iframe によってランディングページにリダイレクトされるが、一瞬だけこのページが表示される
 

Facebook へのリンクをクリックすると、Facebook ページにリダイレクトされます。リダイレクト先のページには iframe が設定されており(図 2)、何度かのリダイレクトを経て最終的に行き着くページでは Facebook Black のインストールを促されます。

これまでにシマンテックで確認され、Facebook Black のランディングページへ誘導されるサイトの例を以下に示します。

  • photocurious.com
  • phototart.com
     

図 3. Facebook Black のページ

次にユーザーは、Google Chrome 拡張機能をインストールするよう誘導されます(図 4)。

図 4. Facebook Black の偽の Chrome 拡張機能

この拡張機能を使い、Amazon の Simple Storage Service(Amazon S3)にホストされている 2 つの JavaScript ファイルがダウンロードされます(図 5)。

図 5. 拡張機能によりさらにファイルがダウンロードされる
 

これらの JavaScript ファイルは、被害者のアカウントを通じて詐欺を拡散し続けるために使われます。そのために、被害者のアカウントに新しい Facebook ページを作成します。このページに、ユーザーを Facebook Black のランディングページへリダイレクトするページへの iframe が含まれています(図 6 と図 7)。

図 6. ユーザーアカウントに新しいページが追加される

図 7. 新しく作成された Facebook ページに iframe によるリダイレクトが含まれている([Welcome]タブ

最終的に、この Facebook 拡張機能をインストールしたユーザーには、一連のアンケート詐欺が表示され(図 8)、詐欺師はここから利益を得ようとしていることがわかります。
 

図 8. 拡張機能のインストール後に表示されるアンケート詐欺
 

シマンテック製品をお使いのお客様は、Web Attack: Fake Facebook Application 3 の IPS シグネチャでこの攻撃から保護されています。偽の Chrome 拡張機能は、Trojan Horse として検出されます。

Google は、Chrome 拡張機能のいくつかをすでに削除しており、悪質な拡張機能に対する自動検出をさらに改善するとしています。この詐欺に引っかかってしまったユーザーは、Chrome 拡張機能をアンインストールし、作成された Facebook ページを削除してください。

 

 

* 日本語版セキュリティレスポンスブログの RSS フィードを購読するには、http://www.symantec.com/connect/ja/item-feeds/blog/2261/feed/all/ja にアクセスしてください。

The New Black: Facebook Black Scam Spreads on Facebook

Yesterday, Facebook users may have noticed an influx of their friends posting about something called Facebook Black.
 

Figure 1. Facebook photo plugging “Faecbook” Black (notice the typo in this image)
 
Similar to previous sca…

Is Facebook Making You Feel A Little Down?

Now – it is essential that you are totally honest with me. Promise! So, tell me – do the Facebook photos of your friends’ holidays and ‘fabulous’ social gatherings make you feel a little down or de-energised? Does the talk of restaurants and over-achieving children ever make you feel jealous? Well, if your answer is Read more…

We are looking for another Queen/Kings of AVAST FREEks to join the AVAST team :)

Part time job for a social media agent   Do you blog, comment, respond, post, chat, like, re-tweet, add to circles, pin…? Do you monitor what’s hot on social media in your language? Do you have 2 hours a day that you can fully dedicate to avast! social media? Can you be the eyes and […]

Fake Friends Fool Facebook Users

      No Comments on Fake Friends Fool Facebook Users

The word friend is defined as “one who entertains for another such sentiments of esteem, respect and affection; an intimate associate.” But that definition seems to have gone out the window with the advent of social networks. Studies show 50% of people will accept a Facebook “friend” or LinkedIn invitation from a total stranger. So Read more…

Fake Friends Fool Facebook Users

      No Comments on Fake Friends Fool Facebook Users

The word friend is defined as “one who entertains for another such sentiments of esteem, respect and affection; an intimate associate.” But that definition seems to have gone out the window with the advent of social networks. Studies show 50% of people will accept a Facebook “friend” or LinkedIn invitation from a total stranger. So Read more…