Posted by: Pez
« on: 07. January 2013., 09:51:47 »WARNING: YouTube Video Scam targets Facebook Users.
Be advised cybercriminals are at it again, leveraging the popularity of Facebook and YouTube to scam consumers.We have seen several scams in the past spreading through Facebook promising of some leaked video of celebrities, or free Facebook T-shirts etc. The malware authors are making money by pay-per-click with these techniques. Users are tricked into clicking some links which appear in their friend’s wall. Once clicked Malware authors trick users by zeroing the opacity of malicious script which are loaded and injected in the backend without the user’s concern.All the victim sees is multiple redirections and a survey page which is brought at the end. In the meantime, the injected script steals the Facebook user cookies and post on Victim’s wall without his or her knowledge.
We have also seen some of these scams requesting for fake YouTube and Flashplayer plugins to be downloaded and installed after checking for the browser running in victim s machine. This was done with the help of following script running in back.
larger image
This scam was seen circulating from last week of December2012 which looks to a video shared.
larger image
Scripts are run in the backend to load the Fake YouTube Logo into the Fake Youtube page:
larger image
Fake YouTube Logo is loaded from the above link
larger image
Few calculations are done before bringing up above Fake YouTube page.
larger image
The redirection link brings up a fake YouTube page where it says YouTube Security Verification is being done as shown below.
larger image
The number highlighted which is asked to be entered in the “Type code here” area keeps changing at regular interval of time with the help of random operation performed in the back.
larger image
larger image
Changing the opacity marked above, reveals us a space where comment is asked to be entered.
larger image
By the time , I changed the opacity and entered a comment, the Security Verification Number got changed. The Security Verification Number is generated random with the help of script below.
A few operations are performed before bringing the wordings which promises of the video that appeared on Victim’s wall.
larger image
Some of the very common words seen in these type of scams are:
• OMG!! I Bet you can’t watch this video for more than 10 seconds
• I dare you to watch this video more than 10 seconds , etc
Another script http://j.maxmind.com/app/geoip.js is injected to learn the victim’s location
larger image
Finally it brings up a page which says the victim s account is being verified. But the video is not still being played.
larger image
Viewing the source of the web page gives us more information, about the scripts , Iframes injected and the “Complete the Simple Step Below to Continue ….!” which appears on top of the window.
larger image
We could see a YouTube link. When investigated, it asks for a missing plugin to be installed to view the video.
larger image
When the missing plugin is installed, Victim could see some porn and prank videos.
larger image
Facebook is also continously monitoring malwares and scams spreading across its users. Users can report suspicious post as Scam back to Facebook and they can block the scam from spreading from their end. This can be done by clicking the top right button which appears on every post ”Report Story or Scam”, highlighted in red in the below figure.
larger image
The user is then taken to a page where they can finally report back to Facebook.
larger image
This way the user ensures scam from not spreading among his or her contacts.
Our advice to users is to pay extra caution when they see links which points to a video. Else you could be actually spreading the infection among your friends network. Also these scams come back with different images, different redirection urls and luring words. We also saw an old scam which promises Pink Facebook page coming back this month. In case you think you are being infected, please check your wall or ask your friend to check if any of these scams is sticking. Sometimes the infected user will not be able to see the scam attached to his wall.
No matter how many offers or surveys they complete, or what services they subscribe to, victims will never receive the promised video, gift or profile.
Orginal article: Thursday, January 3, 2013 at 9:22am by Niranjan Jayanand
Be advised cybercriminals are at it again, leveraging the popularity of Facebook and YouTube to scam consumers.We have seen several scams in the past spreading through Facebook promising of some leaked video of celebrities, or free Facebook T-shirts etc. The malware authors are making money by pay-per-click with these techniques. Users are tricked into clicking some links which appear in their friend’s wall. Once clicked Malware authors trick users by zeroing the opacity of malicious script which are loaded and injected in the backend without the user’s concern.All the victim sees is multiple redirections and a survey page which is brought at the end. In the meantime, the injected script steals the Facebook user cookies and post on Victim’s wall without his or her knowledge.
We have also seen some of these scams requesting for fake YouTube and Flashplayer plugins to be downloaded and installed after checking for the browser running in victim s machine. This was done with the help of following script running in back.
larger image
This scam was seen circulating from last week of December2012 which looks to a video shared.
larger image
Scripts are run in the backend to load the Fake YouTube Logo into the Fake Youtube page:
larger image
Fake YouTube Logo is loaded from the above link
larger image
Few calculations are done before bringing up above Fake YouTube page.
larger image
The redirection link brings up a fake YouTube page where it says YouTube Security Verification is being done as shown below.
larger image
The number highlighted which is asked to be entered in the “Type code here” area keeps changing at regular interval of time with the help of random operation performed in the back.
larger image
larger image
Changing the opacity marked above, reveals us a space where comment is asked to be entered.
larger image
By the time , I changed the opacity and entered a comment, the Security Verification Number got changed. The Security Verification Number is generated random with the help of script below.
A few operations are performed before bringing the wordings which promises of the video that appeared on Victim’s wall.
larger image
Some of the very common words seen in these type of scams are:
• OMG!! I Bet you can’t watch this video for more than 10 seconds
• I dare you to watch this video more than 10 seconds , etc
Another script http://j.maxmind.com/app/geoip.js is injected to learn the victim’s location
larger image
Finally it brings up a page which says the victim s account is being verified. But the video is not still being played.
larger image
Viewing the source of the web page gives us more information, about the scripts , Iframes injected and the “Complete the Simple Step Below to Continue ….!” which appears on top of the window.
larger image
We could see a YouTube link. When investigated, it asks for a missing plugin to be installed to view the video.
larger image
When the missing plugin is installed, Victim could see some porn and prank videos.
larger image
Facebook is also continously monitoring malwares and scams spreading across its users. Users can report suspicious post as Scam back to Facebook and they can block the scam from spreading from their end. This can be done by clicking the top right button which appears on every post ”Report Story or Scam”, highlighted in red in the below figure.
larger image
The user is then taken to a page where they can finally report back to Facebook.
larger image
This way the user ensures scam from not spreading among his or her contacts.
Our advice to users is to pay extra caution when they see links which points to a video. Else you could be actually spreading the infection among your friends network. Also these scams come back with different images, different redirection urls and luring words. We also saw an old scam which promises Pink Facebook page coming back this month. In case you think you are being infected, please check your wall or ask your friend to check if any of these scams is sticking. Sometimes the infected user will not be able to see the scam attached to his wall.
No matter how many offers or surveys they complete, or what services they subscribe to, victims will never receive the promised video, gift or profile.
Orginal article: Thursday, January 3, 2013 at 9:22am by Niranjan Jayanand