Given that Facebook is now one of the largest social networking platforms in the world, it is also an opportunity provider for various social engineering attacks, and the perfect platform from which to spread rogue software.
One of the ongoing scams is the psychological manipulation of people into performing actions which better monetize certain websites or services.
One approach is the use of photos depicting humanitarian causes, such as saving an ill baby.
By clicking on the related link, the victim is taken to the target website.
Another approach is the use of real or fake videos which are blocked. If the unsuspecting user clicks to watch the video, he is first obliged to do something in order to unblock it (either sharing the video on his Facebook timeline, or completing a survey, or paying for the video and so on). What all these videos have in common is their eye-catching titles which contain strong phrases like: “SENZATIONAL”, “WOW”, “INCREDIBIL”, “SCANDALOS”, “SOCANT”, “NEMAIVAZUT” all of which are designed to pull people in.
The first example can be found on http://distractie.ro.im. This website contains fake videos which can be watched only after sharing them on Facebook.
Another example is a group of related websites and Facebook pages, where the same social engineering technique as above is used. These are:
- http://www.tonto.ro/ which promotes the Facebook page “Tonto”;
- http://www.5play.info which redirects to http://www.videoping.info/;
- http://www.videoping.info/ which promotes the Facebook page “Zori de zi”;
- http://www.video70.info/ which promotes the Facebook page “Amazing Video”.
All of the above Facebook pages have the same content:
Below are a few screenshots:
- www.tonto.ro video blocking:
- “Tonto” Facebook page promoted on www.tonto.ro:
- http://www.videoping.info/ video blocking:
- “Zori de zi” Facebook page on http://www.videoping.info/:
The third example of a video-blocking Facebook scam also consists of a group of websites, meant to compel the user to subscribe to certain mobile-service providers. It all starts with a Facebook video link:
When the victim clicks on the link, they are taken to a fake Facebook page:
In fact, the host domain, www.ghooet.com, contains several fake Facebook pages related to various popular topics. Some of these pages are still active and some are not. All of them follow the same principle: in order to see the video, you must share it. But unlike other fake videos which can be watched after they are shared/liked, on these fake Facebook pages you cannot see the video after you have shared it. Instead you are redirected to http://s3-us-west-2.amazonaws.com/dailycrazyvideos/shangrip.html:
On this webpage hosted on the Amazon S3 data storage web-service, you are instructed over and over again to go to five malware websites one by one in order to unlock the video:
- the first choice is called “Take an IQ test now” and leads to ro.mobi-master.net. In order to receive the test’s result, you must send an SMS which will automatically subscribe you to mobi-master’s mobile services, for which you will be charged.
After leaving this second website, the victim cannot watch the video, but instead is asked to go to another site:
- the second choice’s topic is a couple’s matching horoscopes and it leads to http://ilovemobi.com/. Similarly, you must send an SMS in order to get the results and again you are automatically subscribed to ilovemobi’s mobile services.
- the next option:
All of the above options are redirected from http://cpagrip.com/, which offers ad technology such as video lockers. Apart from this, another thing they have in common is that they seem to be randomly chosen from http://aff.ringtonepartner.com/geo. Each time this link is accessed, another social engineering scheme is chosen. There is a common thread: in order for the victim to get something (a game, a ringtone, the horoscope, the results of an IQ test or of a love matching test and so on), he must send an SMS which will automatically subscribe him to a mobile-services provider, such as: http://www.ilovemobi.com/, http://nrs-group.com/, http://mobiplus.me/, http://www.fun2cell.net/, http://www.teracomm.ro/.
Some of the scams that can be found at http://aff.ringtonepartner.com/geo are:
If you find yourself on the ringtone site at some point, the http://aff.ringtonepartner.com/geo link redirects to http://www.mobileraffles.com/welovemusic/download/?oid=35646.
At another point it tries to persuade the victim to download a rogue executable file from http://ilivid.kayako.com/ and run it:
General advice to avoid Facebook Scams:
- If you are asked to share something or complete a survey in order to watch a video, then be assured it’s a scam.
- If you are asked to send an SMS or enter your mobile phone number in order to receive some results or download a game, then it is most probable that this is also a scam which will automatically subscribe you to a mobile service for which you will pay a fee. In these cases, it is best to: a) read the small footnotes which generally contain the terms and conditions, or try to find the terms and conditions; b) search for the website on Google. There is probably someone who has already been scammed and who has voiced their displeasure on a forum.
- If you are asked to download and run an executable file by such bogus websites, don’t do it. If you do and you run such an executable, you might end up installing spyware which can steal your personal information and send it to another entity without your consent. Or you might end up with adware which will fill your screen with hard-to-remove banner ads or pop-up windows. Or you might become infected with a more sophisticated type of virus which installs unwanted software, initiates network traffic, spreads to other computers on your network, sends spam emails on your behalf, prevents you from accessing certain websites or from running certain applications, hides your Taskbar or Desktop content, changes your Desktop background, installs a backdoor, hacks your messenger or Facebook accounts and so on.
Always be careful to check whether the Facebook page you are redirected to is a fake Facebook page or a real one (look at the link in the browser). If it is fake, leave the page.
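
The "look at the link" check above, written out as an added example (not code from the original article): it parses a link and compares the host it really points to against a list of Facebook-owned domains. The `TRUSTED_DOMAINS` list, the `classifyLink` name and the links marked as constructed are assumptions of this example.

```javascript
// Added example: decide from the host, not from the page's look, whether a
// link is Facebook. TRUSTED_DOMAINS is an assumption; extend it as needed.
const TRUSTED_DOMAINS = ["facebook.com", "fb.com"];
const BRAND = /facebook/i;

function classifyLink(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl); // throws on relative or malformed input
  } catch (err) {
    return { verdict: "invalid", host: null, reason: "unparseable" };
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    return { verdict: "invalid", host: null, reason: "non-web-scheme" };
  }
  // The URL parser lowercases the host; also drop a trailing root dot.
  const host = url.hostname.replace(/\.$/, "");
  // Accept the domain itself or a true subdomain, never a bare suffix
  // ("notfacebook.com" must not pass as "facebook.com").
  const trusted = TRUSTED_DOMAINS.some(
    (d) => host === d || host.endsWith("." + d)
  );
  if (trusted) return { verdict: "facebook", host, reason: "trusted-host" };

  let reason = "unrelated-host";
  if (BRAND.test(url.username) || BRAND.test(url.password)) {
    reason = "brand-before-@"; // text before '@' is credentials, not the site
  } else if (BRAND.test(host)) {
    reason = "brand-inside-other-host";
  } else if (BRAND.test(url.pathname + url.search)) {
    reason = "brand-only-in-path";
  }
  return { verdict: "not-facebook", host, reason };
}

// Two hosts named in the article, plus constructed links for illustration.
const samples = [
  "https://www.facebook.com/some-page",            // constructed
  "http://www.ghooet.com/",
  "http://s3-us-west-2.amazonaws.com/dailycrazyvideos/shangrip.html",
  "http://www.facebook.com.ghooet.com/video",      // constructed
  "https://facebook.com@www.ghooet.com/video",     // constructed
  "https://notfacebook.com/login",                 // constructed
];
for (const s of samples) {
  const r = classifyLink(s);
  console.log(`${r.verdict.padEnd(12)} ${r.reason.padEnd(24)} ${s}`);
}
```

Only the first sample is classified as `facebook`; the rest are reported with the host the browser would actually contact.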