Zero Day Java Vulnerability Compromises Computers of Facebook Employees

Last month, a number of major companies such as the New York Times, Washington Post and most recently, Twitter had revealed that they were targeted by hackers leading to some form of data breach.

In a recent development, Facebook has also now revealed that some of the computers of its employees were hacked by using a Java exploit. In a blog post penned yesterday, Facebook security team says,

[…] In this particular instance, we flagged a suspicious domain in our corporate DNS logs and tracked it back to an employee laptop. Upon conducting a forensic examination of that laptop, we identified a malicious file, and then searched company-wide and flagged several other compromised employee laptops.

After analyzing the compromised website where the attack originated, we found it was using a “zero-day” (previously unseen) exploit to bypass the Java sandbox (built-in protections) to install the malware.

The computers were compromised when the victims visited a mobile developer website that was compromised to host a zero day exploit, which installed malware on the victim’s PCs. Facebook contacted Oracle regarding the exploit and they released a patch for the same on February 1st.

Facebook says that other companies were targeted in a similar manner and they are working with the affected companies and law enforcement officials to track the source of the attack.

And most importantly for us, there is no evidence that any kind of user data was exposed. Well, that’s a relief!

Source: Facebook

Facebook Expands Antivirus Marketplace to Mobile Along with Seven New Partners

Earlier in April this year, Facebook, in an attempt to increase the existing level of protection for its huge user base, introduced the Antivirus Marketplace app to keep them safe and away from possible threats and malware attacks, and help share virus free content throughout the Facebook network. This offered free downloads and six-month licenses of security software from Microsoft, McAfee, Trend Micro, Sophos, and Symantec.

Nearly six months after the launch, the social networking giant has announced today that it is offering free antivirus software downloads for mobile users also, as Facebook has reportedly grown its mobile users to 543 million in June, 2012.

Along with the expansion of the Antivirus Marketplace to mobile users, Facebook has announced seven new partners including Avast, AVG, Avira, Kaspersky Lab, Panda, Total Defense, and Webroot.

According to Facebook, nearly 30 million users have visited the AV Marketplace since its launch almost six months ago. Facebook is continuing its effort to make the social networking site a safer place to share and connect with friends.

In a post on its Facebook Security page, Facebook stated:

Our new anti-virus partners bring with them both the latest software and comprehensive intelligence. As with our existing partners, these eight companies will help protect Facebook’s community of more than 1 billion users by improving our URL blacklist system. This system scans trillions of clicks per day, and before each click, the system consults the databases of all our AV Marketplace partners to make sure the website you are about to visit is safe. This means that whenever you click a link on our site, you are protected both by Facebook and 13 of the industry leaders in computer security. We will be cooperating with these partners more in the future, and look forward to announcing new tools soon.

Fcebook Mobile Anitvirus Marketplace

With the new additions to Antivirus Marketplace app along with the expansion to mobile devices, it not only allows the users to download the free trials of the anti-virus software, but also helps Facebook to augment its blacklist database.

In August, Facebook announced the launch of [email protected], with which users can report any phishing or malicious links they have received from their friends, or unknown sources. This would enable the Facebook to investigate and request for browser blacklisting.

Facebook Blocks Comments; Flags Them as “Irrelevant or Inappropriate”

It’s not just Robert Scoble who faced problems while posting comments on Facebook, I faced the same problem and a few other Facebook users as well. For an unknown reason, Facebook’s automated spam filter stopped my comment from being published and flagged it as “irrelevant or inappropriate” comment.

The problem I faced was when a friend of mine on Facebook shared a scam message about “free online recharge,” and I tried adding the comment — “This is a fake offer.” Facebook blocked me right there from posting the comment with the following message:

This Comment Can’t Be Posted

This comment seems irrelevant or inappropriate and can’t be posted. To avoid having your comments blocked, please make sure they contribute to the post in a positive way.

Facebook Blocks Comments

Robert Scoble faced the same problem while posting a comment. However, according to Facebook, Scoble’s comment was specifically blocked because of its length, and the length of the comment thread it was on.

When the issue was reported by major blogs, Facebook stated that it is not censoring comments, but the limitation was caused due to Facebook’s automated spam filter system.

Here’s the official statement that Facebook posted –

To protect the millions of people who connect and share on Facebook every day, we have automated systems that work in the background to maintain a trusted environment and protect our users from bad actors who often use links to spread spam and malware. These systems are so effective that most people who use Facebook will never encounter spam.

They’re not perfect, though, and in rare instances they make mistakes. This comment was mistakenly blocked as spammy, and we have already started to make adjustments to our classifier. We look forward to learning from rare cases such as these to make sure we don’t repeat the same mistake in the future.

Scammers usually target long threaded comments to post malicious links and scam messages. The automated spam filter monitors such threads and makes sure that it filters out spammy comments to keep the thread clean and safe. Of course the system also blocks comments that have inappropriate words, but other types of comments that go against positive conversation, which includes some ASCII art are also blocked.

In my case, my comment was blocked either because I used the word “fake,” or maybe because I tried commenting on a spam post. Facebook also mentioned that “the error message made it sound like the message was blocked because of the content of the message, not because it looked spammy.”

Facebook Introduces Antivirus Marketplace

The social networking giant – Facebook has announced the debut of the new Antivirus Marketplace, a one-stop portal that will offer free downloads and (six-month) licenses to antivirus software and also make use of the URL blacklists, which will help prevent users from visiting malicious links. This is a partnership between Facebook and the world’s biggest antivirus and Internet security companies like Microsoft, McAfee, TrendMicro, Sophos, and Symantec.

The free downloads and six-month licenses available via the Antivirus Marketplace are:

  • Microsoft: Microsoft Security Essentials
  • McAfee: McAfee Internet Security 2012
  • TrendMicro: Smart Surfing and Titanium
  • Sophos: Anti-Virus for Mac, Home Edition
  • Symantec: Norton AntiVirus
Facebook Antivirus Marketplace

“The AV Marketplace enables people to download six-month licenses to full versions of anti-virus software at no charge. Facebook’s global community can now download for free powerful software to protect their computers from current and future viruses, and content security threats providing hundreds of millions of people free access to anti-virus software.”

In addition to this, Facebook also announced that is has partnered with the security firms in order to use their URL blacklist system, and eventually add them to its own security system. This is a very interesting move from Facebook, providing its users an additional layer security of by blocking access to malicious download links and sites.  The partnered companies will also provide essential educational materials via the Facebook Security Page.

Facebook states that, “Our URL blacklist system, which scans trillions of clicks per day, will now incorporate the malicious URL databases from these security companies to augment our existing level of protection. This means that whenever you click a link on our site, you benefit not just from Facebook’s existing protections, but the ongoing vigilance of the world’s leading corporations involved in computer security.”

Through the Antivirus Marketplace app, Facebook expects to keep its users safe and away from possible threats and malware attack, and help them share virus free content throughout the Facebook network. The marketplace is accessible from the Facebook Security Page, or you visit the page by using the link – on.fb.me/FBAVMarketplace.

Facebook “Deactivated Friend Attack” Disclosed by Researchers

A pair of researchers from the University College London – Shah Mahmood (student) and Yvo Desmedt, Chair of Information Communication Technology, have discovered and revealed a “zero day privacy loophole” in Facebook. The duo has named the loophole as “Deactivated Friend Attack”, and revealed details about it yesterday during the IEEE International Workshop on Security and Social Networking SESOC 2012, held at Lugano, Switzerland.

According to the pair, “Our deactivated friend attack occurs when an attacker adds their victim on Facebook and then deactivates her own account. As deactivation is temporary in Facebook, the attacker can reactivate her account as she pleases and repeat the process of activating and deactivating for unlimited number of times. While a friend is deactivated on Facebook, she becomes invisible. She could not be unfriended (removed from friend’s list) or added to any specific list.”

This particular attack is simple enough and easy to execute, however, the main challenge the attacker faces is to trick the user into accepting the attacker as a “friend”. However, once the attacker has achieved this task, he can deactivate the user’s account and also make it impossible for the user to remove him from his friend list.

Facebook Friends

Once the attacker can activate/deactivate the user’s account, he can also access the information contained in the victim’s account. According to the researchers, the attackers have some sort of back entry into the victim’s account and can access the account any time he wants.

“No user was able to unfriend us during this time due to cloaking and short de-cloaking sessions,” the researcher said during the workshop. The “deactivate friend attack” works well, since Facebook does not allows users to keep a count on how many time a user’s account was deactivated and activated. It also does not send any notification to the user’s friend about the deactivation of the account.

To demonstrate how this works, Mahmood and Desmedt made 4,300 Facebook friends and maintained access to their profiles for a period of 261 days. Because most of the time their test account was deactivated, none of the 4,300 individuals was able to unfriend them. The short de-cloaking sessions were enough to get updates about the victims.

Currently, there has been no resolution on this yet, but we expect that Facebook will look into this matter and come up with a feasible solution. Meantime, it is advised that you do not add any unknown person to your friend list. Also, make sure you approve trusted Facebook apps that seek permission to access your publicly available information.

[via]

Fake ‘Facebook Security’ Account Used to Send Phishing Messages

According to a report from the Kaspersky Lab, a new phishing attack on Facebook has been discovered that primarily attempts to steal account information of Facebook users and compromise the account. The attackers then attempt to gather the financial information including credit card data and other sensitive information from the victim.

According to Kaspersky Lab’s David Jacoby, the attackers are not just tricking users to visit a phishing site, but are trying to scare them by sending them warning messages by using a fake “Facebook Security” account. The compromised accounts will be used to steal available personal information and then change both the profile picture and name to try the trick on other Facebook users.

The profile picture will be changed to the Facebook logo and the name will be changed to “Facebook Security” with special ASCII characters replacing the letters such as “a” “k” “S” and “t”. Here is a screen shot of the message sent from a fake account –

Facebook Security Phishing Attack

The message – “Last Warning: Your Facebook account will be turned off Because someone has reported you. Please do re-confirm your account security by: [LINK] Thank you. The Facebook Team,” is used as a warning message sent to users via Facebook Messages and Facebook Chat.

The link used in the message leads users to a phishing site. When we tried opening the page using Google Chrome, the following warning message was displayed – “Phishing sites trick users into disclosing personal or financial information, often by pretending to represent trusted institutions, such as banks.”

The site, however, is designed to look like a Facebook page and prompts the victim to enter the name, email address, password, security question, email account password, country, and date of birth. After having provided with all the information, the victim will be redirected to another page with the heading “Payment Verification” that asks for the first six digits of the victim’s credit card. Accordingly, in the following pages, the user is asked to enter the full credit card number along with the expiry date, CVV code (Security code), and the billing address.

Payment Verification - Fake

If you’re an active Facebook user, then the most important thing that you must know is that Facebook never asks its users to enter their password(s), or credit card details. Check the URL of the site that you’re visiting and make sure it is genuine. Most of the sites that require users to enter any financial information, have a secured HTTPS connection, which are often used for payment transactions on the World Wide Web and for sensitive transactions in corporate information systems, which was not true in this case.

Also Read: Google Chrome Now Blocks Insecure Scripts on HTTPS

If you’ve been warned with such a message on Facebook, then ignore it. Alternatively, you can contact the Facebook Security team here and check if they sent the message or not. We have reported a similar Facebook Security Network Phishing Attack back in August 2011.

“These scams are just getting more popular and we really recommend not giving out personal information, especially not email, password and credit card information over social medias,” Jacoby wrote. “It is also recommend[ed] that you contact your security vendor and the social media vendor if you encounter these sites.”

Ramnit Worm Steals 45,000 Facebook Passwords

If you are a Facebook user in the United Kingdom or in France, then it’s time to change your account password. The infamous Ramnit worm, which earlier was used to gain access to financial credentials, is now targeting users on Facebook. Reports indicate that the worm was first detected 18 months ago, and is now continuing to evolve on the social networking giant.

According to researchers at the Israeli firm Seculert, a variant of Ramnit was found and has managed to steal over 45,000 Facebook users’ credentials, mostly in the United Kingdom and France, and infected over 800,000 systems from September to December 2011.

Ramnit a is malware program that is designed to attack Windows executable files (.exe files), MS Office, and HTML documents. TheFacebook Security malware is used to steal sensitive information such as user names, passwords, FTP credentials, and browser cookies. The malware program can “bypass two-factor authentication and transaction signing systems, gain remote access to financial institutions, compromise online banking sessions and penetrate several corporate networks,” Seculert wrote in a blog post Thursday.

Hackers are posting scam messages with links to bogus sites to spread the malware program. When users visit an infected web page, malware programs are automatically downloaded on the user’s computer, which gathers all the required information, like login credentials and saved passwords. The credentials are then accessed by the hackers to compromise users’ accounts. Once the victim’s account is compromised, it is suspected that the Ramnit download link is posted on the Facebook Timeline.

Learn: How to Prevent Your Facebook Account from Getting Hacked

We at Techie Buzz have warned our readers several times on scams spreading on Facebook, and have also provided tips on how to identify and avoid clicking scam links on Facebook. Facebook has recently added two new security features – Trusted Friends and Application Passwords – which are intended to keep your account secured and keep hackers at bay.

As a precautionary measure, always check which applications you use and remove unwanted or suspicious ones. If you are not sure how to do it, you can always check our guide on – removing apps from Facebook. In addition to that, don’t forget to check out our article about – Avoiding Facebook Lifejacking and Clickjacking scams.

Also Read: Facebook Introduces Sweeping Sharing and Privacy Changes

Bookmark – Techie Buzz – Facebook Scams. We always keep you updated with the latest scams spreading on Facebook.

Dangerous Malware Link Spreading Through Facebook Chat System

A dangerous worm has been spreading through Facebook’s messaging system since last week. It has been trying to hijack users’ chats to spread a download link in an effort to compromise their computers and infect them with a Dorkbot malware program.

The malware gives access to the accounts of the compromised users, which allows it to send a malware-infused JPG download link to friends, according to reports by Sophos Naked Security blog.

It is also reported that the malware is identified as Troj/VB-FRI and Troj/VM-FRJ Trojan horse. However, Sophos reports that Facebook’s own anti-virus isn’t able to detect the malware and is continuing to spread across the social networking site.

The download link points to an image of two blonde women, however, it has been infused with a malicious screensaver. When the malicious program begins to execute, it attempts to download more malware files hosted on a compromised Israeli website. The worm has been developed using Visual Basic 6.0 and “contains numerous Anti-VM tricks directed against VMware, Sandboxie, Virtual Box, etc.,” according to the Dutch CSIS Security Group, which first detected the spread of the worm.

Sophos reveals that the link shared by the malware has a sub-domain “facebook.com” through which users on Facebook are easily tricked. Clicking on the link will download and install the Dorkbot malware on your Windows computer.

Facebook Chat Malware

With over 800 million users, Facebook can’t afford to let scammers spread links which are harmful to its users. Although the Facebook anti-virus isn’t able to detect the malware, Facebook needs to take precautionary measures by blocking the link on the site and prevent it from spreading further. However, make sure that you DO NOT click on irrelevant links on Facebook. Also, its advised that you have your computer scanned for any malware installed on your system.

As a precautionary measure, always check which applications you use and remove unwanted or suspicious ones. If you aren’t sure how to do it, you can always check our guide on  removing apps from Facebook. In addition to that, don’t forget to check out our article about  Avoiding Facebook Lifejacking and Clickjacking scams.

Bookmark  Techie Buzz Facebook Security. We always keep you updated with the  latest issues and scams spreading on Facebook.

Beware of ChatSend App on Facebook

If you are one of those users on Facebook who have downloaded the ChatSend  application, you may notice that the application has been acting shady of late.  The application has been linked to spammy Facebook message and is enticing Facebook users into installing the application that inaptly  advertises itself.

What is ChatSend Application?

According ChatSend, the application –

…creates advanced, innovative technologies to efficiently deliver large files across the Internet. Our innovative clientless peer to peer file sending platform, enable us to virtually send files without having the cost of heavy infrastructure, thus we provide the service for FREE .

Now, according to a report by GFI Labs, messages that link to ChatSend’s Facebook page started to appear on Facebook users’ inbox, which were posted without the user’s knowledge. The application not only posted a message, but also sent the same message via Facebook chat (if enabled) to all users in the list.

ChatSend Messages

Although the Facebook Security team has blocked the ChatSend” app, it is reported that the app is still promoting itself among friends of users who had installed it.

The app download link has been spreading in a way similar to how scam messages spread – by sharing or “liking” the post. It was noted that the app had received more than 134,000 likes. The message contains a link to download the ChatSend application and upon installing the app on the user’s computer, it may lead to installing a browser toolbar for Chrome, Firefox and Internet Explorer that will set the default search engine to “Web Search.”

ChatSend Installation

While installing the app, you will notice under the Terms and Agreements, three boxes which are already checked by default, each of them validating the installation of toolbars, search engines and predefined URLs as homepage. Once the installation is done, the app starts sending automated messages to your friends on Facebook, each of which contains a unique link pointing to the download site.

If in case you have installed this application by mistake, you can remove it from the Add/Remove Programssection of the Control Panel. Also, it is recommended that you run a full system anti-virus scan, just to make sure that there no Trojans or any the malicious programs installed. If you  receive  any message  related  to ChatSend, then DO NOT click on any links provided in the message and be sure to delete it immediately.

It is always advised that you avoid clicking links on Facebook, which may cause a potential threat your Facebook account or your system. If in case you really want to click on a link or try out some new programs, then make sure that you have read enough reviews about it before installing it on your computer.

Read:  How to Avoid Facebook LikeJacking Scams

A Look at Facebook’s Security Infrastructure

25 billion actions a day or 65,000 actions a second! That is the volume of actions generated by Facebook’s 800 million users. And Facebook this week, released some information about its massive Security infrastructure called the Facebook Immune System or FIS that scans all of these actions for any kind of suspicious activities.

As New Scientist explains,

It protects against scams by harnessing artificially intelligent software to detect suspicious patterns of behaviour. The system is overseen by a team of 30 people, but it can learn in real time and is able to take action without checking with a human supervisor.

The system was developed over a three year period and the numbers released by Facebook shows that it has been pretty effective. The number of users affected by spam has been reduced to less than 1%. Even though that 1% accounts for about 8 million users, with a little bit of caution from the end user while using Facebook, that number can be reduced even further.

Microsoft Research has put forward a PDF detailing the principles of FIS. According to it, the main components of FIS are

• Classifier services: Classifier services are networked interfaces to an abstract classifier interface. That abstraction is implemented by a number of different machine-learning algorithms, using standard object-oriented methods. Implemented algorithms include random forests, SVMs, logistic regression, and a version of boosting, among other algorithms. Classifier services are always online and are designed never to be restarted.

• Feature Extraction Language (FXL): FXL is the dynamically executed language for expressing features and rules. It is a Turing-complete, statically-typed functional language. Feature expressions are checked then loaded into classifier services and feature tailers1 online, without service restart.

• Dynamic model loading: Models are built on features and those features are either basic or derived via an FXL expression. Like features, models are loaded online into classifier services, without service or tailer restart. As well, many of classifier implementations support online training.

• Policy Engine: Policies organize classification and features to express business logic, policy, and also holdouts for evaluating classifier performance. Policies are Boolean-valued FXL expressions that trigger responses. Policies execute on top of machine-learned classification and feature data providers. Responses are system actions. There are numerous responses.

Some examples are blocking an action, requiring an authentication challenge, and disabling an account.

• Feature Loops (Floops): Classification generates all kinds of information and associations during feature extraction. The floops take this data, aggregate it, and make it available to the classifiers as features. The floops also incorporate user feedback, data from crawlers2, and query data from the data warehouse.

clip_image002

Although FIS has come a long way in tackling spam, it should be noted that FIS is still vulnerable to tactics that are new to it, such as,  socialbots. A socialbot works by sending friend requests to random people. The profile data of people who accept this friend request is used for identity theft, phishing attacks etc.

So, it is always up to the end user to remain cautious of these types of attacks in order to protect their personal information.

You can find some of the common tips to protect your Facebook account here.