New affiliate scam strikes Facebook

Filed Under: Facebook, Malware, Phishing, Social networks, Spam

Another scam using stolen Facebook credentials is making the rounds. It is unclear how the spammers are acquiring the credentials, but it is likely the result of phishing or Koobface. This attack uses the subject "Y o y Tube", supposedly a play on "YouTube."
Screenshot of Facebook scam

You'll notice the URL (which I have censored) is all numeric. This technique has been used for some years and is an alternate encoding of the IP address the link directs you to. Browsers will interpret numeric inputs with no dots as octal, hexadecimal, or Dword values and happily load the content from what appears to be an invalid URL.

bit.ly usage statistics for spam URL

For example, http://3575622733 will direct you to Sophos.com. The URL in this scam message directs you to a Bit.ly shortened link. You can see that a number of people have clicked on this random Facebook message.
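The numeric-host encoding described above can be undone before a link is logged or filtered. The following is an added example, not code from the original post: it decodes dotless and mixed-base hosts the way browsers do and flags URLs whose host is a disguised IPv4 address. The function names and all sample URLs other than http://3575622733 are constructed for illustration.

```python
from urllib.parse import urlsplit

def _parse_part(part):
    """Parse one host component as hex (0x..), octal (leading 0) or decimal."""
    p = part.lower()
    if p.startswith("0x"):
        digits, base = p[2:] or "0", 16
    elif len(p) > 1 and p.startswith("0"):
        digits, base = p[1:], 8
    else:
        digits, base = p, 10
    # Reject signs, whitespace and digits outside the base (int() alone is laxer).
    if not digits or any(c not in "0123456789abcdef"[:base] for c in digits):
        raise ValueError(part)
    return int(digits, base)

def decode_numeric_host(host):
    """Return the dotted-quad IPv4 address a numeric host resolves to, else None."""
    parts = host.split(".")
    if len(parts) > 4:
        return None
    try:
        nums = [_parse_part(p) for p in parts]
    except ValueError:
        return None  # an ordinary domain name
    # Leading parts are one byte each; the last part fills the remaining bytes.
    if any(n > 255 for n in nums[:-1]) or nums[-1] >= 256 ** (5 - len(nums)):
        return None
    value = nums[-1]
    for i, n in enumerate(nums[:-1]):
        value += n << (8 * (3 - i))
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def obfuscated_ip_in_url(url):
    """Return the real IP if the URL's host is a disguised IPv4 literal, else None."""
    host = urlsplit(url).hostname or ""
    ip = decode_numeric_host(host)
    return ip if ip is not None and ip != host else None

# First URL is the post's example; the rest are constructed encodings of the same address.
SAMPLES = ["http://3575622733", "http://0xd51fac4d/", "http://0325.037.0254.0115/x",
           "http://213.0x1f.44109/", "http://213.31.172.77/", "http://example.com/"]

if __name__ == "__main__":
    for url in SAMPLES:
        print(f"{url:32} -> {obfuscated_ip_in_url(url)}")
```

A mail or proxy filter can treat any non-None result as a signal worth scoring, since legitimate links rarely write an address this way.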

The shortened URL directs you to a page hosted in Iceland, which again redirects to a domain owned in Canada, hosted in the USA. At this point, you get a chat window with a sexy lady.

Spam chat window

It only appears to be a chat window, though... it's really just a Flash video that links you to Adult Friend Finder.

Why jump through so many hoops to direct users to Adult Friend Finder? It's known as affiliate marketing. Many spammers and adult content websites issue unique URLs to people and offer them payment for new subscribers, fake anti-virus installs, or purchases of pills making you "stronger in bed".

This attack is another reminder to not click on URLs presented through social media, even if they arrive from a friend. Many different criminal groups are acquiring social media credentials and using your trust in a friend to compromise your computer, or just offer you some adult friends.

This Facebook friend clearly has had her password stolen, which is a reminder of the importance of having unique passwords for every site you visit, especially sites that are high-profile targets. As I mentioned in my blog on the grader.com hack, with so many sites requiring so many identities, consider using a secure password management application to help you sort it all out. Now go change your passwords for Facebook, Twitter, and Buzz before you are the next one apologizing to your friends.


About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski, on App.net as Chester, Chester Wisniewski on Google Plus or send him an email at chesterw@sophos.com.