The Latest in IT Security

Another Facebook Fake Foto Attack, on Hacked Russian Site

30 Nov 2011

Unlike humans, who usually need a nap after a big Thanksgiving Day feast, our automated modules keep working away. Either that, or malware has zero calories so WebPulse stays hungry… 😉

As I tweeted (@bc_malware_guy) on Saturday, our logs show another “Fake Foto” attack targeting Facebook users, beginning late Friday night (22:43:54 UTC in our main UK data center, to be precise), that was detected and flagged as Suspicious in real-time by one of our “Shady EXE” detectors.

The attack was hosted on a hacked Russian site (pzsm.info), and there was an extra layer of redirection via tinyurl.com. These factors combined to make things difficult for less-nimble Web defenses to pick it up.

Reconstructing the attack from our logs, here’s the timeline:

– pzsm.info had seen very little traffic in the months before the attack began, which is typical of a compromised site pressed into service as a payload host.

– The attack began at 22:43:54 UTC, as mentioned, and ran for about 9 hours. (The payload URLs on the Russian site were still there on Saturday, so that part of the attack was still “live”; presumably, then, the nine-hour timeframe represents the window of opportunity for the attack, before Facebook recognized and began blocking it.)

– The detailed WebPulse logs confirm that the traffic was coming from facebook.com, using tinyurl.com as a relay. The URLs within Facebook would have looked something like tinyurl.com/Photo-[random]-jpeg, with both “photo” and “jpeg” lending an authentic look to the bait.

– The tinyurl links led to pzsm.info, serving a payload named like “Photo-[random].jpeg.exe” (again making the bait look more realistic, and taking advantage of the fact that many users won’t realize that, unlike video, pictures need no special player or codec, so a “photo” that arrives as an .exe is itself the warning sign). Note also that Windows hides known file extensions by default, so that filename shows up in Explorer as plain “Photo-[random].jpeg”.

– I grabbed a sample of the payload on Saturday, long after the attack was over, and found that it had average recognition in the AV community by then (16 engines on VirusTotal — almost half — detected it as malicious), although some major scanners still missed it. We can speculate that the recognition rate was likely lower at the beginning of the attack, but don’t know for sure.
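The chain reconstructed above (facebook.com referer, a tinyurl.com relay, then a double-extension “.jpeg.exe” download from the hacked host) is simple enough to flag from ordinary proxy logs. The following is an added example, not WebPulse code or anything from the original post: a small Python detector run over a few constructed log lines. The log format (timestamp, client, referer, URL), the list of shortener domains and the sample filenames are all assumptions made for the example.

```python
"""Flag "Fake Foto" download chains in web-proxy logs (added example, not WebPulse code)."""
import re
from urllib.parse import urlsplit

# An image extension immediately followed by an executable one, e.g. Photo-1234.jpeg.exe
DOUBLE_EXT = re.compile(r"\.(jpe?g|png|gif|bmp)\.(exe|scr|com|pif|bat|cmd)$", re.IGNORECASE)

# URL shorteners treated as a relay hop. Assumed list; tinyurl.com is the one seen in the post.
SHORTENERS = {"tinyurl.com", "bit.ly", "goo.gl", "t.co", "ow.ly"}

# Site whose users were the target of the bait links.
BAIT_ORIGIN = "facebook.com"


def host_of(url):
    """Lower-cased hostname of a URL, or '' when it has none."""
    return (urlsplit(url).hostname or "").lower()


def is_shady_exe(url):
    """True when the URL path (query string ignored) ends in <image ext>.<executable ext>."""
    return DOUBLE_EXT.search(urlsplit(url).path) is not None


def is_under(host, domain):
    """True for domain itself and any subdomain of it."""
    return host == domain or host.endswith("." + domain)


def parse_line(line):
    """Parse an assumed 'timestamp client referer url' record; '-' means no referer."""
    ts, client, referer, url = line.split()
    return {"ts": ts, "client": client, "referer": None if referer == "-" else referer, "url": url}


def find_fake_foto_chains(lines):
    """Return (client, shortener_url, payload_url) for each completed chain.

    A chain is: a request to a shortener whose referer is the bait origin,
    followed by the same client fetching a double-extension executable whose
    referer is that shortener URL or absent (a 302 hop often drops it).
    """
    pending = {}  # client -> shortener URL it was sent to from the bait origin
    hits = []
    for rec in (parse_line(l) for l in lines if l.strip()):
        host = host_of(rec["url"])
        ref_host = host_of(rec["referer"]) if rec["referer"] else ""
        if host in SHORTENERS and is_under(ref_host, BAIT_ORIGIN):
            pending[rec["client"]] = rec["url"]
            continue
        if is_shady_exe(rec["url"]):
            relay = pending.get(rec["client"])
            if relay and rec["referer"] in (None, relay):
                hits.append((rec["client"], relay, rec["url"]))
                del pending[rec["client"]]
    return hits


# Constructed sample log: one real-looking chain, one benign photo, one unrelated shortener hop.
SAMPLE_LOG = """\
2011-11-25T22:43:54Z 10.0.0.5 http://www.facebook.com/ http://tinyurl.com/Photo-7f3a-jpeg
2011-11-25T22:43:55Z 10.0.0.5 - http://pzsm.info/Photo-7f3a.jpeg.exe
2011-11-25T22:44:10Z 10.0.0.9 http://www.facebook.com/ http://www.example.com/album/Photo-1.jpeg
2011-11-25T22:45:00Z 10.0.0.7 http://news.example.org/ http://tinyurl.com/abc123
2011-11-25T22:45:01Z 10.0.0.7 http://tinyurl.com/abc123 http://downloads.example.net/setup.exe
"""

if __name__ == "__main__":
    for client, relay, payload in find_fake_foto_chains(SAMPLE_LOG.splitlines()):
        print(f"Suspicious: {client} -> {relay} -> {payload}")
```

The double-extension test is the cheap, high-signal part; on its own it will also fire on legitimate oddities, so the chain logic requires the social-site referer and the shortener hop before raising an alert. Shortener domains need to be kept current, and a real deployment would key the `pending` table on client plus a short time window rather than holding entries forever.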

Recently we’ve been seeing many of these ongoing “fake foto” attacks showing up in our logs with the hacked payload sites located in South America, so the Russian location is a bit out of the ordinary, but there’s a clear pattern of the Bad Guys favoring hacked sites for these attacks.

–C.L.
