On Thursday morning, AVG researcher Roger Thompson, after tracing a series of spyware attacks back to a set of Facebook profiles, noted that these few hundred profiles all carried the same profile image (seen at left) but different profile information. The home video link on each of these profiles, belonging to Faith / Emily / whoever, points to a web site that displays scareware dialogs: netmedtest.com/index.php?affid=30500.
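The pattern Thompson spotted (one reused profile image, many different names, one shared outbound link) can be turned into a simple detection heuristic. The following added example is not code from the original post or from AVG or Facebook; it runs over constructed profile records (the names, ids and image hashes are hypothetical, the link is the one named in the article) and flags clusters that match that pattern.

```python
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# Constructed sample records standing in for harvested profile metadata.
# Names, ids and image hashes are hypothetical; the link is the one named in the post.
SCAREWARE_LINK = "http://netmedtest.com/index.php?affid=30500"
PROFILES = [
    {"id": "p1", "name": "Faith Price", "image_sha256": "img-a", "video_url": SCAREWARE_LINK},
    {"id": "p2", "name": "Emily Hart",  "image_sha256": "img-a", "video_url": SCAREWARE_LINK},
    {"id": "p3", "name": "Anna Reyes",  "image_sha256": "img-a", "video_url": SCAREWARE_LINK + "&src=fb"},
    # Three unrelated users who happen to share a default avatar: no common link.
    {"id": "p4", "name": "Bob Lee",     "image_sha256": "img-default", "video_url": None},
    {"id": "p5", "name": "Carla Diaz",  "image_sha256": "img-default", "video_url": "http://example.org/me"},
    {"id": "p6", "name": "Dan Wu",      "image_sha256": "img-default", "video_url": None},
    # A single genuine account with a unique image.
    {"id": "p7", "name": "Eve Stone",   "image_sha256": "img-b", "video_url": None},
]

def link_key(url):
    """Collapse an outbound link to (host, affid) so extra query noise does not split a cluster."""
    if not url:
        return None
    parsed = urlparse(url)
    affid = parse_qs(parsed.query).get("affid", [None])[0]
    return (parsed.hostname, affid)

def find_profile_clusters(profiles, min_size=3):
    """Flag groups of accounts that reuse one profile image under different names
    while every member points at the same external host and affiliate id."""
    by_image = defaultdict(list)
    for profile in profiles:
        by_image[profile["image_sha256"]].append(profile)
    flagged = []
    for image, group in sorted(by_image.items()):
        if len(group) < min_size:
            continue
        names = {p["name"] for p in group}
        links = {link_key(p["video_url"]) for p in group}
        # Same picture, different identities, one shared monetised link: treat as one campaign.
        if len(names) > 1 and len(links) == 1 and None not in links:
            host, affid = next(iter(links))
            flagged.append({"image_sha256": image, "host": host, "affid": affid,
                            "accounts": sorted(p["id"] for p in group)})
    return flagged

if __name__ == "__main__":
    for cluster in find_profile_clusters(PROFILES):
        print(f"{len(cluster['accounts'])} accounts share image {cluster['image_sha256']} "
              f"and link to {cluster['host']} (affid={cluster['affid']}): {cluster['accounts']}")
```

Users who merely share a stock avatar are not flagged, because their outbound links (if any) do not agree; only the group that also funnels to a single host and affiliate id is reported.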
Clicking the video URL opens a browser dialog box claiming the user's PC is infected with viruses, offers a "system check", and then opens a scareware dialog. Scareware is software that is sold or downloaded by creating in the user the perception of a threat that usually does not exist; the software itself is typically non-functional or malicious.
The domain itself is registered to accounts using temporary or throwaway e-mail addresses. Amusingly, services like spambob and mailinator, which were intended to help users avoid spam, are used by bad actors as the registration and contact e-mails when registering malicious web site URLs. The site netmedtest is hosted in Haifa, Israel.
Facebook spokesman Simon Axten notes that Facebook is in the process of identifying the fake accounts so they can be disabled en masse. The actual URL used to serve the spyware has been blocked by Facebook as well as the major web browsers already.
A Failure of CAPTCHA
The fact that there are a couple of hundred of these profile pages could suggest an automated setup of the accounts, which would mean a bypass of the CAPTCHA check used during account setup on Facebook. Facebook specifically uses reCAPTCHA (a free service that digitizes the NY Times while it validates that the user is actually human).
CAPTCHA mechanisms have increasingly been compromised by both automated programmatic means such as the method used to break Google’s CAPTCHA, as well as through manual means where human interaction is used to solve CAPTCHA images (cheap sources of labor spend the day typing in CAPTCHA responses). Given that the fake profiles number in the hundreds, either method is realistically plausible. Facebook’s spokesperson indicates that they believe it is the second case: “Based on our investigation and the relatively small number of accounts created, we’re almost certain that they were created manually, rather than by a bot.”
At the time of writing this example bogus profile of Faith Price is still available on Facebook: http://www.facebook.com/people/Faith-Price/100000305282922.
As previously stated, the major browsers have picked up the malicious link and are blocking it, and Facebook is aware of the problem, so for most users this is not a major issue at this point. As always, remember that legitimate anti-virus companies will not advertise to you using scareware tactics, and avoid clicking on links provided by persons you do not know. In general, reduce the impact of drive-by downloads by not surfing the web with a user account that has administrative privileges.