Facebook Attack Leverages LinkedIn
We recently discovered a Facebook attack that uses the business-related social networking site LinkedIn as a redirector site. The attack begins with a wall post that bears the subject, “The Video That Just Ended Justin Biebers Career For Good!” Clicking the URL in the image creates a similar wall post on affected users’ accounts.
This Facebook attack using LinkedIn is new, as cybercriminals normally employ URL shorteners and Facebook fan pages to point users to malicious sites. The use of a legitimate site definitely increases the possibility that users will dismiss any suspicions that the post might be a malicious threat. In the past, we also reported various attacks that employed URL shorteners here:
- Facebook Spam Spreads Through Multiple Features
- Bogus Twitter Spam Hits Inboxes
- Shortened URLs in IM Apps Lead to a Worm
Although Facebook prompts a warning about the possible malicious URL activity, the said malicious URL can still be accessed via the site.
As seen in the warning, the URL to which the user will be redirected is not really under the LinkedIn domain; the LinkedIn link is instead a redirector to another URL. We find it unusual that LinkedIn would allow this type of redirector script on its site without performing some sort of check. Clicking Continue leads users to http://{BLOCKED}88.info, which shows a video player-like interface with a supposed video featuring the famous singer Justin Bieber.
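A filter can catch this pattern before a link is shown or followed. The added example below (not from the original post or from Trend Micro) unwraps redirect parameters offline and flags links that display a trusted domain but land on a different site. The host names and the list of parameter names are assumptions, since the post does not give the redirector's URL format.

```python
from urllib.parse import parse_qsl, urlsplit

# Assumption: parameter names often used by redirector scripts (not from the post).
REDIRECT_PARAMS = {"url", "u", "redirect", "redir", "next", "dest", "target"}
# Constructed sample link; trusted.example and landing.example are placeholders.
SAMPLE = "https://www.trusted.example/redirect?url=http%3A%2F%2Flanding.example%2Fvideo"


def _host(url):
    """Return the lowercase hostname of an absolute http(s) URL, else None."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    return parts.hostname.lower()


def _same_site(host, site):
    """True if host is the site itself or one of its subdomains."""
    return host == site or host.endswith("." + site)


def final_destination(url, max_hops=5):
    """Unwrap redirect parameters in url offline; return (first_host, last_host, hops)."""
    first = current = _host(url)
    hops = 0
    while current and hops < max_hops:
        nxt = None
        for name, value in parse_qsl(urlsplit(url).query):
            if name.lower() in REDIRECT_PARAMS and _host(value):
                nxt = value  # parse_qsl has already percent-decoded it
                break
        if nxt is None:
            break
        url, current, hops = nxt, _host(nxt), hops + 1
    return first, current, hops


def is_offsite_redirect(url, trusted_site):
    """Flag links that show a trusted site but land on another one."""
    first, last, hops = final_destination(url)
    if first is None or not _same_site(first, trusted_site):
        return False
    return hops > 0 and not _same_site(last, trusted_site)


if __name__ == "__main__":
    print(is_offsite_redirect(SAMPLE, "trusted.example"))
```

The same comparison, run on the server side against the redirect target, is the kind of check a redirector script can apply before it forwards a visitor.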
Clicking the Play button redirects the browser to http://{BLOCKED}y.info, which displays a window that asks users to answer a survey before they can view the contents of the said Justin Bieber video. It also informs users that they can get a US$1000 Walmart gift card or a gift from Facebook if they answer the fake survey. The malicious script that performs the redirection is detected by Trend Micro as JS_FBJACK.D.
After completing the survey, users will find that the said video doesn’t exist. Once again, the cybercriminals behind this attack benefit from those who paid to answer the online survey. In addition, this can also pave the way for malware infection and information theft.
Trend Micro protects users from this attack via the Smart Protection Network™ that blocks all related URLs in order to prevent users from accessing the malicious sites.
As cybercriminals consistently find new ways to trick users into participating in their schemes, it is of utmost importance that users know about the nature of these threats as well as how they can protect themselves. Social media users may check our report, “Spam, Scams, and Other Social Media Threats”.
Post from: TrendLabs | Malware Blog – by Trend Micro