Scammers Find Life in the Cloud

Monday, January 30, 2012 @ 02:01 PM gHale


Facebook is suffering from another survey scam that leaves user’s computers infected.

While this incident does focus on Facebook, digging a bit deeper you can see there are security issues facing cloud computing.

RELATED STORIES
Improving Security in the Cloud
Fed Agencies under a Cloud
Report: XSS Flaws Hamper Web Apps
Mobile Embedded Browsers Face XSS Woes

Spammers are now using Amazon’s cloud services for hosting the fake Facebook pages because it’s cheap and because it is less likely Facebook will block links from an Amazon domain.

Users are usually reeled in with offers to see a funny/amazing/shocking video, and click on the offered URL (often a shortened one). In a recently spotted scam users then go to the fake Facebook page where the malware asks users on Chrome or Firefox to install a YouTube plug-in in order to view the video.

Unfortunately, the offered plugin is not what it claims to be.

“Upon installing the plugin, a redirector URL is generated by randomly selecting from the usernames, mo1tor to mo15tor, in the Amazon web service,” said F-Secure researchers. “Then, the link generated is shortened through bitly.com via the use of any of the 5 hardcoded userID and API key-pairs. These key-pairs gives a spammer the ability to auto-generate bit.ly URLs for the Amazon web service link. This ultimately leads to a redirection to the fake Facebook page.”

These users are, therefore, responsible for propagating the scam further by unknowingly posting the message on their Facebook profiles, and are not asked to fill out surveys.

Users who use other browsers do not inadvertently spam their friends, but instead end up redirected to surveys provided by affiliate marketers, served according the geolocation information given out by their computer.

Users who have fallen for similar schemes should delete the offending messages from their Facebook feeds and remove the fake YouTube extension they installed.



Leave a Reply

You must be logged in to post a comment.