06/06/2012, Author: Sabrina Berkenkopf

A never-ending Facebook story

Resourceful attackers enlarge their ad networks and earn more and more money with it

Most attacks carried out and malware produced have an economic background - someone wants to earn money with it. Advertising networks are a popular way to gain money quite easily without necessarily harming the user, at least not directly. In this current case, we have discovered a sophisticated approach which suggests that this kind of attack really must be worthwhile!

It all starts with a post on someone’s Facebook wall:

The shortened URL leads to a long URL and its only function is to check the visitor’s country of origin. According to the result, the visitor is put into a quite impressive redirection chain with numerous ad services, built-in via iFrames. Each and every “visit” to these sites lets the money roll in for the attacker.
Screenshot of the redirection chain for a German visitor

The redirection chain graphic shows the events happening if someone from Germany clicks the short URL in the fake profile checker wall post. The website checking the visitor’s country of origin distinguishes between three possibilities with three URLs involved:

If country is GB:
arLinks[0] = "the*****ter.com/313/index.php";
arLinks[1] = "the*****ter.com/313/index.php";
arLinks[2] = "the*****fly.com/final2.php";

If country is NL, IE, FR:
the*****ter.com/313/index.php

If country is US, AU, ZA, CA, BE, ES:
the*****fly/final2.php

Any other country:
justforfunapps.com

So, visiting the website from Great Britain, gives the visitor a chance of 2/3 to be redirected to the*****ter.com/313/index.php and a 1/3 chance to see the*****fly/final2.php. All other countries have a fixed destination.
Screenshot of the target website for German visitors

As you can see, the target website reached from Germany is loaded with advertisements for various products and web services. Luckily, none of the embedded links and pictures is malicious, but the attackers can redirect the traffic to any website they like – and this is the point where a good http-filter comes in handy, to protect you and your computer!

On the other websites, we have seen various versions of gift coupon spam and lottery games which as the visitor for personal data such as the mobile number, email address, etc. If you want to know more about this kind of scam, read our previous blog entries, such as “Gift card mania” or “A 50€ gift card for free?! “Hey, I’m no fool!”” – In any way: It’s not a good idea to provide any personal data on these sites!

How does this fake profile checker spread?

The current Facebook app in question is called "Checker".  As soon as someone installs it on a Facebook profile, it will post a very low quality screenshot of an allegedly existing "Recent profile Views" toolbar onto the wall – as you can see above. Such a toolbar does not exist and we warned against those fake announcements numerous times already and Facebook also explains it in the public help section.
As the app does not only post a picture on the victim’s wall, but also tags the profile owner and many, if not all, of his/her friends in this low-quality picture, even the friends who do not see the post on the wall, will get a notification, because they were tagged. This makes it more likely for more users to click the link – messages from friends are often treated as more trustworthy, but even a friend can fall for such a scam and therefore each and every message should be treated with caution.

If you get a request to install an app in your social network profile, have a look at the permission the app requests to function properly. Think about it and then decide whether you really want to grant those permissions!

What you can do:

  • If you have fallen victim to this scam and shared the link on your Facebook wall, delete it as soon as possible! Otherwise, your friends might be tempted to click it and therefore share it as well.
  • If you have installed an app which caused the Facebook wall post, you should make sure you delete this app from your profile as soon as possible. Even better: Check each and every app before you install it - The app displays the permissions it would like to obtain to function. Evaluate if you want to assign these permissions asked for.
  • Use an up-to-date, comprehensive security solution with a virus scanner, firewall, http scan and real-time protection. A spam filter, to get rid of unwanted spam, is a must-have, too.
  • Do not click on links or download files if you received a message from a foreigner. The websites and files might harm your PC. Even if the message comes from a friend, but looks different from usual messages, you better ask him and reassure yourself that he willingly sent you this message.
  • Do not surf the Internet while you are logged in to services like social networks simultaneously in the same browser. Fraudsters can manipulate your browser session and use your social network account to spread unwanted messages, etc.
  • Always log-out after your visit in social networks. Especially if the computer you are using is used by several other people or is a public machine, e.g. in universities, internet cafés, etc.

Share this article

G DATA | Trust in German Sicherheit