
What a coincidence! The same day I start tumblring, Tumblr users get hit by what seems to be one of the most publicized phishing attacks the social network has seen so far.

Yet another phishing attack has resulted in thousands of accounts being compromised. Nothing new here. Phishing is a game of numbers – so even though many users are aware of this threat, there still are some of them who fall victim to this old social engineering trick. Therefore, even with just a low efficiency rate in terms of percentage, thousands of accounts can still be easily compromised by cybercriminals if the phishing page is seen by enough people.

So – for those of you out there who still don’t know the basics of avoiding becoming a victim of a phishing attack, here are a couple of tips:


There’s nothing new in Brazilian cybercriminals exploiting social networks to distribute their malicious code. Orkut was first, followed by Twitter, and now it’s Facebook’s turn.

Facebook is becoming increasingly popular in Brazil and we are witnessing more and more Brazilian bad guys switching their focus to it. We received some proof this weekend: a Brazilian instant message (IM) worm created to steal Facebook passwords and login, and use the infected profile to spread malicious links among Portuguese speakers.

The worm (md5 d8dd66f2ec659687c56feb31ae1ac692) is distributed in a drive-by-download attack. After infecting the user’s machine, a malicious applet downloads lots of different files, including the IM worm responsible for stealing users’ Facebook passwords. The worm is designed to connect to the victim’s profile via the web service Ebuddy.com or via the mobile version of Facebook, and is capable of posting the content of the file fb.txt:


It seems I’m not doing anything other than write about malware on Facebook, but here goes again. As you have probably read or seen yourself on Facebook, there are quite a few applications pretending to show you a list of people who have viewed your profile. I think the most common one is the “Stalker Application”.

Today I saw something that I haven’t seen before – the applications have changed tactics and have now been localized, meaning the page and message which is distributed is in different languages. In my case the language is Swedish, since I’m from Sweden, and I presume that the worms are also localized in other languages.

As with the other cases we have seen, the user is tricked into executing a JavaScript in their browser; that script then loads another script from another domain. The bad guys use this setup to make it harder for antivirus companies to block these domains. This particular case is pretty funny – because of a poorly configured web server we managed to get a complete list of all the domains used in this scam, and they have now been sent to our analysts so they can be blacklisted.


We are currently investigating a new malicious campaign on Facebook mostly targeting French-speaking users. When visiting infected users’ profiles, you see the following:

Translation: Wow, it really works! Find out who is viewing your profile!

The various links that are used rotate quite fast and lead unwitting victims to a website that explains what they need to do. Here’s what it looks like:

Basically, there are 2 steps.

  • The first one is to copy a Javascript code using CTRL+C
  • The second is to visit Facebook.com, paste the Javascript in your address bar and press “Enter”.

Incidents|Osama's death in Twitter

Vicente Diaz
Kaspersky Lab Expert
Posted May 03, 17:21  GMT
Tags: Social Networks, Twitter

Continuing our investigation on the Osama's death campaign, we were especially concerned about the potential distribution of malware on social networks, because of their speed of propagation. So we have been monitoring Twitter, getting some million tweets and a huge number of URLs too. No surprise here as during the last 24 hours the average was 4.000 tweets per second related to this topic. Here you can see how even Internet traffic was affected.

Analyzing these URLs, we found some interesting stuff.

The first one is a Facebook scam campaign posing as Osama's death video:

Incidents|Osama Bin Laden Spam/Ads on Facebook

David Jacoby
Kaspersky Lab Expert
Posted May 02, 09:15  GMT
Tags: Social Networks, Facebook

I guess the news about the death of Osama Bin Laden is starting to reach everyone around the world. We have noticed that every time something as big as this happens, people get curious and start searching on the Internet. This is something that my colleague Fabio also noticed. During his research he found that cybercriminals are spreading Rogueware via Blackhat SEO and Google Images. You can read more about his finding here.

This triggered me to do a quick search on Facebook and see what was happening over there. I directly saw that Facebook ads are already spreading using videos of the death of Osama Bin Laden as a trigger. On one Page we can see multiple users posting the same URL, with the following message: "Sweet! FREE Subway To Celebrate Osamas Death - 56 Left HURRY!" or "2 Southwest Plane Tickets for Free - 56 Left Hurry" and then a link to a short URL service (http://tiny.cc/).


When I was checking Facebook this morning, I spotted some friends posting the same message all over their friends' walls. Well, another likejacking scam I assumed. So I did what I usually do when this happens, I wrote them a quick note telling them to clean up their Facebook apps and delete the wall posts. Nothing spectacular so far, as this happens on quite a regular basis. But wait...

Something's different this time: the whole scam is delivered in German! A really rare occurrence, but something which I expect to happen more often in future. “Why?” I hear you ask. Well, here's my theory:

About 70% of all Facebook users are based outside the US which means more than 350 million people, according to official Facebook statistics. These users don't speak English as their native language for the most part. For cybercriminals, this means that they miss the larger part of their target audience. Since most people in the world understand English, previous scams of this type worked out quite well, but they were also easy to spot outside the US and the UK, because it’s quite odd when people start writing messages in English when they usually don't. At the same time, likejacking scams have become better known among users of social networks. For these reasons the people behind the scams are doing what they started doing with spam years ago: they are localizing the content in different languages to broaden the target audience. While the messages in those days were heavily flawed in terms of language and design, the process with today’s social networks has been perfected much faster, as this example proves:


The news of the death of Elizabeth Taylor is already being used in social engineering scams on Twitter.
Here is an example of one I saw this morning:

Bit.ly statistics show the same short URL has been recycled since November 2010 for different on-click fraud campaigns (pay per traffic) related to the same affiliate program.

Events|Twitter - Malware through time

Kaspersky Lab Expert
Posted March 23, 15:00  GMT
Tags: Social Networks

Twitter is celebrating its 5th birthday this week. Since its inception in July of 2006 Twitter has grown to become an essential part of many people’s daily lives in just 140 characters. Twitter has also spawned multiple malware campaigns and continues to be a successful avenue of attack to this day.

Security on Twitter has had an eventful history, even considering its relatively young age. There have been all sorts of different types of attacks from trending topics to hacked admins, to account hijacks, just to name a few. In fact, due to Twitter’s popularity and its constant security lapses, the Federal Trade Commission actually brought charges against Twitter in 2010. As a result Twitter had to adopt a number of new security policies, and includes such security options as default SSL connectivity and OAUTH support for external Twitter clients.


Over the weekend, a lot of Facebook users started receiving malicious chat messages from their friends that looked like this:

“Father crashes and dies because of THIS message posted on his daughters profile wall!” - followed by a shortened URL (using the bit.ly URL shortening services). The missing apostrophe in the word "daughter's" - i.e. "daughter's profile wall" – could be a clue that the message is not genuine, or at least that the author is not a native English speaker, but let’s take a look at what would happen to a user who falls for this social engineering trick.