Mar 16, 2014

"lolz this blog by you is" - Phishing Scam

A message reading "lolz this blog by you is" followed by random words is spreading virally on Twitter. It is a variant of a phishing scam targeting Twitter users. In the screenshot below you can see some of the tweets found posted on an affected user's Twitter timeline. The tweets mention followers by @name to attract attention and spread further.


If you click on the link, it first checks whether you are logged into your Twitter account. If you are, it takes you to a page that looks like the Twitter login page. It says "Your current session has ended. For security purposes your were forcibly signed out, you need to verify your Twitter account, please relogin." to convince you to re-enter your username and password, which it collects. Before you enter a username or password on any website, always ensure that the address shown in the browser address bar is correct and belongs to a legitimate site.
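The address-bar check recommended above can be made mechanical. The following is an added example, not code from the original post: it decides whether a login URL points at the real service by comparing the hostname the browser will actually connect to against an allow list, label by label, so that look-alike hosts and URLs with an embedded `user@` part are rejected. The allow list (`twitter.com` and its subdomains) and the sample addresses are assumptions chosen for the demonstration; the non-twitter.com hostnames are placeholders, not real scam sites.

```python
from urllib.parse import urlsplit

# Hosts on which it is legitimate to type Twitter credentials (assumption:
# twitter.com and its subdomains are the only acceptable login hosts).
LEGIT_LOGIN_HOSTS = {"twitter.com"}


def host_is_legitimate(hostname, allowed=LEGIT_LOGIN_HOSTS):
    """True if hostname equals an allowed host or is a subdomain of it.

    Comparing whole labels stops look-alikes such as "twitter.com.example"
    or "notwitter.com" from passing a naive substring check.
    """
    if not hostname:
        return False
    host = hostname.lower().rstrip(".")
    return any(host == good or host.endswith("." + good) for good in allowed)


def login_url_looks_legitimate(url, allowed=LEGIT_LOGIN_HOSTS):
    """Decide whether an address-bar URL is one on which it is safe to log in.

    Returns (ok, reason). Checks the scheme, then the host the browser will
    actually connect to: urlsplit().hostname drops any "user@" prefix and
    ":port" suffix, so "https://twitter.com@evil.example/" resolves to
    evil.example and is rejected.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False, "not https"
    if parts.username is not None:
        return False, "credentials embedded in URL"
    if not host_is_legitimate(parts.hostname, allowed):
        return False, "host %r is not an allowed login host" % parts.hostname
    return True, "ok"


# Constructed sample addresses, representative of what a victim might see in
# the address bar; the non-twitter.com hosts are placeholders.
SAMPLES = [
    "https://twitter.com/login",
    "https://mobile.twitter.com/session/new",
    "http://twitter.com/login",
    "https://twitter.com.login-verify.example/relogin",
    "https://twitter.com@login-verify.example/relogin",
    "https://twiitter.com/login",
]

if __name__ == "__main__":
    for u in SAMPLES:
        ok, why = login_url_looks_legitimate(u)
        print("%-52s %s (%s)" % (u, "OK" if ok else "REJECT", why))
```

Only the first two sample addresses pass; the plain-http one, the two that hide a different registrable domain behind `twitter.com`, and the misspelled one are all rejected with a reason that says which rule failed.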


Once the username and password are entered, they are sent to a remote server and the victim is redirected to the real Twitter page. If you have been affected by this scam, change your Twitter password immediately. Your Twitter account is compromised, and the scammer can now log into it and send messages directly to all your Twitter followers. The more followers you have, the more scam messages or tweets are sent.



If you see tweets like the following, it is a phishing scam. Don't click on the link. Inform the person who shared the link with you that their account is compromised and ask them to change their Twitter password ASAP. If they have any difficulty changing their Twitter password, they should contact the Twitter support team.
  • "haha I had a strange feeling this was you"
  • "haha this blog by you is so funny" 
  • "haha this entry by you is crazy" 
  • "haha this was posted by you?" 
  • "haha u got to see this, its epic"
  • "I am lol'n so hard right now at this"
  • "Im laughing so hard right now at this"
  • "lmao this was made by you?" 
  • "lmao u gotta read this, its funny" 
  • "lol I had a crazy feeling this is you" 
  • "lol I had a crazy feeling this is yours"
  • "LOL u got 2 read this, its crazy" 
  • "lolz this blog by you is hilarious" 
  • "lolz this post by you is odd" 
  • "omfg this blog by you is nuts" 
  • "omfg this entry by you is so funny" 
  • "rofl this was made by you?" 
  • "rofl you got 2 read this, its crazy"
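Because the scam appends random words after each of the bait phrases listed above, the phrases work as prefixes of the tweet text once @mentions and links are stripped. The following added example (not code from the original post) turns the list into a simple detector that can be run over a timeline export or a stream of tweets; the sample tweets and the `t.co` links in them are constructed for the demonstration.

```python
import re

# Bait phrases from the list above, normalised to lower case. The scam appends
# random words after them, so they are matched as prefixes of the tweet body.
SCAM_TEMPLATES = [
    "haha i had a strange feeling this was you",
    "haha this blog by you is so funny",
    "haha this entry by you is crazy",
    "haha this was posted by you?",
    "haha u got to see this, its epic",
    "i am lol'n so hard right now at this",
    "im laughing so hard right now at this",
    "lmao this was made by you?",
    "lmao u gotta read this, its funny",
    "lol i had a crazy feeling this is you",
    "lol i had a crazy feeling this is yours",
    "lol u got 2 read this, its crazy",
    "lolz this blog by you is hilarious",
    "lolz this blog by you is",
    "lolz this post by you is odd",
    "omfg this blog by you is nuts",
    "omfg this entry by you is so funny",
    "rofl this was made by you?",
    "rofl you got 2 read this, its crazy",
]

MENTION_RE = re.compile(r"@\w+")
URL_RE = re.compile(r"https?://\S+|\bt\.co/\S+")


def normalise(text):
    """Lower-case, drop @mentions and links, collapse whitespace."""
    text = MENTION_RE.sub(" ", text)
    text = URL_RE.sub(" ", text)
    text = text.lower().replace("\u2019", "'")
    return " ".join(text.split())


def match_scam_template(text, templates=SCAM_TEMPLATES):
    """Return the template the tweet starts with, or None if none matches.

    Longer templates are tried first so that "... this is yours" is reported
    as itself rather than as the shorter "... this is you"; the character after
    the prefix must not be alphanumeric, so "is" does not match "isn't".
    """
    body = normalise(text)
    for t in sorted(templates, key=len, reverse=True):
        if body.startswith(t):
            rest = body[len(t):]
            if rest == "" or not rest[0].isalnum():
                return t
    return None


def flag_timeline(tweets):
    """Return [(tweet, template)] for every tweet matching a scam template."""
    hits = []
    for tw in tweets:
        t = match_scam_template(tw)
        if t:
            hits.append((tw, t))
    return hits


# Constructed sample timeline: four bait tweets and one ordinary tweet.
SAMPLE_TWEETS = [
    "@alice lolz this blog by you is hilarious http://t.co/xxxxxxxx",
    "@bob @carol omfg this entry by you is so funny t.co/yyyyyyyy",
    "Lmao this was made by you? http://t.co/zzzzzzzz",
    "Shipped the new parser today, writeup tomorrow.",
    "lol I had a crazy feeling this is yours http://t.co/wwwwwwww",
]

if __name__ == "__main__":
    for tweet, template in flag_timeline(SAMPLE_TWEETS):
        print("SCAM  %-28r <- %s" % (template, tweet))
```

A prefix match on a fixed phrase list will miss the next rewording of the bait, so in practice this is a first filter; the stronger signal is the combination of a bait-style phrase, a shortened link, and a burst of near-identical tweets from one account.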

WTFF! Friend's Name naked VIDE0 - Scam Installs Malicious Browser Extension

A new type of scam with the title "naked VIDE0" is spreading rapidly on Facebook. Many users attempting to see naked videos of their friends have had their systems infected with malware.



Once clicked, the link redirects users to a malicious page designed to look like a YouTube page. When visited with the Chrome browser it shows the message "Adobe Flash Player crashed" and asks the user to update Flash Player; when visited with Firefox it asks the user to install a plugin. In Chrome it downloads an executable file named FlashPlayerv26.2.1.exe, whereas in Firefox it is simply installed as a browser plugin.


In the screenshot below you can see the JavaScript used to identify the visitor's browser; depending on that information it redirects the user to the appropriate malicious website.


Once the executable file is run it installs the "YoutubePremium 14.99" browser extension in Chrome and kills the running Chrome process, forcing the user to reopen the browser, at which point the extension is activated.


Once the browser extension is installed it monitors all your browsing activity. It also takes your Facebook profile picture and uses it to post the scam message on your wall, with the message in the form name + naked + video. Seeing your photo, your friends click on the malicious link and get their systems infected. In the screenshot below you can see the scripts used to tag your friends in the scam post.




In Chrome the extension prevents the user from uninstalling it: whenever the user tries to view the extensions installed in the browser, it redirects them to the Chrome extension store.

The latest variant of this scam spreads with the title "xxx hot sexy girl strip tease teen ass".


[BREAKING NEWS] Malaysia Plane MH370 Has Been Spotted Somewhere Near Bermuda Triangle.Shocking... - Scam installs Fake Codec Malware

The latest scam post on Facebook claims that the "Malaysia Plane MH370 Has Been Spotted Somewhere Near Bermuda Triangle." It asks users to click on a malicious link to play the video.


Clicking on the link redirects to a website like the one shown below. It asks the user to like the video in order to unlock and view it. Clicking the like button posts the scam message, with the malicious link, on the user's wall to attract and infect more users. Once the post is shared it redirects to another website and pops up a message telling the user to install a new codec pack version to improve video performance.



Clicking OK displays the Codec Performer download page shown below. Since it is a bundled setup, it requires manual intervention to download and install. Users should beware of these fake codecs and always install applications only from trusted and reputable sources.



Being a bundled software setup, the fake Codec Performer installs several unwanted applications along with it. Shown below are the unwanted programs installed as part of the fake codec installation process. Apart from these setups it also downloads several executable files from the internet.



PC Performer is potential malware that uses unethical marketing techniques to obtain customer information and to earn money. Once PC Performer is installed, the program begins to scan the computer for registry errors. It shows misleading results, often claiming that a large number of issues are affecting the computer. PC Performer will also claim that it has system settings to optimize and has located unused processes.


Furthermore, PC Performer will not allow users to fix all the issues it has allegedly located unless the user registers and purchases the illegitimate product. The results and messages displayed by the PC Performer malware should be ignored; this behaviour is common to most Windows optimizer scams.



To stay away from Scam posts:

  • Avoid unsafe or suspicious websites that ask you to click on links, complete a survey or download extra plugins to access the video you are looking for.
  • Never download files from unknown sources, and never click on emails or posts from unknown senders or spam.

Mar 14, 2014

"(Shocking Video) 16 People dead after roller coaster crash." – Phishing Scam

A message on Facebook saying that 16 people, or 17 passengers, were confirmed dead in a roller coaster accident at the Universal Studios theme park in Orlando, Florida is the latest scam message circulating on Facebook. It installs a fake application and also steals your Facebook username and password.


Clicking on the link in the scam post installs an application that requests your permission to access your basic information and to post on your Facebook wall. Once the requested permission is granted, it posts the scam message on your wall to attract your friends and spread further.


The scam targets Facebook users in the US region. If the user belongs to the US region it installs the fake app and redirects the user to the phishing website; otherwise the user is redirected to a website showing only a roller coaster image. In the screenshot below you can see the JavaScript used to determine the user's country.


Once the fake app is installed and the scam message is posted on your wall, it redirects you to a website like the one shown below. It tells you that your login information is incorrect and asks you to re-enter your login details in order to steal them. It is a fake website designed to look like the Facebook login page.


Once you enter the login information it sends the details to another website. In the screenshot below you can see the network communication in which the email address and password are sent to that website.
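The network capture described above is exactly the artefact a defender can alert on: a POST carrying a password field to a host that is not the service the credentials belong to. The following added example (not code from the original post) scans a constructed, simplified proxy log of the form `timestamp method host path body` and reports such requests. The log lines, the `rollercoaster-video.example` and `stats.example` hostnames, and the allow list (`facebook.com` and its subdomains) are all assumptions made for the demonstration.

```python
import re
from urllib.parse import parse_qs

# Hosts to which a browser may legitimately POST Facebook credentials
# (assumption: facebook.com and its subdomains only).
LEGIT_CREDENTIAL_HOSTS = {"facebook.com"}

# Form field names that typically carry a password; an identity field alone
# (email, username) is too common to alert on by itself.
PASSWORD_FIELDS = {"pass", "password", "passwd", "pwd"}
IDENTITY_FIELDS = {"email", "username", "user", "login"}

# Constructed log format: "<timestamp> <METHOD> <host> <path> <body-or-dash>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<method>[A-Z]+) (?P<host>\S+) (?P<path>\S+) (?P<body>.*)$"
)


def host_is_legitimate(hostname, allowed=LEGIT_CREDENTIAL_HOSTS):
    """Label-wise allow-list check, so "facebook.com.example" does not pass."""
    host = hostname.lower().rstrip(".")
    return any(host == good or host.endswith("." + good) for good in allowed)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    body = rec["body"]
    # Only the field names matter here; the values are never inspected.
    rec["fields"] = set(parse_qs(body, keep_blank_values=True)) if body != "-" else set()
    return rec


def credential_fields(rec):
    """Return the subset of form fields that look like credentials."""
    names = {f.lower() for f in rec["fields"]}
    return names & (PASSWORD_FIELDS | IDENTITY_FIELDS)


def find_credential_exfil(lines, allowed=LEGIT_CREDENTIAL_HOSTS):
    """Alert on POSTs that send a password field to a host outside the allow list."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        creds = credential_fields(rec)
        if creds & PASSWORD_FIELDS and not host_is_legitimate(rec["host"], allowed):
            alerts.append({
                "ts": rec["ts"],
                "host": rec["host"],
                "path": rec["path"],
                "fields": sorted(creds),
            })
    return alerts


# Constructed sample log: a real login to Facebook, then the same credentials
# re-entered on the fake login page and posted to the scammer's host.
SAMPLE_LOG = """\
2014-03-14T10:01:58Z GET www.facebook.com /home.php -
2014-03-14T10:02:03Z GET rollercoaster-video.example /index.php -
2014-03-14T10:02:11Z POST www.facebook.com /login.php email=victim%40example.org&pass=s3cret
2014-03-14T10:02:40Z POST rollercoaster-video.example /fb/post.php email=victim%40example.org&pass=s3cret&redirect=1
2014-03-14T10:02:41Z GET rollercoaster-video.example /coaster.jpg -
2014-03-14T10:03:05Z POST stats.example /collect id=42&event=view
"""

if __name__ == "__main__":
    for a in find_credential_exfil(SAMPLE_LOG.splitlines()):
        print("ALERT %(ts)s credential POST to %(host)s%(path)s fields=%(fields)s" % a)
```

Only the fourth line raises an alert: the POST to `www.facebook.com` is on the allow list, and the POST to `stats.example` carries no password field. The check keys on field names rather than values, so the log scan never needs to handle the stolen secret itself.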


Once the login credentials are collected it redirects the user to a website like the one seen below, another fake webpage with just the roller coaster image. So this is clearly another variant of the scam that collects user login information and installs a fake app.


Below are similar variants of the scam:

"Receive a FREE $250 Wal-Mart Shopping Voucher Today!"
"Claim your Free $250 Wal-Mart Now. Only a few left."
"Get a Free $250 Wal-Mart Gift Card. (373 Left)"

"Claim your $500 Victoria Secret Gift Card Now. Only a few left."
"Get a Free $500 Victoria Secret Gift Card. (221 Left)"
"Get a Free $500 Victoria Secret Gift Card"





Be aware of these scams and always stay protected. Never click on suspicious links and never install or grant permission to unknown apps. If you have been affected by one of these scams, change your login password. Report the app to Facebook so that they can block it and prevent others from installing it or being affected. Then uninstall the fake app using the app settings provided on Facebook.