Facebook Attacks - an in-depth analysis


A STUDY OF MALICIOUS ATTACKS ON FACEBOOK

Maria Patricia M. Revilla
Commtouch, Philippines
October 2011

Copyright is held by Virus Bulletin Ltd, but made available on this site for personal use free of charge by permission of Virus Bulletin (http://www.virusbtn.com).
Maria Patricia M. Revilla, Commtouch, Philippines
Email: Patriciar@commtouch.com

ABSTRACT

Social networking sites have, beyond doubt, made it into today’s popular culture. They have apparently become the primary resource for the masses when it comes to socializing, for the sole reason that they generally measure up to what the modern populace claim to demand – something fast, easy and accessible. Facebook is a perfect example.

Facebook has become undeniably popular. With 600 million users to date, it could be considered to be the most widely used social networking site in the last decade. People patronize Facebook for its simple, but rather functional features, which range from public messaging through wall posts and private messaging, to sharing photos, videos and URL links, to gaming, and even marketing and advertisements. It even makes a good online outlet for thoughts in the form of ‘status updates’ which can be changed as often as one wishes.

With its popularity and effectiveness, Facebook has also become a hot spot for attackers. Over the years, social engineering has been reported to effectively spread malicious programs which are hard to prevent, especially given that they are designed to trick human thinking.

This paper will seek to study the social engineering attacks that have been identified to spread malware through Facebook. By tracking down the distribution methods/mechanisms for spreading malware, and the current preventive and defensive measures, this paper aims to give an insight into the challenges that are being faced in terms of protecting users.

INTRODUCTION

Facebook has become enormously popular, reaching over 600 million users to date [1]. Users have increasingly integrated social networks into their lives, spending a reported 700 billion minutes per month on Facebook [2]. Every 20 minutes approximately 24,857,000 actions are performed, which may be broken down into:

10,208,000 comments made
2,716,000 photos uploaded
2,716,000 messages sent
1,972,000 friend requests accepted
1,851,000 status updates
1,587,000 wall posts
1,484,000 event invites
1,323,000 tagged photos
1,000,000 links shared

Table 1: Facebook activity statistics, onlineschools.org [3].

The popularity, number of subscribers, and level of activity have made Facebook an attractive tool for attackers who use social engineering in order to spread malicious content or earn money unethically. Over the years, social engineering has been enormously effective as it succeeds in convincing users to unknowingly act in the interests of cybercriminals. Spam and email scams have been used to deceive users, for example, offering seemingly legitimate employment, while putting victims to work as money mules who unwittingly help launder stolen funds. It has also been used as a tool to start and force the spread of worms by including attachments disguised as normal documents.

The use of fake file icons such as those used for Windows folders, Word documents, text files, media files and others is a subtle form of social engineering, letting users think that a malicious application is just a normal document. Instant messages on Yahoo! or MSN use convincing phrases promising must-see pictures or videos to trick users into clicking malicious links that may point to phishing sites or rogue software. Rogue software or fake anti-virus products are themselves a form of social engineering. By scaring users with ‘detected’ malware, they convince them to pay for products that they believe will actually help them remove the ‘infection’. Sophisticated social engineering attacks use emotion and human desires to trick users. Protecting users from themselves is a tough job and it is something that a computer cannot really do.

In 2008, the Koobface worm spread through social networks, including Facebook (where its name came from). It may be considered to be one of the most successful worms as new variants are still being encountered – over 20,000 variants [4] by April 2011. Aside from the Koobface worm, there have been other forms of attacks – clickjacking, phishing, spam, scam messages, links to rogue applications, and others that help cybercriminals earn money. It is certainly alarming to see how these forms of attack have increased.

Based on the number of active users and activities performed by Facebook users, it is clear that Facebook has become an effective social networking site with people benefiting from its integrated functionality such as photos and messaging. At the same time, attackers have successfully taken advantage of this functionality to turn Facebook into a channel for spreading malicious content. Even a small percentage of compromised users would equal a large attack base given the number of active users on the site.

Security companies have developed tools and have improved scanners to detect and prevent intrusion of malicious programs. Solutions range from single file detection to generic and heuristic detections, and even cloud-based technologies. As these protection technologies have improved, attacks have grown more sophisticated in an attempt to evade new and existing security measures. Attackers usually take advantage of commonly used software and/or popular sites, combining social engineering with exploits of vulnerabilities in programs like Adobe Reader or Internet Explorer. Our observation is that attackers have achieved the most success in bypassing security measures by employing sophisticated social engineering methods.

This paper will focus on analysing social engineering attacks on Facebook and will try to present the preventive measures the industry has provided to users, defensive measures/tools that are available for users, and the challenges faced in preventing users from becoming victims.

VIRUS BULLETIN CONFERENCE OCTOBER 2011
THE PROBLEM – FACEBOOK SOCIAL ENGINEERING ATTACKS

A trusting user in a social network environment wouldn’t suspect that a friend (deliberately added to a friend list) would send any harmful content. This trust turns a very popular and widely used social networking site like Facebook into a huge opportunity for attackers. Users are drawn to action by ‘friends’ – following a message, links, or an invite – without suspecting that this will undermine security.

Worms: Koobface and Palevo

The Koobface worm has been around since 2008 [5]. It was first encountered through Facebook messages that enticed a user to view a video from a link that looked as though it came from YouTube. Alluring messages like ‘You must see it!!!...’ were the first step of its social engineering tactic. Users who clicked on the link were prompted to download a newer version of Adobe Flash Player – the second part of the social engineering attack. The downloaded file ‘codecsetup.exe’ was actually not an Adobe Flash Player, but a malicious executable. Once the executable was installed, the infected machine turned into a bot used for spreading more messages with malicious links and for other malicious purposes.

Later, when users became aware of a worm that spread using a fake YouTube-like video, a new variant was encountered which used a Blogspot link sent through messages of friends [6]. The message had the same video-related theme, but the changed destination to a Blogspot link reduced the suspicion. The Blogspot pages included JavaScript redirects to pages again requiring the installation of a so-called video playing component (as with the initial version). As before, the ‘video playing component’ was in fact a malicious executable. In this case, the infected machine opened new Blogspot accounts and distributed the malicious links to friends. Figures 1 and 2 show some examples.

Figure 1: Blogspot post example (1).

Figure 2: Blogspot post example (2).

Palevo is another worm that has been known to spread through social network chat messages or instant messages, including Facebook [7]. This worm has exploited Facebook chat and Facebook application functionality. It tried to spread by sending chat messages to friends and disguised itself as a photo album application. Following the link to the fake application, the user was prompted to download the file ‘FacebookPhotos#####.exe’, which is the malicious executable. Newer variants used different filenames such as ‘Facebook-pic[number].exe’ (e.g. Facebook-pic000751357.exe) [8].

Clickjacking

Another type of social engineering attack is clickjacking. This method tricks a user into allowing a malicious script or code to execute without his knowledge by enticing the user to click on seemingly normal objects on a web page, such as buttons, links, or images. On the Facebook platform, attackers were able to find ways to exploit some of its functionalities such as the ‘Like’, ‘Publish’, and ‘Comments’ buttons when writing comments on photos, videos or links.

A worm that spread on Facebook through a clickjack attack was successfully executed using an invisible IFrame. It basically exploited the ‘Publish’ button that posts a link to the user’s wall. The link points to a page that contains an invisible IFrame, shown in the code in Figure 3 (from jsunpack.jeek.org). The user is unaware that a click anywhere on the page is actually a click on the ‘Publish’ button. This results in a post on the victim’s wall, which will then be seen by the victim’s friends, probably causing them to click as well, and in this way continuing the spread of the malware. This worm was first reported by F-Secure in May 2010 [9].

Following this attack, a lot of other clickjack attacks followed by exploiting the famous ‘Like’ button, also known as a ‘likejacking’ attack. When a user ‘likes’ a certain page, video, photo or a website on Facebook, it enables the user to share this content with friends. It’s almost the same as suggesting it to friends, as the liked page appears on the user’s newsfeed, causing friends to see it and probably to click it themselves. This attack works especially well when the link has descriptive text specially crafted to attract users, such as messages promising a ‘video of Justin Bieber’, or ‘pics of Miley Cyrus’, or any current newsworthy event [10]. An example of the actual code used for this attack is shown in Figure 4 (from pastebin.com). The code basically uses the same method, an invisible IFrame which follows the user’s mouse. Any click on the page will be a click on the ‘Like’ button, without the user’s knowledge.

Another attack exploited the ‘Comment’ functionality. Once a user ‘comments’ on a photo, a video or a link on Facebook, it will appear on the user’s wall or newsfeed, causing friends to see it and, as before, probably attracting them to see and click on it as well. Here again, the messages included text with famous names such as Justin Bieber. Clicking on the link led to a page with a question and a text entry box for the answer. The text box was actually a Facebook comment box, which would result in the posting of a comment on the victim’s wall, or a message on the victim’s newsfeed, causing it to be shared and seen by the user’s friends. This attack was reported by Sophos in April 2011 [11].

Scam and spam messages on Facebook

Facebook has also become the target of scammers and spammers. Unethical and illegal advertisers have predictably
taken advantage of the large number of Facebook users.

Figure 3: Clickjack sample using IFrame tag (1).

Figure 4: Clickjack sample using IFrame tag (2).

One method of scam and spam has spread on Facebook through a manual cross-site scripting (XSS) attack (also called a self-XSS attack). The concept of an XSS attack is not new, but the interesting thing here is the social engineering used that convinces the user to manually enter the malicious script in the browser address bar. The topics were varied [12, 13]:

• Promises of 500 free Facebook credits (something that does not exist)
• An application to see who had been viewing a user profile
• Video of Osama Bin Laden’s assassination.

These all led to pages with instructions such as these:

Just follow these 3 steps:
1. Copy this code (highlight and press CTRL-C):
javascript:(a=(b=document).createElement(‘script’)).src=’//[omitted]/f.js’,b.body.appendChild(a);void(0)
2. Delete the actual address from the url field in your browser and paste the code instead.
3. Press Enter and wait for a bit, it can take up to a minute to complete.
That’s it!
If you are having trouble with these instructions, try viewing the instructions here: http://[omitted].info/?sg2lq
it’s where I learned it

Attackers even provided step by step image guides showing how to perform the self-XSS attack, as shown in Figures 5 and 6.

Figure 5: Self-XSS instruction to users (1).

Figure 6: Self-XSS instruction to users (2).

It is quite remarkable that there are users who fall for scams which require them to manually copy and paste code into their browser’s address bar. Once the code has been pasted as per the instructions, the user is redirected to a ‘survey page’. This is an affiliate link where rogue affiliates earn money for bringing users to partner sites. At the end of the survey page, a user ends up viewing ads that are not really related to the subject of the link that they originally clicked. Most of these focus on methods to earn easy money, earn points/credits, view gossip or the latest news and events, and others.

Having hijacked the user’s Facebook session, the script also sends the scam messages through almost all means of reaching out to a victim’s friends, including chat, wall posts, status updates, event invitations and private messages. It also makes use of shortened URLs in order to avoid immediate suspicion from users.

Figure 7 shows an example of a fake event invitation. Notice that the subject is ‘Official App: See Who has Viewed your Profile? Find out here! [bad shortened link]’. Many users will notice that this doesn’t really sound like an ‘event’, but the idea is to catch the user’s attention and draw them into following the link.

An example of spam code shown in Figure 8 illustrates how the messages continue to spread widely. The code uses an obfuscation technique to hide the routine using encoded function calls stored in an array of variables – in this sample,
var _0xb65. Looking at the rest of the code gives us a clue as to its real purpose, since it uses the XMLHttpRequest API, which is used for sending HTTP or HTTPS requests directly to a web server. Decoding the variable _0xb65 reveals what the routine is all about (Figure 9). Basically, once the script is executed, messages will be sent to the victim’s friends with texts based on the variable settings in the code, as shown in the additional code below. Aside from posting a message, the script will also make a comment on the posted message and will also ‘like’ the post it created (Figure 10). Figure 11 shows how the resulting post, comment and message will look.

Figure 7: Fake Facebook event invitation.

Figure 8: JavaScript spam code (1).

Figure 9: JavaScript spam code (2).

Figure 10: JavaScript spam code (3).
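The _0xb65 array described above is the usual first layer of obfuscation in these spam scripts: every string the routine needs is stored once as hex or unicode escape sequences and referenced by index. The helper below is an analyst's aid added here (it is not code from the paper or from the spam sample): it decodes such an array without executing the script and rewrites the index references as literals; the obfuscated snippet it runs on is a constructed imitation of the pattern, and its strings and endpoint are invented for the example.

```javascript
// Decode the body of a JavaScript string literal containing \xNN, \uNNNN
// and simple backslash escapes, without eval(). Only the escape forms used
// by array-based obfuscators are handled; anything else is kept verbatim.
function decodeEscapes(body) {
  return body.replace(
    /\\x([0-9A-Fa-f]{2})|\\u([0-9A-Fa-f]{4})|\\(["'\\\/nrt])/g,
    (m, hex, uni, simple) => {
      if (hex || uni) return String.fromCharCode(parseInt(hex || uni, 16));
      return { n: '\n', r: '\r', t: '\t' }[simple] || simple;
    });
}

// Locate `var <name> = [ "...", "...", ... ]` and return { name, strings }
// with every element decoded, or null when no such array is present.
function extractStringArray(src) {
  const head = /var\s+([A-Za-z_$][\w$]*)\s*=\s*\[/.exec(src);
  if (!head) return null;
  const strings = [];
  let i = head.index + head[0].length;
  // Walk the array literal one string literal at a time, so commas or
  // brackets inside the strings cannot confuse the split.
  while (i < src.length && src[i] !== ']') {
    const quote = src[i];
    if (quote === '"' || quote === "'") {
      let j = i + 1;
      let body = '';
      while (j < src.length && src[j] !== quote) {
        if (src[j] === '\\') { body += src[j] + src[j + 1]; j += 2; }
        else { body += src[j]; j += 1; }
      }
      strings.push(decodeEscapes(body));
      i = j + 1;
    } else {
      i += 1; // comma or whitespace between elements
    }
  }
  return { name: head[1], strings };
}

// Rewrite every `<name>[<index>]` reference in the script as a quoted
// literal, so the API calls (XMLHttpRequest, open, send, ...) read plainly.
function deobfuscate(src) {
  const arr = extractStringArray(src);
  if (!arr) return { strings: [], script: src };
  const ref = new RegExp(arr.name.replace(/\$/g, '\\$') + '\\[(\\d+)\\]', 'g');
  const script = src.replace(ref, (m, idx) => {
    const s = arr.strings[Number(idx)];
    return s === undefined ? m : JSON.stringify(s);
  });
  return { strings: arr.strings, script };
}

// Constructed sample in the style of the spam script (not the real code):
// the array holds the strings, the body refers to them only by index.
const SAMPLE =
  'var _0xb65=["\\x58\\x4D\\x4C\\x48\\x74\\x74\\x70\\x52\\x65\\x71\\x75\\x65\\x73\\x74",' +
  '"\\x50\\x4F\\x53\\x54","\\x6F\\x70\\x65\\x6E","\\x73\\x65\\x6E\\x64","\\x2F\\x73\\x65\\x6E\\x64"];' +
  'var x=new window[_0xb65[0]]();x[_0xb65[2]](_0xb65[1],_0xb65[4],true);x[_0xb65[3]](body);';

function demo() {
  return deobfuscate(SAMPLE);
}

console.log(demo().strings);
console.log(demo().script);
```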
Figure 11: Resulting post made by the spam code.

Money-mule and credit card scams

Money-mule scams have also made their way into Facebook. As with other platforms, scammers attract people with promises of easy money. Money-mule recruitment usually starts with Facebook groups (which can be started by any Facebook user). These groups often attract large followings because people do not know what they are getting into [14].

Other frauds have also appeared, such as credit card scams. These start with messages designed to attract users by proposing ‘money-making jobs’, or books about ‘how to earn big money’, ‘how to win the Lotto’, or ‘guides on how to be attractive’. The example in Figures 12 and 13 shows the first part of such an attack using an ‘easy money making’ Facebook group. Some of the posts on the group’s wall are products being sold, relating to books for winning the Lotto or attracting women (Figures 14 and 15).

Following the links leads to the sites shown in Figures 16 and 17, enticing users by promising results as well as a discount when they buy the product.

Once a user accepts the offer, the payment is made via a credit card transaction as shown in Figures 18 and 19.

Figure 12: Scam group page sample (1).

Figure 13: Scam group page sample (2).

Figure 14: Scam post sample (1).

Figure 15: Scam post sample (2).

Figure 16: Scam post advertisement sample (1).

Figure 17: Scam post advertisement sample (2).

Figure 18: Payment scam sample (1).

Figure 19: Payment scam sample (2).
The site ‘complaintsboard.com’ shows that the site seems to be a fraud or a scam (Figure 20).

Figure 20: Complaintsboard complaint comments.

Fake email notifications – more scam, spam and malware attachments

Spammers promoting pharmaceutical products have also used Facebook as an opportunity. Fake Facebook email notifications trick users into clicking links leading to online pharmacy sites [15]. An example of a fake email notification is shown in Figure 21.

Figure 21: Fake Facebook email notification leading to online pharmacy site.

Following the link leads to the pharmaceutical store page shown in Figure 22.

Figure 22: Pharmaceutical store page.

Lottery scams have also been very common, using fake email notifications describing surprise lottery wins such as the ‘Facebook Africa Jackpot Promo’ shown in Figure 23 [16].

Figure 23: Facebook lottery email scam.

Figure 24: Fake Facebook email password notification (1).

Figure 25: Fake Facebook email password notification (2).

Figure 26: Fake Facebook email password notification (3).
The email has all the signs of an advance fee fraud scam: promising a huge sum of money, requesting detailed personal information, and requiring secrecy.

Malware writers have also taken advantage of fake Facebook email notifications. Emails include subjects relating to ‘Facebook Abuse Department’, ‘Facebook Security’, and others (Figure 24).

In the examples shown in Figures 25 and 26, variants of the malware detected as Oficla (aka Bredolab) are sent as attachments, with the email describing a password reset due to spam. Subjects include ‘Spam from your account’. The attachment names include ‘Attached_SecurityCode.exe’, ‘Facebook_DOCUMENT.EXE’ and ‘Facebook_PASSWORD.EXE’. These are all malware executables that use misleading file icons in addition to their misleading file names. The use of trusted icons is a common social engineering tactic to trick a user into executing the malware file. Below are examples of the Oficla executables with misleading filenames and icons:

Figure 27: Oficla attachment file (1).

Figure 28: Oficla attachment file (2).

Phishing

Genuine Facebook user accounts are very valuable for cybercriminals since they provide them with access to a trusting network of friends. Facebook users have therefore become a natural target for phishers. Many fake pages have been launched (fed from fake email notifications) in order to steal users’ login information. Cybercriminals can then use these stolen accounts for many of the malicious purposes described in this paper. Attackers have become skilled at mimicking the actual Facebook login page, as in the example shown in Figure 29 [17].

Figure 29: Facebook phishing page sample.

According to PhishTank.com statistics [18], Facebook has consistently been in the top 10 sites targeted by phishing. From September 2009 until March 2011, 11,211 counts of phishing attempts were recorded (Figure 30).

Figure 30: Facebook phishing sites statistics.

Fake applications

Many Facebook users enjoy Facebook applications and games that exist within the social network, such as FarmVille and CityVille, and attackers have also taken advantage of this functionality. The problem with applications on Facebook is that they have the ability to access some or all of the user’s profile information. Rogue applications can therefore post messages on a friend’s wall, send messages, and even extract information from user profiles to be used for any malicious purpose. Attackers usually use catchy subjects such as ‘who viewed your profile’. A further issue is that the verification process for application writers is relatively simple.

PREVENTIVE MEASURES

Prevention is always better than cure. The trusted network nature of Facebook has made some cybercrime much easier. On the other hand, Facebook has improved its security measures and settings to protect its users. These measures have included partnerships with security organizations to help improve the site’s security tools. Although these systems are not perfect, they are worth noting as they do contribute to user security.

Spam, scam and clickjack prevention systems

Facebook has implemented security checks in order to protect users from phishing attacks. In the example below it was able to detect an attempt to log in from a page outside Facebook. When a user tries to visit a page that does not belong to Facebook, but requires a login to Facebook, the warning message below appears:

Figure 31: Security notice from a login attempt outside Facebook.
In the example in Figure 32, the mechanisms were also able to detect a suspicious phishing site that used a shortened URL. An example of a warning message is shown.

Figure 32: Facebook suspicious link warning.

In some cases, Facebook security tools are able to check and prevent spammers and scammers from creating fake user accounts. Examples of some of these security checks are shown below:

Figure 33: Account security check (1).

Figure 34: Account security check (2).

Figure 35: Account security check (3).

CAPTCHA verifications are designed to prevent automation of account creation by non-humans. When this CAPTCHA verification pops up, a user can optionally verify an account in order to avoid CAPTCHA verifications in the future. This verification requires a phone number. These checks are helpful, but they open the issue of user privacy and sharing of sensitive information. Security check messages may also pop up in some cases of clicking the ‘Like’ button of certain group pages.

Facebook has automated the detection of suspicious ‘like’ behaviour, which can prevent a clickjacking attack. This is good on some level; however, in cases where the behavioural pattern of a clickjacking attack changes, chances are that new attacks might slip through [19].

Facebook has also automated detection and blocking of suspicious content, including giving warnings why certain content has been blocked. Using information from user reports and common patterns of spam and scam behaviour, they have been able to prevent users from opening and accessing malicious content [20]. However, spam writers continually try to evade spam detection systems. For instance, one script included the following code:

Figure 36: JavaScript spam code.

A common indicator of a spammer account is of course the large number of messages sent. In the code above, the variable nfriends is actually the number of friends the spam and scam messages will be sent to. Although it seems strange that messages are sent to only 15 of the victim’s friends (as opposed to all the victim’s friends), this is one way of trying to avoid detection based on the volume of sent messages. In addition, in order to avoid detection based on message content, the encoding of some characters of the words inside the message body has been altered.

Facebook apps

As described above, malicious apps have access to the user’s profile information and can take control of some actions such as posting on walls. As of this writing, an app creator must first verify an account by supplying a phone number or credit card number. The image below shows the verification pop-up window:

Figure 37: Facebook verification on application creation.

This is helpful to a degree. After supplying the information, an application can be created for the Facebook platform. The problem here is that, after the account has been verified, the developer can instantly publish any application without going through any approval from the Facebook team. Therefore, any malware writer can write an application on the platform and publish it without going through any security check.

Facebook security settings

Facebook has enabled secure browsing by implementing HTTPS on its platform. This adds protection and prevents hackers from being able to steal identity information while it is in transit – especially when a user logs in from a public place such as a coffee shop or library. However, this security option is not enabled by default.
Figure 38: Facebook HTTPS browsing setting.

Another security tool is the Facebook activity monitor that enables remote logout. A user can see the latest activities in his account by checking the Account Settings, which include an indication that the account is active through a different location or device. The screen below shows a single account signed in on different computers. The user may end any active login from a different computer or location that he is not aware of. This is helpful in tracking whether someone else is using an account.

Figure 39: Facebook activity monitor.

Facebook security and safety page

Educating users about Internet safety is another important preventive measure – particularly since most of the attacks rely on social engineering. The Facebook security page provides:

• Information such as how to protect a user account, and how to take action when an account has been compromised and used for sending scams or spam.
• Information about the threats that a user may encounter on Facebook and helpful tips to avoid scams, spam, hacks and malware that may be spreading on the platform.
• A way of reporting a possible security vulnerability, allowing Facebook to work on improving security measures.
• A safety page that explains Facebook as a community in which everyone has a shared responsibility of keeping it a safe environment. This gives an insight for parents, teens and teachers who are using Facebook and helps them understand the environment as well.

Security blogs

There continue to be numerous blog posts written about Facebook threats. Commtouch’s security blog and those of other anti-virus companies can enlighten customers about new threats that are found on the social network. Many of these blogs are very illustrative and informative, allowing users to easily understand, and be aware of, the types of threats they might encounter on Facebook. These also provide tips on strengthening security and account settings.

DEFENSIVE MEASURES

Facebook generally blocks known malicious content or pages that are reported to it. Facebook reporting tools include links such as ‘Mark as Spam’ and ‘Report/Block this Person’.

Another defence available to end-users is a locally installed security product, such as URL and spam filtering software, and an anti-virus product. Anti-virus firms have also responded to the new threats by ensuring detection of new variants of Facebook worms, Oficla, and the increasing number of malicious scripts used for spamming. At the same time, security groups have created their own Facebook pages for users to view the latest threats, including advice about how to remain secure and protected. Several companies have also released software specifically for Facebook.

CONCLUSION

As it has gained in popularity, Facebook has also been increasingly used for malicious purposes, and its name, functionalities and features have been vastly exploited. The security industry is continually working to keep pace with new cybercriminal tricks on Facebook. In addition, Facebook has taken several steps to protect its users while working with security groups in order to improve its defence systems and the security tools on the platform.

As shown by the many examples above, attackers employ numerous social engineering tactics to help spread malware, scams and spam. Indeed, the key security problem with Facebook lies in the trusted nature of friend connections, which are so easy to exploit with social engineering. Education of users is therefore a key part of enhancing Facebook security.

ACKNOWLEDGEMENTS

I would like to express my sincere gratitude to Commtouch VirusLab and to the hands of the people that God used to make the completion of this paper possible: Robert Sandilands, Rommel Ramos, Avi Turiel, Rebecca Herson, Catherine Lor and Jinky Suarez. And whatsoever ye do, do it heartily, as to the Lord, and not unto men; – Colossians 3:23.

REFERENCES

[1] http://www.socialbakers.com/Facebook-statistics/?interval=last-week#chart-intervals
[2] http://www.Facebook.com/press/info.php?statistics
[3] http://www.onlineschools.org/blog/Facebook-obsession/
[4] http://blog.Facebook.com/blog.php?post=68886667130
[5] http://www.kaspersky.com/news?id=207575670
[6] Commtouch Trend Report 2010 Q4. http://www.commtouch.com/download/1934
[7] http://blog.commtouch.com/cafe/malware/malware-spread-via-Facebook-chat/
[8] http://nakedsecurity.sophos.com/2011/01/09/Facebook-photo-album-chat-messages-spreading-koobface-worm/
[9] http://www.f-secure.com/weblog/archives/00001955.html
[10] http://athansj.blogspot.com/2011/03/Facebook-likejacking-attack.html
[11] http://nakedsecurity.sophos.com/2011/04/30/Facebook-comment-jacking-omg-i-cant-believe-justin-bieber-did-this-to-a-girl/
[12] http://blog.commtouch.com/cafe/malware/500-free-credits-from-Facebook-%E2%80%93-malware/#disqus_thread
[13] http://blog.commtouch.com/cafe/malware/%E2%80%9Cosama-bin-laden-dead-%E2%80%93-actual-video%E2%80%9D-new-Facebook-malware/
[14] http://www.thenewnewinternet.com/2010/06/01/Facebook-used-to-find-money-mules/
[15] http://blog.commtouch.com/cafe/spam-favorites/spammers-vote-Facebook-%E2%80%93-%E2%80%9Capplication-of-the-year%E2%80%9D/
[16] http://blog.commtouch.com/cafe/anti-scam/harry-potters-magic-money-foundation-and-more/
[17] http://blog.commtouch.com/cafe/phishing/avoiding-Facebook-phishing/
[18] http://www.phishtank.com/stats.php
[19] http://nakedsecurity.sophos.com/2011/03/30/Facebook-adds-speed-bump-to-slow-down-likejackers/
[20] http://blog.Facebook.com/blog.php?post=403200567130 (spam prevention systems)
[21] http://www.securelist.com/en/blog/208187962/Facebook_money_mule_or_credit_card
[22] http://en.wikipedia.org/wiki/Clickjacking
[23] http://www.personalizemedia.com/the-count/
[24] http://www.Facebook.com/security
[25] http://www.Facebook.com/blog.php?post=486790652130
[26] http://blog.Facebook.com/blog.php?post=436800707130
[27] http://blog.Facebook.com/blog.php?post=389991097130
