Can you really see who viewed your Facebook profile? Rogue application spreads virally

Once again, a rogue application is spreading virally between Facebook users pretending to offer you a way of seeing who has viewed your profile.

As we’ve described a couple of times before, plenty of Facebook users would *love* to know who has been checking them out online.. but unfortunately scammers are aware of this, and use the lure of such functionality as a way to trick you into making bad decisions.

Messages spreading rapidly across the Facebook social network right now say:

OMG OMG OMG... I cant believe this actually works! Now you really can see who viewed your profile! on [LINK]

OMG OMG OMG... I cant believe this actually works! Now you really can see who viewed your profile!

If you’re tempted to click on the link you’re taken to a webpage which encourages you to go a little deeper and permit an application to have access to your Facebook profile.

See who viewed your profile!

Rogue application requests access rights

But do you really want complete strangers to be able to email you, access your personal data and even post messages to any Facebook pages you may administer?

If you’ve got this far then you really shouldn’t go any further. Scams like this have been used to earn commission for the mischief makers behind them, who have no qualms about using your Facebook profile to spread their spammy links even further.

Because if you do continue, you’ll find that your profile will be yet another victim of the viral scam – spreading the message to all of your online Facebook friends and family. And no, you don’t ever find out who has been viewing your profile.

OMG OMG OMG... I cant believe this actually works! Now you really can see who viewed your profile!

Ever wondered how many people fall for a scam like this? Well, the figures can be shocking. This current campaign is using a variety of different links – but via we can see that at least one of them has already tricked nearly 60,000 people into clicking.

Stats for link

I’ve informed the security teams at both and Facebook about these links, and requested that they be shut down as soon as possible.

Always think before you add an unknown application on Facebook, and ask yourself if you’re really comfortable with ceding such power to complete strangers. Rogue application attacks like this, spreading virally, are becoming increasingly common – and do no good for anyone apart from the scammers behind them.

If you’ve been hit by a scam like this, remove references to it from your newsfeed, and revoke the right of rogue applications to access your profile via Account/ Privacy Settings/ Applications and Websites.

And don’t forget to warn your friends about scams like this and teach them not to trust every link that is placed in front of them. You can learn more about security threats by joining the thriving community on the Sophos Facebook page.

Source: Can you really see who viewed your Facebook profile? Rogue application spreads virally

Posted in Naked Security, English-Italian Translations by with no comments yet.

SpyEye latest features include Man-in-the-Browser

Less than a month ago, S21sec e-crime detected a new threat that defeats the second authentication vector based on SMS.

Today, we’re back to announce a new technique which, although is already known, is affecting some organizations during the last weeks: Man in the Browser.

Briefly, this new technique (MitB), is implemented by a trojan that infects and controls a web browser, having the ability to modify pages, transaction information, etc. stealthy performing all its actions to both the user and the bank online application.

In this incident, the trojan is not the well-known ZeuS/Zbot, but his “competitor” known as SpyEye. By the end of 2009, a new banking Trojan called SpyEye made its appearance on the underground world. It is written in C++ and the supported systems range from Windows 2000 to Windows 7. It works in ring3 (user-mode), as its competitor ZeuS does, although this is not the only similarity between both Trojans.

SpyEye is sold in several forums as it is said to be undetectable by most anti-virus software; it also hides several files as well as registry keys. SpyEye implements many of the ZeuS’ features, though it is still in development. The distribution package of this Trojan is similar to Zbot/ZeuS and other fraud kits usually distributed in forums of Eastern Europe and Russia.

The main features of previous SpyEye’s versions are the following:

  • Form Grabbing: It captures the data filled by the user in the fields of the forms submitted by the browser.
  • Code injection: This technique involves the injection of HTML code in the victim’s browser to get additional information the organization wouldn’t ask for. In the configuration files analyzed, the requested information is usually the full security code.
  • Stealing FTP and POP3 credentials: Includes network traffic monitoring, hooking into the API functions of filtering and credentials storage, mainly to monitor the traffic and looking for “USER” and “PASS” values.
  • Basic http authentication Theft: A similar approach to the FTP and POP3 credentials theft.

In the version discussed in this incident, it also includes the following features:

  • Screenshots: in the configuration file you can set up the URLs that will trigger a screenshot capture, configuring a specific screen zone with its dimensions.

    An example is:* 500 200 10 60

  • Ability to do Man in The Browser (MitB).

We have noticed an increase in the number of SpyEye samples in the wild since the past September, which led us to think that this trojan campaign started on this month:

The first fraud incidents were detected around the middle of October, with at least two different trojan samples. It is important to say that we have only seen this technique affecting to one of the affected organizations. Although this attack is completely functional, our feelings are that it’s still in its testing phase.

We are still working on the analysis of the binary, but the behaviour observed is the same one we detected in the binary discovered last February. Nevertheless, some improvements have been noticed in relation to his config file encryption algorithm. The samples detection is 62% and 20% respectively.

The main and most worrying feature is the HTML injection. In this incident, the injection is entirely done with javascript code, allowing the binary to do the MITB feature:

  • The trojan gets the data from the accounts and sends them to the C&C server
  • If the account balance exceeds a certain amount of money, it returns the data account in which must perform the fraudulent transfer (mule), using the following format:

    "trans" = 1,
    "info"  = [
    "check" = [
                   0 = XXXX,
                   1 = XXXX,
                   2 = XX,
                   3 = XXXXXXXXXX
    "sum"     = 493,
    "name"    = "Peter",
    "address" = "12 street, nº1 1ºA",
    "city"    = "NY",
    "comment" = "Transfer"

  • The trojan fills in the form with these details and stays in waiting mode.
  • Several details are requested from the user, for instance the signature key.
  • With the data fetched, it sends the transfer form to the bank.
  • It modifies the account balance in order to hide the fraud.

As you can see, by intercepting the legitimate user’s session, the fraud is commited in a much more difficult way to be detected by the organization

In the tests analyzed, it seems that three differents accounts are used to perform the fraudulent transfer. In this incident, all of them belong to spanish organizations.

S21sec e-crime will keep you updated as soon as we have additional information of this new technique.

Santiago Vicente
S21sec e-crime

Source: SpyEye latest features include Man-in-the-Browser

Posted in S21sec, English-Italian Translations and tagged , , by with no comments yet.