NEWS FROM THE LAB - Thursday, January 26, 2012

Facebook Spammers Use Amazon's Cloud Posted by ThreatInsight @ 13:48 GMT

Facebook has recently been doing a decent job of keeping survey spam posts at bay (all things considered).

So, what's an entrepreneurial Facebook spammer to do? Well, some have tweaked their master plan and expanded their use of "cloud" services.

Using Amazon's S3 file hosting service solves quite a few problems for these perpetrators. Number 1, Amazon's S3 web service is pretty inexpensive to set up, so they can still earn from the surveys. Number 2, because Facebook has been pretty successful at blocking suspicious URLs linked to spam, hosting their scam's code on a safe and popular domain such as amazonaws.com gives them a better chance of sneaking through Facebook's protections.

The diagram below shows the whole flow of the scheme.

[Diagram: Facebook, Amazon S3, spam flow]

All browsers other than Chrome and Firefox are served a survey page, which results in actual monetization if the spammer's surveys are filled out and submitted. This monetization happens within the Cost Per Action (CPA) marketing model, which is behind most social media spam. Geo-location techniques are used in an attempt to raise the spammer's survey completion rate: depending on the visitor's location, the fake Facebook page issues a survey that redirects to a specific affiliate marketer.

[Screenshot: survey page, "Father Melts Baby's Brain With Motorboat Sounds"]

Firefox and Chrome are used as avenues to further spread the scam via Facebook by use of a fraudulent YouTube browser plugin. A fake Facebook page displays a plugin installation if visited from either of those two browsers.

Spammers recently began using plugins as part of their cat-and-mouse battle with Facebook.

[Screenshot: plugin installation page, "Father Melts Baby's Brain With Motorboat Sounds"]

Upon installing the plugin, a redirector URL is generated by randomly selecting one of the usernames mo1tor to mo15tor in the Amazon web service. The generated link is then shortened through bitly.com using any of the 5 hardcoded user ID and API key pairs. These key pairs give the spammer the ability to auto-generate bit.ly URLs for the Amazon web service link. This ultimately leads to a redirection to the fake Facebook page.

Perhaps in an attempt to confuse defenses, it also produces a random non-existent domain of the form wowvideo[random number].com. However, only the Amazon S3 web service and bit.ly URLs are working links.
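Detection logic for the indicators described above (the wowvideo[random number].com decoy domains, the mo1tor to mo15tor usernames on amazonaws.com, the lure title, and bit.ly links as supporting evidence only), as an added example that is not part of the original post. The sample posts are constructed, and where exactly the mo<N>tor username sits inside the S3 URL is an assumption.

```python
import re

# Indicators taken from the campaign write-up above. How the mo<N>tor
# username appears inside the amazonaws.com URL is an assumption, so the
# check accepts it anywhere in the URL as long as the host is amazonaws.com.
WOWVIDEO_RE = re.compile(r"\bwowvideo\d+\.com\b", re.I)
MOTOR_USER_RE = re.compile(r"\bmo(\d{1,2})tor\b", re.I)
BITLY_RE = re.compile(r"\bbit\.ly/\w+", re.I)
LURE_TITLE = "father melts baby's brain with motorboat sounds"
WEAK = {"bitly-shortener"}  # widely used legitimately; supporting evidence only


def classify_url(url):
    """Return the list of campaign indicators a single URL matches."""
    hits = []
    low = url.lower()
    if WOWVIDEO_RE.search(low):
        hits.append("wowvideo-decoy-domain")
    m = MOTOR_USER_RE.search(low)
    if "amazonaws.com" in low and m and 1 <= int(m.group(1)) <= 15:
        hits.append("s3-mo%stor-redirector" % m.group(1))
    if BITLY_RE.search(low):
        hits.append("bitly-shortener")
    return hits


def scan_posts(posts):
    """posts: iterable of {'title': ..., 'url': ...}; return (url, hits) for
    posts carrying at least one strong indicator (bit.ly alone is not enough)."""
    flagged = []
    for post in posts:
        hits = classify_url(post["url"])
        if LURE_TITLE in post["title"].lower():
            hits.append("known-lure-title")
        if set(hits) - WEAK:
            flagged.append((post["url"], hits))
    return flagged


# Constructed sample feed; the URLs and bit.ly code are made up for the demo.
SAMPLE_POSTS = [
    {"title": "[Video] Father Melts Baby's Brain With Motorboat Sounds",
     "url": "http://www.wowvideo84273.com/"},
    {"title": "Total meltdown!", "url": "http://bit.ly/xyz123"},
    {"title": "Vacation photos", "url": "http://s3.amazonaws.com/holiday2012/a.jpg"},
    {"title": "check this", "url": "https://s3.amazonaws.com/mo7tor/fb.html"},
]

if __name__ == "__main__":
    for url, hits in scan_posts(SAMPLE_POSTS):
        print(url, "->", ", ".join(hits))
```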

Below is the structure of the post:

Title: [Video] Father Melts Baby's Brain With Motorboat Sounds

  •  hahaha this video will bend your mind
  •  have you all seen this yet?
  •  stop it! his eyes are going to pop out!!
  •  Its eyes are black because it has no soul
  •  must be experimental technology from mother russia!
  •  im afraid i have some bad news
  •  i want you to all see this

Summary: Total meltdown! I bet you have never seen this before!
Main URL: www.wowvideo[random number].com

Here's an example:

[Screenshot: example spam post, "Father Melts Baby's Brain With Motorboat Sounds"]

The offending add-ons can be removed using "Uninstall" in Firefox and "Remove" in Chrome:

[Screenshot: Chrome Extensions]

[Screenshot: Firefox Extensions]

On a side note, the Firefox plugin which was distributed… was archived on a Mac.

[Screenshot: Mac OS X]

Just in case you thought this was a "Windows" problem. ;-)

Threats Insight post by — Karmina