The Barracuda Labs Internet Security Blog

by Nidhi Shah, Security Researcher

Have you ever encountered  people selling designer shoes on Facebook for prices that are too good to be true?  Check out these links if you have not (here, here, and here…).  The interesting things about these links is that the profile owner almost always is a hot chick with lots of male friends with regular posts about expensive shoes for sale.   The order links mentioned on the shoe photo go to many different domains which   ultimately lead to one store, kicksbay.com.

e.g.

The above three are just an example.  We searched Facebook for similar shoe products and found it smothered with such links.

http://www.facebook.com/photo.php?fbid=126073080809309&set=p.126073080809309&type=1

http://www.facebook.com/photo.php?fbid=126073527475931&set=p.126073527475931&type=1

http://www.facebook.com/photo.php?fbid=126159517467316&set=p.126159517467316&type=1

http://www.facebook.com/photo.php?fbid=126217434128151&set=p.126217434128151&type=1

http://www.facebook.com/photo.php?fbid=126300230786487&set=p.126300230786487&type=1

http://www.facebook.com/photo.php?fbid=126408794109113&set=p.126408794109113&type=1

http://www.facebook.com/photo.php?fbid=126460707436911&set=p.126460707436911&type=1

http://www.facebook.com/photo.php?fbid=126460854103563&set=p.126460854103563&type=1

http://www.facebook.com/photo.php?fbid=126804947401822&set=p.126804947401822&type=1

http://www.facebook.com/photo.php?fbid=126940920719740&set=p.126940920719740&type=1

http://www.facebook.com/photo.php?fbid=127046007377110&set=p.127046007377110&type=1

http://www.facebook.com/photo.php?fbid=127894873957922&set=p.127894873957922&type=1

http://www.facebook.com/photo.php?fbid=128218357259011&set=p.128218357259011&type=1

http://www.facebook.com/photo.php?fbid=128361313909783&set=p.128361313909783&type=1

http://www.facebook.com/photo.php?fbid=129208183824889&set=p.129208183824889&type=1

http://www.facebook.com/photo.php?fbid=129476437132948&set=p.129476437132948&type=1

http://www.facebook.com/photo.php?fbid=129489630463165&set=p.129489630463165&type=1

http://www.facebook.com/photo.php?fbid=129981733747345&set=p.129981733747345&type=1

http://www.facebook.com/photo.php?fbid=130090707069591&set=p.130090707069591&type=1

http://www.facebook.com/photo.php?fbid=130204773726573&set=p.130204773726573&type=1

http://www.facebook.com/photo.php?fbid=131154313629317&set=p.131154313629317&type=1

http://www.facebook.com/photo.php?fbid=133529226726132&set=p.133529226726132&type=1

Most of these profiles are similar enough in execution to raise suspicion.  Each one of them is pointing to a site that leads you to either kicksbay.com or similar site.

How many kicksbay.com site copycats are out there?   Well, here is just a snapshot

one-sweet-pair.info
only-authentic.info
only-designer-goods.info
only-heels.info
only-jordans.info
only-louisvuitton.info
only-lv-heels.info
only-nike.info
pair-time.info
player-jordans.info
player-nike.info
player-pair.info
postjordan.info
postnike.info
postshoes.info
power-time.info
priceless-heels.info
rare-jordans.info
rarejordans.info
reallygoodjordandeal.info
right-jordans.info
right-kicks.info
right-nike.info
rightnike.info
runjordan.info
runnike.info
save-heels.info
sell-jordans.info
sell-nike.info
share-jordans.info
share-nike.info
share-pairs.info
share-sole.info
star-effect.info
star-feel.info
star-hoops.info
star-pairs.info
star-skills.info
thejordan.info
wholesale-jordans.info
wholesale-nike.info
wholesale-pairs.info

Clearly these profiles are fake and shoes they are selling are fake, and real people are getting scammed by it.

So why is this scam so widespread and successful? How are fake profiles able to acquire 1000s of real people as friends to whom they can market these shoes?

This is where Facebook’s “people you might know” suggestion comes into play. We all know that Facebook will suggest you list of people who went to same school, worked with same employer,  lived in same area or are friends of friends.  What about people with whom you do not have any such common ground?

As a test, on one of my profiles I had information about a school that I went to.  So far all the suggestions were for profiles with common school in common class. However on one of the fake profiles I encountered an ad for the “Miss Interenet” Facebook app. As soon as I added that app to my account all of my friend suggestions were for profiles similar to the fake profiles we encountered in shoe scam, girls with suggestive  photos and wall postings. None of them had anything in common with my profile except they might be related to “Miss Interent” app some way (as a user or liker).

Why is Facebook suggesting that? My hypothesis is that everything in Facebook world is identified as an object  with id. That means you, area that you live in, employer that you work for or school you went to are objects and so  is apps you are using, photos you are uploading and websites you are liking. If two people have any common object ID – they can be friends!

by Dave Michmerhuizen and Luis Chapetti – Security Researchers

The spam honeypots at Barracuda Labs have detected new spam that takes social engineering – and chutzpah – to new heights.

Google Pharmacy Email

While Google announces new products and services regularly, the skeptical email recipient will determine that this announcement fails to make the grade.

We do give the spammers an A for their eye-catching addition of Viagra and Cialis to the Google logo.

However, we mark them down with a D for their fractured English, (“pharmaceutical interfaces”) and a resounding F both for their choice of a domain in Russia and for landing on a run-of-the-mill  rogue Canadian Pharmacy website, as shown here

Canadian Pharmacy website

Spammers have long traded on the cachet of the Google name when sending out lottery spam, but presenting Google as a purveyor of Viagra is a whole new level of impersonation.  It has to be especially galling to Google because the company has recently been accused of knowingly accepting advertisements from rogue online pharmacies.  For their part, Google recently went to court to sue some of those same advertisers.

Barracuda Networks customers using the Barracuda Spam & Virus Firewall are protected from these emails.

by Nidhi Shah, research scientist

Many Facebook users have long waited for a Dislike button and this post is  to inform them that their wait is *not* yet over. The latest scam making rounds on Facebook is offering to add a “Dislike Button” to your profile.

However, clicking on the link to Activate or Enable the feature will only lead you to various, and typical, malicious offerings such as likejacking, RogueAV, drive-by downloads or survey scams.

The most interesting thing we noticed with this one is how creative the bad guys are getting about the distribution of their malicious apps. They are no longer simply exploiting a user’s inherent trust on Facebook via an app most likely since that means is getting some attention and risks being taken down. Instead, they are using other venues that have a user’s trust and also  allows them to distribute their apps. e.g. Mozilla add on or Chrome plugin.

Once installed these plugins have the ability to intercept and add code to a user’s Facebook profile and any other website he or she may browse.  One such plugin inserts rotating ads whenever the victim browses Facebook. While these ads may sound benign, ad networks in the past have been compromised and suffer from what is known as malvertisement.

The bottom line? As much as we might like to have it, there is no Dislike button just yet. Facebook users, and those browsing the Web in general, should remain extra careful before giving access to any apps on your browsing machine.