Facebook Circulating 'Who's Viewed Your Profile' Campaign Exposes 800k+ Users to CrossRider PUA/Rogue Firefox Add-ons/Android Adware AirPush

A massive privacy-violating, Facebook circulating "Who's Viewed Your Profile" campaign, has been operating beneath the radar, exposing over 800,000 users internationally, to a cocktail of PUAs (Potentially Unwanted Applications), rogue Firefox Add-ons impersonating Adobe's Flash Player, as well as the Android based adware AirPush.

Relying on a proven social engineering tactic of "offering what's not being offered in general", next to hosting the rogue files on legitimate service providers -- Google Docs and Dropbox in this particular case -- the campaign is a great example that the ubiquitous for the social network social engineering scheme, continues to trick gullible and uninformed users into installing privacy-violating applications on their hosts/mobile devices.

Let's dissect the campaign, expose its infrastructure, (conservatively) assess the damage, and provide fresh MD5s for the currently served privacy-violating PUAs, Firefox add-ons, and Android adware.

Primary spamvertised Facebook URL: FCOSYUC.tk/?15796422
Redirection chain: p2r0f3rviewer9890.co.nf -> bit.ly/1bZCeNv?vsdvc -> wh0prof.uni.me/?sdvsjka -> wh0prof.uni.me/ch/
Rogue Google Store Extension URL (currently offline): hxxps://chrome.google.com/webstore/detail/dllaajjfgpigkeblmlbamflggfjkgbej
Campaign's GA Account ID: UA-12798017-1

Domain name reconnaissance:
wh0prof.uni.me - 192.157.201.42

Known to have responded to the same IP are also the following domains:
cracks4free.info
pr0lotra.p9.org

Google Docs Hosted PUA URLs:
hxxps://docs.google.com/uc?authuser=0&id=0BziH-mKCuQwqVFljUDBnTjFHdVE&export=download
hxxps://docs.google.com/uc?authuser=0&id=0BziH-mKCuQwqRXBMLWZ4cVZJV2s&export=download
hxxps://docs.google.com/uc?authuser=0&id=0BziH-mKCuQwqUjllLWc4MVFRQUk&export=download
hxxps://docs.google.com/uc?authuser=0&id=0BziH-mKCuQwqOXlyNko0VFBOdnM&export=download
hxxps://docs.google.com/uc?authuser=0&id=0BziH-mKCuQwqZm5yeUFudFhqclU&export=download
hxxps://docs.google.com/uc?authuser=0&id=0BziH-mKCuQwqbWpfNW5FalJmRGM&export=download
hxxps://docs.google.com/uc?authuser=0&id=0BziH-mKCuQwqS3V1ZkZBQjJGbjQ&export=download
hxxps://docs.google.com/uc?authuser=0&id=0BziH-mKCuQwqX2xXbEJLbEY0Q3M&export=download
hxxps://docs.google.com/uc?authuser=0&id=0BziH-mKCuQwqMU5RVkJSWURxME0&export=download
hxxps://docs.google.com/uc?authuser=0&id=0BziH-mKCuQwqVFljUDBnTjFHdVE&export=download

Dropbox Firefox Add-on/Android APK Hosted URLs:
hxxps://dl.dropboxusercontent.com/s/so3vm50w298qkto/WhoViewsYourProfile.apk
hxxps://dl.dropboxusercontent.com/s/kor9c2mqv49esva/kkadobe-ff.xpi

Detection rate for the served PUAs, the Android adware and the rogue Firefox Add-on:
MD5: c7fcf7078597ea752b8d54e406c266a7 - detected by 5 out of 48 antivirus scanners as PUP.Optional.CrossRider
MD5: 30cf98d7dc97cae57f8d72487966d20b - detected by 6 out of 48 antivirus scanners as Trojan.Dropper.FB
MD5: f2459b6bde1d662399a3df725bf8891b - detected by 13 out of 48 antivirus scanners as Adware/AirPush!Android; Android Airpush; Adware/ANDR.Airpush.G.Gen
MD5: 3fb95e1ed77d1b545cf7385b4521b9ae - detected by 18 out of 48 antivirus scanners as JS/TrojanClicker.Agent.NDL

Once executed MD5: 30cf98d7dc97cae57f8d72487966d20b phones back to 195.167.11.4.

Time to (conservatively) assess the campaign's damage over the year(s):

The click-through rate should be considered conservative, and it remains unknown whether the URL shortening service was used by the cybercriminal(s) since day one of the campaign.

The campaign remains active, and is just the tip of the iceberg in terms of similar campaigns tricking Facebook's users into thinking that they can eventually see who's viewed their profile. Facebook users who stumble across such campaigns on their own, or their friends' Walls, are advised to consider reporting the campaign back to Facebook, immediately.

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.

Facebook Circulating 'Who's Viewed Your Profile' Campaign Exposes 800k+ Users to CrossRider PUA/Rogue Firefox Add-ons/Android Adware AirPush

A massive privacy-violating, Facebook circulating "Who's Viewed Your Profile" campaign, has been operating beneath the radar, exposing over 800,000 users internationally, to a cocktail of PUAs (Potentially Unwanted Applications), rogue Firefox Add-ons impersonating Adobe's Flash Player, as well as the Android based adware AirPush.

Relying on a proven social engineering tactic of "offering what's not being offered in general", next to hosting the rogue files on legitimate service providers -- Google Docs and Dropbox in this particular case -- the campaign is a great example that the ubiquitous for the social network social engineering scheme, continues to trick gullible and uninformed users into installing privacy-violating applications on their hosts/mobile devices.

Let's dissect the campaign, expose its infrastructure, (conservatively) assess the damage, and provide fresh MD5s for the currently served privacy-violating PUAs, Firefox add-ons, and Android adware.

Primary spamvertised Facebook URL: FCOSYUC.tk/?15796422
Redirection chain: p2r0f3rviewer9890.co.nf -> bit.ly/1bZCeNv?vsdvc -> wh0prof.uni.me/?sdvsjka -> wh0prof.uni.me/ch/
Rogue Google Store Extension URL (currently offline): hxxps://chrome.google.com/webstore/detail/dllaajjfgpigkeblmlbamflggfjkgbej
Campaign's GA Account ID: UA-12798017-1

Domain name reconnaissance:
wh0prof.uni.me - 192.157.201.42

Known to have responded to the same IP are also the following domains:
cracks4free.info
pr0lotra.p9.org

Google Docs Hosted PUA URLs:
hxxps://docs.google.com/uc?authuser=0&id=0BziH-mKCuQwqVFljUDBnTjFHdVE&export=download
hxxps://docs.google.com/uc?authuser=0&id=0BziH-mKCuQwqRXBMLWZ4cVZJV2s&export=download
hxxps://docs.google.com/uc?authuser=0&id=0BziH-mKCuQwqUjllLWc4MVFRQUk&export=download
hxxps://docs.google.com/uc?authuser=0&id=0BziH-mKCuQwqOXlyNko0VFBOdnM&export=download
hxxps://docs.google.com/uc?authuser=0&id=0BziH-mKCuQwqZm5yeUFudFhqclU&export=download
hxxps://docs.google.com/uc?authuser=0&id=0BziH-mKCuQwqbWpfNW5FalJmRGM&export=download
hxxps://docs.google.com/uc?authuser=0&id=0BziH-mKCuQwqS3V1ZkZBQjJGbjQ&export=download
hxxps://docs.google.com/uc?authuser=0&id=0BziH-mKCuQwqX2xXbEJLbEY0Q3M&export=download
hxxps://docs.google.com/uc?authuser=0&id=0BziH-mKCuQwqMU5RVkJSWURxME0&export=download
hxxps://docs.google.com/uc?authuser=0&id=0BziH-mKCuQwqVFljUDBnTjFHdVE&export=download

Dropbox Firefox Add-on/Android APK Hosted URLs:
hxxps://dl.dropboxusercontent.com/s/so3vm50w298qkto/WhoViewsYourProfile.apk
hxxps://dl.dropboxusercontent.com/s/kor9c2mqv49esva/kkadobe-ff.xpi

Detection rate for the served PUAs, the Android adware and the rogue Firefox Add-on:
MD5: c7fcf7078597ea752b8d54e406c266a7 - detected by 5 out of 48 antivirus scanners as PUP.Optional.CrossRider
MD5: 30cf98d7dc97cae57f8d72487966d20b - detected by 6 out of 48 antivirus scanners as Trojan.Dropper.FB
MD5: f2459b6bde1d662399a3df725bf8891b - detected by 13 out of 48 antivirus scanners as Adware/AirPush!Android; Android Airpush; Adware/ANDR.Airpush.G.Gen
MD5: 3fb95e1ed77d1b545cf7385b4521b9ae - detected by 18 out of 48 antivirus scanners as JS/TrojanClicker.Agent.NDL

Once executed MD5: 30cf98d7dc97cae57f8d72487966d20b phones back to 195.167.11.4.

Time to (conservatively) assess the campaign's damage over the year(s):

The click-through rate should be considered conservative, and it remains unknown whether the URL shortening service was used by the cybercriminal(s) since day one of the campaign.

The campaign remains active, and is just the tip of the iceberg in terms of similar campaigns tricking Facebook's users into thinking that they can eventually see who's viewed their profile. Facebook users who stumble across such campaigns on their own, or their friends' Walls, are advised to consider reporting the campaign back to Facebook, immediately.

Summarizing Webroot's Threat Blog Posts for November

The following is a brief summary of all of my posts at Webroot's Threat Blog for November, 2013. You can subscribe to Webroot's Threat Blog RSS Feed, or follow me on Twitter:

01. Google-dorks based mass Web site hacking/SQL injecting tool helps facilitate malicious online activity
02. Deceptive ads lead to the SpyAlertApp PUA (Potentially Unwanted Application)
03. Cybercriminals differentiate their ‘access to compromised PCs’ service proposition, emphasize on the prevalence of ‘female bot slaves’
04. New vendor of ‘professional DDoS for hire service’ spotted in the wild
05. Source code for proprietary spam bot offered for sale, acts as force multiplier for cybercrime-friendly activity
06. Low Quality Assurance (QA) iframe campaign linked to May’s Indian government Web site compromise spotted in the wild
07. Popular French torrent portal tricks users into installing the BubbleDock/Downware/DownloadWare PUA (Potentially Unwanted Application)
08. Web site of Brazilian ‘Prefeitura Municipal de Jaqueira’ compromised, leads to fake Adobe Flash player
09. Malicious multi-hop iframe campaign affects thousands of Web sites, leads to a cocktail of client-side exploits
10. Vendor of TDoS products/services releases new multi-threaded SIP-based TDoS tool
11. Cybercriminals spamvertise tens of thousands of fake ‘Sent from my iPhone’ themed emails, expose users to malware
12. Fake ‘Annual Form (STD-261) – Authorization to Use Privately Owned Vehicle on State Business’ themed emails lead to malware
13. ‘Newly released proxy-supporting Origin brute-forcing tools targets users with weak passwords’
14. Fake WhatsApp ‘Voice Message Notification’ themed emails expose users to malware
15. Cybercriminals impersonate HSBC through fake ‘payment e-Advice’ themed emails, expose users to malware
16. Fake ‘MMS Gallery’ notifications impersonate T-Mobile U.K, expose users to malware
17. Fake ‘October’s Billing Address Code’ (BAC) form themed spam campaign leads to malware

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.

Fake Chrome/Firefox/Internet Explorer/Safari Updates Expose Users to Android Malware

A currently ongoing malicious campaign using compromised sites as the primary traffic acquisition tactic, is attempting to socially engineer users (English and Russian speaking) into thinking that they're using an outdated version of their browser, and need to apply a bogus (security/antivirus) update. In reality though, the update is a variant of Trojan:Android/Fakeinst.EQ/Android.SmsSend.

Sample screenshots of the fake browser update landing pages:

Social engineering redirection chain: hxxp://france-leasebacks.com/includes/domit/1.php -> hxxp://advertcliks.net/ir/28/1405/56e9ca1335c2773445a79d5ddf75a755/ (93.115.82.239; Email: maxaxaha@gmail.com) -> hxxp://newupdateronline.org (109.163.230.182; Email: vbistrih@yandex.com).

Known to have responded to 109.163.230.182 are also the following domains:
1mc8.asia
anglecultivatep.in
appallinglyndiscoveries.in
bilious-6biros.in
boathire.pw
cvwv87.pro
dlsdcncnew1.pw
efuv77.pro
familye-perspex.in
farting-meagre.in
flvupdate.in
fringeclamberedk.in
hopefully-great8.in
investment-growsa.asia
money-tree.pw
moon-media.pw
moontree.pw
mountainlake.pw
movingv-relation.in
new-updateronline.org

Sample Android samples pushed by the campaign:
MD5: da7fffa08bdeb945ca8237c2894aedd0 - detected by 11 out of 46 antivirus scanners as Android.SmsSend.809.origin; Android.Trojan.FakeInst.HE
MD5: 1e1f57f6c8c9fb39da8965275548174f - detected by 17 out of 46 antivirus scanners as HEUR:Trojan-SMS.AndroidOS.FakeInst.fe; Andr/RuSms-AL
MD5: b0f597636859b7f5b2c1574d7a8bbbbb - detected by 13 out of 47 antivirus scanners as HEUR:Trojan-SMS.AndroidOS.FakeInst.fe; Andr/RuSms-AL
MD5: b40aebc327e1bc6aabe5ccb4f18e8ea4 - detected by 16 out of 48 antivirus scanners as Android:FakeIns-AF; Trojan:Android/Fakeinst.EQ

All samples phone back to dlsdcncnew.net (109.163.230.182; Email: constantin.zawyalov@yandex.ru). Responding to the same IP is also newapk-flv.org.

The same email is also known to have been previously used to register the following domains:
downloader8days.in
open-filedownload4.in (known to have responded to 188.95.159.30)
upweight.in
bestnewbrowsers.in
bestowedcomedyb.org (known to have responded to 109.163.230.180)
expandload.in
2012internet-load.in
4interfilefolder.in
99030.in
admitted-6crept.org
rufileserver.in

It appears that the traffic is not segmented -- to affect mobile device users only -- at any point of the redirection chain, an indication of what I believe is a boutique cybercrime-friendly operation. In comparison, the relatively more sophisticated ones would segment the traffic, usually acquired through the active exploitation of tens of thousands of legitimate Web sites, or the direct purchase of segmented mobile traffic.

Interestingly, both novice players in this market segment, and the experienced ones, are implementing basic evasive tactics, such as, for instance, the need to provide a valid mobile number, where a potential victim will receive a confirmation code for accessing the inventory of rogue games and applications, thereby preventing automatic acquisition of the apps for further analysis. Moreover, providing a valid mobile number to the cybercriminals behind the campaign, is naturally prone to be abused in ways largely based on the preferences of those who obtained them through such a way, therefore users are advised not to treat their mobile number in a privacy conscious way.

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.