Blackhole Rears its Ugly Head: Facebook and LinkedIn the Tip of the IcebergWritten by Malcolm James on April 23, 2013
It’s no secret that as quickly as we make ways to stop the madness, the spammers are finding ways to pump up the volume. The spam landscape is becoming more dangerous than ever, if that’s even possible, and it seems that the spammers have decided to put their knives and pistols away in favour of anti-ballistic missiles and nukes. Now, if that all seems like hyperbole to you, you’re absolutely right. But exaggeration doesn’t necessarily not make it so, good grammar be damned.
We’ve been reporting for a while now the new sightings of dangerous new spam campaigns, most notably the faux Facebook message that leads you to believe that a friend has tagged you in a photo, and a phony LinkedIn email that tries to suck you into clicking a link to find out why some dude you’ve never heard of is trying to connect with you.
In both instances, the messages are quite convincing. They’re clean and devoid of the obvious stuff that normally tips us off that the messages are from some clown with the language skills of a bearded dragon. They’re personalized, both in the subject line and the body of the message, giving you a name that’s randomized so you rarely get the same message twice. They even give you a little personal information about the fake sender. One recent message comes to mind, where an Anne Johnson, Store Manager at Jos. A. Bank Clothiers, was the ‘sender’. All this, of course, is meant to throw you off your game just long enough so that the itchy little index finger you’ve been clicking with all day falls prey to the centuries-old argument: “shucks, one more click’s not going to hurt nothin’.”
Very devious indeed. But getting you to believe the message is just part of the fun that the scam artists have planned for you. It’s the clicking part they’re really interested in, and a new report tells us just what’s in store for users who’ve been lulled into a false sense of security by promises of making new contacts and cleaning up in the office pool to see who can friend the most people.
It turns out, v3.co.uk is reporting, that a new security report has identified Blackhole as the lurking monster waiting to pounce if you’re unfortunate enough to have been lulled by that friend request. The links, apparently, are legitimate, but the sites have been compromised and polluted with hidden iframes and redirects that affect pretty much any operating system, from “Android to Windows,” the security expert writes, so we can assume that Apple and Linux fit in there, alphabetically. A number of other legitimate firms, like American Airlines, BBC, and Verizon are mentioned as candidates for the spoofed messages, all of them very convincing and similar to what you might expect from the real company.
Interestingly enough, while the tactics and delivery method are similar, the malware payload differs. The report finds that in some instances the infected links will turn your PC into a zombie, while in others, the game is purely for information theft. We might infer from that that while the campaigns are similar, the senders are very different.
That Blackhole is involved in this dastardly campaign isn’t really surprising. We know that the thing has been around for awhile in different variants, with version 2.0 being made available to wannabe hackers late last year. What this news does do for us is remind us that we’re not in Kansas anymore, Toto. If the old playing field was dangerous, the new playing field is littered with razor blades and shards of broken glass, and we’re being sent in to play in bare feet.
If your bones aren’t chilled to ice yet, they should be. What makes this so very dangerous is the seeming innocence and validity of these emails, making even the most educated users click without thinking twice. We’ve seen others, too, most notably, messages about failed package deliveries and one regarding a failed money transfer – both of which aren’t very good and seem to have been crafted by that bearded dragon we were talking about.
In fact, since the first article on the Facebook and LinkedIn scams, we’ve noticed a couple of new campaigns, these ones preying on a very real human emotion: loneliness. Dating services which – saints be praised! – have found local matches for you. Odd, since you can’t remember signing up for a dating service, but hey, if it came from the Internet, it must be for real, right?