Do You Know Who’s Really Viewing Your Facebook Profile?

Lots of bad things happen every day on social networks. Most attacks rely on cross-site scripting or web application vulnerabilities, but I recently stumbled upon one particular attack that uses nothing more complex than social engineering to fool the unsuspecting (and perhaps even the suspecting) public. It’s a case that simply proves the old axiom: if something seems too good to be true, it probably is. Here’s how things unfolded.

Recently a friend on Facebook had this post added to her wall:

I’m always skeptical of applications that offer profile tracking services that Facebook itself doesn’t provide. It also seems unlikely an application would be able to track this information. So I thought I’d do some digging. After logging into a throwaway Facebook account, I visited the app page and got this:

Once you click the “Like” button, you’re asked to share the page. I never want to spam anyone, so I declined, only to find this:

Well, that doesn’t seem very friendly, does it? I wanted to know more about the app, so I chose to share this app on my wall. I then got sent on to an Activate window, which shows what appears to be a Facebook page in the background (more about that page later):

Even though I was pretty sure there was no official affiliation with Ikea, I’ve just moved, so I chose that option. After filling out some (fake) details on a sign-up page, I was told I had to give a valid cell number. Of course, I tried clicking “skip this step” but that just reloaded the page:

I chose to stop there, as whoever’s behind this is obviously up to no good. It’s highly likely that the personal information is being collected to be used for spam or other malicious purposes.

Once I was done, I revisited my wall to find the original post had been added, just as with my friend. So I decided to take a look at the application page to find out more. This is the page which got shown behind the Activate window – turns out it’s a page that’s not even on Facebook, and all the content is fake:

Nothing is clickable and all the testimonial profiles are bogus! The application page is designed to fool you into signing up for spam and providing personal information simply by using familiar Facebook colors and styles.

As I said at the beginning of my post, if it looks too good to be true, it probably is. And the flip side of this? Just because something looks trustworthy doesn’t mean that it is.
