Your first status on facebook – A SPAM

Posted: 30/12/2010 in Facebook, Technology

Scam Signature Message: My first Status was: “random post”. This was posted on [random date]

[Image: myfirststatus_wall]

Scam Type: Survey Scam – Rogue Application – Like Jacking

Trending: December 2010

Why it’s a Scam:

Once you click on the Wall Post link, you are immediately taken to the Facebook application installation screen:

[Image: myfirststatus_app]

Here, you are asked to install the “First Status” Facebook application. We have also seen this scam use an application called “Status,” and there could be other variations. If you agree to the install, you must give the application developer full access to your basic information and the right to post to your wall. The application wants this access so it can spam the same message to your friends. You should never give a third-party application this much access unless you are 100% sure of its developer’s intentions and authenticity. If you do proceed with the install, your account is like-jacked and the scammer’s message is posted to your wall for your friends to see. You will then be taken to the following screen:

[Image: myfirststatus_survey]

The surveys here often require you to download a game to proceed. These downloads often contain viruses or other malware that can infect your system. Don’t download anything or give them more of your personal information. In the end, you won’t see your First Status, but the scammers will have gained another victim.

How to Deal with the Scam:

If you did make the mistake of installing the application and passing the link on to your friends, you should clean up your news feed and profile to remove references to the application. You also need to open your privacy settings and remove the application.

[Image: editappsettings]

If you made the mistake of submitting your cell phone number for any of the surveys, then you should contact your carrier immediately to keep any bogus charges from appearing.

This is how it’s spreading according to Google Analytics:

First source: http://goo.gl/info/ZOu63 (14 hours ago)

Countries:
  United States: 2244
  Canada: 446
  United Kingdom: 26
  Mexico: 16
  Jamaica: 15
  Trinidad and Tobago: 9
  Hong Kong: 5
  Guam: 3
  Dominican Republic: 2
  India: 2

Browsers:
  Internet Explorer: 1025
  Firefox: 485
  Safari: 485
  Chrome: 460
  NetFront: 24
  Opera: 24
  Teleca: 19
  UP.Browser: 12
  Obigo: 10
  SearchToolbar: 7

Platforms:
  Windows: 1971
  Macintosh: 302
  BlackBerry: 195
  Linux: 143
  iPod: 39
  Samsung: 26
  LGE: 14
  LG: 11
  PlayStation Portable: 11
  KWC: 8

Second source: http://goo.gl/info/dVl9t (6 hours ago)

Countries:
  Philippines: 450
  United Kingdom: 378
  Australia: 315
  Belgium: 217
  Malaysia: 200
  Lebanon: 117
  Bulgaria: 84
  Germany: 79
  Slovenia: 63
  Egypt: 59

Browsers:
  Chrome: 856
  Firefox: 854
  Internet Explorer: 734
  Opera: 449
  Safari: 269
  NetFront: 41
  Jasmine: 30
  Version: 29
  BrowserNG: 8
  Mobile: 5

Platforms:
  Windows: 2484
  Macintosh: 177
  BlackBerry: 123
  Nokia: 100
  Samsung: 57
  Linux: 24
  SonyEricsson: 13
  LG: 10
  iPhone: 8
  Other Unix: 4

Third source: http://goo.gl/info/ULQbz (6 hours)

Countries:
  Philippines: 411
  United Kingdom: 407
  Australia: 326
  Belgium: 286
  Malaysia: 188
  Lebanon: 165
  Germany: 89
  Kenya: 78
  Austria: 75
  Jordan: 61

Browsers:
  Internet Explorer: 891
  Chrome: 850
  Firefox: 776
  Opera: 469
  Safari: 266
  NetFront: 70
  Version: 29
  Jasmine: 28
  Mobile: 6
  Teleca: 6

Platforms:
  Windows: 2499
  Macintosh: 199
  BlackBerry: 136
  Nokia: 93
  Samsung: 81
  SonyEricsson: 18
  Other Unix: 18
  Linux: 17
  LG: 16
  iPad: 9

What is also clear is that the whole scam comes from one source, which has the following URL: centerdirection.info/r/g

I did a DNS lookup and got the following info:

Domain ID:D36105884-LRMS
Domain Name:CENTERDIRECTION.INFO
Created On:29-Dec-2010 02:44:10 UTC
Last Updated On:29-Dec-2010 03:15:19 UTC
Expiration Date:29-Dec-2011 02:44:10 UTC
Sponsoring Registrar:eNom, Inc. (R126-LRMS)
Status:CLIENT TRANSFER PROHIBITED
Status:TRANSFER PROHIBITED
Registrant ID:641ea8f96d1f957d
Registrant Name:WhoisGuard  Protected
Registrant Organization:WhoisGuard
Registrant Street1:8939 S. Sepulveda Blvd. #110 –
Registrant Street2:
Registrant Street3:
Registrant City:Westchester
Registrant State/Province:CA
Registrant Postal Code:90045
Registrant Country:US
Registrant Phone:+1.6613102107
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:
Admin ID:641ea8f96d1f957d
Admin Name:WhoisGuard  Protected
Admin Organization:WhoisGuard
Admin Street1:8939 S. Sepulveda Blvd. #110 –
Admin Street2:
Admin Street3:
Admin City:Westchester
Admin State/Province:CA
Admin Postal Code:90045
Admin Country:US
Admin Phone:+1.6613102107
Admin Phone Ext.:
Admin FAX:
Admin FAX Ext.:
Admin Email:
Billing ID:641ea8f96d1f957d
Billing Name:WhoisGuard  Protected
Billing Organization:WhoisGuard
Billing Street1:8939 S. Sepulveda Blvd. #110 –
Billing Street2:
Billing Street3:
Billing City:Westchester
Billing State/Province:CA
Billing Postal Code:90045
Billing Country:US
Billing Phone:+1.6613102107
Billing Phone Ext.:
Billing FAX:
Billing FAX Ext.:
Billing Email:
Tech ID:641ea8f96d1f957d
Tech Name:WhoisGuard  Protected
Tech Organization:WhoisGuard
Tech Street1:8939 S. Sepulveda Blvd. #110 –
Tech Street2:
Tech Street3:
Tech City:Westchester
Tech State/Province:CA
Tech Postal Code:90045
Tech Country:US
Tech Phone:+1.6613102107
Tech Phone Ext.:
Tech FAX:
Tech FAX Ext.:
Tech Email:
Name Server:NS1.CENTERDIRECTION.INFO
Name Server:NS2.CENTERDIRECTION.INFO

The attacker is protected against the WHOIS lookup, so I wasn’t able to identify him.
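
Even with the registrant hidden, the record above still carries signals a defender can use for blocking or triage. The following is an added example, not part of the original post: it parses an excerpt of that record and flags it. The signal names, the 30-day threshold and the use of the post date as the observation date are assumptions made for illustration.

```python
from datetime import datetime, timezone

# Excerpt of the WHOIS record quoted above (repeated contact blocks omitted).
WHOIS_TEXT = """\
Domain Name:CENTERDIRECTION.INFO
Created On:29-Dec-2010 02:44:10 UTC
Expiration Date:29-Dec-2011 02:44:10 UTC
Status:CLIENT TRANSFER PROHIBITED
Status:TRANSFER PROHIBITED
Registrant Name:WhoisGuard  Protected
Registrant Organization:WhoisGuard
Registrant Email:
Name Server:NS1.CENTERDIRECTION.INFO
Name Server:NS2.CENTERDIRECTION.INFO
Name Server:
"""

def parse_whois(text):
    """Parse 'Key:Value' lines; keys may repeat, empty values are dropped."""
    record = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")  # split on the first colon only
        if sep and value.strip():
            record.setdefault(key.strip(), []).append(value.strip())
    return record

def triage(record, seen_on, max_age_days=30):
    """Return (signal, detail) pairs that remain usable despite privacy protection."""
    signals = []
    domain = record["Domain Name"][0].lower()
    created = datetime.strptime(record["Created On"][0], "%d-%b-%Y %H:%M:%S UTC")
    age = (seen_on - created.replace(tzinfo=timezone.utc)).days
    if age <= max_age_days:  # hypothetical threshold
        signals.append(("newly_registered", f"{age} day(s) old when seen"))
    who = " ".join(record.get("Registrant Name", [])
                   + record.get("Registrant Organization", []))
    if "whoisguard" in who.lower() or "protected" in who.lower():
        signals.append(("privacy_proxy", "registrant hidden behind a privacy service"))
    servers = [ns.lower() for ns in record.get("Name Server", [])]
    if servers and all(ns.endswith("." + domain) for ns in servers):
        signals.append(("self_hosted_dns", ", ".join(servers)))
    return signals

# Assumption: the post date (30/12/2010) stands in for when the link was observed.
SEEN_ON = datetime(2010, 12, 30, tzinfo=timezone.utc)

if __name__ == "__main__":
    for name, detail in triage(parse_whois(WHOIS_TEXT), SEEN_ON):
        print(f"{name}: {detail}")
```

None of these signals proves abuse on its own; together with the wall-post pattern described earlier they are enough to justify blocking the domain at a proxy or DNS filter.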
Comments
  1. Thanks! Linked to this post!