Facebook, spammers are in ‘arms race’
Within days of Facebook implementing new security features designed to block spam, several new social-engineering attacks were spreading that managed to side-step the company’s antispam defenses, a Facebook spokesman told CNET May 16.
The company began turning on a feature the week of May 9 that displays warnings when it detects users are about to be tricked by cross-site scripting (XSS) and clickjacking attacks. In such attacks, users are tricked into clicking something (clickjacking) or pasting some code into their browser Web address bar (XSS).
Yet there were several XSS attacks the weekend of May 14 and 15, and warnings were not displayed. In all the attacks, the user action results in the spam messages being re-posted to the victim’s Facebook pages and those of their friends. Ultimately, surveys are proffered for the victim to fill out. The spammers receive money for each survey completed, and the farther the spam spreads, the more money can be made.
A threat analyst at M86 said he suspected some of the spam was getting past Facebook’s defenses by obfuscating the JavaScript. Facebook seems to have made it harder for spammers to create campaigns that automatically execute and spam users’ friends, so that victims are sent off to external sites and required to cut and paste text into their browsers, he said.
Source: http://news.cnet.com/8301-27080_3-20063434-245.html