Wednesday, August 7, 2013

"Hack Facebook" Site Hacks You Instead! On Blog Spam and SMS Scams

Spammers will do anything to drive traffic to their sites, from sending unsolicited e-mail to posting links on Facebook, Twitter, or Pinterest. They even try to leave spammy comments on popular news sites and blogs.

I find it somewhat amusing when spammers attempt to leave comments on my articles here at the JoshMeister on Security. Usually these attempted spam comments aren't noteworthy enough to merit any mention on this site (most diet-drug spam and other run-of-the-mill unsolicited advertisements, for example). But this time, someone attempted to link to a site that supposedly allows you to "hack a Facebook account."

pirater-face(dot)com, translated from French

I've written an article (published at The Mac Security Blog on antivirus firm Intego's site) about my investigation into the various ways this site tries to scam you:

"Facebook Hacking Site" Leads to Costly SMS Scam 

In short, the site tricks wannabe hackers into sending texts to a premium SMS number (81073), which leads to charges on their next phone bill. The site may also collect login details that could later be used to try to hack into the would-be hacker's various online accounts (Facebook or otherwise), and of course once the spammers have your phone number they might also send you text message spam (or sell your number to other spammers). Be sure to read the full article for all the juicy details.

If you don't wish to ever fall victim to a premium text messaging scam, some of the most important things you can do are to avoid visiting sketchy sites, be extremely careful about giving out your mobile phone number, and don't send text messages or replies to spammers.

Some mobile phone service providers like Verizon allow you to opt out of premium text messages, or if nothing else you can dispute charges that you have received. Here are instructions for the most popular providers in the United States; please post a comment to share opt-out instructions or billing contact info for major mobile phone service providers outside the U.S.:
  • AT&T: Forward spam messages to 7726 (SPAM); call 1-800-331-0500 to dispute any charges; more info
  • Sprint: Individual short codes can be added to a block list; see the "Blocking text messages" section toward the bottom at sprint.com/premiummessaging; presumably to dispute any charges you would have to call 1-888-211-4727 to speak with a representative
  • T-Mobile (U.S.): Forward spam messages to 7726 (SPAM); more info; presumably to dispute any charges you would have to call 1-877-746-0909 to speak with a representative
  • Verizon Wireless: Premium SMS can be blocked, and this must be done for each device on your account; see the list of instructions for opting out of Premium Messaging; presumably to dispute any charges you would have to call 1-800-922-0204, or 1-888-294-6804 if you're a prepaid customer
  • Regardless of your cell phone provider, you may want to add your phone number to the National Do Not Call Registry at donotcall.gov

If you own or operate a blog or news site, what can you do to prevent spammers from leaving comments on your site? Depending on the site, you may have any of a variety of options.

The most foolproof, assuming you're good at recognizing spam and that you don't get an overwhelming volume of comments, is to enable comment moderation. This usually means that you or another site administrator, editor, or moderator will have to manually approve all new comments before they appear on your site. (In the case of the Facebook-hacking spam, the attempt to post the comment was blocked thanks to moderation being enabled. I saw the contents of the comment and was able to mark it as spam and prevent it from ever appearing on this site.)

You can also implement features such as requiring commenters to log in to a blog/comment platform, or with an OpenID. Put another way, you can disable anonymous commenting. This may not necessarily be the best option for your site or blog, depending on your content and the type of people who might be interested in posting legitimate comments. Requiring commenters to log in may deter some spammers, but it could also inadvertently scare off some privacy-conscious humans as well. (Incidentally, the Facebook-hacking spam attempt came from a logged-in Blogger/Google+ account; read the next section below for details.)

Another option is to require commenters to type the words from a CAPTCHA or a similar test to try to prove that the commenter is a human rather than an automated program (a spam bot). One potential problem with CAPTCHA-like systems is accessibility; regardless of whether you try to decipher the default visual code or listen to an audio variation for the visually impaired, some humans find the task tedious or frustrating and may avoid posting legitimate comments because of it. Furthermore, some spammers would be willing to type in a CAPTCHA to spread their spam instead of (or in addition to) using a spam bot to spray comments all over the Web.

If your blog or news site uses WordPress and you get a high volume of spam, you may consider using a WP add-on like Akismet or Bad Behavior; see also this article by F-Secure's Sean Sullivan (@5ean5ullivan) for more WordPress security and anti-spam tips.
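A simple pre-moderation filter of the kind described above, written as an added example (it is not code from this blog, nor from Akismet or Bad Behavior): it pulls domains out of a comment, undoes the dot-obfuscation spammers use (such as "pirater-face(dot)com" or "pirater-face .com"), and checks each against a local blocklist. The blocklist here is constructed with the one domain from this post; a real deployment would feed it from a reputation source such as hpHosts or the Spamhaus DBL.

```python
import re

# Constructed blocklist for this example. A real filter would load it from a
# reputation feed (e.g. hpHosts or the Spamhaus DBL); kept local so this runs offline.
BLOCKLISTED_DOMAINS = {"pirater-face.com"}

# A real dot or one of the disguises used to slip past naive URL matching:
# "(dot)", "[dot]", "{dot}", or a dot padded with spaces ("pirater-face .com").
_DOT = r"(?:\s*(?:\(dot\)|\[dot\]|\{dot\}|\.)\s*)"
_DOT_ONLY = re.compile(_DOT, re.IGNORECASE)
# One or more host labels, each followed by a (possibly disguised) dot, then a TLD.
_DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]{1,63}" + _DOT + r")+[a-z]{2,24})\b",
                        re.IGNORECASE)


def extract_domains(text):
    """Return candidate domains found in free text, de-obfuscated and lower-cased."""
    domains = []
    for match in _DOMAIN_RE.finditer(text):
        labels = [label for label in _DOT_ONLY.split(match.group(1)) if label]
        domains.append(".".join(labels).lower())
    return domains


def is_blocklisted(domain, blocklist=BLOCKLISTED_DOMAINS):
    """True if the domain itself or any parent domain (but not the bare TLD) is listed."""
    labels = domain.split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels) - 1))


def flag_comment(comment, blocklist=BLOCKLISTED_DOMAINS):
    """Blocklisted domains linked from a comment, in order of first appearance.

    An empty list means nothing matched and the comment can go to the normal
    moderation queue; a non-empty list is a strong reason to mark it as spam.
    """
    hits = []
    for domain in extract_domains(comment):
        if is_blocklisted(domain, blocklist) and domain not in hits:
            hits.append(domain)
    return hits


if __name__ == "__main__":
    # Constructed sample comments resembling the one described in this post.
    for sample in ("Learn how to hack a Facebook account at pirater-face(dot)com!",
                   "Great article, thanks for the tips."):
        print(repr(sample), "->", flag_comment(sample) or "no blocklisted links")
```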


So what about this particular spam and the person who posted it? The spammer was signed in with a Google account registered to an "Elizabeth J. Neal" (most likely not the spammer's real name). The Blogger profile URL (http://www.blogger.com/profile/01824134730760179008) redirects to a Google+ account (https://plus.google.com/117406979534609059211). The account has been submitting spammy posts linking to various dubious-looking sites since May 1, 2013. (Every post mistakenly tries to make links with HTML "a href" tags, even though it should have been clear after the first post that Google+ turns any URL in a post into a link automatically; this leads me to wonder whether the Google+ account is operated by a bot rather than a human.)

The same account has successfully left spam comments on various blog sites in May, June, July, and August. In some cases, the spammer returned to previously spammed blogs and posted a second comment at a later date.

I blocked the Google+ profile and reported it to Google as a spam account, but so far Google does not appear to have taken any action.

The user's Google+ profile picture is in reality a photograph of Mary Killman, an American synchronized swimmer who competed in the 2012 Summer Olympics in London. (I've also reported the account to Google for celebrity impersonation, but given that the account name doesn't match the celebrity photo, I'm not sure whether Google's spam team will recognize this as a celebrity impostor.)

It's not uncommon for spammers and scammers to use photographs of other people, including celebrities; see the comments posted by "Yip Man" and myself on this Sophos article written by Graham Cluley (@gcluley) in November 2012.

Incidentally, there's a Facebook account (https://www.facebook.com/profile.php?id=100005859514726) with exactly the same name and profile photo as the Google+ account. The account was created on May 4, 2013, just a few days after the Google+ account started posting spam.

The site to which this particular spam comment attempted to link was pirater-face .com (see the Web of Trust report). This site already had a "red" rating on WOT because hpHosts blacklisted it on July 20th in its "fraudulent software and websites" category. According to URLVoid, only one other blacklist currently seems to be blocking this domain, namely Spamhaus DBL (Domain Block List).

Stay safe out there, and avoid visiting sites to which spam links!

