<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>AndrewSaysHello.com &#187; trend micro</title>
	<atom:link href="http://www.andrewsayshello.com/tag/trend-micro/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.andrewsayshello.com</link>
	<description>Andrew&#039;s Website for Lots-o-Fun and Junk!</description>
	<lastBuildDate>Wed, 24 Aug 2011 19:20:26 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>Spammers Now Using Facebook Events to Trick Users!</title>
		<link>http://www.andrewsayshello.com/technology/spammers-now-using-facebook-events-to-trick-users/</link>
		<comments>http://www.andrewsayshello.com/technology/spammers-now-using-facebook-events-to-trick-users/#comments</comments>
		<pubDate>Mon, 04 Apr 2011 15:33:48 +0000</pubDate>
		<dc:creator>Andrew</dc:creator>
				<category><![CDATA[Facebook]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Technology]]></category>
		<category><![CDATA[facebook event scam]]></category>
		<category><![CDATA[facebook scam]]></category>
		<category><![CDATA[facebook spam]]></category>
		<category><![CDATA[sophos security]]></category>
		<category><![CDATA[spammers]]></category>
		<category><![CDATA[trend micro]]></category>

		<guid isPermaLink="false">http://www.andrewsayshello.com/?p=1938</guid>
		<description><![CDATA[Spammers are now using Facebook Events to trick users into completing online surveys, taking part in online contests and performing other tasks which allow spammers to generate commissions. In some cases, users are also tricked into giving up their mobile phone number, which is then automatically signed up for expensive premium services. According to multiple [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.andrewsayshello.com/wordpress/wp-content/uploads/2011/04/facebook-logo.png" rel="lightbox[1938]"><img class="alignright size-medium wp-image-1943" title="facebook-logo" src="http://www.andrewsayshello.com/wordpress/wp-content/uploads/2011/04/facebook-logo-300x300.png" alt="" width="243" height="243" /></a>Spammers are now using Facebook Events to trick users into completing online surveys, taking part in online contests and performing other tasks which allow spammers to generate commissions. In some cases, users are also tricked into giving up their mobile phone number, which is then automatically signed up for expensive premium services.</p>
<p>According to multiple security firms, spammers using Facebook Events to promote their links have been highly successful in their efforts to dupe unsuspecting users thus far. According to a report from Trend Micro, &#8220;tens of thousands&#8221; of users had mistakenly registered for one spammer&#8217;s event. Meanwhile, Sophos found an example where over 10 million Facebook users had been targeted, and over 165,000 had accepted.</p>
<p>Trend Micro&#8217;s fraud analyst Paul Pajares says that spammers have turned to Facebook Events instead of posting their links to users&#8217; walls, where they can &#8220;easily get lost in the News Feed.&#8221; These bogus events often have tantalizing, link-bait titles like &#8220;How to Find Out Who&#8217;s Viewing Your Profile&#8221; or &#8220;Who Blocked You From His Friend List?&#8221;</p>
<div id="attachment_1939" class="wp-caption aligncenter" style="width: 474px"><a href="http://www.andrewsayshello.com/wordpress/wp-content/uploads/2011/04/facebook-event.jpg" rel="lightbox[1938]"><img class="size-full wp-image-1939 " title="facebook-event" src="http://www.andrewsayshello.com/wordpress/wp-content/uploads/2011/04/facebook-event.jpg" alt="" width="464" height="400" /></a><p class="wp-caption-text">Example of fake event.</p></div>
<p>For the record, Facebook doesn&#8217;t allow you to track profile views or blocks, either through its own user interface and feature set or via third-party Facebook applications. Facebook even explains in its own online Help <a href="https://www.facebook.com/help/?faq=14350&amp;ref_query=blocked+you">documentation</a> that &#8220;blocking someone is completely confidential,&#8221; and that no one will ever be notified that they&#8217;ve been blocked. It also does not permit third-party applications to track this information, either.</p>
<p>In addition, any application that claims it can show you who&#8217;s been viewing your profile should be reported, Facebook says in a separate FAQ (frequently asked question) available <a href="https://www.facebook.com/help/?faq=14357&amp;ref_query=viewed+">here</a>.</p>
<p>However, the Event spam is new enough that Facebook has not yet updated its Help documentation to refer to both applications <em>and events</em>. The pages only mention apps.</p>
<p>That said, any links promoting such activities should be avoided at all costs, no matter the source.</p>
<p style="text-align: left;"><strong>How these scams work:</strong></p>
<p>Once on an Event&#8217;s page, users visiting the &#8220;More Info&#8221; section are provided with instructions on how to find out the answer to the question the event promotes (e.g. who blocked you, who&#8217;s viewing your profile, etc.). The final step, of course, is clicking the spammer&#8217;s link.</p>
<p>This link is obfuscated using a URL-shortener like <a href="http://bit.ly/">bit.ly</a>, which takes a longer link and compresses it into a shorter one that redirects to the site in question. Bit.ly and other services like it grew in popularity thanks to Twitter, which limits the number of characters in its status update field to 140 characters. For Twitter users sharing news and other links with each other, these services are invaluable. However, for spammers, the shorteners can hide what would otherwise be questionable domain names and URLs from potential scam victims.</p>
<p>As a best practice, you should avoid any event invitations of a similar nature, even if you see a friend promoting them on their own Facebook Wall. The tricky, bogus events being used by these cyber criminals also automatically reshare the Event&#8217;s link to victims&#8217; own Facebook pages. If you see something like this, you may want to inform your friend that they were a victim of a spammer.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.andrewsayshello.com/technology/spammers-now-using-facebook-events-to-trick-users/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Lenovo Support Page Compromise Leads to BREDOLAB Trojan!</title>
		<link>http://www.andrewsayshello.com/technology/lenovo-support-page-compromise-leads-to-bredolab-trojan/</link>
		<comments>http://www.andrewsayshello.com/technology/lenovo-support-page-compromise-leads-to-bredolab-trojan/#comments</comments>
		<pubDate>Wed, 23 Jun 2010 12:04:18 +0000</pubDate>
		<dc:creator>Andrew</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[Technology]]></category>
		<category><![CDATA[antivirus]]></category>
		<category><![CDATA[bkis]]></category>
		<category><![CDATA[botnet]]></category>
		<category><![CDATA[bredolab]]></category>
		<category><![CDATA[fakeav]]></category>
		<category><![CDATA[iframe]]></category>
		<category><![CDATA[lenovo]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[pushdo]]></category>
		<category><![CDATA[trend micro]]></category>
		<category><![CDATA[trojan]]></category>
		<category><![CDATA[virus]]></category>
		<category><![CDATA[zbot]]></category>

		<guid isPermaLink="false">http://www.andrewsayshello.com/?p=1330</guid>
		<description><![CDATA[Chinese PC manufacturer Lenovo is the latest high-profile company to be compromised. Sometime over the past weekend, its support pages, which allowed users to download drivers and manuals, were compromised with the addition of a malicious iframe. The website in this malicious iframe led to the download of a BREDOLAB variant detected as TROJ_BREDOLAB.BY (by Trend Micro). This malware [...]]]></description>
			<content:encoded><![CDATA[<p>Chinese PC manufacturer Lenovo is the latest high-profile company to be compromised. Sometime over the past weekend, its support pages, which allowed users to download drivers and manuals, were compromised with the addition of a malicious iframe.</p>
<p>The website in this malicious iframe led to the download of a <strong>BREDOLAB</strong> variant detected as <a href="http://threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_BREDOLAB.BY">TROJ_BREDOLAB.BY</a> (by Trend Micro). This malware family is well-known for being a downloader of other malware onto affected systems, particularly ZBOT and FAKEAV variants.</p>
<p>BREDOLAB first gained prominence in late 2009 when the number of reported infections significantly grew. <a href="http://us.trendmicro.com/imperia/md/content/us/trendwatch/researchandanalysis/bredolab_final.pdf">Upon investigation</a> by senior advanced threats researcher David Sancho, it was found that BREDOLAB was a new malware family similar to earlier PUSHDO variants.</p>
<p>Later investigations by senior advanced threats researcher Loucif Kharouni established the key role BREDOLAB plays in the criminal underworld: cybercriminals running pay-per-install (PPI) scams frequently use BREDOLAB to infect user systems.</p>
<div id="attachment_1331" class="wp-caption aligncenter" style="width: 310px"><a href="http://www.andrewsayshello.com/wordpress/wp-content/uploads/2010/06/botnet_model.jpg" rel="lightbox[1330]"><img class="size-medium wp-image-1331" title="botnet_model" src="http://www.andrewsayshello.com/wordpress/wp-content/uploads/2010/06/botnet_model-300x230.jpg" alt="" width="300" height="230" /></a><p class="wp-caption-text">Botnet Model</p></div>
<p>Lenovo has acknowledged the incident <a href="http://forums.lenovo.com/t5/General-Discussion/Warning-Lenovo-download-site-is-infected-by-trojan-downloader/td-p/241901">on its official forum</a> and has indicated that the affected pages have now been cleaned. Reports from Vietnamese antivirus vendor <a href="http://cyberinsecure.com/lenovo-support-website-loads-malicious-iframe-infects-visitors-with-trojan/">Bkis</a> indicated that the pages have been infected since at least Sunday afternoon. Some users also reported getting antivirus warnings while visiting Lenovo’s download website since Saturday.</p>
<p>Users who did go to the Lenovo pages to download support materials from late on June 18 (Friday) to June 21 (Monday) may have been affected by this compromise and should check their systems accordingly.</p>
<p>This further proves the point that you should always have an antivirus program running on your computer at all times (and make sure it&#8217;s updated as well!). Even websites that you think are safe can fall victim to these types of attacks, leaving everyone at risk. So be safe out there&#8230; &#8217;cause the internet is one crazy place!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.andrewsayshello.com/technology/lenovo-support-page-compromise-leads-to-bredolab-trojan/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>New Adobe Download Manager Bug!</title>
		<link>http://www.andrewsayshello.com/technology/new-adobe-download-manager-bug/</link>
		<comments>http://www.andrewsayshello.com/technology/new-adobe-download-manager-bug/#comments</comments>
		<pubDate>Wed, 24 Feb 2010 13:09:07 +0000</pubDate>
		<dc:creator>Andrew</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[Technology]]></category>
		<category><![CDATA[adobe]]></category>
		<category><![CDATA[botnet]]></category>
		<category><![CDATA[bug]]></category>
		<category><![CDATA[dlm]]></category>
		<category><![CDATA[download]]></category>
		<category><![CDATA[manager]]></category>
		<category><![CDATA[trend micro]]></category>
		<category><![CDATA[trojan]]></category>
		<category><![CDATA[update]]></category>
		<category><![CDATA[virus]]></category>
		<category><![CDATA[vulnerability]]></category>
		<category><![CDATA[worm]]></category>

		<guid isPermaLink="false">http://www.andrewsayshello.com/?p=982</guid>
		<description><![CDATA[Within days of Adobe’s release of out-of-band security updates for both Acrobat and Reader, word now comes from security researcher Aviv Raff, of another new vulnerability in an Adobe product. The flaw was found in Adobe Download Manager (DLM), an application Adobe uses to deliver common applications (e.g., Flash and Reader) to users’ systems. Normally, [...]]]></description>
			<content:encoded><![CDATA[<p>Within days of Adobe’s release of out-of-band security updates for both Acrobat and Reader, word now comes from security researcher Aviv Raff, of another new vulnerability in an Adobe product.</p>
<p><a href="http://www.andrewsayshello.com/wordpress/wp-content/uploads/2010/02/adobe.jpg" rel="lightbox[982]"><img class="alignright size-full wp-image-983" title="adobe" src="http://www.andrewsayshello.com/wordpress/wp-content/uploads/2010/02/adobe.jpg" alt="" width="237" height="309" /></a>The flaw was found in Adobe Download Manager (DLM), an application Adobe uses to deliver common applications (e.g., Flash and Reader) to users’ systems. Normally, it cannot be used to download non-Adobe files onto users’ systems. However, according to Raff, a vulnerability in DLM allows third parties to download and install files onto users’ systems, in effect making it usable as a malware downloader.</p>
<p>Raff has not released specific details about this vulnerability and has indicated that he would not do so until the problem has been resolved by Adobe. On Tuesday, Adobe released a <a href="http://www.adobe.com/support/security/bulletins/apsb10-08.html">new security bulletin</a> indicating that they have resolved this issue. Users who used Adobe DLM to download either Flash or Acrobat from February 23, 2010 onwards are safe; everyone else is advised to remove the Adobe Download Manager entry in the Add/Remove Programs applet in the Windows Control Panel.</p>
<p>This is not the first time DLM has proven vulnerable to malicious attacks. In fact, in January of this year, a <a href="http://www.adobe.com/support/security/bulletins/apsb10-02.html">remote code execution</a> vulnerability in the application was among those Adobe patched.</p>
<p>This was on top of a bug that Raff also discovered earlier, which allowed DLM to be triggered to download Adobe or Adobe-approved applications by going to a specific URL on the company’s site. In a situation where an unpatched vulnerability in an Adobe product was thus present, this bug could allow cybercriminals to install vulnerable applications onto users’ systems, which they could then exploit to execute malware.</p>
<p><em>Security Has a Price—Problems with Security Updates</em></p>
<p>Trend Micro researcher Rajiv Motwani notes that the combined impact of fixing these and other similar holes in a relatively short period of time is becoming problematic for users, particularly enterprises. In theory, Adobe is supposed to release quarterly security updates for its products, but regular discoveries of new flaws have significantly undermined that plan.</p>
<p>Though unscheduled patches pose problems for home users and small businesses, large enterprises face greater risks. System administrators are traditionally loath to use automatic updates on enterprise systems, as these may cause disruptions to important business operations.</p>
<p>The burden of updating systems will then fall either on users or administrators—neither of whom think this is an appealing proposition. It is also likely that systems will not be updated, leaving them wide open to exploits. A <a href="http://blogs.zdnet.com/security/?p=4097">Trusteer study</a> found that this was exactly the case for Adobe products, revealing that only 7 percent of the total number of product users had updated versions of Acrobat applications while only 19 percent had updated Flash versions.</p>
<p>These concerns are always present for applications. However, for Adobe products like Flash and Acrobat, the risks are greater due to the vendor’s success. The same Trusteer study found that more than 90 percent of the total number of users run some version of Flash while 99 percent run Acrobat or Reader applications.</p>
<p>As Motwani notes, these two factors—Adobe’s high market penetration and users’ failure to regularly patch their systems—not only raise the number of systems that can potentially be affected. They also mean that organizations face the added burden of testing each patch for stability and/or performance issues and of rolling it out in a phased manner.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.andrewsayshello.com/technology/new-adobe-download-manager-bug/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The New EYEBOT and a Possible Bot War!</title>
		<link>http://www.andrewsayshello.com/technology/the-new-eyebot-and-a-possible-bot-war/</link>
		<comments>http://www.andrewsayshello.com/technology/the-new-eyebot-and-a-possible-bot-war/#comments</comments>
		<pubDate>Wed, 17 Feb 2010 13:33:57 +0000</pubDate>
		<dc:creator>Andrew</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[Technology]]></category>
		<category><![CDATA[botnet]]></category>
		<category><![CDATA[eyebot]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[mydoom]]></category>
		<category><![CDATA[russia]]></category>
		<category><![CDATA[spyware]]></category>
		<category><![CDATA[trend micro]]></category>
		<category><![CDATA[trojan]]></category>
		<category><![CDATA[virus]]></category>
		<category><![CDATA[worm]]></category>
		<category><![CDATA[zbot]]></category>
		<category><![CDATA[zeus]]></category>

		<guid isPermaLink="false">http://www.andrewsayshello.com/?p=959</guid>
		<description><![CDATA[There is a new bot in town and it seems that it has set out to rival the notorious ZBOT botnet. Trend Micro threat researchers recently came across a new spyware detected as TSPY_EYEBOT.A. Certain EYEBOT behaviors cause us to believe that this could lead to a new bot war similar to the worm wars we saw years back between NETSKY and MYDOOM. EYEBOT [...]]]></description>
			<content:encoded><![CDATA[<p>There is a new bot in town and it seems that it has set out to rival the notorious ZBOT botnet. Trend Micro threat researchers recently came across a new spyware detected as TSPY_EYEBOT.A. Certain EYEBOT behaviors cause us to believe that this could lead to a new bot war similar to the worm wars we saw years back between NETSKY and MYDOOM.</p>
<p>EYEBOT is still just a “newbie,” but should the ZBOT criminal minds choose to respond, there is some potential for a bot war to ensue. However, at this stage, we cannot be certain what response, if any, the ZBOT criminals are likely to make. On the other hand, both EYEBOT and ZBOT use rootkit technology, even though the former behaves more like a “backdoor.”</p>
<p>The new spyware exhibits routines similar to ZBOT, aka “Zeus” variants, which are considered some of the most dangerous malware in relation to information, financial, and identity theft. The EYEBOT spyware steals account credentials by logging users’ keystrokes. It also drops a configuration file similar to those ZBOT uses to monitor bank-related websites. EYEBOT likewise utilizes rootkit technology to hide its malicious files and processes from affected users, which helps it avoid detection and consequent removal.</p>
<p>Originating from Russia, this spyware also acts as a server to a graphical user interface (GUI)-based client, which is one of its notable differences from ZBOT variants. While ZBOT variants are usually standalone programs, the EYEBOT has to receive commands from a remote malicious user. In this regard, the EYEBOT acts much like a typical backdoor program, which gives cybercriminals access to affected systems.</p>
<p>What further sets it apart from its more experienced counterpart, however, is its capability to terminate ZBOT-instigated processes. A closer look at its binary file reveals that the spyware was designed to monitor known ZBOT mutexes, <em>_AVIRA_</em> and <em>__SYSTEM__</em>.</p>
<p><a href="http://www.andrewsayshello.com/wordpress/wp-content/uploads/2010/02/eyebot.gif" rel="lightbox[959]"><img class="aligncenter size-medium wp-image-960" title="eyebot" src="http://www.andrewsayshello.com/wordpress/wp-content/uploads/2010/02/eyebot-300x151.gif" alt="" width="300" height="151" /></a></p>
<p>Only time will tell if anything comes of this or if this will just become another small player in the ever-growing fight against growing botnets.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.andrewsayshello.com/technology/the-new-eyebot-and-a-possible-bot-war/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

