Fake Celeb Profiles in Spam Attacks

Just one day after hackers broke into the accounts of 33 Twitter users, including President-elect Barack Obama, spammers have launched attacks using fake profiles of celebrities.

One attack is on the LinkedIn social networking site for professionals, where the spammers put up a nude picture with a celebrity’s name, a fake profile and links that are supposed to take visitors to three nude videos of the celebrity. Security software vendor McAfee (NYSE: MFE) posted an example on its Avert Labs blog.

However, the links redirect visitors’ browsers to a site containing malware.

Another attack, discovered by security vendor Sophos, has spammers putting up pages with photos of celebrities on Google (NASDAQ: GOOG) Blogspot that redirect visitors to sites offering scareware — fake anti-virus software.

Celebrities featured in the LinkedIn attacks include actresses Kate Hudson and Kirsten Dunst, and wrestler Hulk Hogan.

But the spammers have become tricky – instead of sending victims to one site, the links send them to a traffic management system that points to a different domain every time someone clicks on the links, according to McAfee Avert Labs.

This makes it more difficult to track the spammers, and helps hide the malicious site from the Web site’s owner or administrator, helping keep the infection undetected for a longer time, McAfee Avert Labs said. It also ensures visitors are automatically redirected to sites where their local language is used.

“When you combine clicking attacks, which always work, with back end sophisticated technology like traffic management, where you get redirected to a site in your own language, you make attacks more effective,” Dave Marcus, security research and communications director at McAfee, told InternetNews.com.

Celebrities whose images have been used in the Blogspot attacks include retired Playboy Magazine publisher Hugh Hefner, country singer Shania Twain, actor Warren Beatty and actress Barbara Hershey, according to a post by Paul Baccas, writing as Pob on the SophosLabs blog.

Bad guys Google too

The sites contain the malicious Troj/JSRedir-F script, which redirects visitors to another site where scareware is downloaded onto their computers. SophosLabs is working with Google to shut down the sites, which are all hosted on Google Blogspot, Baccas said.

“We are aware of this particular issue and are working now to resolve it,” a Google spokesperson told InternetNews.com by e-mail. “Google takes the security of our users very seriously, and we actively work to detect and remove sites that serve malware.”

“The bad guys have two objectives – protect themselves and make it as difficult as possible to prevent them from spreading their malware,” Randy Abrams, director of technical education at antivirus vendor ESET, told InternetNews.com.

The spammers are using different types of attacks on the rogue LinkedIn profiles. McAfee Avert Labs detected an IFrame attack, while Graham Cluley, senior technology consultant at security and antivirus vendor Sophos, said on his blog that SophosLabs detected the malicious Troj/Decdec-A JavaScript code on them.

Malware authors are increasingly expected to use IFrame attacks. An IFrame is an HTML element that lets a page author embed one HTML document inside another.
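As an added illustration (not code from McAfee, Sophos or the original article), a site that hosts user-submitted profiles or blog pages could audit that markup for IFrames that load from a foreign host. The hidden-frame heuristic, the function and class names, and the sample hosts are assumptions of this example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Heuristic assumed by this example: styles and sizes that hide a frame from the viewer.
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
TINY = {"0", "1", "0px", "1px"}

class IframeAuditor(HTMLParser):
    """Collects iframes in user-submitted HTML that load from a foreign host."""
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "").strip() for k, v in attrs}
        host = (urlparse(a.get("src", "")).hostname or "").lower()
        # Relative URLs have no host; same-site and subdomain frames are not reported.
        if not host or host == self.site_host or host.endswith("." + self.site_host):
            return
        hidden = (
            a.get("width", "").lower() in TINY
            or a.get("height", "").lower() in TINY
            or bool(HIDDEN_STYLE.search(a.get("style", "")))
        )
        self.findings.append({"host": host, "hidden": hidden, "line": self.getpos()[0]})

def audit_iframes(html, site_host):
    auditor = IframeAuditor(site_host)
    auditor.feed(html)
    auditor.close()
    return auditor.findings

# Constructed sample profile markup; all hosts are reserved example names.
SAMPLE_PROFILE = """<div class="profile">
<h1>Celebrity Name</h1>
<iframe src="/widgets/badge.html" width="200" height="50"></iframe>
<iframe src="https://cdn.profiles.example/embed" width="300" height="200"></iframe>
<iframe src="http://tracker.invalid/frame" width="1" height="1"></iframe>
<IFRAME SRC="//media.invalid/v" STYLE="Visibility: Hidden"></IFRAME>
</div>"""

if __name__ == "__main__":
    for finding in audit_iframes(SAMPLE_PROFILE, "profiles.example"):
        print(finding)
```

Off-site frames that are also hidden deserve review first; a visible off-site frame is still reported, with `hidden` set to `False`.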

Although spammers are expected to become increasingly sophisticated as they leverage Web 2.0 technologies, today’s attacks were relatively simple because they work well, ESET’s Abrams said.

Also, they tap into one of the most basic human motivators – lust, Abrams said.

“People fall for so many scams on the Web out of greed, and lust is just as powerful as greed.”
