Miley Cyrus fake “Sex Tape” worm on Facebook

I noticed a stream post on Facebook yesterday, supposedly about a leaked Sex Tape with Miley Cyrus, that I (though very carefully) clicked on. The image looks like a screen cap from a TV channel; it is fictitious, however, even though there are TV channels called TVN.

[Image: Facebook_post_obf]

The link in the post is, as usual, a short URL that hides where it is actually going. Some of the destination URLs I saw include the following; I think the site picks one of several hosts at random, even though all of them are hosted on Google appspot, e.g.

miley-sex-video.appspot.com, miley-vid9.appspot.com, celeb-tv.appspot.com, celeb-hunter.appspot.com

Whatever site you end up at, the resulting page looks suspiciously like YouTube but displays an “age verification” dialogue (even the sad face icon is stolen from YouTube).


This is actually a cunning trick: it gets the user to authorize the application without noticing, and then to reveal the resulting information to the page.

[Image: Age_verification]

The “click to verify” URL goes to facebook.com through a referrer-hiding service (href.li), probably so that Facebook cannot easily determine where the request comes from. (The yellow warning bar displayed above comes from the RequestPolicy add-on; it is not displayed in a normal browser.)

[Image: Success_obf]

The resulting page just says “success”, and the page address contains a Facebook access token that the user “has to” pass back to the application. The application then has access to the user's stream: it posts the image again as a mobile upload and tags random friends in it, so that the image and link show up in the streams of users who do not even have a friend relation to the compromised user.
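The flow above is an OAuth-style handoff in which the token ends up in the page address, and the user is talked into copying it back. The fragment part of a URL (everything after “#”) is never sent to a web server by the browser, which is exactly why the scam needs the user's help. The following is an added example, not code from the original post or from the worm: it shows how a defender can spot a token-bearing address, redact it before pasting it into a report, unwrap an href.li-style referrer hider, and flag links to the throwaway appspot hosts named in the post. The success-page path, the sample token and the parameter names in TOKEN_PARAMS are constructed or assumed; the href.li URL shape (destination after “?”) is an assumption about that service.

```python
"""Added example: spotting and redacting an access token that has leaked into a URL."""
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumption: common parameter names under which OAuth tokens/codes travel in URLs.
TOKEN_PARAMS = {"access_token", "oauth_token", "code"}
REFERRER_HIDERS = {"href.li"}          # referrer-hiding service named in the post
HOSTING_SUFFIXES = (".appspot.com",)   # hosting used by the worm pages, per the post

# Constructed sample addresses (not real worm URLs): the path and token are made up.
SUCCESS_URL = ("https://www.facebook.com/example-success-page"
               "#access_token=CONSTRUCTED_TOKEN_abc123&expires_in=3600")
WRAPPED_URL = "https://href.li/?https://www.facebook.com/example-auth?client_id=EXAMPLE"
APPSPOT_URL = "https://miley-vid9.appspot.com/example-page"


def find_tokens(url):
    """Return (location, name, value) for every token-like parameter in query or fragment."""
    parts = urlsplit(url)
    found = []
    for location, raw in (("query", parts.query), ("fragment", parts.fragment)):
        for name, value in parse_qsl(raw, keep_blank_values=True):
            if name.lower() in TOKEN_PARAMS and value:
                found.append((location, name, value))
    return found


def redact(url):
    """Return the URL with token values replaced, so it can be shared in a report."""
    parts = urlsplit(url)

    def scrub(raw):
        if "=" not in raw:           # plain fragment like '#top': leave untouched
            return raw
        pairs = parse_qsl(raw, keep_blank_values=True)
        cleaned = [(n, "[REDACTED]" if n.lower() in TOKEN_PARAMS else v) for n, v in pairs]
        return urlencode(cleaned, safe="[]")

    return urlunsplit((parts.scheme, parts.netloc, parts.path,
                       scrub(parts.query), scrub(parts.fragment)))


def unwrap_referrer_hider(url):
    """Assumed href.li shape: the real destination follows the '?'. Otherwise return input."""
    parts = urlsplit(url)
    if parts.netloc.lower() in REFERRER_HIDERS and parts.query.startswith(("http://", "https://")):
        return parts.query
    return url


def classify_link(url):
    """Defender-side triage of one link: referrer hiding, throwaway hosting, token in URL."""
    flags = []
    inner = unwrap_referrer_hider(url)
    if inner != url:
        flags.append("referrer-hiding wrapper")
    if urlsplit(inner).netloc.lower().endswith(HOSTING_SUFFIXES):
        flags.append("hosted on appspot")
    if find_tokens(inner):
        flags.append("access token in URL")
    return flags


if __name__ == "__main__":
    for sample in (SUCCESS_URL, WRAPPED_URL, APPSPOT_URL):
        print(classify_link(sample), "->", redact(sample))
```

Running the block prints a flag list per sample; `redact(SUCCESS_URL)` keeps `expires_in` but replaces the token value, which is the form an analyst should use when quoting such an address anywhere.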

[Image: Fake]

The actual image that is supposed to be from the sex tape is shown for a brief moment when visiting the page; this is presumably meant to look like the video loading before being blocked by the age verification. It could be a screen cap from a generic porn movie or even photoshopped, I'm not sure; it is, however, likely not Miley Cyrus.

[Image: Twirler]

After passing the fake age verification page, the page just displays the twirler symbol as if it has problems loading the video. Depending on how desperate you are to actually view the video, you could even try to reload the page and go through the authorization once more, posting the worm image once again to a different list of friends.

[Image: Wating]

Sometimes the loading image is displayed while waiting for age verification, further adding to the impression that this simply timed out and you could just try again later.


I have tried to analyze the HTML code of the pages a bit. It looks like the people who wrote this had some rather smart ideas to pull this off: it uses a plethora of free services to host the whole thing (Google appspot, Dropbox, bit.ly, imgur, whos.amung.us, googleapis, MaxMind), and they even distribute the load between different appspot instances to cheat the daily limit on CPU time and traffic.


Since Friday, Facebook has apparently noticed this attack: it has removed the stream posts and now displays a warning on the HTML success page to keep users from disclosing the access token:

[Image: Success_new_obf]

I checked the first image with TinEye and it came up with an unmodified version of the image, from a 2010 blog post about “famous o-faces”; the original image is probably taken from a video by Miley Cyrus.

[Image: Famous_ofaces_640_36]


Two updates (10/1/2012):

The same thing was reported by somebody else yesterday, coming to the same conclusions: http://www.breakthesecurity.com/2012/09/miley-cryus-sex-tape-real-or-fake.html

(For the benefit of users finding this article with Google:) the worm may return as a Selena Gomez/Justin Bieber “Sex Tape” scam, though I haven't found evidence that it is really running around Facebook.


After watching this Keek, I feel sort of old

I watched this video yesterday of Victoria Justice playing Ms Pacman, and I can't help feeling a bit old: she is way younger than Pacman, in fact she is 3 years younger than the Game Boy.

[Image: Ms_pacman]

http://www.keek.com/VictoriaJustice/keeks/Lde3aab

(I should mention that I’m 11 years older than Pacman)

Before anybody complains: I know it is Ms Pacman, but you get the point, I hope.

Bonus question: if you are older than Pacman, do you even know what a “Keek” is? I didn’t until about a week ago.


Twitter phishing/spam worm

I got a few DMs recently purporting to be warnings from people you follow about abusive posts from somebody else.

[Image: 2012-09-06_22_28_35-twitter_interactions]

The bit.ly link in the message goes to a phishing page, which most likely posts new messages from your account again if you disclose your login details to it.

[Image: 2012-09-06_22_29_44-sign_in_to_twitter]

Even though the scam is quite obvious, there are probably enough people still falling for this.


(The target URL is blacklisted by bit.ly now, however.)

Update (2012-09-26):

The story has now been reported by cnet: http://news.cnet.com/8301-1009_3-57519494-83/twitter-users-may-be-victims-of-…

Update (2012-09-26):

There are a few variations of the actual message, and the redirect URLs sometimes use .tk domains, e.g.

Did you see this tweet about you? XYZ.TK

hilarious pic! XYZ.TK

Twitter might start to charge soon, sign this petition to keep the service free! bit.ly/xyz

HIGHEST QUALITY REPLlCA WATCHES & JEWELRY 15% Off bit.ly/xyz (this may have been a normal spam URL)
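The message variants listed above share two traits a simple filter can key on: a lure phrase and a link that hides its destination (a bit.ly shortener or a .tk domain). The following is an added example, not code from the original post: a small scoring function run over constructed sample DMs built from the wording above. The lure phrases, the shortener list and the sample messages are assumptions or constructed for this example, so the scores are illustrative of the approach, not a verdict on real traffic.

```python
"""Added example: heuristic triage of suspicious DMs, using the lure texts from the post."""
import re

SHORTENER_HOSTS = {"bit.ly"}   # shortener used by the campaign, per the post
RISKY_TLDS = {"tk"}            # TLD seen in the redirect URLs, per the post
# Assumption: phrases characteristic of the lures quoted in the post.
LURE_PHRASES = ("about you", "hilarious pic", "sign this petition", "abusive")

# Matches a bare host like XYZ.TK or a host plus path like bit.ly/xyz.
URL_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})(/\S*)?", re.IGNORECASE)

# Constructed sample messages modelled on the variants quoted in the post; the last
# one is a benign message for contrast.
SAMPLE_DMS = [
    "Did you see this tweet about you? XYZ.TK",
    "hilarious pic! XYZ.TK",
    "Twitter might start to charge soon, sign this petition to keep the service free! bit.ly/xyz",
    "HIGHEST QUALITY REPLlCA WATCHES & JEWELRY 15% Off bit.ly/xyz",
    "Thanks for the follow, see you at the meetup",
]


def extract_links(text):
    """Return (host, path) tuples for every link-looking token, host lower-cased."""
    return [(host.lower(), path or "") for host, path in URL_RE.findall(text)]


def assess_dm(text):
    """Score one message: one point per hiding link trait, one per lure phrase."""
    reasons = []
    links = extract_links(text)
    for host, path in links:
        tld = host.rsplit(".", 1)[-1]
        if host in SHORTENER_HOSTS:
            reasons.append(f"shortened link hides destination: {host}{path}")
        if tld in RISKY_TLDS:
            reasons.append(f"link uses .{tld} domain seen in this campaign: {host}")
    lowered = text.lower()
    for phrase in LURE_PHRASES:
        if phrase in lowered:
            reasons.append(f"lure phrase: '{phrase}'")
    return {"score": len(reasons), "reasons": reasons, "links": links}


if __name__ == "__main__":
    for dm in SAMPLE_DMS:
        result = assess_dm(dm)
        print(result["score"], dm)
        for reason in result["reasons"]:
            print("   -", reason)
```

The three worm variants each score 2 (lure plus hidden link), the replica-watch message scores 1 on the shortener alone, matching the post's remark that it may be ordinary spam, and the benign message scores 0. In practice the scores would feed a review queue rather than block anything outright.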