Anonymous not behind vulgar Facebook spam attack: researcher

The recent spam attack that planted pornographic images on Facebook was not the work of Anonymous, a security researcher said Thursday.

On Tuesday, Facebook confirmed what it called”a coordinated spam attack” that resulted in sexually explicit images,as well as photos of extreme violence and animal abuse, spreading onmember’s pages.

Earlier that day, some had speculated that Anonymous — the hacker collectivebest known for conducting distributed-denial-of-service (DDoS) attacksagainst Visa, MasterCard and other firms that had stripped WikiLeaks ofpayment processing rights — was behind the Facebook attack.

According to Romanian security vendor BitDefender, Anonymous crafted aclassic Facebook worm, codenamed “Fawkes Virus,” last July, and hadpledged to use it to celebrate Guy Fawkes Day, Nov. 5 — a promise thegang later withdrew.

Guy Fawkes was arrested Nov. 5, 1605, for his part in the GunpowderPlot to assassinate King James I of England. Anonymous has often used amask of Fawkes as a logo for its hacking campaigns.

BitDefender’s find of Fawkes — which it announced Nov. 12, just daysbefore the Facebook porn storm — prompted some, includingComputerworld to speculate that Anonymous’ malware was the cause of thefast-spreading offensive images.

Not the case, said BitDefender.

“It looks like other Facebook attacks,” said George Petre, a seniorsocial media security researcher at BitDefender, in an email reply toquestions, referring to the porn attacks against the social networkinggiant.

“These are ordinary scams and we believe Anonymous would use somethingmore sophisticated,” Petre continued. “We expect the Fawkes virus to besomething related to malware, and to have complexmechanisms.”

Facebook has said that the attacks were conducted by exploiting what itcalled a “self-XSS browser vulnerability.”

That label — self-XSS — has been used by other researchers todescribe a ploy where spam messages tell recipients to copy and pasteJavaScript into their browser’s address bar. The script, however, is infact malicious and exploits a bug to hijack the account, post images ontheir news feeds, and spread the images to others.

The same tactic has been used against Facebook members before, notablylast May when a campaign baited the trap with a promise of videoshowing the death of Al-Qaeda terrorist Osama Bin Laden at the hands ofU.S. special forces.

Just days after the Bin Laden attacks, Facebook touted security improvements, including one designed to stymie some self-XSS attacks.

“Now, when our systems detect that someone has pasted malicious codeinto the address bar, we will show a challenge to confirm that theperson meant to do this as well as provide information on why it’s abad idea,” said Facebook. “[And] we are also working with the majorbrowser companies to fix the underlying issue that allows spammers todo this.”

Yesterday, Facebook admitted that the pornographic self-XSS attacks hadsidestepped those defenses.

“We had since adapted our systems to the Bin Laden self-XSS variant[but] this attack used a previously-unknown spam vector,” said aFacebook spokesman in an email Wednesday. “We have now tweaked oursystems to better detect and block this variant.”

Facebook also said that it had identified those responsible for theattacks, and was “working with our legal team to ensure appropriateconsequences follow.”

As BitDefender threw cold water on the idea that Anonymous plotted theattacks, other researchers said they were still in the dark about howthe hackers duped users or who had created the spam.

“We still do not have solid information or screenshots,” acknowledgedCommtouch, whose researchers have previouslydiscussed self-XSS attacks . “The spread of the images makesit difficult to determine the originating users who actually, orunknowingly, started the attack.”

Users can prevent self-XSS attacks by refusing to copy and pasteJavaScript — or anything else — into their browsers’ address bars,experts have advised.

Share on LinkedIn Share with Google+