Monday, October 8, 2012

Facebook virus alert: eventforyous "www .vidolaughs. com"

To remove this Virus go HERE. (opens in a new window)

I think most of my readers (maybe even all THREE of you) are anti-Facebook but for those that have children on FB, here's a little warning. As I have three of my six daughters on FB, we've come across the latest virus. Being the old White Hat that I am, I'll post a little info on it here knowing that Google likes to index the crap out of this blog and it should reach a majority of people Googling for a fix to the problem.

(Sidenote: Google indexed this blog post in 18 minutes. 0_o)

If you've seen a goofy Facebook post that has horrific spelling like this:

"hahahahaha <name of recipient>  i cant believe whaaat u did in thiss videeoooo it's sooo stupid it's all over face bok!!! gooo hereee removee theee spaaaces -----> www .vidolaughs. com "

then you have witnessed the handiwork of a hacker. With a simple suggestive hook (i.e., look what you did AND it's on video), an unsuspecting user willingly clicks on the link provided. In this case, it is VidoLaughs.com.

Several warning bells should sound in your head when you see this stuff. Misspellings THAT bad are dead giveaways for hackers posting in a non-native language. Simple misspellings like VidoLaughs instead of VideoLaughs are suspicious, but the ridiculous "whaaat" and "videeoooo" are most certainly done on purpose to gloat over the unfolding malicious act. Taunting, if you will.

Always watch the URL when accessing an unknown site. If you click a link like the aforementioned VidoLaughs.com, but when the page loads the URL clearly says "eventforyous.com/login.php", then you should not proceed any further.



Picture courtesy of YooSecurity (note the URL)

This is the classic FAKE login page that will steal your information once you attempt to log in.  The only good news, so far, is that the hackers in this case are NOT changing the passwords on the FB accounts once they have access. They are only logging in, spamming the bogus links, and moving on.
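The address-bar check described above, written out as a small script. This is an added example, not code from the original post: the function names and the choice of facebook.com as the only trusted domain are assumptions, and the sample URLs are constructed. It goes a little beyond the one case in the post by also covering look-alike hosts that merely contain "facebook.com".

```javascript
// Added example: is the page asking for a Facebook password really Facebook?
// The decision uses only the host in the address bar, never the page's looks.
const TRUSTED_DOMAIN = "facebook.com"; // assumption: the only site allowed to ask

// Extract the host from what the address bar (or a pasted link) shows.
function hostOf(address) {
  let text = address.replace(/\s+/g, ""); // the spam spells links with spaces
  if (!/^[a-z][a-z0-9+.-]*:\/\//i.test(text)) text = "http://" + text;
  try {
    // URL parsing puts anything before "@" in username, not in hostname.
    return new URL(text).hostname.toLowerCase().replace(/\.$/, "");
  } catch (err) {
    return null; // unparseable: treat as untrusted
  }
}

// Trusted only if the host IS the domain or a subdomain of it.
// A substring test would wrongly accept "facebook.com.eventforyous.com".
function isTrustedHost(host) {
  return host !== null &&
    (host === TRUSTED_DOMAIN || host.endsWith("." + TRUSTED_DOMAIN));
}

// Compare the link that was clicked with the page that actually loaded.
function checkLoginPage(clickedLink, addressBar) {
  const clicked = hostOf(clickedLink);
  const landed = hostOf(addressBar);
  return {
    landedHost: landed,
    redirected: clicked !== landed,
    safeToLogIn: isTrustedHost(landed),
  };
}

// Constructed inputs; the first pair is the case described in the post.
const samples = [
  ["www .vidolaughs. com", "eventforyous.com/login.php"],
  ["https://www.facebook.com/", "https://www.facebook.com/login.php"],
  ["www .vidolaughs. com", "http://facebook.com.eventforyous.com/login.php"],
  ["www .vidolaughs. com", "http://facebook.com@eventforyous.com/login.php"],
];
for (const [clicked, bar] of samples) {
  console.log(bar, "->", JSON.stringify(checkLoginPage(clicked, bar)));
}
```

Only the second sample comes back with safeToLogIn set to true; the other three land on eventforyous.com no matter what the rest of the URL says.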

If you are affected by this hack, at this point, you can simply log in to FB and change your password.  You would also be wise to run a virus scan on your computer. I recommend Malwarebytes software for a safe and easy solution. I've used them for a few years now and with constant FREE upgrades, I haven't been stumped by a bug yet.

A little geek research for fun:

VidoLaughs.com appears to be located in Portugal, although this is most likely a mirror.

A WhoIs search on VidoLaughs shows a Registrant Protected status but shows the name of the server as ns1.clearfbevent.com. Clear FB Event, as in Clear out Facebook Event? Hmmm. The name VidoLaughs.com was just registered on Oct 2, 2012.

Of course, a quick visit to clearfbevent.com shows nothing. However, a Google search of "clearfbevent" shows 704 entries where the phrase clearfbevent was used in what appears to be a link scam for traffic. "Click here for a free Apple iPad 3" type advertisement.

This attack is mostly (90.6% of visitors) occurring in the United States, says Alexa (click on the "audience" link).

10 CLS
 
20 PRINT "Hello, world!"
 
30 PRINT "OrangeJeepDad blog is awesome"
 
40 REM "Visit us daily"
 
50 CLS
 
60 PRINT "All your base is belong to us"
 
70 END
 
80 LOL