Feeds

Facebook vows 'consequences' for extreme porn scammers

Responsible parties already identified

SANS - Survey on application security programs

Updated Facebook officials have tracked down the scammers responsible for deluging the social network with images depicting bestiality, self-mutilation and other depravity and is vowing to seek swift justice.

As previously reported, Facebook has blamed the torrent of extreme smut on a "self-XSS vulnerability in the browser" that tricked users into pasting and executing malicious javascript in their address bars and caused them to unknowingly share this offensive content. Many victims have reported that the highly offensive content is visible to others but not to the user whose account was used to spread it.

According to reports published by PCMag.com and ZDNet, Facebook officials have also figured out who is behind the attack. Both reports cited the same statement from a Facebook PR representative that says:

"In addition to the engineering teams that build tools to block spam we also have a dedicated enforcement team that has already identified those responsible and is working with our legal team to ensure appropriate consequences follow."

Neither report divulged the identity of the scammers or said if law enforcement agencies have been called in to investigate.

When The Register asked Facebook representatives for confirmation, one of them responded with a statement that read: "We've identified the responsible parties and are pursuing legal action at this time."

Facebook's enforcement team has already taken a tough stance against spamming. In 2009, it sued serial spammer Sanford Wallace and two associates for spamming members with wall posts that posed as messages from their friends. The social network was eventually awarded $711 million in the case. Earlier this year, Wallace was criminally charged with hacking more than 500,000 Facebook accounts.

Facebook has sued other alleged spammers as well.

Facebook has yet to elaborate on key details of the ongoing attack. It's still unknown if the cross-site scripting vulnerability is unique to a particular browser and how many of its 800 million users have been affected.

Security firm Zscaler has a primer on self-inflicted JavaScript injection here. In the post, researcher Mike Geide said the most common ploy in the ongoing deluge comes from malicious Facebook groups that ask users to join and then enter JavaScript into their URL bar.

The scripts contain obfuscated code that generates invite messages to all of a user's Facebook friends and includes an invisible link to hxxp://aagmphxa.facebook.joyent.us/goog/index1.php. The URL no longer works. ®

This post was updated to add comment from Facebook and details from Zscaler.

Follow @dangoodin001 on Twitter.

High performance access to file storage

More from The Register

next story
Parent gabfest Mumsnet hit by SSL bug: My heart bleeds, grins hacker
Natter-board tells middle-class Britain to purée its passwords
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Mounties always get their man: Heartbleed 'hacker', 19, CUFFED
Canadian teen accused of raiding tax computers using OpenSSL bug
Web data BLEEDOUT: Users to feel the pain as Heartbleed bug revealed
Vendors and ISPs have work to do updating firmware - if it's possible to fix this
Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
Sammy's newbie cooked slower than iPhone, also costs more to build
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
prev story

Whitepapers

Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
SANS - Survey on application security programs
In this whitepaper learn about the state of application security programs and practices of 488 surveyed respondents, and discover how mature and effective these programs are.