Don't blame Anonymous for Facebook porn storm, says researcher

Computerworld - The recent spam attack that planted pornographic images on Facebook was not the work of Anonymous, a security researcher said today.

On Tuesday, Facebook confirmed what it called "a coordinated spam attack" that resulted in sexually explicit images, as well as photos of extreme violence and animal abuse, spreading on member's pages.

Earlier that day, some had speculated that Anonymous -- the hacker collective best known for conducting distributed-denial-of-service (DDoS) attacks against Visa, MasterCard and other firms that had stripped WikiLeaks of payment processing rights -- was behind the Facebook attack.

According to Romanian security vendor BitDefender, Anonymous crafted a classic Facebook worm, codenamed "Fawkes Virus," last July, and had pledged to use it to celebrate Guy Fawkes Day, Nov. 5 -- a promise the gang later withdrew.

Guy Fawkes was arrested Nov. 5, 1605, for his part in the Gunpowder Plot to assassinate King James I of England. Anonymous has often used a mask of Fawkes as a logo for its hacking campaigns.

BitDefender's find of Fawkes -- which it announced Nov. 12, just days before the Facebook porn storm -- prompted some, including Computerworld to speculate that Anonymous' malware was the cause of the fast-spreading offensive images.

Not the case, said BitDefender.

"It looks like other Facebook attacks," said George Petre, a senior social media security researcher at BitDefender, in an email reply to questions, referring to the porn attacks against the social networking giant.

"These are ordinary scams and we believe Anonymous would use something more sophisticated," Petre continued. "We expect the Fawkes virus to be something related to malware, and to have complex mechanisms."

Facebook has said that the attacks were conducted by exploiting what it called a "self-XSS browser vulnerability."

That label -- self-XSS -- has been used by other researchers to describe a ploy where spam messages tell recipients to copy and paste JavaScript into their browser's address bar. The script, however, is in fact malicious and exploits a bug to hijack the account, post images on their news feeds, and spread the images to others.

The same tactic has been used against Facebook members before, notably last May when a campaign baited the trap with a promise of video showing the death of Al-Qaeda terrorist Osama Bin Laden at the hands of U.S. special forces.

Just days after the Bin Laden attacks, Facebook touted security improvements, including one designed to stymie some self-XSS attacks.

"Now, when our systems detect that someone has pasted malicious code into the address bar, we will show a challenge to confirm that the person meant to do this as well as provide information on why it's a bad idea," said Facebook. "[And] we are also working with the major browser companies to fix the underlying issue that allows spammers to do this."