Anything can go here, in any language... except my native language Sinhala. Be cool... anybody is warmly welcomed! :)

Showing posts with label facebook. Show all posts

Viral Apps on Facebook | Would you let them use you?

Recently I saw some videos spreading on Facebook. 'Spreading', in the sense that people watch and share. What was so special about these videos was that their thumbnails had that "YouTube feel", but seemed a bit different. Also, most of these had eye-catching titles (in Sinhala), and eye-catching thumbnails (for example, a girl changing her dress... ;-) ).

I actually clicked on one of these to play the video. Then it took me to a Facebook application page where it prompted me to grant permissions to a Facebook app called "Gindara videos". Why would I ever let a Facebook app access my personal information when I have dozens of better ways to anonymously watch video on the Internet? As a matter of fact, I stopped there. Access denied, Gindara videos go fly a kite, please.

A few days back I saw that a girl had shared another video of the same type. She is a fun person I know, but it was a bit odd that she would share such a thing publicly. So I left her a chat message, jokingly, "what are these things you post on fb? :P", and she replied, "seriously i didn't know. :'(".

Then I wanted to have a close look at the phenomenon. "Gindara videos" is a piece of malware hosted on a Sri Lankan website called tharunaya.co.uk. It is not the only such malware seen on the Internet; there have been many of this type, even years ago. But I feel this particular one has remained on Facebook somewhat longer than the previous ones, purely because of people's ignorance. Its targeted victims seem to be Sri Lankans, and that may be the reason it has lasted so long. If it ever had a 'global presence', it would not take very long to vanish from Facebook.

Whenever you spot that kind of video or any malicious post on Facebook, take a moment to report them for spam. It's more of a civic duty. After reading the story below this picture, you'll better understand why you should report them.

Just report it for Spam


I did a piece of Holmes stuff and found out that these guys are using a tool called "Facebook Viral Videos App With Auto Share" from a vendor called Appstico. As the name says, it's a 'viral' app which can automatically share videos on Facebook. Now, look at my friend's reply above again... she didn't know that she had shared a video on Facebook.

I don't want to promote Appstico's black-market stuff here, but I'm putting a nofollow hyperlink here so you can go through it and understand what these guys do with YOUR personal information that YOU allow them to see.
http://appstico.com/facebook-viral-videos-app-with-auto-share/

This is exactly what tharunaya.co.uk/Gindara is all about. In short, here's how it works.
  1. There's a bunch of bad guys who want a few more visitors coming to their website.
  2. They deploy a virus. A social virus which uses the human mind as its carrier and people's curiosity as the exploit.
  3. Misled people just want to watch something that is rarely or never seen for real. No time to worry about privacy!
  4. The video hyperlink on Facebook actually directs the victim to the bad guys' website.
  5. It doesn't stop there. Without the victim's knowledge, it posts a video hyperlink to the victim's Facebook timeline, which can be seen by other people.
  6. They get more traffic, more traffic is more profit, and target accomplished. And the poor victim doesn't even know that someone has used him/her until a friend pokes.

Let's have a look at the 2nd step above. These 'Tharunaya' guys do business and their sole purpose is to increase their business. Who has time to learn how to make a virus from A to Z? So they outsource it to another party. And that other party is Appstico.

Appstico also does business, and knows that there are many bunches of bad guys who want more business coming in. So Appstico makes a package for everyone, and sells it to the bad guys for just one hundred US dollars. The bad guys just rename it to "Gindara videos" and make use of it. How clever is that?

Would you still let them use you? Myself, I wouldn't. The more you report these malicious activities as spam, the less they spread. Eventually the viral app will be taken out by Facebook. And as I said above, it's a civic duty to report malicious things, as it helps to keep Facebook a clean and safe place for people.

It doesn't cost much time - usually less than it takes to watch a video :-)


Theoretically this entire blog post is all about a separate area in Internet security called "Social Engineering". To end this blog post, I'll leave that for your further reading:
http://en.wikipedia.org/wiki/Social_engineering_%28security%29

Thanks for reading!

* If anyone is interested, I have proof of what I speak.

Be Aware of Social Engineering | Know Your Weaknesses


Email account hacked? Somebody has accessed your personal email?? If you have experienced this before, surely this blog post will be useful. Today I'm writing this note for those who do not have much experience with the Internet and WWW.

First of all, we'll follow a small hypothetical case. Suppose I am a novice computer user, like most of our community. I have a Facebook account. One day, a nice lady appears... voilà! She wants to be my friend!! Of course I don't know her... but who cares? She's at my doorstep, knocking on my door. Accepted! (And she's here for a Relationship, Dating,.... blah blah)

After some time... it looks like something has gone wrong... I can't log in to my Facebook account!!! Oh Jesus..! Some weird status updates on my wall.... :( What on Earth is happening?

Maybe resetting my Facebook password will work. So I'm trying the “Forgot password” link. OMG!!! I can't access my email account...!! It's HACKED!!! O_o

(phone rings)

Hello, is this J?

Yes, speaking...

Idiot! What's the meaning of that $#$%# email you have sent to me????

Hey I'm sorry; I'm really sorry... my email account was hacked by someone. I didn't send that by myself... somebody has taken over.... believe me,.. sorry..........!!!!

(conversation continues, and so and so)



Fine. The story is enough for us. Let us see what has really happened. The nice lady is actually an online predator. In reality, 'she' might potentially be 'he'. Remember the second training that Morpheus gives to Neo in the movie The Matrix? Yes, the lady in the red dress!

The very first advice that I might give you is, do not accept friend requests from unknown people on whatever social networking website you are using. It's always better to limit your connections to those who you know in reality. If the lady is too cute to be denied, you can just ask somebody and find out who she really is.

Then, how was (s)he able to hijack all your accounts? I'm making one assumption here: that the victim in the above example is a bit lazy about remembering passwords. So he uses his birthday as the email password!

(S)he just looks at the victim's Facebook profile info, and finds the victim's email and birthday on it. Suppose it's 06 July 1988. The predator might try 880706 on his/her first attempt. Maybe (s)he will fail. There is a second attempt... and of course subsequent attempts. So (s)he may re-attempt with,
060788
070688
07061988
19880706


… and so on...

If the victim has set one of those as the email password, and if our 'nice lady' has been able to match it, accidentally or somehow... what will happen?

You might have used your email account to create accounts/profiles on various web-based services such as Facebook and Twitter. Almost all of them have a 'password reset' (or 'forgot password') feature, directly associated with your email account. This means your email account is the one that you should keep an eye on most. It's like the queen bee in a colony. Once somebody has access, they can do almost anything.

So, now in our case, not only the email but also,
  • (S)he can take over the victim's Facebook account
  • (S)he can take over the victim's eBay account
  • (S)he can take over the victim's PayPal account

Panic!!

Then, my next point goes like this,...
Never use your sensitive personal information to formulate passwords. Maybe your birthday, the name of your spouse, phone number, national ID card/social security number – avoid using them in passwords.

Those who know your personal information can GUESS your password. And that's what we call “Social Engineering”!

A good password should consist of capital letters, lowercase letters, numbers, and punctuation. Also, it should not be less than 8 characters. The preferred length for a strong password is 14 characters, made up as mentioned above.
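A password-change check that applies both points above (no personal details in the password, plus the character and length rule), as an added example that is not part of the original post. The function names are hypothetical, and the name and phone number in the sample run are constructed; only the 06 July 1988 birthday comes from the story.

```python
import string
from datetime import date
from itertools import permutations


def date_variants(d):
    """All orderings of day, month and 2- or 4-digit year as digit strings."""
    dd, mm = f"{d.day:02d}", f"{d.month:02d}"
    years = (f"{d.year % 100:02d}", f"{d.year:04d}")
    return {"".join(p) for yy in years for p in permutations((dd, mm, yy))}


def password_problems(password, birthday, personal=(), min_len=8):
    """Return the reasons to reject `password`; an empty list means accept."""
    problems = []
    if len(password) < min_len:
        problems.append("too short")
    classes = {
        "no capital letter": string.ascii_uppercase,
        "no lowercase letter": string.ascii_lowercase,
        "no number": string.digits,
        "no punctuation": string.punctuation,
    }
    for reason, chars in classes.items():
        if not any(c in chars for c in password):
            problems.append(reason)
    # Compare digits only, so separators ("06/07/88") do not hide a date.
    digits = "".join(c for c in password if c.isdigit())
    if any(v in digits for v in date_variants(birthday)):
        problems.append("contains birthday")
    lowered = password.lower()
    for item in personal:
        item_digits = "".join(c for c in item if c.isdigit())
        if len(item_digits) >= 6 and item_digits in digits:  # phone / ID numbers
            problems.append("contains personal detail")
        elif len(item) >= 3 and item.lower() in lowered:  # names
            problems.append("contains personal detail")
    return problems


if __name__ == "__main__":
    # Constructed sample data: the post's example birthday plus made-up details.
    bday = date(1988, 7, 6)
    details = ["Nimali", "077-123-4567"]
    for pw in ["880706", "Nimali06/07/88!", "Tr4il-mix&Kettle"]:
        print(pw, "->", password_problems(pw, bday, details) or "ok")
```

Every guess listed in the story (880706, 060788, 070688, 07061988, 19880706) is among the twelve variants the check refuses.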

Finally, see it... You do “Social Networking”; and they do “Social Engineering”... Be aware..!



The above case was not something that I have experienced in my real life, but I can show you dozens of people who have had this real world nightmare.

So, thanks for reading... take your time and think... it's about your privacy. Ciao.........!!!!!! :-)

Is it a legit Facebook app?

Hi folks, just a small story with four screenshots...

If you use Facebook, you might have got game/application requests from your 'friends'. But did you know that some of those requests are actually not made by your friend? He/she might not even know. They just add the application, and then the application automatically sends requests to each friend. And you think that they might get upset, so you Allow the app.

In some cases, the application can even steal our privacy. So how do we become aware? Just go through the following screenshots:


Note the fake application icon, and five-star rating.
Click on the application's name (that I've highlighted) to learn more about the application...

Look carefully: the app uses the Facebook logo as its logo, but this is NOT developed by Facebook! (see the left side pane)

Go to the Reviews tab and see the comments from the community. The TRUTH!!!

And finally, you might want to Block the application, so you won't get requests anymore... :-)




Since Facebook introduced their new privacy model, things have become even worse. They have put some limits on the ability to block stuff, and eventually we get addicted. Facebook is marketing our privacy. All they want is for us to spend more on Facebook. We fools get trapped in their strategies - they make a profit - and we make a loss for our boss.


So think wisely. USE FACEBOOK, BUT DON'T LET FACEBOOK USE YOU!

And finally I must say,.... I willingly misspell Facebook founder's name,... SUCKERberg!!! :-)
