Honza Zíka

Honza Zíka

29 October 2014

Look-alike Avast Online Security extension deceives users

We have been recently notified about a suspicious browser extension for Google Chrome. Suspicious because it was called "Avast Free Antivirus 2014", while our browser extension is actually called Avast Online Security. You can see the fake extension along with our official ones in the printscreens from the Chrome Web Store.

Read More

Security News

Honza Zíka

28 October 2013

Facebook Clickjacking: Will You Like Me?

FB_meme“Who wouldn’t want to have more likes on their Facebook page?” This is the motivation of a very trivial code to get more likes, but while other methods usually comprise of adding better content or advertising, this one is a bit easier, and much dirtier. Why not show the like button directly beneath your mouse cursor as you browse a website, make it invisible, and move it as you move your mouse?

The only thing the victim has to do is click; if they are logged in to Facebook, they will automatically like the Facebook page. And of course, it is not only about the number of likes, but each like means the victim will get all the information about this page on their news feed (until they unlike the page), and all friends will also see that you like it – so why not check it out themselves?

FB_clickjack_Like_ButtonThis method is possible due to Like Button, a social plugin for Facebook, made by Facebook developers. It is used properly on many legitimate sites, but when combined with CSS hiding and JS moving, the victim has no other chance. If you want to know how to minimize the impact of such tactics, or if you are more into technical details, read on.

Read More

Tips, Threat Research, Security News

Honza Zíka

14 February 2013

Malware: Dollar Equals Tilde Square Brackets

Recently we encountered a very suspicious piece of code on some Joomla-powered webpages. The code looks as if garbled and without any special meaning, and starts like this:

original

Upon closer observation, several strange things are to be noted. First, there are no alphanumerical symbols to be seen in any part of the code. Second, on the line before this code starts, there is actually an HTML tag indicating a start of Javascript code (<script>), preceded by 37 tabs. Therefore, when opening an infected file in a text editor, one cannot normally see the starting tag, because it is shifted all the way to the right. To be able to see it, you either have to horizontal scroll, or have word wrap on. The same trick is performed with the script closing tag as well. Why would anyone try to hide these tags? The answer is simple, to trick people into thinking this is not actually a Javascript code.

Read More

Threat Research, Security News