Latest Facebook Scam Link – “Tsunami/Whirlpool”

I just saw a new scam link floating through the Facebook feed.  One of my friends clicked it and it shared itself into his Feed…

Facebook Tsunami Scam Link

This is a malicious link that downloads a Trojan (virus) to your hard drive.  If you’re fortunate enough to be running ESET Nod32, you won’t feel a thing.  🙂  ESET is nice enough to keep track of known-malicious URLs so when you click one, nothing happens and you get a nice little notification…

ESET Nod32 blocks malicious URLs

For a split second, a fake video player is displayed…just before the Trojan is downloaded…

Fake Video actually downloads Trojan (virus/malware)

A few key signs reveal this is a bogus site, before you even click it.  First, there is no Title info in the post, just a glimpse of the URL.  Typically, you’ll see additional content from a news site, blog, etc.  That’s not enough though.  It’s really the domain name itself.  If you’re looking for the latest, breaking news, chances are it isn’t going to come from a “.info” site named “japan earthquake update.”  For Pete’s sake, the domain was just created yesterday…

Domain Registration Date
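The warning signs described above (no title in the post preview, an event-themed name on a ".info" domain, a registration date of yesterday) can be checked mechanically before anyone clicks. This is an added example, not part of the original post; the placeholder domain, the WHOIS excerpt, the keyword list and the 30-day threshold are all constructed assumptions.

```python
import re
from datetime import date, datetime
from urllib.parse import urlparse

# Constructed WHOIS excerpt for a placeholder domain (not the domain from the post).
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE-QUAKE-UPDATE.INFO
Created On: 14-Mar-2011 09:12:44 UTC
Name Server: NS1.EXAMPLE-NS.INFO
"""

# Assumed keyword list: words a scammer would borrow from a breaking news event.
EVENT_WORDS = ("earthquake", "tsunami", "quake", "breaking")

def creation_date(whois_text):
    """Return the registration date from a 'Created On:' or 'Creation Date:' line."""
    m = re.search(r"(?im)^\s*(?:Created On|Creation Date):\s*(\S+)", whois_text)
    if not m:
        return None
    raw = m.group(1)
    # Registries differ: '14-Mar-2011' versus ISO '2011-03-14T09:12:44Z'.
    for text, fmt in ((raw, "%d-%b-%Y"), (raw[:10], "%Y-%m-%d")):
        try:
            return datetime.strptime(text, fmt).date()
        except ValueError:
            continue
    return None

def link_warning_signs(url, post_title, whois_text, today, max_age_days=30):
    """List which of the post's warning signs apply to a shared link."""
    labels = (urlparse(url).hostname or "").lower().split(".")
    name, tld = ".".join(labels[:-1]), labels[-1]
    signs = []
    if not (post_title or "").strip():
        signs.append("no title in post preview")
    if tld == "info" and any(word in name for word in EVENT_WORDS):
        signs.append("event-themed name on .info domain")
    created = creation_date(whois_text)
    if created is None:
        signs.append("registration date not found in WHOIS")
    elif (today - created).days <= max_age_days:
        signs.append(f"domain registered {(today - created).days} day(s) ago")
    return signs

if __name__ == "__main__":
    for sign in link_warning_signs("http://example-quake-update.info/video", "",
                                   SAMPLE_WHOIS, date(2011, 3, 15)):
        print("WARNING:", sign)
```
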

The point is, there are a lot of bogus sites out there.  Think before you click.  Switching to a Mac isn’t going to enhance your awareness and increase your experience.  If you’re going to use Facebook, avoid links, period.  Go directly to news sites if you need legitimate news.  If you’re a consignment store and rely on your consignment software, clicking a link on Facebook could bring that to a screeching halt.  We’re trying to help consignment store owners navigate the Facebook terrain.

If you were one of the unfortunate people who did click that link, please contact The Computer Peeps immediately.  The first thing is to change your passwords, but once a Trojan has infected the system, keyloggers are typically involved.  The virus/Trojan will have to be eradicated before you can even think about using the system again.

======================================================

I did some digging via DomainTools and found some handy bits of info.  First, it appears the owner of this site runs his/her own name servers…

Domain Tools - Name Server Info

Do not visit the domain for the Name Servers above.  As of 3/15/2011, the domain is still active and if you access that URL, it attempts to run a JS exploit and then re-post the URL back to the Facebook Feed via Facebook Connect…

JS Exploit + Facebook Connect

Ultimately, the site’s IP appears to stem from a host out of Dallas, TX…

Reverse IP / IP Info

For what it’s worth, I’ve reported the offending domains + the malicious activity to the host.

I am a Software Developer, System Administrator, and consignment software specialist. I currently manage hundreds of consignment workstations, point of sale systems, and database servers all across North America and I am the developer of Peeps' Software, Peeps2Go, and Peeps' Consignor Login for iOS and Android. I've been helping consignment & resale store-owners since 2003. I started The Computer Peeps in February of 2010. Peeps' Software launched in 2016 and is now on hundreds of systems all across North America. I have successfully converted dozens of stores from all of the major consignment software systems. After 20 years of working with consignment stores, I understand the unique challenges consignment & resale store-owners face. From electrical issues in old buildings or strip malls, to advocating for them when their old consignment software keeps crashing.

8 thoughts on “Latest Facebook Scam Link – “Tsunami/Whirlpool””

  1. Jennifer

    Please help! I believe I may have gotten a virus from the Tsunami/Whirlpool link on Facebook. I have a Dell Inspiron 6400 laptop and Windows Vista program. I am running Norton’s antivirus now. I need help asap!!! Thank you!

  2. Dean

    Hi Jennifer,

    That’s really unfortunate – well, it’s a pain in the you know what – that Norton didn’t catch it. For now, power the computer off, just to make sure the Trojan isn’t “doing anything.”

    We open at 10 AM, but I’ll email you directly!

  3. Jasmine

    I know I got the virus, it started opening all my documents and I immediately powered down and opened safe mode to do a system restore; however, now all my security devices aren’t working so I’m pretty sure the virus and trojan still made it into my computer. Please help! I have a Dell laptop as well.

    Thanks!

  4. Dean

    Hi Jasmine,

    Sorry to hear that! Those are tell-tale signs of an infection. It was a good attempt to start in Safe Mode, but that will start Windows with a minimal amount of drivers and services. Safe Mode with Networking will give you the ability to access a network/the Internet.

    We open at 10 AM and we can get this sorted out for you! I’ll message you directly and if you’re in a pinch, we can do this before 10 AM. I mentioned the same to Jennifer when I messaged her.

    Hang in there!

  5. Dean

    Contrary to popular belief, Macs can in fact get Trojans, viruses, etc. For years, many targeted Windows systems since it was like shooting fish in a barrel.

    Certain Macs (e.g. ones running OS X Server) have Clam antivirus pre-installed. Regular Macs, running Mac OS X, have a portion of Clam used for scanning emails. Here are the details on Clam and Macs…

    http://en.wikipedia.org/wiki/Clam_AntiVirus#Mac_OS_X

    So it’s difficult to say, but chances are this particular Trojan was meant for the Windows platform. That’s a guess at best though.

    The next part of the issue is whether or not the post is still on your page and still spreading to other systems. Make sure you delete that post, from any section of your Facebook page it appears in.

    Finally, many of these scam links not only download viruses to a system, they also try to “phish” your username and password. If you were prompted to re-enter your Facebook login information at any point, it might be wise to go ahead and change your Facebook password.

    When in doubt, you simply can’t go wrong with ESET and yes, there’s a version of ESET for Macs…

    http://www.eset.com/us/home/cybersecurity-for-mac

    They have some GREAT details on that page as to why it’s wise to protect your Mac.

    What I’m really concerned about most is, people moved to Macs because they thought they were safer. To a degree, that WAS true – it’s all relative. The “bad guys” know people think they’re safe on Macs. The bad guys know that everyone uses Facebook now, so it doesn’t matter which operating system you run.

    The BIGGEST scam that 100% affects ALL computer users, is phishing. That’s what the majority of these “scam” links do – try to get you to enter your username and password into a fake site. What I’m seeing more of these days, are links that drop Trojans and viruses on hard drives PLUS attempt to phish your information. So whether you’re on a Mac or Windows system, you’re going to get nailed. It really comes down to educating more people about how the bad guys do things, what to look out for, etc.

    At the very least, you should install Firefox and stop using Safari (or Internet Explorer on Windows systems). Once you have Firefox installed, install the free add-on called NoScript (from within Firefox, under Tools > Add-ons).

    To recap:

    – Remove the post from all portions of your Facebook account
    – Your system might not be infected, but it might be spreading the virus – a “carrier” of sorts – it’s worth installing a trial version of ESET so you can scan your system
    – Move to Firefox and use NoScript to block all malicious scripts from running

    Let us know if this helps!

  6. Beth

    I clicked on the Whirlpool/Tsunami link a while back (March, maybe?), and went through the process of deleting it off of my Facebook. However, I just realized today that it is still under the list of “pages” that I “like” on Facebook. I’ve tried deleting it, but the new Facebook set-up takes you to the page, asks for the website’s permission to get access to your account, etc.

    How can I get rid of it?

    1. Dean

      You should be able to go directly to the page, scroll down and click Unlike on the left-hand side:

      This Unlikes the page instantly without prompting you.

      I would also go to Account Settings > Apps:

      Uninstall any app you don’t want or recognize, by clicking the little X to the right of each app:

      Let us know if this helps!
