Is there a spambot hiding on my Mac?

[orvn]

My Facebook account appears to be sending SPAM links via message to groups of friends. Note the sample screenshot below from a friend's account.

I'm wondering if the culprit is a SPAM bot on my Mac. How could I test for this?

* * *​

Details:

I'm a really cautious internet user.

I don't click on suspicious URLs, us, my Firefox add-ons are all very reputable and I went into my Facebook right away, changed my password and blocked every app except those from major publishers.

A day later the SPAM links were sent out again.

I can't actually see the SPAM messages I'm sending out within Facebook (to groups of 6 friends at a time), but I get email notifications in Gmail that contain any message I send or receive.

One of the links that I'm SPAMMing out appears as follows:

http://facebook.com/l.php?u=http://roobyjotero.com/wp-content/plugins/creatives.php?uowc

This "roobyjotero.com" appears to be an older Wordpress install that has been compromised. Several pages on this site redirect to the target SPAM domain.
​

 

[GGJstudios]

Clear your browser's cache and cookies.
If you haven't already done so, try changing your DNS servers on your Mac and your router to OpenDNS servers. This will show you how: Why am I being redirected to other sites?

 

[orvn]

Clear your browser's cache and cookies.
If you haven't already done so, try changing your DNS servers on your Mac and your router to OpenDNS servers. This will show you how: Why am I being redirected to other sites?

Okay, I set my router up with OpenDNS.

Used to use it, but I stopped some time ago because I didn't like their "website unavailable" search page.

Anyways, they do Malware reporting right? Hopefully I find something.

Any other tips?

 

[GGJstudios]

Okay, I set my router up with OpenDNS.

Used to use it, but I stopped some time ago because I didn't like their "website unavailable" search page.

Anyways, they do Malware reporting right? Hopefully I find something.

Any other tips?

Follow the recommendations in the "What security steps should I take?" section of the following:

Mac Virus/Malware FAQ

 

[BrianBaughn]

I'm not certain what you mean here. Facebook messages are being sent from your Facebook account to other Facebook users? If that is so, then disconnect your computer from the internet for an extended time. If these messages continue to go out, as I suspect they will, then it has nothing to do with your computer. If they stop, then resume once you have connected, then it's a possibility you have a rogue Facebook-Message-Sending-Bot lurking on your Mac.

 

[orvn]

I'm not certain what you mean here. Facebook messages are being sent from your Facebook account to other Facebook users? If that is so, then disconnect your computer from the internet for an extended time. If these messages continue to go out, as I suspect they will, then it has nothing to do with your computer.

They definitely only occur when my machine is connected. Sorry, that's something I ought to have mentioned in my original post.

If they stop, then resume once you have connected, then it's a possibility you have a rogue Facebook-Message-Sending-Bot lurking on your Mac.

Yes, hence the thread.

The issue is that I can't find the bot. Any ideas? Tried ClamXAV. Contemplating the new Avast! for OS X.

 

[GGJstudios]

The issue is that I can't find the bot. Any ideas? Tried ClamXAV. Contemplating the new Avast! for OS X.

Unless you installed it yourself or let someone else install it, it's extremely unlikely that you have any spambot or other malware on your Mac.

 

[orvn]

Unless you installed it yourself or let someone else install it, it's extremely unlikely that you have any spambot or other malware on your Mac.

It appears to only distribute the SPAM when I'm logged in to Facebook and have a tab open.. Ideas? Could be a Firefox issue, but I have no rogue addons.

 

[GGJstudios]

It appears to only distribute the SPAM when I'm logged in to Facebook and have a tab open.. Ideas? Could be a Firefox issue, but I have no rogue addons.

The JavaScript Blocker extension on Safari or the NoScript extension for Firefox allows control over what JavaScripts can run on a site. You might try that to block any unwanted scripts.

 

[hanten]

Having the same problem

I'm having the same problem with my FB account and trying to find any answers. It's been going on for three days. Same kind of links - weird blogs with "creatives.php" at the end.

I do not have a Mac, but I use FB on my iPad, iPhone 5 and home PC.

The messages seem to go to about 8 - 10 people at a time. I only know about it because I get email notifications when one of them "leaves" the conversation.

----------

Also I do not use Firefox. Using Chrome on the PC and of course Safari on IOS 6 devices.

 

[hanten]

I should mention

I should mention a crazy theory I have, though... This all started about the time I joined a hotel WiFi network a few days ago...

 

[munkery]

I should mention a crazy theory I have, though... This all started about the time I joined a hotel WiFi network a few days ago...

If you didn't use the https version of the login which isn't the default, then someone on the network could have sniffed your login credentials.

 

[hanten]

I guess in my example, I use https on the web version -- and the official apps on IOS 6 devices. I changed passwords and revoked permission to every app except Spotify and I was still pushing out spam this afternoon.

 

[munkery]

I guess in my example, I use https on the web version -- and the official apps on IOS 6 devices. I changed passwords and revoked permission to every app except Spotify and I was still pushing out spam this afternoon.

How complex is your password?

Upper and lower case alphabet?

Numbers?

And symbols?

At least one of each with minimum length of 8 characters?

 

[hanten]

How complex is your password?

Upper and lower case alphabet?

Numbers?

And symbols?

At least one of each with minimum length of 8 characters?

Yes, I use LastPass to generate secure passwords and FB is very strong. Way more than 8 characters and using all types of characters.

 

[munkery]

Yes, I use LastPass to generate secure passwords and FB is very strong. Way more than 8 characters and using all types of characters.

Ever log into FB from a public computer?

 

[hanten]

I guess I don't think it's a password problem. I've changed it three times in the last three days. I've required devices to declare themselves. I've cancelled all actives sessions....

 

[munkery]

I guess I don't think it's a password problem. I've changed it three times in the last three days. I've required devices to declare themselves. I've cancelled all actives sessions....

Maybe the Facebook web app has been compromised. It has been before.

This would explain many users being affected without malware being involved.

 

[scgustin]

Any updates to this? I saw the same problem about a week ago. I changed my password several times and it didn't help - so I deactivated my Facebook account for a week.

I just reactivated it yesterday and again today, I apparently sent out messages.

I have uninstalled all Facebook apps, run virus/spam checkers on all computers and changed my password again multiple times. I'm totally stumped.