Cybercrooks use Google name to spread Facebook worm

Malware writers are leveraging the trusted Google name to launch a new wave of worm attacks against Facebook users, researchers said this week.

The Koobface worm spreads by sending messages to "friends" from previously compromised, but legitimate, Facebook accounts, Guillaume Lovet, senior manager of threat research at Fortinet, told SCMagazineUS.com on Thursday. The messages, which are riddled with spelling errors to evade filters, tell users they were caught in a video on YouTube.


A screenshot of the message Facebook users receive, trying to persuade them to open the fake video.

The fraudsters include a link to either a Google Reader or Picasa page, where the video is supposedly being hosted, but users are actually redirected to a malicious site not hosted by Google, Lovet said.

"You go to check it out and the video looks like a fake YouTube and there's a pop-up that says you need to install a codec to view the video," he said.

However, that codec is actually a trojan that installs rogue anti-virus software -- a common theme for cybercriminals in recent months.

"They tend to trust Google," he said of internet users. "It makes it very much difficult for the Facebook security system to filter out those malicious messages. Facebook isn't going to blacklist Google."

Barry Schnitt, a Facebook spokesman, said the worm is not new -- it has been circulating since the summer -- but before now, criminals hadn't been using the Google name. He told SCMagazineUS.com that Facebook's estimated 110 million users will not be affected if they are running the latest anti-virus software.

To further prevent spread, Facebook is blocking potential victims from successfully clicking on these malicious links and implementing a CAPTCHA so attackers can't automatically send the malicious URLs or post them to someone's wall, Schnitt said.

A "small percentage" of users have been affected by the attack, he said.

A Google spokesman said the internet giant was shutting down any fraudulent accounts associated with this attack.

"Google works actively to detect and remove accounts that serve malware," he said. "We're investigating reports we've received on this issue and are committed to shutting down any accounts that violate our guidelines."
