Cybercrooks use Google name to spread Facebook worm

Malware writers are leveraging the trusted Google name to launch a new wave of worm attacks against Facebook users, researchers said this week.

The Koobface worm spreads by sending messages to "friends" from previously compromised, but legitimate, Facebook accounts, Guillaume Lovet, senior manager of threat research at Fortinet, told SCMagazineUS.com on Thursday. The messages, which are riddled with spelling errors to evade filters, tell users they were caught in a video on YouTube.


A screenshot of the message Facebook users receive, trying to persuade them to open the fake video.

The fraudsters include a link to either a Google Reader or Picasa page, where the video is supposedly being hosted, but users are actually redirected to a malicious site not hosted by Google, Lovet said.

"You go to check it out and the video looks like a fake YouTube and there's a pop-up that says you need to install a codec to view the video," he said.

However, that codec is actually a trojan that installs rogue anti-virus software -- a common theme for cybercriminals in recent months.

"They tend to trust Google," he said of internet users. "It makes it very much difficult for the Facebook security system to filter out those malicious messages. Facebook isn't going to blacklist Google."

Barry Schnitt, a Facebook spokesman, said the worm is not new -- it has been circulating since the summer -- but before now, criminals hadn't been using the Google name. He told SCMagazineUS.com that Facebook's estimated 110 million users will not be affected if they are running the latest anti-virus software.

To further prevent spread, Facebook is blocking potential victims from successfully clicking on these malicious links and implementing a CAPTCHA so attackers can't automatically send the malicious URLs or post them to someone's wall, Schnitt said.

A "small percentage" of users have been affected by the attack, he said.

A Google spokesman said the internet giant was shutting down any fraudulent accounts associated with this attack.

"Google works actively to detect and remove accounts that serve malware," he said. "We're investigating reports we've received on this issue and are committed to shutting down any accounts that violate our guidelines."
