The Koobface worm spreads by sending messages to “friends” from previously compromised, but legitimate, Facebook accounts, Guillaume Lovet, senior manager of threat research at Fortinet, told SCMagazineUS.com on Thursday. The messages, which are riddled with spelling errors to evade filters, tell users they were caught in a video on YouTube.
A screenshot of the message Facebook users receive, trying to persuade them to open to fake video.
The fraudsters include a link to either a Google Reader or Picasa page, where the video is supposedly being hosted, but users are actually redirected to a malicious site not hosted by Google, Lovet said.
“You go to check it out and the video looks like a fake YouTube and there’s a pop-up that says you need to install a codec to view the video,” he said.
However, that codec is actually a trojan that installs rogue anti-virus software — a common theme for cybecriminals in recent months.
“They tend to trust Google,” he said of internet users. “It makes it very much difficult for the Facebook security system to filter out those malicious messages. Facebook isn’t going to blacklist Google.”
Barry Schnitt, a Facebook spokesman, said the worm is not new — it has been circulating since the summer — but before now, criminals hadn’t been using the Google name. He told SCMagazineUS.com that Facebook’s estimated 110 million users will not be affected if they are running the latest anti-virus software.
To further prevent spread, Facebook is blocking potential victims from successfully clicking on these malicious links and implementing a CAPTCHA so attackers can’t automatically send the malicious URLs or post them to someone’s wall, Schnitt said.
A “small percentage” of users have been affected by the attack, he said.
A Google spokesman said the internet giant was shutting down any fraudulent accounts associated with this attack.
“Google works actively to detect and remove accounts that serve malware,” he said. “We’re investigating reports we’ve received on this issue and are committed to shutting down any accounts that violate our guidelines.”