Trend Micro explains that Facebook users have been receiving direct, private messages containing a link to a video apparently hosted by YouTube. The message is as follows:
“Someobdy uplaod a vdieo wtih you on utbue. you shuold see. http://www.facebook.com/l/ae2d7CYBUtLFPs-LAKPMtRXKpBA;www.{BLOCKED}rotherz.ca./19mai/”
Clicking the link takes the user to a Facebook transition page, which warns about the risks of following a link outside the social networking site. If the user accepts the risk, they are redirected to a page that appears to display the video but asks them to download a Flash Player update in order to view it:
Of course, the "update" is actually malware, detected by Trend Micro as the Koobface variant WORM_KOOBFACE.IC. The Facebook messages link to pages hosted on various servers, but they all ultimately link to the Koobface malware. Once downloaded, the worm installs various components including TROJ_JORIK.D, which is apparently a Web server that continues to spread the Koobface infection.
For many users, the scam is quite easy to spot, as the poor quality of English used in the message and the suspicious-looking video page are clues that this "Flash update" could be malware. But for unsuspecting users, the scheme can very well work as intended.
The link itself is also deceptive: the first domain seen in the URL is facebook.com. This is perfectly normal, since any URL of the form http://www.facebook.com/l/{random characters};{redirected URL} brings up Facebook's preview page for external links. Cybercriminals are probably hoping that targeted users will ignore Facebook's warning.
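The link-shim format just described can be checked mechanically. As an added example (not code from Trend Micro's post), the following Python unwraps a facebook.com/l/ link, extracts the real destination and flags any message whose link does not land on the service the text names; the sample message and its placeholder domain are constructed, and the "assume http:// when the destination has no scheme" default is this example's own assumption.

```python
import re
from urllib.parse import urlsplit

# Hosts of the Facebook external-link preview ("shim") described in the article.
FACEBOOK_SHIM_HOSTS = {"facebook.com", "www.facebook.com"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def unwrap_facebook_shim(url):
    """Return the external destination wrapped by a facebook.com/l/ link, or None.

    Shim links have the form http://www.facebook.com/l/<random>;<destination>.
    The destination may lack a scheme (the article's sample does); http:// is
    assumed in that case, which is an assumption of this example.
    """
    if urlsplit(url).hostname not in FACEBOOK_SHIM_HOSTS:
        return None
    # Work on the raw string so a '?' or ';' inside the destination survives.
    after_host = url.partition("://")[2].partition("/")[2]
    if not after_host.startswith("l/") or ";" not in after_host:
        return None
    destination = after_host.split(";", 1)[1]
    return destination if "://" in destination else "http://" + destination


def normalize_host(url):
    """Lower-case hostname without the trailing dot of a fully qualified name."""
    host = urlsplit(url).hostname or ""
    return host.lower().rstrip(".")


def audit_message(text, claimed_hosts):
    """Return (visible_url, real_host) for each link not on a claimed host.

    claimed_hosts: registrable domains the message text implies (e.g. youtube.com).
    """
    findings = []
    for visible in URL_RE.findall(text):
        real = unwrap_facebook_shim(visible) or visible
        host = normalize_host(real)
        if not any(host == c or host.endswith("." + c) for c in claimed_hosts):
            findings.append((visible, host))
    return findings


# Constructed sample in the shape of the message quoted in the article; the
# destination domain is a placeholder, not the real one.
SAMPLE = ("Someobdy uplaod a vdieo wtih you on utbue. you shuold see. "
          "http://www.facebook.com/l/ae2d7CYBUtLFPs-LAKPMtRXKpBA;"
          "www.blocked-example.ca./19mai/")

if __name__ == "__main__":
    for visible, host in audit_message(SAMPLE, {"youtube.com"}):
        print(f"link claims YouTube but resolves to {host}: {visible}")
```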
This tactic is not new: both Koobface and Zbot were seen using a very similar distribution process back in March. This new wave of attacks shows that users are still following unknown and suspicious links, which is apparently what makes the scheme successful.