Chicago (IL) – Koobface, a worm that surfaced on Facebook in July, is spreading again and remains very active, according to security alerts issued by Websense and McAfee.
Security experts from Websense warned users last month that they had picked up an email indicating that user accounts infected by Koobface are being used to post messages to Facebook friends lists. “The content [of the email] was an enticing message with a link that used a Facebook open redirector. When recipients click the link, they are automatically redirected multiple times, finally reaching a site masquerading as YouTube that serves a malicious Trojan downloader.”
McAfee reports a new variant that redirects a user “to one of many different compromised hosts, which displays a fake error message that the version of Flash is out of date.” The user is then prompted to download and open flash_player.exe, a new Koobface variant.
At this time, Koobface relies upon Facebook accounts that have already been compromised. The passwords are obtained by the malware campaigners through a changing set of tactics.
Unlike the majority of malware campaigns that abuse and infiltrate social networking sites, the campaigns that have recently targeted both Facebook and MySpace do not rely on bogus accounts on the sites. They target legitimate accounts, so that the campaign can be launched on a wider level and can abuse the trust that exists between friends.
The majority of individuals who use social networking sites do not visit links they receive from unknown individuals, and typically do not visit sites that are identified as potentially harmful. Combined with social engineering, this is motivation enough for malware creators to take advantage of legitimate sites and create viruses that are shared unknowingly amongst friends.
If malware can exploit security vulnerabilities in social networking successfully, it can cause a great amount of damage in just a short time. However, the entire campaign can be shut down as quickly as it was created once the vulnerability is discovered and repaired.
Facebook has been keeping track of ongoing malware developments and has adapted its site in response to issues throughout the year. It has warned users about the potential maliciousness of clicking a link, and now even presents CAPTCHA challenges for grey links, which may slow down the spread of any malicious campaign.
But clearly, these features can only be the beginning in the battle against malware campaigns on a social site. The best defense for users remains caution and doubt when they receive messages. Individuals will have to become aware that even when they think they can trust everyone, they still must pay attention, as anyone’s identity can be compromised and abused.