News
This threat arrives in an email purportedly sent from Facebook. The email reveals that infected user accounts are being used to post messages to Facebook friends lists. The recipient is prompted to watch a video of himself or herself, and the link in the message uses a Facebook open redirector. Below you can see a screenshot of a sample email:
As soon as the recipient clicks on the provided link, he or she is redirected multiple times and finally lands on a website masquerading as YouTube that serves a malicious Trojan downloader. Here you can see a screenshot of this malicious website that is serving the Trojan downloader:
How does the whole system work? The Facebook link directs to a malicious account hosted at Geocities.com. The malicious Geocities account includes an obfuscated JavaScript link to http://lost[REMOVED]/js/js.js, which goes to http://off3[REMOVED]/go/fb.php. The .php file then redirects to either http://youtube-spyvi[REMOVED]/?schk=&keat= or http://youtube-x[REMOVED]/?ch=&ea=. These sites serve the malicious "flash_update.exe" file (SHA1: 62689f89f1c5f6df10f4c7096772468d4c8e458a).
According to anti-virus software company Symantec, the Trojan works by executing a worm called W32.Koobface.A that searches for cookies on the user's machine. If the worm finds the appropriate Facebook cookie, it modifies the user's account settings and profile, adding links to malicious sites to trick others into installing the invader. Installing the fake upgrade allows the worm to work its magic and access files on the victim's machine while destroying their Facebook account.
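The redirect chain described above can be reconstructed from web proxy logs. The following Python code is an added example, not part of the original article or Symantec's analysis: it walks the referer trail back from an executable download served by a host that imitates YouTube. The log format, the host names and the Facebook redirector path are constructed placeholders, not the redacted hosts above.

```python
from urllib.parse import urlsplit

# Constructed proxy log, one request per line: client, URL, referer ("-" = none).
# All hosts and paths are placeholders made up for this example.
SAMPLE_LOG = """\
10.0.0.5 http://www.facebook.com/r?to=http://geocities.example/acct -
10.0.0.5 http://geocities.example/acct http://www.facebook.com/r?to=http://geocities.example/acct
10.0.0.5 http://scripts.example/js/js.js http://geocities.example/acct
10.0.0.5 http://hop.example/go/fb.php http://geocities.example/acct
10.0.0.5 http://youtube-video.example/?ch=1 http://hop.example/go/fb.php
10.0.0.5 http://youtube-video.example/flash_update.exe http://youtube-video.example/?ch=1
10.0.0.9 http://www.youtube.com/watch?v=abc -
10.0.0.9 http://downloads.example/setup.exe http://downloads.example/
"""
BRANDS = {"youtube": "youtube.com"}  # brand keyword -> legitimate domain

def impersonates_brand(host):
    # True when the host contains a brand keyword but is not that brand's domain.
    host = host.lower()
    return any(word in host and host != legit and not host.endswith("." + legit)
               for word, legit in BRANDS.items())

def parse(log_text):
    for line in log_text.splitlines():
        client, url, referer = line.split()
        yield client, url, (None if referer == "-" else referer)

def referer_chain(url, referer_of):
    # Follow referers backwards to the first hop; 'seen' guards against loops.
    chain, seen = [url], {url}
    while (url := referer_of.get(url)) and url not in seen:
        chain.append(url)
        seen.add(url)
    return chain[::-1]

def find_fake_update_downloads(log_text):
    # Flag .exe downloads from brand lookalike hosts, with the chain that led there.
    history, alerts = {}, []
    for client, url, referer in parse(log_text):
        per_client = history.setdefault(client, {})
        per_client.setdefault(url, referer)
        parts = urlsplit(url)
        if parts.path.lower().endswith(".exe") and impersonates_brand(parts.hostname or ""):
            alerts.append((client, referer_chain(url, per_client)))
    return alerts

if __name__ == "__main__":
    for client, chain in find_fake_update_downloads(SAMPLE_LOG):
        print(client, " -> ".join(chain))
```

The script fetch (js.js) does not appear in the reported chain because it is a sub-resource of the Geocities page rather than a navigation hop; the alert still exposes the entry point, which is the link clicked in the email.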
Latest Comments
2009-01-04 09:38:26

Well, it seems that Facebook is going to be one of the most targeted websites these days. Cyber-criminals are constantly choosing this 


