Koobface Variant Hits Facebook -- Again

In this scam, detected by researchers at Trend Micro, users receive a message, purporting to be from a friend on the user's contact list, with a link that leads to a spoofed version of YouTube. Once users click the link, they are taken to a site supposedly hosting a video that appears to be from the alleged sender, displaying the name and photo of the user's "friend" taken from his or her Facebook profile.

By clicking the install button, users are redirected to a download site for the malicious file setup.exe, which is the Koobface variant known as WORM.KOOBFACE.AZ, hosted by a foreign IP address. All IP addresses hosting the malicious file are detected as HTML_KOOBFACE.BA.

The worm connects to the respective site using its victims' login credentials, which are stored in the cookies it has gathered. It then scans the infected user's friend list and sends out messages containing a link to a location from which a copy of the worm is downloaded. Once on the infected machine, the worm records keystrokes and steals login and other sensitive information, which it sends to a server, allowing the attackers to have complete access and control over victims' computers.

Trend Micro researchers said in a blog post that they had seen more than 300 unique IP addresses hosting the malicious file, and that they anticipate the numbers will increase.

While Facebook seems to be the primary target, attackers have gone after other social networking sites, including Hi5, Friendster, MyYearbook, MySpace, Bebo, Tagged, Netlog, Fubar and Livejournal.

The latest attack follows shortly after another Facebook attack last week, in which a rogue application enticed users to click on malicious links with a phony notification warning them that they had violated the site's terms of service.

Facebook users were instructed to click on a link that led to an application named "f a c e b o o k - - closing down!!!"

Once installed, the rogue application spammed all of the contacts in the affected user's friends list with the same message, and security experts suspected that the app might also harvest personal information along the way.

Last week's attack was launched simultaneously with Facebook's recent announcement that it planned to allow users to comment and vote on its recently redrafted terms of service and other governing documents.