Monday, 3 November 2008

Facebook Worm Drives by Google Reader & Google Picasa

 

 

Security company Fortinet has released a statement warning Facebook users that, since the end of July 2008, it has detected a Facebook worm that attempts to leverage Google Reader and Google Picasa to gain visitors' trust, with the aim of getting a malicious codec downloaded onto their machines.

The strategy has been simple yet apparently effective.

A malicious message is sent to friends of the infected user, prompting them to visit a page carrying an online video, something utterly common in today's Web 2.0 era. However, targeted users who follow the link soon find that the video does not start unless they install a special codec, as prompted by the page. The codec is, of course, nothing other than a Trojan that loads various pieces of malware, possibly including a copy of the worm.

Google Reader is a news reader that lets its users share the news they find interesting with their social network (in buzzwords, a Web 2.0-enabled news reader) and with the public via their "shares" page. It appears that the cyber criminals behind the Facebook worms registered Google Reader accounts (either manually, or automatically via phishing operations or automated CAPTCHA solvers) for the sole purpose of loading them with links to malicious sites. Indeed, upon clicking on the tempting video frame seen in the news reader in Figure 2, the victim is redirected to a classic fake-codec, Trojan-enabled site (W32/Zlob.NKX!tr.dldr).

“This ‘hop’ via a Google Reader share serves an essential purpose: it gives the targeted user the feeling that the video is hosted on Google. Thus it must be safe. Combo that with the ‘it's a message from a friend’ factor, which naturally lowers down users' wariness shields, and you get quite a good chance of seeing your victim perform the dreaded click,” said Guillaume Lovet, Senior Manager of Fortinet's FortiGuard Global Security Research Team.

The cyber criminals behind this scheme are now using Google Picasa to lure targeted users, with the URL in the suspect Facebook messages now being: http://picasaweb.google.com/[removed]/Youtube#52610132498569990

There, the same video screen grab is displayed and users are enticed to follow the link in the caption. After checking, it appears that allowing links in picture captions really is a Picasa feature, which could potentially introduce more security threats. This leads to the question: is this functionality worth the potential risks if rogue Picasa users post malicious URLs?

Fortinet advises users to protect themselves with antivirus and Web content filtering services.
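
The gap described above, that a link on a Google host is not necessarily Google's own content, can be expressed as a content-filtering check. This is an added example, not code from Fortinet or from the article; the host and path rules (including the Reader `/reader/shared/` prefix), the function names and the sample messages are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Assumed rule set (not from the article): hosts with a trusted brand whose
# listed path prefixes serve pages that any account holder can publish.
UGC_RULES = {
    "picasaweb.google.com": ("/",),           # the whole host is user albums
    "www.google.com": ("/reader/shared/",),   # Reader "shares" pages (assumed path)
}
# What a naive, brand-based host allowlist would contain.
TRUSTED_SUFFIXES = (".google.com",)

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def naive_allow(url):
    """Brand-only decision: trust anything hosted under a trusted suffix."""
    host = (urlsplit(url).hostname or "").lower()
    return host.endswith(TRUSTED_SUFFIXES)

def classify_url(url):
    """Separate first-party pages from user-published pages on the same brand."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    if any(path.startswith(p) for p in UGC_RULES.get(host, ())):
        return "user-content"
    if host.endswith(TRUSTED_SUFFIXES):
        return "first-party"
    return "unknown"

def links_needing_scrutiny(message):
    """URLs a brand-only allowlist would pass although a user published them."""
    urls = [u.rstrip(".,;)") for u in URL_RE.findall(message)]
    return [u for u in urls
            if naive_allow(u) and classify_url(u) == "user-content"]

# Constructed sample messages; the account names and ids are placeholders.
MESSAGES = [
    "check this video http://picasaweb.google.com/constructed-user/Youtube#1",
    "shared item: http://www.google.com/reader/shared/0000000000",
    "about page http://www.google.com/intl/en/about.html",
    "see http://video.example.net/watch?id=1",
]

if __name__ == "__main__":
    for msg in MESSAGES:
        print(links_needing_scrutiny(msg) or "no brand-trusted user content", "|", msg)
```

Links returned by `links_needing_scrutiny` should get the same reputation and content checks as links to unknown hosts, rather than inheriting the trust of the hosting brand.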

 
 
 
 
 
Copyright @ 2009 SDA Asia Magazine - All Rights Reserved