Worm spreads on Facebook, hijacks users' clicks
Social network cleaning up mess, but worm still on the loose, says researcher
Computerworld - Facebook Inc. is resetting some user passwords and scrubbing the service of malicious links in an attempt to eradicate a fast-spreading worm that redirects infected machines to a little-known search site, the company and security researchers said today.
The "Koobface" worm, which has been circulating through the popular social networking service since at least Wednesday, continues to be a problem, said Craig Schmugar, a threat researcher at McAfee Inc.
"We're not seeing increases in propagation," he acknowledged today, but noted that cleanup was a tough chore for Facebook. "It's a bit of a cat-and-mouse game for them," he said. "There are certainly millions of links on Facebook. How do you know which are the bad ones, which are the good ones? That's not without problems."
Wednesday, Schmugar was one of the first security researchers to notice Koobface's spread and notify Facebook.
Earlier in the week, Facebook users began reporting receiving spam messages such as "You look just awesome in this new movie" or "You look so amazing funny on our new video" that tried to dupe them into clicking on a link. Schmugar said that if they did, they were taken to one of several compromised sites that then displayed a fake error message claiming that Adobe System Inc.'s Flash was out of date, and prompted them to download an update.
The "update" was nothing of the kind, but instead was an executable file that installed the Koobface worm, which in turn installed a background proxy server that redirected all Web traffic. According to Schmugar, the proxy servers listens on TCP port 9090, particularly for search requests to the major search engines, including Google, Yahoo and Microsoft's Live Search.
"Search terms are directed to find-www.net," Schmugar said, "[which] enables ad hijacking and click fraud." The hackers are making money by redirecting users' searches to their own results, collecting cash from the ensuing clicks.
When Computerworld entered "thomas jefferson" as a search string at find-www.net, for example, the top result was a pitch for a free antivirus scanner. That scanner was, in fact, bogus and simply the first step in a so-called scareware scam that relies on sufficiently spooking users with phony warnings that they pay for fake security software.
Today, Facebook said it was dealing with the worm. "We're working quickly to update our security systems to minimize any further impact, including resetting passwords on infected accounts, removing the spam messages and coordinating with third parties to remove redirects to malicious content elsewhere on the Web," said spokesman Barry Schnitt in an e-mail.
He urged users to avoid links that "seem strange," and suggested that they arm themselves with up-to-date antivirus software. "The messages for this issue all have a title that is poorly spelled about seeing a video of someone, the text of the message has one to three words in all caps and then a spammy link," said Schnitt.
Koobface is a variant of one that hit MySpace, another well-known social networking service, last August, said McAfee's Schmugar. The earlier version targeted both MySpace and Facebook, he added, but the newest ignores the former and focuses on the latter. There are more than two dozen variants of the worm in circulation.
Facebook has posted a short message on its security page acknowledging the worm's attack. The notice urged users whose accounts had already been compromised to scan their PCs for malware and then reset their passwords.
Read more about Security in Computerworld's Security Topic Center.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts