Bangkok--1 Apr--Core & Peak
Threats are becoming increasingly adept at using social media to trick users into downloading malware. In this recent attack, a basic spammed message in a user’s Facebook inbox supposedly alerted the user to a “surprise.”
The Threat Defined
Facebook is one of the most popular social networking sites in the world with over 500 million members and growing. According to Facebook’s own 2011 statistics, its milestones for international growth include the fact that 70 percent of its users are from outside the United States, 50 percent of whom log on to the site daily. Nothing encapsulates the Web 2.0 concept more than social networking sites like Facebook, which give users the ability to connect, communicate, and share with others. Facebook was also the most visited website in the United States in 2010. This is the primary reason why cybercriminals choose to exploit the social networking site for malicious intent.
Almost all social networking sites have a messaging platform that can be abused to carry malicious links. In fact, last September, phishers abused Facebook Chat. In that attack, affected users unknowingly spammed links via Facebook Chat to their friends. Those who clicked the spammed links were then led to a phished Facebook page. Entering one’s Facebook credentials into the fake page was analogous to surrendering these to phishers. Facebook’s messaging platform has also been relentlessly abused by the people behind the infamous KOOBFACE botnet. A typical KOOBFACE infection starts with spam sent through Facebook, Twitter, MySpace, or other social networking sites. The spam usually contains a catchy message with a link to a supposed video. This approach made KOOBFACE the first malware to successfully propagate through social networks.
The newest malware to use this tactic has now been spotted. It took advantage of Facebook’s messaging platform in the guise of a personal message from one’s friend. The message contains a link that supposedly points to a Blog*Spot (now Blogger) page along with the text, “I got u surprise.” Clicking the link redirects users to a legitimate-looking Facebook application page where the surprise supposedly awaits. The fact that the link to a Blog*Spot page leads to a Facebook page instead is already suspicious. If users, however, fail to recognize the scam here and still click the “Get a surprise now!” image, they end up downloading TROJ_VBKRYPT.CB onto their systems. This Trojan, in turn, downloads TROJ_SOCNET.A, which sends messages to affected users’ Facebook and/or Twitter friends. The message contains a link to a site that hosts the malware from which the entire chain started—TROJ_VBKRYPT.CB. This last fact makes the attack more dangerous, as it proves that the malware is self-sustaining.
Figure 1. TROJ_VBKRYPT.CB infection
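The mismatch described above (a link that advertises one site but lands on another, followed by an executable download) can be checked for in web proxy logs. The following Python sketch is an added example, not part of the original report; the log records, host names under the reserved .example domain, and function names are constructed for illustration, and the log is assumed to hold one client's requests in time order.

```python
from urllib.parse import urlsplit

# Constructed proxy records: (url, status, Location header, Content-Type)
SAMPLE_LOG = [
    ("http://surprise.blogspot.example/p1", 302,
     "http://apps.facebook.example/surprise", "text/html"),
    ("http://apps.facebook.example/surprise", 200, None, "text/html"),
    ("http://cdn.files.example/surprise.exe", 200, None,
     "application/x-msdownload"),
    ("http://news.site.example/a", 301, "http://www.site.example/a", "text/html"),
    ("http://www.site.example/a", 200, None, "text/html"),
]
REDIRECTS = {301, 302, 303, 307, 308}
EXECUTABLE_TYPES = {"application/x-msdownload", "application/x-dosexec"}

def site(url):
    """Naive site key: last two host labels. A production check would
    use the Public Suffix List instead of this simplification."""
    host = (urlsplit(url).hostname or "").lower()
    return ".".join(host.split(".")[-2:])

def redirect_chain(log, start_url, max_hops=10):
    """Follow recorded Location headers from the link seen in the message."""
    by_url = {rec[0]: rec for rec in log}
    chain, url = [], start_url
    while url in by_url and len(chain) < max_hops:  # max_hops stops loops
        rec = by_url[url]
        chain.append(rec)
        url = rec[2] if rec[1] in REDIRECTS else None
    return chain

def assess(log, message_link, window=3):
    """Return findings for one message link; an empty list means no flags."""
    chain = redirect_chain(log, message_link)
    if not chain:
        return []
    landing = chain[-1][0]
    if site(landing) == site(message_link):
        return []  # same-site redirect, e.g. a bare host to its www host
    findings = [f"cross-site redirect: {site(message_link)} -> {site(landing)}"]
    # Look at the next few requests after the landing page for an executable.
    start = log.index(chain[-1]) + 1
    for url, status, _loc, ctype in log[start:start + window]:
        if status == 200 and ctype in EXECUTABLE_TYPES:
            findings.append(f"executable download after redirect: {url}")
            break
    return findings

if __name__ == "__main__":
    for link in ("http://surprise.blogspot.example/p1", "http://news.site.example/a"):
        print(link, assess(SAMPLE_LOG, link))
```
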
User Risks and Exposure
This particular attack is a good example of the many ways by which cybercriminals leverage current online trends. This recent Facebook threat highlights the importance of increasing user awareness of the countless ways by which threats arrive onto systems. The minds behind the attack effectively utilized Facebook’s messaging platform as a means of gaining users’ trust. Users should be able to discern whether messages actually came from friends or contacts. They should also avoid adding people they do not fully know or trust to their list of friends or contacts. They should keep in mind that social threats that do not come from friends are usually spammed in a way that makes them look nonmalicious even when they are malicious.
The fact that this threat can spread on both Facebook and Twitter puts users at greater risk: even if they have different sets of followers on these sites, their systems will all still be in danger of getting infected. Apart from being phished and infected with FAKEAV, users also risk losing their online assets by exposing their personal credentials to cybercriminals. Visiting untrustworthy sites—compromised sites or those that have been injected with malicious iframes—can also expose users’ systems to kits that exploit vulnerable software, which may lead to complete system compromise.
Trend Micro Solutions and Recommendations
The Trend Micro™ Smart Protection Network™ delivers security infrastructure that is smarter than conventional approaches. Leveraged across Trend Micro solutions and services, Smart Protection Network combines unique in-the-cloud reputation technologies with patent-pending threat correlation technology to immediately and automatically protect your information wherever you connect.
In this attack, Smart Protection Network’s file reputation service detects and prevents the download of malicious files detected as TROJ_VBKRYPT.CB and TROJ_SOCNET.A onto users’ systems. Web reputation service blocks access to malicious sites even if a user is duped into clicking bad links.
As in this case, users should be wary of opening messages and of clicking links to sites even if these supposedly come from Facebook and/or Twitter friends. As shown, the message in this attack contained several glaring grammatical and punctuation errors—a telltale sign of spamming and phishing—something that should warn users that the site they are visiting is not legitimate.
Thailand Media Contact: Public Relations Consultant, Core & Peak Co., Ltd. Chayapat Sonthikorn, Tel +66 (0) 2439 4600 ext. 8202