The Latest in IT Security

Facebook Attack Spreading both Windows AND Mac malware

01 Jun 2011

There’s a significant Facebook malware attack occurring at the moment.

The attack is spreading virally using Facebook’s “Like” feature – a method well established by rogue Cost Per Action (CPA) marketing affiliates. But unlike CPA spam that redirects to deceptive ads, this “viral video” is linking to a Lithuanian server that serves up Windows and/or Mac malware.

This is the first time we’ve seen malware using “viral links”. (Stuff such as Koobface uses phishing and compromised accounts.)

The bait uses the following subject lines: “oh shit, one more really freaky video O_O” and “IMF boss Dominique Strauss-Kahn Exclusive Rape Video – Black lady under attack!” and points to a subdomain on “newtubes.in”.

An Openbook search shows numerous examples of folks that have been exposed.

Here’s an example of Facebook’s search results:

[Screenshot: Facebook search results for “oh shit, one more really freaky video O_O”]

When testing the link from Germany, Finland, France, India and Malaysia, we were safely redirected to youtube.com. Testing from the USA and UK offered up Mac scareware or Windows malware depending on our browser user agent IDs.

The attack is GEO-IP as well as OS aware.

And though this attack started more than 16 hours ago, Facebook does not yet block links to newtubes.in, even though the subject text and the root domain have remained unchanged during that time. This could be because the attack uses Facebook “Likes” rather than posting links to users’ Walls, which can be more easily filtered by Facebook’s security team.

Or perhaps they’re still catching up on their post-Memorial Day holiday e-mail.
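The post notes that the subject text and the root domain stayed unchanged throughout the attack. As an added example (not part of the original post), here is one way to match both over constructed feed items; the `sub.` host label, the user names and the item layout are assumptions.

```python
from urllib.parse import urlsplit

BLOCKED_ROOT = "newtubes.in"  # root domain named in the post
BAIT_SUBJECTS = (             # subject lines quoted in the post (second one as a prefix)
    "oh shit, one more really freaky video O_O",
    "IMF boss Dominique Strauss-Kahn Exclusive Rape Video",
)

def host_under_root(url, root=BLOCKED_ROOT):
    """True if the URL's host is the root domain or any subdomain of it."""
    if "://" not in url:
        url = "//" + url  # let urlsplit treat a bare host as the netloc
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    # Match on a label boundary so look-alike hosts are not caught:
    # "notnewtubes.in" and "newtubes.in.example.com" must not match.
    return host == root or host.endswith("." + root)

def classify(item):
    """Return the reasons an item matches: 'domain', 'subject', both, or none."""
    reasons = []
    if host_under_root(item["url"]):
        reasons.append("domain")
    text = item["text"].casefold()
    if any(s.casefold() in text for s in BAIT_SUBJECTS):
        reasons.append("subject")
    return reasons

# Constructed sample items; the subdomain label "sub" is a placeholder.
SAMPLE_ITEMS = [
    {"user": "alice", "text": "oh shit, one more really freaky video O_O",
     "url": "http://sub.newtubes.in/watch"},
    {"user": "bob", "text": "Holiday photos",
     "url": "http://www.youtube.com/watch?v=x"},
    {"user": "carol", "text": "OH SHIT, one more really freaky video o_o",
     "url": "http://www.youtube.com/"},
    {"user": "dave", "text": "new clip",
     "url": "http://newtubes.in.example.com/"},
    {"user": "erin", "text": "clip", "url": "HTTP://Sub.NewTubes.IN./x"},
]

def flagged(items=SAMPLE_ITEMS):
    """Map each matching user to the reasons their item was flagged."""
    return {i["user"]: classify(i) for i in items if classify(i)}

if __name__ == "__main__":
    for user, reasons in flagged().items():
        print(user, ",".join(reasons))
```

Matching on the parsed hostname rather than the raw URL string also handles userinfo tricks such as `http://youtube.com@sub.newtubes.in/`, where the real host is the part after the `@`.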
