Facebook friend spam / Koobface

CWSandbox
For the past few days, a new round of malicious friend messages has been going around on Facebook. The messages all look similar; an example is:
"Oh noooooo
hxxp://www.facebook.com/l.php?u=hxxp://geocities.com%2Fmaxmonroe79%2Findex.htm..."

To reply to this message, follow the link below:
http://www.facebook.com/n/?inbox/readmessage.php&t=10085171....

Once a victim clicks on the link, he also needs to confirm the redirect on the Facebook site. Afterwards, the attackers use social engineering to trick the victim into installing the malware sample named flash_update.exe. I have also uploaded a movie to illustrate the infection process and to test the new media options I added to this blog: http://honeyblog.org/pages/20081204-koobface.html

Fortinet has some more information on a related incident: http://www.fortiguardcenter.com/advisory/FGA-2008-26.html
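
The lure above hides its real destination in the `u=` parameter of Facebook's `l.php` redirector. The following is an added example, not code from the original post: a mail or message filter can unwrap such links offline and flag those whose final destination is off the platform. The function names, the host `files.example` and the sample messages are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: redirector host and path are taken from the sample message above.
REDIRECTOR_DOMAIN = "facebook.com"
REDIRECTOR_PATH = "/l.php"
URL_RE = re.compile(r"h(?:tt|xx)ps?://[^\s\"'<>]+", re.IGNORECASE)

def refang(url):
    """Rewrite a defanged hxxp:// scheme to http:// so the URL can be parsed."""
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)

def on_platform(url):
    """True if the URL's host is the redirector domain or a subdomain of it."""
    try:
        host = (urlsplit(url).hostname or "").lower().rstrip(".")
    except ValueError:  # malformed authority, e.g. unbalanced brackets
        return False
    return host == REDIRECTOR_DOMAIN or host.endswith("." + REDIRECTOR_DOMAIN)

def unwrap(url, max_depth=5):
    """Resolve l.php?u=... wrappers offline and return the innermost URL."""
    url = refang(url)
    for _ in range(max_depth):
        if not on_platform(url) or urlsplit(url).path != REDIRECTOR_PATH:
            break
        target = parse_qs(urlsplit(url).query).get("u")
        if not target:
            break
        url = refang(target[0])  # parse_qs has already percent-decoded it
    return url

def flag_offsite_redirects(message):
    """Return (link, destination) pairs for redirector links that leave the platform."""
    findings = []
    for raw in URL_RE.findall(message):
        link = refang(raw.rstrip(".,)"))
        dest = unwrap(link)
        if dest != link and not on_platform(dest):
            findings.append((link, dest))
    return findings

# Constructed sample messages (files.example is a placeholder host).
LURE = "Oh noooooo\nhxxp://www.facebook.com/l.php?u=hxxp://files.example%2Fuser%2Findex.htm"
REPLY = "To reply: http://www.facebook.com/n/?inbox/readmessage.php&t=1"

if __name__ == "__main__":
    for msg in (LURE, REPLY):
        print(flag_offsite_redirects(msg))
```

Nothing is fetched: the destination is recovered purely from the link text, so the check is safe to run on untrusted messages.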
