KOOBFACE Spreading via Facebook DMs Again


Recommended Posts

Jul4

KOOBFACE Spreading via Facebook DMs Again

The infamous KOOBFACE botnet is sending direct messages (DMs) on Facebook. If this sounds familiar… it should be, as this tactic was previously discussed here in the Malware Blog back in March.

The hook is somewhat similar to a ZBOT attack also spotted in March. That attack claimed that someone posted pictures of the user; this one uses a video instead. The text and link in the message are:

Someobdy uplaod a vdieo wtih you on utbue. you shuold see.

http://www.facebook.com/l/ae2d7CYBUtLFPs-LAKPMtRXKpBA;www.{BLOCKED}rotherz.ca./19mai/”

As is frequently the case in these kinds of attack, the English used in the message is comically bad. The URL, however, is somewhat disguised—the first domain name the user sees belongs to Facebook. This is because the link does legitimately go to Facebook first. Any URL with the format http://www.facebook.com/l/{random character};{redirected URL} brings up the Facebook preview page for external links. Apparently, cybercriminals are betting that users will ignore the warnings and proceed to their site anyway.

If users do go on to visit the malicious site, this is what they see:

More detail & screenshots - http://blog.trendmicro.com/

Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...