Fake anti-virus proclaims to be your Facebook friend

Filed Under: Facebook, Malware, Social networks, Twitter

It is being reported by AVG that there is an attack in progress against Facebook again.

Things have been quiet recently on the Facebook front, with many of the attacks against social media focusing on Twitter. This time Roger points out that the attackers have found a way to break the captchas protecting Facebook account creation and generate a mass of new "friends" who try to join your social network.

The invites from these friends include a link. Of course, not being sure if in fact you don't remember Jennifer Jacobs after imbibing too much at the party last night, you may in fact be tempted to click the link to refresh the old memory. I think we all know what this will lead to though.

Investigating this attack, I went into SophosLabs to see what might happen, so all of you reading this don't need to create your own virus lab from which it might be safe to click the link.

It starts out innocently enough with a link that is not classified by the Google Safe Browsing API. This then redirects through several other URLs, including ones identified by Google and the Sophos Web Appliance as malicious.
[Image: browser warning with virus detection]
This is a great example of the usefulness of Firefox and Chrome implementing Google's Safe Browsing API, which often results in a much safer browsing experience. If you are crazy enough to ignore Firefox's warning and are a customer of Sophos, you will get a detection of Mal/FakeAV-AD upon proceeding.

Customers using the Sophos Web Appliance will be protected from ever reaching the payload as well. We have been blocking access to a domain associated with this attack since August 2009.

The fact that the initial URL posted in Roger's blog is not listed in the Safe Browsing API means that Twitter users could be attacked with these URLs as well. I did some brief testing today and discovered that Twitter appears to check only the top-level URL in a shortened link or submitted URL, and does not follow the redirection chain used so often in these attacks.
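The gap described above, between checking only the submitted URL and checking every hop of the redirect chain, as an added example that is not from this post or from Sophos. The URLs, the blocklist and the redirect table are constructed stand-ins (none are indicators from the post), and the HTTP fetch is simulated by a dictionary lookup so the example runs offline:

```python
from urllib.parse import urlsplit

# Constructed sample data: a bait URL that looks clean, redirecting through
# a shortener to hosts on a blocklist. Hostnames are placeholders, not IoCs.
REDIRECTS = {
    "http://friend-invite.example/photo?id=1": "http://short.example/r/abc",
    "http://short.example/r/abc": "http://landing.example/check.php",
    "http://landing.example/check.php": "http://fakeav.example/scan/",
}
BLOCKLIST = {"landing.example", "fakeav.example"}


def fetch_redirect(url):
    """Stand-in for an HTTP request; returns the Location target or None."""
    return REDIRECTS.get(url)


def host_of(url):
    return urlsplit(url).hostname or ""


def check_top_level_only(url, blocklist=BLOCKLIST):
    """The check the post describes: only the submitted URL is examined."""
    return host_of(url) in blocklist


def resolve_chain(url, fetch=fetch_redirect, max_hops=10):
    """Follow redirects and return every URL visited.

    Stops on a loop (a URL already seen) or after max_hops redirects so a
    hostile chain cannot keep the checker busy forever.
    """
    chain = [url]
    seen = {url}
    while len(chain) <= max_hops:
        nxt = fetch(chain[-1])
        if nxt is None or nxt in seen:
            break
        chain.append(nxt)
        seen.add(nxt)
    return chain


def check_full_chain(url, blocklist=BLOCKLIST, fetch=fetch_redirect):
    """Return every hop whose host is blocklisted; empty list means clean."""
    return [u for u in resolve_chain(url, fetch) if host_of(u) in blocklist]


if __name__ == "__main__":
    start = "http://friend-invite.example/photo?id=1"
    print("top-level only:", check_top_level_only(start))  # False: bait looks clean
    print("full chain hits:", check_full_chain(start))
```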

My intention in sharing this incident with you is to encourage those of us who are looked upon to be the nerd in the family, or the geeky friend to call when your screen goes blue to educate our friends, families, and colleagues on the threats being slung at social media sites.

It may be Facebook today, or Twitter tomorrow, but we need to learn that our openness and willingness to connect with others is being exploited. Investigating a story, looking for information on swine flu, or checking out the pretty lady who wants to be your friend on Facebook all have rather unfortunate consequences associated with them.

Now I am off to investigate the infection of my "C Drive" on the Linux server I did my testing from...
[Image: screenshot of FakeAV-AD on Linux]



About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski, on App.net as Chester, Chester Wisniewski on Google Plus or send him an email at chesterw@sophos.com.