Fake anti-virus proclaims to be your Facebook friend

AVG is reporting that an attack against Facebook is once again in progress.

Things have been quiet recently on the Facebook front, with most of the attacks against social media focusing on Twitter. This time Roger points out that the attackers have found a way to defeat Facebook's CAPTCHAs and create a mass of new “friends” who then try to join your social network.

The invites from these friends include a link. Of course, not being sure whether you do in fact remember Jennifer Jacobs after imbibing too much at the party last night, you may well be tempted to click the link to refresh the old memory. I think we all know where this leads.

Investigating this attack, I went into SophosLabs to see what might happen, so all of you reading this don’t need to create your own virus lab from which it might be safe to click the link.

It starts out innocently enough with a link that is not classified as malicious by the Google Safe Browsing API. That link then redirects through several other URLs, including ones that Google and the Sophos Web Appliance identify as malicious.
[Image: browser warning with virus detection]
This is a great example of the usefulness of Firefox and Chrome implementing Google's Safe Browsing API: the warning fires on a later hop in the chain, not on the link you actually clicked, and that often results in a much safer browsing experience. If you are crazy enough to ignore Firefox's warning and are a Sophos customer, you will get a detection of Mal/FakeAV-AD upon proceeding.

Customers using the Sophos Web Appliance are also protected from ever reaching the payload. We have been blocking access to a domain associated with this attack since August 2009.

The fact that the initial URL posted in Roger’s blog is not listed in the Safe Browsing API means that Twitter users could be attacked with these URLs as well. I did some brief testing today and discovered that Twitter appears to check only the actual top-level URL in a shortened link or submitted URL, and does not follow the redirection chain used so often in these attacks.
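The two ways of checking a link described above, a verdict on only the submitted URL versus a verdict on every hop of the redirect chain, as an added Python example that is not code from the original post or from Sophos. It runs a throwaway HTTP server on loopback that serves a constructed three-hop chain (a harmless-looking first hop, a relay, and a "payload" landing page) plus a deliberate redirect loop; the path blocklist is a hypothetical stand-in for a reputation lookup such as the Safe Browsing API, and none of the paths are real attack URLs.

```python
"""Follow an HTTP redirect chain hop by hop and check every hop, not just
the first URL, against a blocklist. Server, chain and blocklist are all
constructed for this example."""
import http.client
import http.server
import threading
import urllib.parse

# Constructed redirect chain served locally; not real attack infrastructure.
# Hop 1 looks harmless, hop 3 is the page a reputation service would flag.
REDIRECTS = {
    "/invite": "/r/next",
    "/r/next": "/payload/setup.exe",
    "/loop/a": "/loop/b",   # deliberate loop to show the walker terminates
    "/loop/b": "/loop/a",
}

# Hypothetical stand-in for a URL-reputation lookup (e.g. Safe Browsing):
# only the final landing page is known-bad.
BLOCKED_PATH_PREFIXES = ("/payload/",)

REDIRECT_CODES = (301, 302, 303, 307, 308)
MAX_HOPS = 10


class _Handler(http.server.BaseHTTPRequestHandler):
    def do_GET(self):
        target = REDIRECTS.get(self.path)
        if target is not None:
            self.send_response(302)
            self.send_header("Location", target)  # relative, as real sites often send
            self.send_header("Content-Length", "0")
            self.end_headers()
        else:
            body = b"fake scanner landing page"
            self.send_response(200)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

    def log_message(self, *args):  # keep the server quiet
        pass


def start_server():
    """Bind an ephemeral loopback port; return (base_url, server)."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), _Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return "http://127.0.0.1:%d" % srv.server_address[1], srv


def is_flagged(url):
    """Reputation check on a single URL (blocklist keyed on path prefix here)."""
    return urllib.parse.urlsplit(url).path.startswith(BLOCKED_PATH_PREFIXES)


def walk_chain(start_url, max_hops=MAX_HOPS):
    """Return every URL visited while following redirects one hop at a time.
    Stops on a non-redirect response, a missing Location, a loop, or max_hops."""
    chain, seen, url = [start_url], {start_url}, start_url
    for _ in range(max_hops):
        parts = urllib.parse.urlsplit(url)
        req_path = parts.path or "/"
        if parts.query:
            req_path += "?" + parts.query
        conn = http.client.HTTPConnection(parts.hostname, parts.port, timeout=5)
        try:
            conn.request("GET", req_path)
            resp = conn.getresponse()
            resp.read()
            if resp.status not in REDIRECT_CODES:
                return chain
            location = resp.getheader("Location")
        finally:
            conn.close()
        if not location:
            return chain
        url = urllib.parse.urljoin(url, location)  # resolve relative Location
        if url in seen:  # redirect loop: stop instead of spinning
            return chain
        seen.add(url)
        chain.append(url)
    return chain


def verdicts(start_url):
    """Compare a check of only the submitted URL with a check of every hop."""
    chain = walk_chain(start_url)
    return {
        "chain": chain,
        "top_level_flagged": is_flagged(start_url),
        "any_hop_flagged": any(is_flagged(u) for u in chain),
        "flagged_hops": [u for u in chain if is_flagged(u)],
    }


if __name__ == "__main__":
    base, srv = start_server()
    try:
        print(verdicts(base + "/invite"))
    finally:
        srv.shutdown()
```

For the constructed chain, `top_level_flagged` is False while `any_hop_flagged` is True, which is exactly the gap a top-level-only check leaves open. In a real filter the hop limit and loop detection matter as much as the lookup: attackers can make a chain arbitrarily long or circular, so the walker must never trust the chain to terminate on its own.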

My intention in sharing this incident with you is to encourage those of us who are looked upon as the nerd in the family, or the geeky friend to call when the screen goes blue, to educate our friends, families, and colleagues about the threats being slung at social media sites.

It may be Facebook today or Twitter tomorrow, but we need to learn that our openness and willingness to connect with others is being exploited. Investigating a story, looking for information on swine flu, or checking out the pretty lady who wants to be your Facebook friend can all have rather unfortunate consequences.

Now I am off to investigate the infection of my “C Drive” on the Linux server I did my testing from…
[Screenshot: FakeAV-AD running on Linux]