New Koobface Scam Disguises as Update for Adobe’s Flash

During the 3rd week of October 2009, security specialists found that controllers of the Koobface botnet, which was driven with highly successful social engineering tactics, launched a scam against Facebook that involved a newly crafted template, masquerading as Adobe's update for Flash Player on a phony web-page that imitated YouTube. ZDNet published this on October 14, 2009.

Giving a detailed description of the attack, the specialists said that it started with an e-mail from a Facebook buddy providing an exciting movie that users could watch. Subsequently, those who were more curious became convinced and clicked the video link, which, however, connected to a remote compromised system connected to the Internet, the specialists said.

But whilst users start to run the video, a message pops up suggesting that the Flash player requires updating. On following the instruction, users are asked for downloading the setup.exe file that, however, contains the Koobface worm.

Furthermore, the scam produces another pop-up that contains a scareware URL, which keeps changing every 24-hrs so that it can escape detection. This form of double monetization that Koobface controllers apply began occurring during September end 2009, and continues even now, with the perpetrators making money via their participation in 'Crusade Affiliates,' a network for scareware partners.

Meanwhile reports state that the Win32/Koobface group of worms comprises multi-purpose malicious software, which cyber criminals use to launch various kinds of assaults. These assaults include manipulating a contaminated computer for further malware distribution, intercepting personal data, generating "pay per click" revenues, or cracking 'captcha' mechanisms, all of which turn a user's Web activity to something totally unintended.

Further, the malicious software is accompanied with a proxy program with which Internet crooks access private data that an infected PC holds. This perhaps represents the greatest risk characterizing the software as the exercise could lead to identity theft.

In the meantime, the new Koobface scam is spreading after its controllers are employing a replica of HyperSnap 6, which is actually unlicensed, for capturing the YouTube screenshot, with the act leading to the embedding of "purchase a license" seal on all the fake YouTube pages.

Related article: New Zealand Releases Code To Reduce Spam

» SPAMfighter News - 10/29/2009