The thing about being a criminal is there's always the risk of being caught or otherwise exposed. This applies to the life of a cyber criminal as well. To wit, Facebook has identified five men it believes are behind the Koobface worm designed to burrow into various social networks like Facebook and Twitter in search of login information to help spread its related botnet far and wide.
How many times have you been told that when one door closes, another one opens? Probably a whole bunch, but what no one ever bothered to disclose is that this idiom isn't always an inspirational motivator to carry on with life and can sometimes apply to those with less scrupulous intentions. Case in point: a security firm warns that the Koobface worm is no longer spreading through social networks and is now slithering its way across BitTorrent sites.
A security researcher has identified what he believes is one of the biggest clusters of drive-by attack sites. According to Wayne Huang, co-founder and CTO of Armorize Technologies, a compromised widget called "Small Business Success Index" turned anywhere between 500,000 and 5,000,000 websites into malware carriers.
Huang's estimate might seem implausible until you are told that the hacked widget was found on all parked domains hosted with web hosting company Network Solutions. For those of you unfamiliar with web hosting argot, a parked domain is one that continues to be unused even after being registered. Network Solutions pulled the plug on the widget over the weekend, within three hours of being notified by Armorize.
Trend Micro has issued a warning that the Koobface botnet has begun pushing out a new component capable of automatically registering a Facebook account and confirming an email address in Gmail to activate the fake persona. Once Koobface becomes part of the social network's community, it begins randomly joining Facebook groups, adding friends, and posting messages to people's walls.
"Overall, this new component behaves like a regular Internet user that starts to connect with friends in Facebook," says Trend Micro. "All Facebook accounts registered by this component are comparable to a regular account made by a human. The details provided about the account are complete such as a photo, birth date, favorite music, and favorite books, among others. In addition, every account registered is unique in such a way that the details vary for every account registered."
That's pretty wild, and it's done using Internet Explorer to create and register the account, according to Trend Micro. But what's interesting is that the Koobface botnet halts its dastardly deed if the affected user is kicking it old school with IE6.
So how do you avoid being duped by a fake friend? You could become a loner, but that might get, well, lonely. Common sense applies: be sure you know who it is you're adding. And as usual, be wary of clicking on links. Trend Micro says the messages posted through Facebook's wall contain a link that leads to a fake Facebook or YouTube page hosting the Koobface loader component.