Jun 2, 2011 04:54 GMT

A recent Facebook spam attack spreading Mac and Windows scareware has lasted for almost 24 hours on the social networking platform and mutated several times.

The attack started on Tuesday by luring users with messages about an alleged video of IMF chief Dominique Strauss-Kahn abusing a hotel maid.

The spam messages were posted from the accounts of users who had already fallen victim to the attack, possibly through a malware component installed on their computers or by exploiting a flaw in Facebook.

The pages the messages linked to were hosted on a .in domain and further directed users to scareware distribution sites.

The attack was OS-aware, in the sense that Mac users were served Mac rogue applications, while Windows users received Windows scareware.

During the course of 24 hours, the attackers launched different spam runs, all leading to the same domain. One read "LOL, just found new tube site," while another lured users with an alleged leaked adult video of Rihanna and Hayden Panettiere.

According to Sean Sullivan, a security advisor at F-Secure, the attack server used analysis evasion techniques. "The attack server is Geo-IP aware: only attacks USA/UK IP address, and too many connections from same IP will get banned," he wrote on Twitter.

The researcher is not happy with Facebook's response time. "Appears @facebook has finally blocked IMF boss malware attack. Took them more than 24 hours to block attack coming from a single source!" he said.

Widespread attacks that distribute malware have been missing from Facebook for the past half year or more, ever since the notorious Koobface worm went silent.

During this time, there has been a surge in CPA lead scams that direct users to surveys and other spam sites, but now it seems that malware distributors are returning. Researchers fear that more such attacks will appear in the near future.