Attackers adopted the practice of hosting links to the malware on Google pages

Oct 30, 2008 14:40 GMT  ·  By

Experts from the network security vendor Fortinet report that new worms spreading on Facebook are making use of links to pages hosted on popular Google services like Google Reader or Picasa Web Albums in order to bypass security filters and reduce user suspicions.

The general propagation of malware like the notorious Koobface worm, which circulates around Facebook, is based on social engineering techniques. The worm uses the Facebook accounts accessed from the infected computer in order to send a message to all the friends registered for each account. The message encourages users to watch a video file hosted on an external URL. Clicking on the URL takes the users to an image faking an embedded video. Clicking the image to start the video will result in an ActiveX prompt that asks users to install a fake video codec, which is actually a Trojan.

When Koobface first hit Facebook in July, the website administrators had a hard time stopping it, but after significant efforts, they succeeded in slowing it down. They achieved this by implementing security filters, which blocked the external URLs the worm used to spam. Then, the attackers tried to bypass the filters by hosting the links on services like TinyURL or Bloglines and it looks like they've hit big lately by using links hosted on Google's Reader and Picasa services.

“This 'hop' via a Google Reader share serves an essential purpose: it gives the targeted user the feeling that the video is hosted on Google. Thus it must be safe. Combo that with the ‘it's a message from a friend’ factor, which naturally lowers down users' wariness shields, and you get quite a good chance of seeing your victim perform the dreaded click,” explains Guillaume Lovet, the leader of Fortinet's FortiGuard Global Security Research Team.

Another implication of this new approach is that Facebook admins won't be able to enforce generic filters without hindering the ability of users to post links to legitimate resources on Picasa or Google Reader. In addition, it is possible that the attackers automatically register the fake Picasa or Reader accounts by bypassing the CAPTCHA protection. This would give them constantly changing, unique links that are a lot harder to filter and block.
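The filtering problem described above, as an added illustration that is not part of the original article or of any Facebook or Fortinet code: a domain-only filter lets a share link on a trusted host through, while a filter that follows the hop to the final destination still catches it. All URLs, host lists and the hop map are constructed placeholders; the map stands in for fetching the share page and reading the link it points to.

```python
from urllib.parse import urlparse

# Constructed outbound links of the kind found in worm-sent messages (placeholders, not real URLs).
MESSAGE_LINKS = [
    "http://picasaweb.google.com/example-user/album#caption-link",   # Picasa caption hop
    "http://www.google.com/reader/shared/example-share-id",          # Reader share hop
    "http://video-codec-download.example/setup.exe",                # direct "codec" link
    "http://picasaweb.google.com/legit-user/holiday-album",          # legitimate album
]

# Hosts a site cannot block outright without breaking legitimate sharing.
TRUSTED_HOSTS = {"picasaweb.google.com", "www.google.com"}

# Known-bad destination hosts (constructed placeholders).
BLOCKED_HOSTS = {"video-codec-download.example", "tinyurl.example"}

# Constructed stand-in for "open the share/caption page and extract the link it carries".
SHARE_TARGETS = {
    "http://picasaweb.google.com/example-user/album#caption-link":
        "http://video-codec-download.example/setup.exe",
    "http://www.google.com/reader/shared/example-share-id": "http://tinyurl.example/abc123",
    "http://tinyurl.example/abc123": "http://video-codec-download.example/setup.exe",
}


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def naive_filter(url):
    """Domain-only check: only the link's own host is compared against the blocklist."""
    return "block" if host_of(url) in BLOCKED_HOSTS else "allow"


def resolve_hops(url, max_hops=5):
    """Follow share/redirect hops to the final destination; returns the whole chain."""
    chain = [url]
    while url in SHARE_TARGETS and len(chain) <= max_hops:
        url = SHARE_TARGETS[url]
        chain.append(url)
    return chain


def hop_aware_filter(url):
    """Block if any host along the hop chain, including the final target, is blocklisted."""
    return "block" if any(host_of(u) in BLOCKED_HOSTS for u in resolve_hops(url)) else "allow"


def compare_filters(links):
    """Map each link to (naive verdict, hop-aware verdict) to show where the two disagree."""
    return {u: (naive_filter(u), hop_aware_filter(u)) for u in links}
```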

Mr. Lovet also expresses his concerns over a legitimate Picasa feature. He points out that “after checking, it appears that allowing links in picture captions is really a Picasa feature, which could potentially introduce more security threats. Which leads to the question: Is this functionality worth the potential risks if rogue Picasa users post malicious URLs?”