Websense: Security Alert about Facebook
November 2008 by Websense
Websense Security Labs ThreatSeeker Network has discovered another round of malicious Facebook messages. This is another visual social-engineering spam campaign, which tries to trick users into believing that the message is a legitimate "added friend" confirmation. The "From" address in the message is spoofed to make it look as if it was sent from Facebook, and the links look like they lead to Facebook.
Websense's statements in the 2008 Threat Predictions report have been based on facts. In our previous alert, Facebook "add friend" Malicious Spam campaign, we saw spammers including a malicious zip attachment that claimed to contain a picture, to entice the recipient to double-click on it. From a spammer's perspective, the likelihood of attack success decreases when antivirus software picks up the attachment. If the attachment is not picked up by antivirus software, content-learning technologies filter such messages and their attachments after receiving a certain volume of similar messages.
To maintain their attack over a longer period with increased success rates, spammers have switched tactics and now include links to an external Web site. The use of external links in emails makes antivirus detection tougher, as not all antivirus software has the ability to scan or detect links included in email messages. Also, from a spammer's perspective, using links to compromised 'legitimate' domains that host malware as a lure increases the success rate, as this is more likely to bypass security filters that rely heavily on reputation services.
Websense Security Labs sees these tactics adopted by spammers and malware authors as an ongoing trend, increasingly targeting Web 2.0 sites to carry out a wide range of attacks.