KOOBFACE Spreading via Facebook DMs Again

The infamous KOOBFACE botnet is sending direct messages (DMs) on Facebook. If this sounds familiar… it should be, as this tactic was previously discussed here in the Malware Blog back in March.

The hook is somewhat similar to a ZBOT attack also spotted in March. That attack claimed that someone posted pictures of the user; this one uses a video instead. The text and link in the message are:

Someobdy uplaod a vdieo wtih you on utbue. you shuold see.

http:// www. facebook.com/l/ae2d7CYBUtLFPs-LAKPMtRXKpBA;www.{BLOCKED}rotherz.ca./19mai/

As is frequently the case in these kinds of attacks, the English used in the message is comically bad. The URL, however, is somewhat disguised—the first domain name the user sees belongs to Facebook. This is because the link does legitimately go to Facebook first. Any URL with the format http:// www .facebook.com/l/{random character};{redirected URL} brings up the Facebook preview page for external links. Apparently, cybercriminals are betting that users will ignore the warnings and proceed to their site anyway.
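For analysts triaging reported messages, the following added example (not code from the original post) parses a link of the format described above and reports the host the user will actually land on rather than the Facebook host shown first. The function name, the host list and the sample token and destination are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: hosts that serve the /l/ external-link preview page.
PREVIEW_HOSTS = {"facebook.com", "www.facebook.com"}

def unwrap_preview_link(link):
    """Parse http://www.facebook.com/l/{token};{redirected URL}.

    Returns a dict describing the real destination, or None when the
    link does not have that shape.
    """
    # Reports often break links with spaces; remove them before parsing.
    cleaned = re.sub(r"\s+", "", link)
    if "://" not in cleaned:
        cleaned = "http://" + cleaned
    parts = urlsplit(cleaned)
    shown_host = (parts.hostname or "").lower()
    if shown_host not in PREVIEW_HOSTS or not parts.path.startswith("/l/"):
        return None
    token, sep, dest = parts.path[len("/l/"):].partition(";")
    if not sep or not dest:
        return None
    if parts.query:  # a query string belongs to the destination
        dest += "?" + parts.query
    dest_url = dest if "://" in dest else "http://" + dest
    # A fully qualified name may end in a dot ("example.test."); drop it
    # so the host compares equal to the plain form.
    dest_host = (urlsplit(dest_url).hostname or "").rstrip(".")
    external = not (dest_host == "facebook.com"
                    or dest_host.endswith(".facebook.com"))
    return {"shown_host": shown_host, "token": token, "dest_url": dest_url,
            "dest_host": dest_host, "external": external}

if __name__ == "__main__":
    # Constructed sample: made-up token and a reserved .test destination.
    sample = "http:// www. facebook.com/l/abc123XYZ;www.example.test./19mai/"
    print(unwrap_preview_link(sample))
```

A mail or chat filter can use the `external` flag and `dest_host` to display or log the true destination next to the link.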

 TrendLabs Malware Blog
