Malware Authors Exploit Facebook App - Page 2
The newest attack first made its appearance over the weekend, O'Neill said, and its subject line has since changed from "Error Check System" to "Error Checking System," ostensibly in an attempt to avoid blocking.
However, it's not the contents of the message -- or the Facebook app it downloads -- that is putting users at real risk. Graham Cluley, senior technology consultant at security consultants Sophos, told InternetNews.com that users' searches for "Error Checking System" lead to sites that download scareware, or fake antivirus software, onto users' PCs. The scareware contains two viruses, which Sophos has named Sus/FakeAV-A and Troj/FakeAV-LL.
Was this a two-pronged attack?
While it's still unclear who's behind the current Facebook attack, at least one researcher thinks there are some clues.
Craig Schmugar, senior threat researcher at antivirus vendor McAfee, told InternetNews.com that one core group runs the Net's major scareware attacks -- and they're a likely culprit for the latest malware based on their previous methods of attack.
"It's the same domain names and the same rogue anti-spyware, so it seems likely that this time, the perpetrators created this pipe around Facebook so they could get more search results," Schmugar said.
Yet it remains uncertain whether the Facebook application and the malware were constructed by the same parties. The application could have been written to create a buzz that would lead to people being infected after doing Google (NASDAQ: GOOG) searches, Cluley said.
Or, the application's authors could have been attempting to promote some sort of product or service, he added.
"It's not yet clear whether the application writers were engaging in dumb marketing or they were part of a bigger plot," Cluley said.
Either way, the hackers behind the scareware attacks are cashing in.
"They have been very successful at seeding Google at a very high level," Cluley said.
Most of the Web sites carrying the malware are likely to have been legitimate sites that have been hacked by the malware authors, Cluley said, adding that the approach is a common tactic.
"We see over 20,000 infected Web pages daily, 90 percent of which have been hacked," he said.
Sophos isn't the only one noting the trend. A survey by messaging- and data-protection vendor Websense also found that hackers are increasingly compromising legitimate Web sites to do their dirty work. The survey concluded that search engines and social networking sites, which let users upload third-party applications, are the most at risk.
As a result, Cluley warned Facebook users to be very careful what applications they add on to their pages.
"You don't know who that person is, whether they can be trusted and whether they're competent," he said.