Today I was asked about a link that someone received in an email. The link was to a video that appeared to be on Facebook. Because the link looked legitimate, it drew almost no suspicion, until the user realized that they didn’t know the sender of the message.
I was asked to check out the link and report if it was safe or not. I checked it out and within 30 seconds noticed my computer playing the block-the-virus game. Of course I didn’t want to stop at just that, so I decided to check it out further.
The worm being spread via different websites is referred to as W32.Koobface.D over on Symantec’s website. Let me just show you some things that might help you to identify what was wrong with this fake Facebook page so that the scammers or spammers can do a better job in the future.
First, the Facebook warning page. It’s nice that Facebook has created a page that lets you know when a link is redirecting you off of its site. This warning page only tells you that you are leaving Facebook, but doesn’t offer any more protection than that. I’m not sure that it’s Facebook’s job to protect users more than this, but maybe it should be.
The image below has two red outlines on it. The first is on the URL. The problem with the URL is that it clearly does not say “Facebook” or any variant of that word. This could easily have read “http://FACEBOOK.somedomain.com” and been a little more likely to fool someone. I did notice that the IP address changes among several different addresses. ARIN states that the IP address shown belongs to a Comcast address block. There are several computers on different ISPs that seem to be either infected and allowing others to be infected, or there is a group of people trying hard to start the spread of this worm.
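As an added example that is not part of the original post, here is a small checker for the two URL tells described above: a brand name stuffed into a subdomain of some other domain (“http://FACEBOOK.somedomain.com”) and a bare IP address where a site name should be. The allowlist and the sample URLs are constructed for illustration.

```python
from urllib.parse import urlsplit

# Registrable domains we consider legitimate for this brand (constructed allowlist).
TRUSTED_DOMAINS = {"facebook.com"}


def registrable_domain(host: str) -> str:
    """Return the last two labels of a host name (e.g. 'somedomain.com').

    Simplified on purpose: production code should consult the Public Suffix
    List so that hosts like 'example.co.uk' are handled correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_bare_ipv4(host: str) -> bool:
    """True when the host is a dotted-quad IP address rather than a name."""
    parts = host.split(".")
    return len(parts) == 4 and all(p.isdigit() and 0 <= int(p) <= 255 for p in parts)


def classify_link(url: str) -> str:
    """Classify a URL as trusted, untrusted or suspicious based on its host.

    urlsplit().hostname strips any user@ prefix and port, so the part that
    is actually contacted is what gets inspected.
    """
    host = urlsplit(url).hostname or ""
    if not host:
        return "invalid"
    if is_bare_ipv4(host):
        return "suspicious: bare IP address instead of a site name"
    domain = registrable_domain(host)
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    # Brand word appears somewhere in the host, but the site is really 'domain'.
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if brand in host.lower():
            return f"suspicious: '{brand}' in host but site is {domain}"
    return "untrusted"


if __name__ == "__main__":
    for sample in ("http://www.facebook.com/video.php?v=1",
                   "http://FACEBOOK.somedomain.com/video",
                   "http://203.0.113.7/video/"):          # constructed sample URLs
        print(sample, "->", classify_link(sample))
```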
The second red outline is around the Internet Explorer warning, letting you know that some program is trying to download onto your computer without your permission. Naughty, naughty!
Now, even though I have Flash installed, the fake Facebook page says that it needs to be installed so that I can view the video. Of course, clicking on the link gives me an opportunity to download something, just not something I want. In fact, the entire webpage has code on it that makes a mouse click anywhere initiate an attempt to download bad stuff onto the future victim’s computer.
In the lower right of the webpage, I noticed that they had copied the look of the bottom bar on Facebook. The problem is that they used a poor image that shows decreased quality compared to the regular images on Facebook’s bottom bar. Oh yeah, and the fact that chat is shown as enabled also tells me something is off, because I’ve disabled chat on my Facebook account. I won’t complain about the position being off a little; that’s in the next paragraph.
Now that I’ve decided to point this last piece out, it’s more like complaining. There is text on the bottom of the page which there is not on Facebook. The text in this case is showing a date and time of some sort, though it definitely isn’t today (“19.08.2009 21:00 frame counter”). Perhaps this is so that the phisherman can keep track of something, or maybe their web code is echoing something it shouldn’t.
The Symantec AntiVirus Detection Results window is nice; it gives me a sense of confidence that my computer will be protected even with potentially evil stuff trying to infect my poor little PC.
Whenever I would click anywhere on the webpage the file would try to install on my computer. Of course I needed to be smart enough to choose CANCEL instead of RUN or SAVE.
I found it more interesting that the webpage is doing tracking with an external tracking website. I would get into the specifics, but it’s really not necessary… if you have protected yourself from this, then you are good to surf on. If you have infected your computer and somehow came to this website for help, let me know and I’ll tell you how to get rid of the bad stuff.
I wonder if extremetracking.com knows what they are tracking…