Earlier this week, the botnet masters behind the most efficient social engineering driven botnet, Koobface, launched a new campaign currently spreading across Facebook with a new template spoofing Adobe's Flash updater embedded within a fake Youtube page.
The malware campaign is relying on compromised legitimate web sites, now representing 77% of malicious sites in general, and on hundreds of automatically registered Blogspot accounts with the CAPTCHA recognition process done on behalf of the users already infected by Koobface, compared to the gang's previous reliance on commercial CAPTCHA recognition services.
Here some of the most popular messages posted on Facebook for the time being:
Coongratulations! You are on TV! Funny vide0 with me :) HHolly sshit! Are you rreally in thiss viideo? Hollyy shhit! You are on hiidden cameera! Nicee! YYour boooty lookks greaat on thiss videoo! Saw thhat vvideo yesterdday... How coulld you do succh a thingg? Sweet!! Yourr ass loooks greaat on thiss video!! WWow! Is tthat reeally you in thaat videeo? You must see this vide0 now! :) You werre caughtt on our hiddeen camera!!
Upon visiting any of the URls issued by Koobface-infected Facebook users, a redirection to a (infected IP)/go.js? 0x3E8/youtube/console=yes/ takes place which is not only serving the setup.exe Koobface malware, but is also launching a pop-up with a scareware domain that is automatically rotated every 24 hours in order to evade detection. This double-layer monetization applied by the Koobface gang started taking place at the end of September, and remains active with the gang earning revenue by participating in a scareware affiliate network known as "Crusade Affiliates".
- Go through related posts: Gallery: Social engineering tactics of the Koobface botnet; Koobface worm joins the Twittersphere; Koobface Facebook worm still spreading; 56th variant of the Koobface worm detected
Despite that the "visual social engineering" tactic has been monetized within the cybercrime ecosystem a long time ago, with legitimately looking spoofs of popular applications and sites available for purchase, the latest Koobface campaign is relying on an unlicensed copy of HyperSnap 6 which the gang used to take the Youtube screenshot, which results in a "buy a license" stamp embedded on every bogus Youtube page.