New Koobface campaign spoofs Adobe's Flash updater

Summary:Earlier this week, the botnet masters behind the most efficient social engineering driven botnet, Koobface, launched a new campaign currently spreading across Facebook with a new template spoofing Adobe's Flash updater embedded within a fake Youtube page.

Earlier this week, the botnet masters behind the most efficient social engineering driven botnet, Koobface, launched a new campaign currently spreading across Facebook with a new template spoofing Adobe's Flash updater embedded within a fake Youtube page.

The malware campaign is relying on compromised legitimate web sites, now representing 77% of malicious sites in general, and on hundreds of automatically registered Blogspot accounts with the CAPTCHA recognition process done on behalf of the users already infected by Koobface, compared to the gang's previous reliance on commercial CAPTCHA recognition services.

Here some of the most popular messages posted on Facebook for the time being:

Coongratulations! You are on TV! Funny vide0 with me :) HHolly sshit! Are you rreally in thiss viideo? Hollyy shhit! You are on hiidden cameera! Nicee! YYour boooty lookks greaat on thiss videoo! Saw thhat vvideo yesterdday... How coulld you do succh a thingg? Sweet!! Yourr ass loooks greaat on thiss video!! WWow! Is tthat reeally you in thaat videeo? You must see this vide0 now! :) You werre caughtt on our hiddeen camera!!

Upon visiting any of the URls issued by Koobface-infected Facebook users, a redirection to a (infected IP)/go.js? 0x3E8/youtube/console=yes/ takes place which is not only serving the setup.exe Koobface malware, but is also launching a pop-up with a scareware domain that is automatically rotated every 24 hours in order to evade detection. This double-layer monetization applied by the Koobface gang started taking place at the end of September, and remains active with the gang earning revenue by participating in a scareware affiliate network known as "Crusade Affiliates".

Despite that the "visual social engineering" tactic has been monetized within the cybercrime ecosystem a long time ago, with legitimately looking spoofs of popular applications and sites available for purchase, the latest Koobface campaign is relying on an unlicensed copy of HyperSnap 6 which the gang used to take the Youtube screenshot, which results in a "buy a license" stamp embedded on every bogus Youtube page.

Topics: Enterprise Software, Malware, Security, Social Enterprise

About

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, and cybercrime incident response. He's been an active security blogger since 2007, and maintains a popular security blog sharing real-time threats intelligence data with the rest of the community... Full Bio

zdnet_core.socialButton.googleLabel Contact Disclosure

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Related Stories

The best of ZDNet, delivered

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.