Earlier today my ZDNet partner-in-crime Ryan Naraine posted about the latest Facebook worm, which tries to get users to download a malicious codec from a video appearing to be shared through Google Reader.
I have a couple of disclosures in relationship to this worm:
- It was researched and reported by network security appliance vendor Fortinet, which also happens to be my employer
- I had a bit of a hand in discovering it
I awoke this morning to a Facebook alert from an old coworker that said, "Sommebody uupload a viideo witth you on utubee. you shuold ese." What's interesting is that I didn't initially notice the very poor spelling. I read right through it to the context, and with a bit of hesitation I went to my Facebook inbox (note: NOT from the email -- I logged straight into Facebook through an open browser). I saw in the Facebook note that the site redirected to a Google shared site at what appeared to be a valid URL -- I chanced it (NOT recommended). I didn't touch the video as I immediately knew there was an issue. But I should've realized it sooner.
At that point, I engaged Guillaume Lovet, senior manager of our FortiGuard Global Security Research Team, who led our research efforts. Ryan has all of the details of the worm itself in his blog post, but the point is that no matter your associations, understanding or education when it comes to security or social media, one cannot be too careful.
I asked Guillaume to share five tips that would help curious people who know better and novice users alike spot malicious threats via social networks -- as well as a couple of ways they might protect themselves:
- Beware of messages with a link inside. That should first trigger your threat alarm.
- In such a case, pause one second and ask yourself if the message you're reading is from who it claims to be. It's very easy with people you know, because everyone has a "digital voice" of his/her own, a writing style that cannot be imitated by worms. Yet.
- A lot of the social engineering sleights of hand used on social networking sites rely on teasing the victim into watching a video. Keep in mind that online videos share a very common format (i.e. Flash), so if you can normally see flicks on YouTube or DailyMotion, you won't ever need any additional plugin or codec. Most importantly: codecs which come in the form of executable setup files are, in this context, Trojans.
- Don't browse the Web with a system that's not up-to-date with security updates. Often, those malicious end-points carry some web-browser exploits that will actually push the Trojan onto your system without your knowledge, let alone your interaction. This won't happen if your browser is up to date. You may prefer alternate browsers for that purpose, hence reducing the exploit surface in your gear.
- If you failed somewhere, or if the malicious site exploited some unpatched flaw in your browser, antivirus gear may very well save you. A combination of antivirus and Web content filtering creates stronger protection: if the malicious site is blacklisted by the Web filter, antivirus may not even be needed to make the attack fail, but it is always good to have both, given the increasing sophistication of threats.
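The third tip above turns on one concrete check: a real video never needs a "codec" that arrives as a setup program. The script below is an added example (not part of the original post, and not Fortinet or FortiGuard code) showing how to tell whether a downloaded "codec" is actually a Windows executable by looking at its content rather than its name. It assumes the lure comes as a Windows PE file, the only case the post describes; the sample bytes are constructed inline, and the filename patterns are illustrative, not taken from the worm.

```python
import struct

# Extensions that Windows will execute. Illustrative list; the post only says
# "executable setup files", so treat this as an assumption, not a complete set.
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".msi")


def is_pe_executable(data: bytes) -> bool:
    """True if the bytes carry a Windows PE header: an 'MZ' DOS stub whose
    e_lfanew field (offset 0x3C) points at the 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 4 > len(data):
        return False  # pointer runs past the file: truncated or not a PE
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def looks_like_flash_video(data: bytes) -> bool:
    """FLV files (the Flash video format YouTube used at the time) start with 'FLV'."""
    return data[:3] == b"FLV"


def classify_codec_download(filename: str, data: bytes) -> str:
    """Decide whether a file offered as a 'codec' should be trusted.
    Content wins over the name: a renamed .exe is still an executable."""
    name = filename.lower()
    if is_pe_executable(data):
        return "REJECT: file is a Windows executable; a codec installer in this context is a Trojan"
    if name.endswith(EXECUTABLE_SUFFIXES):
        return "REJECT: executable extension on a supposed codec"
    if looks_like_flash_video(data):
        return "OK: Flash video, plays in the browser plugin you already have"
    return "UNKNOWN: not an executable, but not a recognised video format either"


# Constructed sample inputs (not captured from the worm).
def build_minimal_pe() -> bytes:
    """Smallest byte string that satisfies the PE header check above."""
    buf = bytearray(0x44)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)   # e_lfanew -> offset 0x40
    buf[0x40:0x44] = b"PE\x00\x00"
    return bytes(buf)


SAMPLE_PE = build_minimal_pe()
SAMPLE_FLV = b"FLV\x01\x05\x00\x00\x00\x09"      # standard 9-byte FLV header

if __name__ == "__main__":
    print(classify_codec_download("video_codec_setup.exe", SAMPLE_PE))
    print(classify_codec_download("funny_video.flv", SAMPLE_PE))   # renamed, still rejected
    print(classify_codec_download("funny_video.flv", SAMPLE_FLV))
```

The point of checking the bytes and not just the extension is that the lure page controls the filename; the MZ/PE header is what the operating system actually acts on.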
What other tips can you share?
Update 10/29/08 8:18 a.m.: It appears that the Facebook worm culprits are also trying to leverage Google Picasa the same way they were leveraging Google Reader.