New Koobface campaign spoofs Adobe's Flash updater

Earlier this week, the botnet masters behind Koobface, the most efficient social-engineering-driven botnet, launched a new campaign that is currently spreading across Facebook with a new template: a spoofed Adobe Flash updater embedded in a fake YouTube page.

The campaign relies on compromised legitimate web sites, which now account for 77% of malicious sites overall, and on hundreds of automatically registered Blogspot accounts. The CAPTCHAs for those registrations are solved by users already infected with Koobface, a change from the gang's earlier reliance on commercial CAPTCHA-solving services.

Here are some of the most popular messages currently being posted on Facebook (misspellings reproduced as posted):

• Coongratulations! You are on TV!
• Funny vide0 with me :)
• HHolly sshit! Are you rreally in thiss viideo?
• Hollyy shhit! You are on hiidden cameera!
• Nicee! YYour boooty lookks greaat on thiss videoo!
• Saw thhat vvideo yesterdday... How coulld you do succh a thingg?
• Sweet!! Yourr ass loooks greaat on thiss video!!
• WWow! Is tthat reeally you in thaat videeo?
• You must see this vide0 now! :)
• You werre caughtt on our hiddeen camera!!
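The lures above share a pattern: doubled letters and digit-for-letter swaps that defeat a naive exact-match filter while staying readable to the victim. The following is an added example, not code from the original post, of how a filter can canonicalize a message before matching it against a known lure set. It assumes the ten messages listed above as its seed list and a constructed handful of test posts; the normalization rules (collapse repeated letters, undo leet digits, strip punctuation) are an assumption about how the obfuscation was generated, chosen so that variants of one lure map to the same key.

```python
import re

# Seed list: the lure messages quoted in the post above, misspellings as posted.
KNOWN_LURES = [
    "Coongratulations! You are on TV!",
    "Funny vide0 with me :)",
    "HHolly sshit! Are you rreally in thiss viideo?",
    "Hollyy shhit! You are on hiidden cameera!",
    "Nicee! YYour boooty lookks greaat on thiss videoo!",
    "Saw thhat vvideo yesterdday... How coulld you do succh a thingg?",
    "Sweet!! Yourr ass loooks greaat on thiss video!!",
    "WWow! Is tthat reeally you in thaat videeo?",
    "You must see this vide0 now! :)",
    "You werre caughtt on our hiddeen camera!!",
]

# Digit-for-letter substitutions seen in the lures ("vide0"); the rest are
# assumed extensions of the same trick.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t"})


def normalize(text):
    """Canonicalize a post so obfuscated variants of one lure collide.

    Lowercase, undo digit substitutions, collapse any run of the same letter
    to a single letter (this also squashes legitimate doubles such as 'll',
    which is fine because the seed list goes through the same function),
    drop punctuation and squeeze whitespace.
    """
    t = text.lower().translate(LEET)
    t = re.sub(r"([a-z])\1+", r"\1", t)   # 'coongratulations' -> 'congratulations'
    t = re.sub(r"[^a-z ]+", " ", t)       # punctuation and emoticons become spaces
    return " ".join(t.split())


LURE_KEYS = {normalize(m) for m in KNOWN_LURES}


def is_koobface_lure(post):
    """True when the post canonicalizes to one of the known lure keys."""
    return normalize(post) in LURE_KEYS


if __name__ == "__main__":
    # Constructed test posts: a cleaned-up variant, a fresh re-obfuscation, and a benign one.
    for p in ["Holly shit! You are on hidden camera!",
              "WOW!! Is thhat rreally you in that vide0?",
              "Happy birthday, see you at the party"]:
        print(is_koobface_lure(p), "<-", p)
```

The exact strings never match each other (`"Holly shit! You are on hidden camera!"` is not in `KNOWN_LURES`), but their keys do, so a single seed entry catches the whole family of spellings without a regex per message.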

Visiting any of the URLs pushed out by Koobface-infected Facebook users triggers a redirection to (infected IP)/go.js?0x3E8/youtube/console=yes/, which not only serves the setup.exe Koobface binary but also launches a pop-up pointing to a scareware domain that is rotated automatically every 24 hours to evade detection. This double-layer monetization by the Koobface gang began at the end of September and is still active, with the gang earning revenue through a scareware affiliate network known as "Crusade Affiliates".
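The redirection chain just described has three observable steps on a proxy: a go.js request to a bare-IP host with youtube/console=yes in the query, a setup.exe fetch from that same host, and a pop-up to a freshly rotated scareware domain. The following is an added example, not code from the original post, of correlating those steps per client over proxy logs. The log format (timestamp, client, URL), the 60-second window, and the sample lines are constructed; 203.0.113.7 and the .invalid domain are placeholders. The "domain not seen before" rule for the pop-up is a heuristic that follows from the 24-hour rotation, not something the post states.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed proxy log, not real traffic. Fields: ISO time, client IP, URL.
# Client 10.1.1.5 walks the Koobface chain; 10.1.1.9 downloads an unrelated
# setup.exe from a normal CDN and must not be flagged.
SAMPLE_LOG = """\
2009-11-12T10:00:01 10.1.1.5 http://www.facebook.com/home.php
2009-11-12T10:00:09 10.1.1.5 http://203.0.113.7/go.js?0x3E8/youtube/console=yes/
2009-11-12T10:00:11 10.1.1.5 http://203.0.113.7/setup.exe
2009-11-12T10:00:12 10.1.1.5 http://scan-now-example.invalid/?aff=1234
2009-11-12T10:05:30 10.1.1.9 http://www.youtube.com/watch?v=abc
2009-11-12T10:06:00 10.1.1.9 http://cdn.example.net/setup.exe
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+)$")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# The redirector path quoted in the post: /go.js?<hex>/youtube/console=yes/
GOJS_RE = re.compile(r"^/go\.js\?.*youtube/console=yes", re.I)
WINDOW = timedelta(seconds=60)  # assumed: dropper and pop-up follow within a minute


def parse(log_text):
    """Yield (time, client, host, path+query) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, client, url = m.groups()
        u = urlsplit(url)
        path = u.path + ("?" + u.query if u.query else "")
        yield datetime.fromisoformat(ts), client, u.hostname or "", path


def detect(log_text):
    """One alert per go.js hit on a bare-IP host.

    Each alert records the dropper (setup.exe from the same host) and any
    domain the same client contacted within WINDOW that no client had
    contacted earlier in the log: the rotated scareware landing candidates.
    A setup.exe download on its own is deliberately not an alert.
    """
    events = list(parse(log_text))
    alerts = []
    for i, (ts, client, host, path) in enumerate(events):
        if not (IPV4_RE.match(host) and GOJS_RE.match(path)):
            continue
        seen_before = {h for _, _, h, _ in events[:i] if h and not IPV4_RE.match(h)}
        alert = {"client": client, "infected_host": host,
                 "dropper": None, "popup_domains": []}
        for t2, c2, h2, p2 in events[i + 1:]:
            if c2 != client or t2 - ts > WINDOW:
                continue
            if h2 == host and p2.lower().endswith("setup.exe"):
                alert["dropper"] = h2 + p2
            elif h2 and not IPV4_RE.match(h2) and h2 not in seen_before:
                alert["popup_domains"].append(h2)
        alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(a)
```

Keying on the go.js redirector rather than on setup.exe keeps the benign CDN download out of the alert list, and the first-seen-domain rule surfaces the rotating scareware host without needing a blocklist that would be stale within a day.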

Although "visual social engineering" was monetized within the cybercrime ecosystem long ago, with legitimate-looking spoofs of popular applications and sites available for purchase, the latest Koobface campaign relies on an unlicensed copy of HyperSnap 6, which the gang used to take the YouTube screenshot. The result is a "buy a license" stamp embedded in every bogus YouTube page.

Topics: Enterprise Software, Malware, Security, Social Enterprise

Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.


Talkback

4 comments
  • Only one OS is affected:

    "The Windows operating system is currently the
    only operating system affected by these worms."
    HollywoodDog
    • Yes, 77% of web sites running *nix.

      Care to comment?
      No_Ax_to_Grind
  • This is why we can't have nice things

    NT
    The one and only, Cylon Centurion