Facebook users subject to yet another malware attack

Facebook members were subjected to malicious URLs posted on the walls of some of the service's most famous users, including Justin Timberlake. The same malicious links were also spread from thousands of member accounts across the social networking service, propagating by the second until the command-and-control server spreading the malware was taken offline during the day. According to Websense, Facebook members who clicked on the URLs would likely have their machines infected by malware, as only about 14% of the top anti-virus engines were able to detect the infection.

Patrik Runald, senior manager for security research at Websense, told Infosecurity that the installed malware would steal a user’s Facebook username and password, log into the user’s account, and then begin to spread the malicious link by posting messages to group and user walls and via messages to friend/group lists.

In the case of Justin Timberlake’s Facebook page, more than two million fans have signed up to follow the postings. Once accounts like these were compromised, it is easy to see, via Websense’s video evidence, how the malicious link was able to spread so rapidly across the service, literally by the second.

Runald added that links to the supposed videos had an accompanying message indicating that the recipient was in the video and should click on the link to view it. This was the lure that allowed the ruse to spread so easily across Facebook.

“Be aware of any links that talk about videos, that point to a website that looks semi-suspicious”, said Runald. However, he gave assurances that the threat is no longer active, as Websense promptly notified Facebook of the scam, and the site hosting the malicious content was taken offline.

To prevent possible infections from future scams, Runald told Infosecurity that Websense offers a free Facebook application called Defensio to monitor for malware and other malicious content on a user’s page. It can be installed on any user’s profile, in either a personal or a corporate setting.
