Facebook Koobface virus

120,000,000 people use Facebook, and we're all being targeted by "Koobface" that leverages Facebook.com's instant messaging system to infect PCs.

The target according to Yahoo?

Your credit card numbers.

Not surprisingly, the Koobface/Facebook story showed up on Yahoo! News today [editor's note: the article has been removed since this blog was written, so the link to it has also been removed], and according to Facebook's spokesman, Barry Schnitt, few people were affected (so far).

A few things about this story (and the McAfee Antivirus blog) caught our attention:

1. The fine folks at McAfee already have a security blog on Koobface of their own up. Hopefully, that will help spread the word.
2. The virus, like many, is really a social engineering attack and not a worm that spreads willy-nilly on its own.
3. Don't open links you aren't expecting--no matter how juicy they may be. It's really not worth it.
4. According to McAfee's blog, the purpose of the virus is to push you through a proxy server to enlist you in click fraud. (More on this later.)

The original Yahoo! story goes on with this quote, with wise words we couldn't agree with more:

"'Facebook requires senders of messages within the network to be members and hides user data from people who do not have accounts, said Chris Boyd, a researcher with FaceTime Security Labs. Because of that, users tend to be far less suspicious of messages they receive in the network.

'People tend to let their guard down. They think you've got to log in with an account, so there is no way that worms and other viruses could infect them,' Boyd said."

Well said, Mr. Boyd. Well said, indeed. But, meanwhile back to the click fraud.

We all know how vigilant the various search engines are working on preventing it (or at least they claim to be), but what's odd is that the Yahoo! story explicitly mentions the McAfee blog yet it fails to mention anything about click fraud and instead mentions the theft of credit card numbers.

Once again, we smell a rat. (Actually, there are probably a couple here, but we're splitting hairs.)

This component listens on TCP port 9090 and proxies all HTTP traffic, in particular looking for traffic to Google, Yahoo, MSN, and Live.com for the purpose of hijacking search results. Search terms are directed to find-www.net. This enables ad hijacking and click fraud.

Hmmm. How is it the precise mechanism is so clearly articulated in the McAfee blog, but some other excuse is fashioned up in the Yahoo! story? We all make mistakes. Perhaps an oversight. Funny though, isn't it, that their very search engine is one caught up and targeted for click fraud by the fraudsters.

'Til next time, fair readers, keep your firewalls up and your antivirus software scanning.