Today, one of our old friends, Mark Coker, got three different emails purporting to be about Facebook. He twittered about it here and asked me what it was about.
He actually got three emails, all in short order, with this subject (remember, future attempts will have different subjects) ...
Review - My family invite you out for lunch, don't hesitate!
And if you click the embedded link, you're taken to a fairly convincing-looking Facebook page...
Notwithstanding the funny-looking URL that I've circled in red, the rest of the page looks convincing. If you are alert enough to look at the URL, then you know you're not at a real FB page, but as I've often said, they don't want to catch everyone... they don't want to cut down the apple tree... they just want to shake it and pick up the apples that fall off.
If you click anywhere on the image, you get the "pitch" screen, that looks like this...
and then you get a convincing-looking Adobe download dialog. Given the number of recent Adobe updates, this will catch a bunch of folk, and they will indeed run the installer. This approach, by the way, works no matter how well you are patched, and probably even works if you are running full-blown UAC in Vista....
If you run it, of course, you no longer own your machine. It belongs to them, because it installs a rootkit....
This one is worse than most, because once it runs, it's subtle... it doesn't pop up messages asking you to install some antispy ... it's just _got_ you.
Remember, as the economy worsens around the world, the Bad Guys are more motivated than ever to get into your PC.
Keep safe folks,
Roger
Kieran thought it was sad that people would get fooled by the dialog.
Yep... of course, the point is that these guys don't want to catch everyone... they couldn't handle it if they did. As long as they catch *enough*, they're happy.
Posted by: Roger | March 06, 2009 at 03:30 PM
David asked if he had installed KoobFace. It's possible that you got nailed, but it's possible that it was just a genuine update, because there are updates to Flash. The best idea is to update your AV software (hopefully it's AVG :-) ) and let it look.
Posted by: Roger | March 06, 2009 at 03:26 PM
I just read the comments on the request to download and install an update to Adobe Flash from a pop-up that looks real. It said I needed the update to view the video on YouTube I wanted to open. Like a dummy, I installed it. Since then I am getting strange things happening, especially while using Yahoo Mail. Could this be the virus 'Koobface botnet worm'? If so, is there anything I can do to remove it from my desktop?
Posted by: David K. Wollenweber | March 05, 2009 at 08:35 PM
It's just sad that some people would believe that dialog box in the second picture. In the age of computers, everybody is computer-illiterate.
--K
Posted by: Kieran | March 05, 2009 at 02:19 PM
Heh! Well, _I_ do. :-)
Cheers
Posted by: Roger | March 04, 2009 at 03:52 PM
Come on. Who really pays any attention to the url while on Facebook ;-)
Posted by: Userid Swappa | March 04, 2009 at 08:36 AM