NEWS FROM THE LAB - Wednesday, December 31, 2008

Your Friendster Contacts Are Belong To Us
Posted by WebSecurity @ 06:51 GMT

Addendum to our earlier post, Fake Friendster and Facebook Sites with One IP Address:

A lot of Friendster users have been complaining about receiving lots of invitations to view a fake video from their contacts (who presumably would not usually send malicious content to their friends).

Here is an example of such an invite, from a known contact:

[Image: Friendster message]

So how are the spammers getting access to the contacts lists?

Well, as we mentioned in our earlier post, a phishing site that mimics the real Friendster site steals the user's e-mail address and password information. Once the bad guys have that information, they can use it to access the account, and then use the account to start spamming malicious links to all contacts. Simple and effective, really. Users receiving these messages from a contact are more likely to disregard caution and click on the link.

This particular link leads the user to the legitimate domain, files.myopera.com, and a file named video.gif. But wait — to check the contents of the file, try using view-source (in Firefox). As it turns out, users will be redirected to a malicious, fake video site.

[Image: View Source]
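A defender-side check for the disguise described above, as an added example that is not part of the original post: it compares a fetched body against the magic bytes of the image type its file name claims and looks for markup that could redirect the browser. The function name, the redirect patterns and the sample bytes are assumptions constructed for illustration; the text of the post does not reproduce the contents of video.gif.

```python
import re

# Leading magic bytes of the image types a link might claim to be.
IMAGE_MAGIC = {
    ".gif": (b"GIF87a", b"GIF89a"),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
}

# Assumed redirect idioms; the post does not say which one video.gif used.
REDIRECT_PATTERNS = [
    ("meta-refresh", re.compile(rb"<meta[^>]+http-equiv\s*=\s*[\"']?refresh", re.I)),
    ("js-location", re.compile(rb"(?:window|document|top|self)\.location\b|location\.(?:href|replace|assign)", re.I)),
    ("html-markup", re.compile(rb"<\s*(?:html|script|iframe)\b", re.I)),
]

# Constructed samples (not the real file from the post).
FAKE_GIF = b'<html><head><meta http-equiv="refresh" content="0;url=http://video.example.invalid/"></head></html>'
REAL_GIF = b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff,\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;"


def triage_image_link(filename, body):
    """Classify a fetched body whose URL ends in an image extension.

    Returns (verdict, reasons). Verdicts: "image", "polyglot-suspect" (valid
    magic bytes but markup near the top), "disguised-markup" (HTML/script
    behind an image name), "mismatch" (not an image, no markup found) and
    "not-checked" (extension is not a known image type).
    """
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    magics = IMAGE_MAGIC.get(ext)
    if magics is None:
        return "not-checked", ["extension is not a known image type"]
    head = body[:4096]  # markup that triggers a redirect sits near the top
    hits = [name for name, pat in REDIRECT_PATTERNS if pat.search(head)]
    if body.startswith(magics):
        return ("polyglot-suspect", hits) if hits else ("image", [])
    reasons = [f"body does not start with {ext} magic bytes"]
    if hits:
        return "disguised-markup", reasons + hits
    return "mismatch", reasons


if __name__ == "__main__":
    print(triage_image_link("video.gif", FAKE_GIF))
    print(triage_image_link("video.gif", REAL_GIF))
```

A mail or web gateway could run such a check on bodies fetched from links in messages before the link is shown as clickable.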

Of course, the new site will prompt users to "update the video player" with a certain file in order to view the video.


The file the site would like you to download is cunningly named setup.exe. We detect it as net.worm.win32.koobface.dd, a worm that, incidentally, also spreads on social interaction websites.

As usual, beware of clicking any URL links, whether from a known or unknown sender. Don't forget to change your Friendster account password regularly to avoid abuse.