Has Facebook just been hit with a new IM spam attack?

6 Aug 2010

A security expert has reported there may be a new worm circulating on Facebook via instant message (IM). The jury is out on whether the spam attack is in conjunction with a worm, but the suspicion is that criminal organisations may be involved.

Randy Abrams, director of Technical Education at ESET, has reported that there may be a new worm circulating on Facebook. A contact received an instant message from a friend on Facebook that said:

“Hey i just made myself a cartoon omg lol ill show you but you gotta do urs too”

The IM also included a link to a website that claims to allow you to upload a picture and it will turn it into a cartoon for a fee.

“While my friend did not click on the link, his friend did not send the IM, but did click on the same message when he got it from a friend,” Abrams said.

“At the very least, this is an IM spam attack, but it isn’t clear if it is in conjunction with a worm. It may turn out that it is not a worm, but another type of attack that involves multiple levels of criminal organisations, which to some degree are being aided by the privacy laws in Holland.

“To begin with, there are stolen credential attacks. The two primary ways that a crook steals a Facebook account are by phishing for the information and by guessing the username and password. If you use the same password at Facebook that you used on another site and you got phished for another site, then the odds are the bad guys will get your Facebook or MySpace or other social networking accounts.”

Levels of cyber crime

The stealing of account credentials is the first level of crime. Next come the spammers who use the stolen accounts to send email or instant messages.

In the Facebook case Abrams and the ESET team are following, it could be a case of stolen credentials, but there are signs that clicking on the IM causes your Facebook account to IM your friends. The IM is spam and contains a link. The link goes to a website registered in Holland.

Because of Holland’s privacy laws, ESET is unable to find out who owns the domain. Abrams added: “As long as crooks can hide the ownership of domains we will have a much rougher battle against cyber criminals.”

It is possible that the level of crime stops at the spammer who is probably being paid to direct traffic to a website. The operators of the site receiving the traffic may not know that the spammer is using unsavoury tactics to redirect.

After clicking on the link in the IM, there are at least redirects before you arrive at the site that lets you turn your picture into a cartoon. To share the cartoon, you have to sign up for a service that costs US$9.99-US$19.99 per month. The terms of service indicate that your text-messaging capability is required for all services.

This may be a legitimate, if over-priced, website; however, there are still more potential levels of crime here, warned Abrams. By signing up, your mobile phone might start automatically calling premium rate phone numbers. Your credit card details could additionally be sold to other criminals.

“It is not uncommon for people to have their credentials stolen, thereby allowing a hacker to access their email and social networking accounts. For this reason you must take extra precautions to be sure that when a friend sends you a link you verify it really was the friend who sent it.

“One wrong click and you may spam all your friends. If the link directs you to download or run a program, be even more wary. Always exchange a message or two and ask if they really did send you the link. If they say ‘no’ then you know it is a problem.”

John Kennedy is a journalist who served as editor of Silicon Republic for 17 years