Facebook Worm Redux Taps Google Sites

Once again, social networking site Facebook has been hit by the Koobface worm, which has been used to attack it several times since July.

This latest attack, discovered by security vendor Fortinet, sends a message to users' Facebook friends urging them to click to view a video uploaded to either Google's Picasa photo-sharing site or to a shared video in Google Reader RSS feed aggregation site.

When victims try to do so, an error message pops up, asking them to download a new version of "Video ActiveX Object" so they can view the video. The Video ActiveX Object is a known malware application that helps spread Trojans (define) Zlob and Smitfraud.

The disclosure comes as the latest high-profile attack built around major, widely regarded sites. The fact that hackers are using Google's (NASDAQ: GOOG) Reader and Picasa sites is by design, in an effort to make the worm more likely to spread.

"Google is a trusted brand, so people are more likely to try to download the video," Guillaume Lovet, senior manager of Fortinet's security research team, told InternetNews.com. As a result, Lovet said he thinks Facebook will find this attack difficult to deal with.

"Their security policies are not going to blacklist Google or filter out links to Google sites, which have a high reputation," he said. Many antispam and antivirus software filters out or blocks URLs based on their reputation or ranking. The more secure and trusted a site is, the higher its reputation.

The worm has been kicking around for several months in various permutations but following a similar strategy. In early August, it resurfaced when hackers posted messages on Facebook users' sites, urging visitors to view a video purported to be hosted by Google or YouTube.

Clicking on the video downloaded a worm, and Facebook said a slim minority -- about 220,000 of its 110 million users -- were affected.

Barry Schnitt, a Facebook spokesperson, agreed with Lovet that Facebook will not cut off access to Google links as a result of the renewed round of attacks. However, he also said that the problem remains challenging for Facebook.

"It's difficult to deal with because the cybercriminals are changing the links they send people to, and the way they reach people, and they're very good at hiding the worm, especially using trusted sites like Google Reader," Schnitt told InternetNews.com.

Fortinet has already notified Google and Facebook about the latest attack, it said, while Schnitt confirmed that Facebook is talking to Google about closing the redirects from the Koobface worm. It's unclear, however, what action Google may take on the matter.

"We're investigating reports we've received on this issue and are committed to shutting down any accounts that violate our guidelines," a Google spokesperson said in an e-mail to InternetNews.com.

Lovet said the Koobface worm also targets another social networking site, MySpace.com, but Facebook is "the target of choice because it's so prevalent." Traffic monitor comScore Networks reported that MySpace had 117.6 million unique users in June, compared to 132.1 million visitors for Facebook.

This article was first published on InternetNews.com. To read the full article, click here.