Close Encounters of a Viral Kind (Updated)
(Update at the end.)
There’s some malware circulating around Facebook in bogus messages with subject lines like “Wow! Are you really in this video?”
I received an email from a friend of mine this morning that contained a forwarded Facebook message:
- (snip signature)
- [Redacted] sent you a message.
- Subject: Wow! Are you really in this video?
- “:)
http://www.facebook.com/l/[redacted]:[redacted]”
The colon in the web address is significant; more on that later.
I tried Googling the name of the video as it appeared in the link. That was a dead end.
I appended “Facebook” to the search string; that turned up a number of references to other Facebook messages containing the same link, but nothing to answer the question, “What is this thingee, anyhoo?” so I went to Trend Micro’s Threat Encyclopedia.
The name of the link again turned up nothing, but there was an item stating that the Koobface Trojan, which targets Facebook users, had returned with a new twist: if you go to its fake Facebook page and then try to close the browser window, it forces a download of its malware. Trend has a video of this behavior in the article.
I clicked the link in my friend’s email. It took me to something that looked like the login page Facebook displays when you click a Facebook link without being logged into Facebook. But the wording felt wrong; it wasn’t obviously wrong, but it was just off.
I clicked the “Continue” button without entering my user name or password; it continued, whereas Facebook would have thrown an error message and redisplayed the login page. (By the way, don’t click through something like this at home unless you know what you are doing.)
It continued to gibberish, then stalled, because I was using Linux and it didn’t know what to do next.
I emailed my friend that it looked awfully fishy and asked her whether the Facebook friend who emailed her would likely use the subject line, “Wow! Are you really in this video?” My friend said, not in so many words, “Come to think of it, no.”
She later sent me this email:
After a little checking, I found out that the link in the Facebook message redirects (that’s what the colon in the web address does) to a web address in Spain. Here’s the whois information for the IP address:
role: ARSYS Role Object
address: arsys.es
address: C/ Chile 54
address: Logrono 26005 (La Rioja)
address: SPAIN
phone: +34 941 620100
fax-no: +34 941 204793
e-mail: [email protected]
remarks: trouble: www.arsys.es
admin-c: NI49-RIPE
tech-c: RLC11-RIPE
tech-c: ERO2-RIPE
tech-c: MdRO1-RIPE
nic-hdl: ARO12-RIPE
mnt-by: ARSYS-RIPE-MNT
source: RIPE # Filtered

% Information related to ‘217.76.128.0/20AS20718’

route: 217.76.128.0/20
descr: arsys.es
origin: AS20718
mnt-by: ARSYS-RIPE-MNT
source: RIPE # Filtered

% Information related to ‘217.76.128.0/19AS20718’

route: 217.76.128.0/19
descr: arsys.es
origin: AS20718
mnt-by: ARSYS-RIPE-MNT
source: RIPE # Filtered
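The two checks done by hand above, pulling the real destination out of the facebook.com/l/ shim without ever visiting it, and reading whois route objects to see which network a resolved address sits in, as an added Python example. This is not code from the post. It follows the post's description that the colon after the token marks where the redirect target begins, and additionally accepts a ';' separator (an assumption, the same shim has been seen written that way). The sample URL, the placeholder host evil.example, the address 217.76.130.10 and the trimmed whois text are constructed for illustration; the address is not the host the post looked up, only one inside the prefix printed above. Note that a route object tells you the hosting network, which is where an abuse report goes (see the remarks: trouble: line), not who is behind the page.

```python
# Added example, not code from the original post: take a Facebook link-shim
# URL apart offline and read RIPE whois route objects, without visiting the link.
import ipaddress
import re
from urllib.parse import urlsplit, unquote

SHIM_HOSTS = {"facebook.com", "www.facebook.com"}


def shim_destination(url):
    """Return the target hidden in a facebook.com/l/<token>:<target> URL, or None.

    The post identifies the colon after the token as the point where the
    redirect target begins; a ';' separator is accepted too (assumption).
    Nothing is fetched.
    """
    parts = urlsplit(url)
    if parts.netloc.lower() not in SHIM_HOSTS or not parts.path.startswith("/l/"):
        return None
    rest = url.split("/l/", 1)[1]          # everything after the shim prefix
    m = re.match(r"[^:;]*[:;](.+)", rest)  # <token><separator><target>
    if not m:
        return None
    dest = unquote(m.group(1)).strip()
    if not re.match(r"[a-z][a-z0-9+.-]*://", dest, re.I):
        dest = "http://" + dest            # bare host[:port]/path form
    return dest


def parse_whois(text):
    """Split RIPE-style whois text into objects: one dict per blank-line-separated
    block, each key mapping to the list of its values (keys such as tech-c repeat)."""
    objects, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("%"):   # blank line or server comment ends an object
            if current:
                objects.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current.setdefault(key.strip(), []).append(value.strip())
    if current:
        objects.append(current)
    return objects


def most_specific_route(ip, objects):
    """Return (prefix, origin AS) of the longest route object covering ip, or None."""
    addr = ipaddress.ip_address(ip)
    best = None
    for obj in objects:
        if "route" not in obj:
            continue
        net = ipaddress.ip_network(obj["route"][0], strict=False)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, obj.get("origin", ["unknown"])[0])
    return (str(best[0]), best[1]) if best else None


# Constructed sample URL in the shape quoted in the post (the real token and
# target were redacted there); evil.example is a placeholder host.
SAMPLE_SHIM = "http://www.facebook.com/l/abc123:http://evil.example/video.php?id=7"

# The two route objects as printed in the post; the role object is omitted here.
SAMPLE_WHOIS = """\
% Information related to '217.76.128.0/20AS20718'

route: 217.76.128.0/20
descr: arsys.es
origin: AS20718
mnt-by: ARSYS-RIPE-MNT
source: RIPE # Filtered

% Information related to '217.76.128.0/19AS20718'

route: 217.76.128.0/19
descr: arsys.es
origin: AS20718
mnt-by: ARSYS-RIPE-MNT
source: RIPE # Filtered
"""

# Constructed address inside the /20 above; not the host the post resolved.
SAMPLE_IP = "217.76.130.10"

if __name__ == "__main__":
    print("target:", shim_destination(SAMPLE_SHIM))
    print("covering route:", most_specific_route(SAMPLE_IP, parse_whois(SAMPLE_WHOIS)))
```

Resolve the extracted host with a plain DNS lookup (or read the address off a `whois` query) and feed the result to `most_specific_route`; the longest matching prefix wins, so an address in the /20 is attributed to the /20 rather than the enclosing /19.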
Update:
My friend got another email this morning. Here’s what she had to say about it. To put this in context, many persons would consider my friend and me to be “older” already. We don’t, but we did listen to White Rabbit when it was first released. And understood it:
Got another one this am from an older lady friend who said, “Wow. Awesome booty on that video.”
She would never say “awesome booty.” Good grief.