Thursday, September 25, 2008

Spammers log on to Facebook with twin IP a/c

One IP Address Sends Spam, Another Directs User To Attack Site

In what is seen as a first-of-its-kind attack on the social networking site Facebook, spammers have begun using two internet protocol (IP) addresses to infect unsuspecting users with a Trojan virus. The virus is disguised to entice the user: it masquerades as an official email sent by the popular Web 2.0 social-networking site.

When a user is added to another user’s friend list on the social network, Facebook, as a matter of protocol, sends an email to notify the user. However, the spammers included a zip attachment that purports to contain a picture, in order to entice the recipient to double-click on it. The attached file is actually a Trojan horse, which is a virus that can corrupt the hard disk of the victim. This email is sent from a domain that closely resembles facebookmail.com, an official domain used by Facebook to notify its users.
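The two traits described above, a sender domain that is a near miss of facebookmail.com and a zip attachment, can be checked on the receiving side. The following is an added example, not code from the article or from Websense; the sample addresses, file name, and the distance threshold of 2 are constructed assumptions.

```python
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr

OFFICIAL_LABEL = "facebookmail"  # from facebookmail.com, the official domain named above

def edit_distance(a, b):
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def assess(raw, max_distance=2):
    """Return findings for one raw message: near-miss sender domain, zip attachment."""
    msg = message_from_string(raw, policy=policy.default)
    domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    labels = domain.split(".")
    # Simplification (assumption): the label left of the TLD is the registered
    # name; multi-part public suffixes are not handled.
    label = labels[-2] if len(labels) >= 2 else domain
    findings = []
    if 0 < edit_distance(label, OFFICIAL_LABEL) <= max_distance:
        findings.append(f"lookalike sender domain: {domain}")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(".zip") or part.get_content_type() == "application/zip":
            findings.append(f"zip attachment: {name}")
    return findings

def build_sample(sender, attach_zip):
    """Constructed test message; addresses and file name are made up."""
    m = EmailMessage()
    m["From"], m["To"] = sender, "user@example.org"
    m["Subject"] = "You have been added as a friend"
    m.set_content("A picture is attached.")
    if attach_zip:
        m.add_attachment(b"PK\x03\x04constructed", maintype="application",
                         subtype="zip", filename="picture.zip")
    return m.as_string()

if __name__ == "__main__":
    print(assess(build_sample("Facebook <notify@faceb00kmail.example>", True)))
    print(assess(build_sample("Facebook <notify@facebookmail.com>", False)))
```

A From header that matches the official domain exactly can still be forged, so this check covers only the near-miss domain case the article describes.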

One IP address is used to send the spam, while the other directs the user to the attack site. This makes it difficult for the site vendor to block the malicious spam. Earlier, when spammers used one IP address to launch a spam or phishing attack, vendors found it easy to block the lone address. But with two IP addresses being the norm of the day, it is an indication that the spammers are now more sophisticated in their modus operandi.

“Initially, Orkut was a very large breeding ground for virus attacks. But now it has moved to MySpace and Facebook. Perception amongst people is that Facebook is for a more sophisticated user. The age group here is more varied, while in Orkut it is more of a college crowd,” said Frost & Sullivan deputy director (ICT practice) Kaustubh Dhavse.

With the increasing level of awareness amongst people, spammers are now getting smarter. Less-sophisticated spammers use deceptive servers; in this case, however, they have used the authentic Facebook server to increase the legitimacy of the email and evade reputation-based spam filters. After a person logs onto the authentic Facebook site, it directs them to the spam mail. Most of these viruses are the ‘payload’ kind, which, once in the system, will just sit there and control the system remotely.

“It is difficult for security products to block such spams and phishing attacks as there are two IP addresses being used and only one can be easily traced,” said Websense channel manager (SAARC and India) Jyoti Prakash. Websense Security Labs discovered this new malicious social-engineering spam campaign.
