Cyberattack Via MSN References Facebook, Hi5

By on Feb 17, 2010

Cyberscammers are referring to popular social networking Web sites Facebook and Hi5 in an attempt to trick Spanish-speaking computer users into clicking on a personalized malicious link sent via instant messages.

On Wednesday a friend in Ecuador sent me repeated messages via MSN Messenger. The messages asked: “Estas foto es tuyo?” with a link to a URL that resembled Facebook (but was misspelled) and a mention of Hi5 as well. (For non-Spanish speakers, the question translates to: “Is this photo yours?”)

The link included my personal e-mail address, which is also my MSN user name. I am paranoid, so I didn’t click on the link. However, I can understand that others might be duped by a message that comes from a friend, asks about a photo, includes a personalized link and references popular social networking sites.

I asked Craig Schmugar, a malware researcher at McAfee Labs, to check out the link. As I suspected, it goes straight to malware. The malicious program appears to spread itself via several instant message applications and turns an infected computer over to the attacker, Craig told me. I am not including the link in this blog posting because the Web site is live and the malware is still online.

Instead of going to a photo, the malicious link actually goes to an executable file (the malware). If you run the file, it will pop up a message that says “Picture can not be displayed.” This may give you the false sense that nothing bad is happening on your PC, but you have in fact just executed a malicious program. The attackers now have full control over your computer, and it will join a network of commandeered PCs called a botnet.

The malware displays a fake alert while the nefarious software is installed.

The map below shows detections of the attack. McAfee Artemis Technology, our real-time detection, blocks the attack. As you can see, the targets mostly appear in Central America, Latin America and Spain. No surprise, since the attack uses Spanish and refers to Hi5, which is popular in Spanish-speaking countries.

Targets of IM attack mentioning Facebook and Hi5.

This is an old trick. Cyberscammers continuously look to build out their armies of commandeered computers by sending out malware. The attacks keep getting more cunning through personalization, just as in this example.

It has been a while since I’ve seen any of my friends get infected with malware and have their contact list spammed with malicious links. I hope it will be a while until it happens again.

As a general rule, don’t click on links that arrive via instant messages or e-mail, unless you have verified that your friend indeed intended to send you a trusted link. Also, make sure you run updated security software like McAfee Total Protection to shield against these types of attacks, just in case a cybercrook is successful in tricking you into clicking on a link.
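
The traits of the link described in this post (a host that misspells Facebook, the recipient's own address embedded in the URL, and an executable rather than a photo behind it) can also be checked mechanically, for example in a message gateway filter. The sketch below is an added example, not code from McAfee or from the original post; the function names, the edit-distance threshold, the extension list and the sample URLs in the comments are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# Brands named in the post, mapped to their genuine domains.
BRANDS = {"facebook": "facebook.com", "hi5": "hi5.com"}
# Assumption: a short list of Windows executable extensions to flag.
EXEC_EXT = (".exe", ".scr", ".pif")


def edit_distance(a, b):
    """Levenshtein distance using two rows of the DP table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_brand(host):
    """Return the brand a host imitates, or None if genuine or unrelated."""
    host = host.lower().rstrip(".")
    if any(host == real or host.endswith("." + real) for real in BRANDS.values()):
        return None  # really is facebook.com / hi5.com or a subdomain
    for token in re.split(r"[.-]", host):
        for brand in BRANDS:
            # Exact brand name on a foreign domain, or a near-miss spelling.
            # Fuzzy matching is limited to long names to avoid noise on "hi5".
            if token == brand or (len(brand) >= 6 and edit_distance(token, brand) <= 2):
                return brand
    return None


def score_link(url, recipient):
    """List the lure traits from the post that appear in one received link."""
    parts = urlsplit(url)
    findings = []
    brand = lookalike_brand(parts.hostname or "")
    if brand:
        findings.append("lookalike:" + brand)
    if recipient.lower() in unquote(url).lower():
        findings.append("recipient-in-url")  # personalized link
    if unquote(parts.path).lower().endswith(EXEC_EXT):
        findings.append("executable-path")
    return findings

# Constructed sample (not the real link from the attack):
# score_link("http://faceboook-fotos.example/hi5/foto.php?user=ana@example.org",
#            "ana@example.org")
```

A link that serves an executable from a path with no telltale extension will not trip the third check, so the host and personalization signals carry most of the weight.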