This morning, I was once again browsing through my Facebook lists (man, Facebook really is a gold mine of material for the cybersecurity world, isn’t it?). I came across something a friend of mine posted, it is entitled “My ex-girlfriend of 2 years cheated on me… here is my revenge!” There is a picture of a scantily clad woman with a link off-site. This friend is a different friend than the one I took to Peru and tossed his iPod into the lake.
My brain started making all sorts of not-so-random associations. Recall that a couple of days ago, I posted that I received a Friend invite from a spammer. And in that invite, there was a picture of a woman in a seductive pose. Having an idea that there might be some relation here, I decided to click on the link being pretty certain that I knew what was going to occur. I clicked on the link and Facebook prevented me from going to it – I was told “Sorry, the link you are trying to visit has been reported as abusive by Facebook users.”
Now my curiosity started to kick in. Was it abusive because the material was offensive? Or was it abusive because the content was malware? I decided to go to the link myself and find out for certain. I went to the page and it had another image (non-offensive… actually, neither image was offensive) but it said to click on a link to download the full image set. Right away, I pretty much knew what it was – a social engineering trick that uses seductive images of women to get people (mostly men) to download the images but in reality installs a worm. The invitation to treat is in the original image, and the payload is not what people bargained for. I checked out the WHOIS info and it was inconclusive.
But the story gets more interesting than this.
I just uploaded a post on CircleID this morning. As I normally do from time to time, after creating my post, I decided to read the posts of other authors. I am currently tied for the 19th most prolific author on there, and I like to read the posts of the most prolific writers. One of them is Gadi Evron, a security consultant who used to work for the Israeli government in their cybersecurity space. I have read a bunch of his posts on CircleID and some of the other posts on his web site.
Now here is where the story gets interesting. For some reason, I decided to do a Bing search for his name. I don’t know why I did this, I think I just wanted to check out his web page again. I found his home page and gave it a quick glance and read his Career Highlights. I then read through his most recent tweets. Here is the most recent one (as of 9:55 am PST, Jan 29, 2009):
yet another facebook worm with a sexy lure ("I cheated on my girlfriend, here's my revense" [sic]-- don't click on it!)
Right then, I knew that my initial (subconscious) guess was correct. This new post that my friend had put up was actually a redirection to a malware page. My friend had fallen prey to it and Facebook was right to block it because it links to malicious content. Good for Facebook, they’re on the ball. However, I thought it was pretty neat/strange/coincidental that a bunch of seemingly random events could all be tied together.
So, unlike the last Facebook incident I encountered where I did nothing, this time I around I did something. I went to my friend’s profile and posted that this was a Facebook worm, not a “legitimate” joke. Hopefully he didn’t click on the link or download/install anything.