Koobface is one of the better-known botnets that uses Facebook as a propagation medium (a channel through which the malware spreads).  The recent New York Times article and a report by Nart Villeneuve of the Information Warfare Monitor give an in-depth view of Koobface’s operating components and monetization strategy.  What stands out is the contrast between the novelty of spreading through a social network and the maturity of the monetization schemes, which are the same ones that have backed malware for years: affiliate networks for pay-per-click (PPC) fraud and the sale of fake security products.  The new trend is not new methods but old ones pushed through social networks, specifically Facebook.

To propagate, Koobface uses a large number of fake accounts to distribute its messages.  These fake accounts act as a screen that hides the real source of the messages.  Some of the Facebook accounts targeted have large friend lists, which is what gives each compromised account its reach.  The report’s statistics give the following breakdown:

  • 21,790 Facebook accounts attacked with a total of 935,000 friends
  • 350,854 total Blogger accounts
  • 522,633 total Google accounts
  • 4,842 total Google Reader accounts

In addition to sending messages, the fake accounts are used to create intermediate pages that host the actual attack, such as a blog post containing a fake video.  Two parts of this are interesting:

  1. A fake account is as much of a threat as a malicious URL, yet security companies generally don’t treat “fake” accounts as threats.  As users we tend to trust people: once you’ve accepted a friend request, that account can keep sending you messages until you unfriend it.  When a message carries malicious content, we assume it’s not the friend’s fault, that they’ve been duped.  And a friend of a friend always seems safer than a stranger somehow.  So once connected, the accounts appear to propagate undetected, as the large friend counts above show.
  2. Because the lure is posted through a blog, the link the victim receives points at a reputable blogging host and doesn’t look malicious, to the user or to a filter that judges only that first URL, until the victim reaches the attack itself.
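The second point is the one a defender can act on: a reputation check applied to the link a user clicks sees a blog host and passes it, while the harm sits one or two hops further on.  The script below is an added example, not code from the original post or from the Koobface research it cites.  It follows a link through intermediate pages and judges the whole chain rather than the first hop.  All hostnames, page contents and the blocklist are constructed sample data, and "fetching" reads from an in-memory dictionary, so it runs offline.

```python
"""Follow a link through intermediate pages and judge the whole chain.

Added example (not from the page or from the Koobface research it cites).
Hostnames, page contents and the blocklist below are constructed sample
data; no network access is made, "fetching" reads from the in-memory dict.
"""
import re
from urllib.parse import urljoin, urlparse

# Constructed pages: a blog post on an otherwise reputable host links to a
# "video" page, which silently forwards to the real payload host.
PAGES = {
    "http://blog.example-host.test/post/funny-video": (
        "<html><body><p>You have to see this!</p>"
        '<a href="http://video-cdn.example-host.test/watch?id=1">Play video</a>'
        "</body></html>"
    ),
    "http://video-cdn.example-host.test/watch?id=1": (
        '<html><head><meta http-equiv="refresh" '
        'content="0;url=http://setup-codec.badhost.test/setup.exe"></head>'
        "<body>Loading player...</body></html>"
    ),
    "http://setup-codec.badhost.test/setup.exe": "<binary placeholder>",
}

BLOCKLIST = {"badhost.test"}  # constructed reputation list of bad base domains

META_REFRESH = re.compile(
    r'<meta[^>]+http-equiv=["\']?refresh["\']?[^>]+url=([^"\'> ]+)', re.I)
JS_LOCATION = re.compile(
    r'(?:window\.)?location(?:\.href)?\s*=\s*["\']([^"\']+)["\']', re.I)
ANCHOR = re.compile(r'<a[^>]+href=["\']([^"\']+)["\']', re.I)


def fetch(url):
    """Offline stand-in for an HTTP GET; returns the page body or None."""
    return PAGES.get(url)


def next_hop(base_url, html):
    """Return the URL a page forwards the visitor to, or None.

    Automatic redirects (meta refresh, JS location) take precedence; if
    there are none, a page with exactly one outbound anchor is treated as
    a lure that exists only to push the visitor onward.
    """
    for pattern in (META_REFRESH, JS_LOCATION):
        m = pattern.search(html)
        if m:
            return urljoin(base_url, m.group(1))
    anchors = ANCHOR.findall(html)
    if len(anchors) == 1:
        return urljoin(base_url, anchors[0])
    return None


def resolve_chain(start_url, fetch_fn=fetch, max_hops=5):
    """Follow a link hop by hop; returns every URL visited, in order.

    Stops on a dead end, a redirect loop, or after max_hops hops, so a
    chain that bounces between two pages cannot run forever.
    """
    chain, url = [start_url], start_url
    for _ in range(max_hops):
        body = fetch_fn(url)
        if body is None:
            break
        nxt = next_hop(url, body)
        if nxt is None or nxt in chain:
            break
        chain.append(nxt)
        url = nxt
    return chain


def base_domain(url):
    """Crude registrable-domain extraction (last two labels); enough for the sample."""
    host = urlparse(url).hostname or ""
    return ".".join(host.split(".")[-2:])


def first_hop_verdict(url, blocklist=BLOCKLIST):
    """What a reputation filter that looks only at the clicked URL decides."""
    return "block" if base_domain(url) in blocklist else "allow"


def chain_verdict(url, blocklist=BLOCKLIST, fetch_fn=fetch):
    """Judge the link by every host it ends up touching, not just the first."""
    chain = resolve_chain(url, fetch_fn)
    bad = [u for u in chain if base_domain(u) in blocklist]
    return ("block" if bad else "allow"), chain


if __name__ == "__main__":
    start = "http://blog.example-host.test/post/funny-video"
    print("first hop only:", first_hop_verdict(start))   # allow
    verdict, hops = chain_verdict(start)
    print("full chain    :", verdict)                    # block
    for i, hop in enumerate(hops):
        print(f"  hop {i}: {hop}")
```

Run on the constructed data, the first-hop check allows the blog link while the chain check blocks it, because the third hop lands on the blocklisted host.  The single-anchor heuristic in `next_hop` is a deliberate simplification for lure pages; a real crawler would also need to render JavaScript and respect a fetch budget per message, since following every link on every post does not scale.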

We are probably at an early stage in the development of social media malware.  Other attackers are focusing on monetization through social gaming and other means.  The threat ecosystem will evolve and become more sophisticated over time.