Boface.BJ.Worm Uses Facebook to Trick Users

PandaLabs reports the discovery of Boface worm variant No. 56, called the Boface.BJ.worm, which tricks users into purchasing a fake anti-virus application after convincing them to download and install malware via Facebook. Some 1 percent of all computers scanned by the Panda ActiveScan online scanner have been infected with Boface since August 2008.

PandaLabs announced May 14 that it has uncovered a variant of the Boface worm known as the Boface.BJ.worm that uses Facebook to trick users into purchasing fake anti-virus software.

The malware analysis and detection laboratory, run by Panda Security, estimates that roughly 2 million Facebook users could be infected with the worm, which is variant No. 56 of the Boface family of worms. The worm downloads and installs rogue anti-malware using the popular social networking site, then convinces users they need to buy a fake anti-virus application.

After infecting a computer via attachments, Internet downloads, FTP transfers, IRC (Internet Relay Chat) channels, peer-to-peer file sharing or other means, the worm waits for approximately 4 hours before activating. At that point, when a user logs in to the Facebook account, the worm sends a message with a link to that user and to his or her entire network.

Malware attacks propagated on social networking sites are 10 times more likely to succeed than e-mail-borne attacks.

Should users click on that link, they are directed to a fake YouTube page that asks them to download a "media player" to watch a nonexistent video. If they do that, the malware is downloaded, and will proceed to launch messages broadcasting that the computer is infected and that the user needs to buy an "anti-virus solution."

"Users of social networks like this normally trust the messages they receive, so the number of reads and clicks is often high," Luis Corrons, technical director of PandaLabs, said in a statement. "In addition to the security measures of the social network itself, users have to take on board certain security and personal privacy basics, to avoid falling victim to fraud and contributing to its propagation."

To that end, Corrons suggested the following steps for dealing with this new Facebook variant of the worm:

  • Don't click suspicious links from nontrusted sources. "This should apply to messages received through Facebook, through other social networks and even via e-mail."
  • If you do click on a suspicious link, check the target page carefully. Don't recognize it? Close your browser. Posthaste.
  • Don't accept downloads from a suspicious target page.
  • If you do head to a suspicious target page, click on the link, accept a download and start receiving multiple infection messages, remember that this is most likely a fraud.
  • Make sure your computer is secure as a matter of course.

About 1 percent of computers scanned by Panda Security's ActiveScan online scanner have been infected with some variant of Boface since August 2008, the company reports. Panda Security estimates that in the intervening nine months, the growth rate in the number of infections has reached 1,200 percent, with about 40 percent of it in the United States.

PandaLabs estimates that the rogue anti-malware business has grown over 100 percent in the past year.