Juraj Malcho, Head of Lab at Bratislava, reports:

We've just encountered what appears to be a new Facebook scam in the wild. As of this moment we haven't seen any malicious content being served, but the content is changing even as I’m writing this post and it’s likely to serve malware soon. It spreads by adding a link on the Facebook wall, such as
"try not to laugh xD http://www.<removed>.com/omg/allow.php?s=a&r=18857"

If a logged-in user clicks the link, the same message gets posted on his wall. A few minutes ago, nothing else happened after that, and the site that we presume will deliver the payload was returning an empty IFRAME redirect. However, right now it serves a clicking game which counts how many times you’re able to click your mouse within 5 seconds.

We advise that you take care and do not click any similar links while browsing other people’s Facebook walls. As is typical with social engineering tricks such as this, it’s likely that eventually Rogue AVs or other dubious applications will appear, trying to persuade you to install them.

We'll keep you informed as the situation changes, of course.

[Update: I notice that Mikko Hypponen at F-Secure and Graham Cluley at Sophos have also blogged on this in some detail: the fact that we've all blogged so close together does suggest that this has been spreading pretty fast. However, after Mikko rang a number that appeared to be associated with the site in question, the site in question went offline. Mikko's account of the incredible disappearing Facebook threat is at http://www.f-secure.com/weblog/archives/00001955.html. We will, nevertheless, let you know if there are any further developments. :-) ]

David Harley FBCS CITP CISSP
ESET Research Fellow and Director of Malware Intelligence