Hijacking of Facebook accounts spikes in first quarter

Byron Acohido | USA TODAY

UPDATE: McAfee on Friday, June 6, said it made a mistake. Koobface has actually been quiet of the past three months.

Koobface, the fast-spreading Internet worm cybergangs use to hijack Facebook accounts on a massive scale, is on the move once again.

McAfee this morning released a threat report showing samples of Koobface spiking in the Internet wild all through the first three months of 2013.

"The resurrection of Koobface reminds us that social networks continue to present a substantial opportunity for intercepting personal information," says Vincent Weafer, senior vice president, McAfee Labs.

Meanwhile, the bad guys also are turning up the spam spigot, as activity of the equally infamous spam-spreading botnet Cutwail, also known as Pushdo, also surged in the first quarter.

After remaining more or less stable in 2012, spam levels reached the highest volume McAfee has seen in the past two years.

The rising trends are very probably related. The logons, contacts and preferences stolen from Facebook accounts feed intelligence into the cyberunderground which spammers can use to hone their spam campaigns.

For instance, they can fake Facebook postings and messages to specific individuals at targeted companies to help them gain access inside corporate networks, where they seek out and usurp privilege accounts. It's not hard to imagine a well-positioned intruder discovering ways to overcome spam filters at targeted companies.

First discovered in 2008, Koobface volume tripled in the first quarter of 2013 to levels never previously seen, Weafer says.

Koobface is a case study of how swiftly cybercriminals react to emerging trends.

Its creators initially sent Facebook users friendly messages asking them to click on a link to see a video. Doing so called up another message asking the recipient to click on an executable file — a small computer program — needed to upgrade a video player required to view the video. In a classic bait-and-switch, clicking on the file instead turned over control of the PC to the attackers.

The worm then automatically sent similar viral messages from the victim's account to his or her Facebook friends.

By clicking on the malicious file, the victim intentially chooses to run the bad code. So no actual hack of the computer's hard drive is needed.