Posted by: Barracuda Labs
On Wednesday, a seemingly harmless application-listing glitch led numerous users to believe that a spybot attack was under way on Facebook. Because of the bug, an application listed as ‘Unnamed App’ appeared in some users’ application settings. Some users took this as a sign of a spybot that would steal their account details and passwords and perform malicious activities on their computers. Those users warned others, and word about ‘Unnamed App’ spread like wildfire within a few hours.
Ultimately, this was a harmless bug; however, curious users turned to Google to learn more about it, and scammers saw this as a golden opportunity. The scammers soon harnessed the search query ‘unnamed app’ and poisoned search results to include sites that would redirect users to a Rogue AntiVirus serving site instead. This has become a very popular technique used by scammers in the past few months.
Scam artists also attempted to hide from the research community by selectively redirecting only users who visited straight from Google by clicking one of the search results. Visitors (mostly researchers) who attempted to go to the malicious search result directly were redirected to http://www.cnn.com instead.
There are multiple ways to achieve this. In this case, the attackers checked the HTTP Referer header to determine where the visitor came from.
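A defender-side check for the Referer-dependent redirect described above, added here as an example and not taken from the original post: it groups observed redirects per URL and flags any URL whose redirect target host differs between search-referred and other requests. The record layout, the function names and every hostname except cnn.com are assumptions made for illustration.

```python
from collections import defaultdict
from urllib.parse import urljoin, urlsplit

REDIRECTS = {301, 302, 303, 307, 308}

def _host(url):
    return (urlsplit(url).hostname or "").lower()

def _from_search(referer):
    # Assumption: only Google counts as "search", as in the incident above.
    host = _host(referer or "")
    host = host[4:] if host.startswith("www.") else host
    return host.startswith("google.")

def find_referer_cloaking(records):
    """records: iterable of (url, referer, status, location) taken from proxy
    logs or from a crawler that fetches each URL with and without a search
    Referer. Returns the URLs whose redirect target depends on the Referer."""
    seen = defaultdict(lambda: {"search": set(), "direct": set()})
    for url, referer, status, location in records:
        if status not in REDIRECTS or not location:
            continue
        bucket = "search" if _from_search(referer) else "direct"
        # Resolve relative Location values against the requested URL.
        seen[url][bucket].add(_host(urljoin(url, location)))
    return {url: hosts for url, hosts in seen.items()
            if hosts["search"] and hosts["direct"]
            and hosts["search"] != hosts["direct"]}

# Constructed sample records; hostnames other than cnn.com are placeholders.
SAMPLE = [
    ("http://poisoned-result.example/unnamed-app",
     "http://www.google.com/search?q=unnamed+app", 302,
     "http://rogue-av.example/scan"),
    ("http://poisoned-result.example/unnamed-app", "", 302,
     "http://www.cnn.com/"),
    ("http://benign.example/old",
     "http://www.google.com/search?q=benign", 301, "/new"),
    ("http://benign.example/old", "", 301, "http://benign.example/new"),
]

if __name__ == "__main__":
    for url, hosts in find_referer_cloaking(SAMPLE).items():
        print(url, "search ->", sorted(hosts["search"]),
              "direct ->", sorted(hosts["direct"]))
```

This is a heuristic: a flagged URL still needs review, since some legitimate sites also vary their redirects by Referer.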
Hence, what was seemingly a harmless bug was still able to do some damage to innocent users’ browsing experience today.
Users of the Barracuda Purewire Web Security Service are protected from this attack.