It has been reported that Facebook helped the FBI find the cybercriminals who infected 11 million computers with malware and stole an estimated £525 million. Below is a comment from Tal Be’ery, Web Research Team Leader at Imperva, on how the scam operated and what users and organisations can do to reduce the risk of getting infected:
The FBI has reported (http://www.fbi.gov/news/pressrel/press-releases/fbi-international-law-enforcement-disrupt-international-organized-cyber-crime-ring-related-to-butterfly-botnet ) that the malware involved in the scam was “Yahos”. The Yahos malware is reported (http://igl-security.blogspot.co.il/2011/02/facebook-photo-tricking-users-to-open.html) to propagate via social engineering, and naturally it thrives in the hotbed of social networks. An infected user will send a message to all of his friends, “How does this photo look?”, with an attached malware file or malware link. Users naturally trust messages they receive from friends, so they will follow the link and get infected themselves, and the malware will then try to spread to all of their friends, ad infinitum.
The malware is not unique to Facebook and is reported to spread over other social media such as Instant Messaging (IM). But since Facebook is the most popular social network platform, most of the attackers’ attention was dedicated to it.
Working with Facebook’s security team, the FBI was probably able to track the propagation of the malware to its origin and discover the “patient zero” of the Yahos epidemic. “Patient zero” was probably a fake profile (or profiles) created by the attackers to spread the malware. We assume that, using that account’s access details (e.g. IP address), the FBI was given a lead to the people behind the operation.
Users, as well as organizations, can reduce the risk associated with data theft through infected computers by following three principles:
Safe behavior: not opening attachments or following links received from strangers, or even from friends if the message comes “out of the blue”, without any context.
Block known malware with an antivirus (AV) solution: having up-to-date antivirus software will help in blocking known viruses but will not necessarily detect new variants. There are some pretty good free AV solutions available, such as Avast!’s AV.
Block unknown malware with data access monitoring: monitoring database and file access for the organization’s users, or routine checks of credit card bills for unexplained charges for home users.
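The propagation pattern described above (one account pushing the same link-bearing message to all of its contacts) and the monitoring principle in the last point are easier to see with a concrete detection. The script below is an added example written for this page; it is not code from Imperva, Facebook or the FBI, and it does not reproduce any Yahos component. It runs a fan-out heuristic over a small constructed message log (the `SAMPLE_LOG` lines, usernames and the `example.invalid` URLs are all made up), flags a sender who delivers one identical link-bearing text to at least four distinct recipients inside a ten-minute window, and then traces the earliest sender of that text in the log, which is the kind of “patient zero” lookup a platform security team could make once a campaign text is known. The window and threshold values are assumptions chosen for the sample, not figures from the page.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample message log for this example (not real Facebook or Yahos data).
# One message per line: ISO timestamp, sender, recipient, message text.
SAMPLE_LOG = """\
2011-02-03T10:00:01 alice bob How does this photo look? http://example.invalid/photo.exe
2011-02-03T10:00:02 alice carol How does this photo look? http://example.invalid/photo.exe
2011-02-03T10:00:03 alice dave How does this photo look? http://example.invalid/photo.exe
2011-02-03T10:00:04 alice erin How does this photo look? http://example.invalid/photo.exe
2011-02-03T10:00:05 alice frank How does this photo look? http://example.invalid/photo.exe
2011-02-03T10:05:00 bob alice lol nice, see you at 7
2011-02-03T10:06:00 bob carol check this out http://example.invalid/news
2011-02-03T11:00:00 carol alice How does this photo look? http://example.invalid/photo.exe
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (.*)$")
URL_RE = re.compile(r"https?://\S+")


def parse_log(text):
    """Turn the constructed log into a list of message dicts; malformed lines are skipped."""
    msgs = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        msgs.append({
            "ts": datetime.fromisoformat(m.group(1)),
            "sender": m.group(2),
            "recipient": m.group(3),
            "text": m.group(4),
        })
    return msgs


def normalize(text):
    """Collapse case and whitespace so trivially varied copies of one lure group together."""
    return " ".join(text.lower().split())


def detect_fanout(msgs, window=timedelta(minutes=10), min_recipients=4):
    """Flag senders that push one identical link-bearing text to many distinct recipients
    within `window`. A normal user rarely does this; a social-engineering worm always does.
    Window and threshold are assumed values for the sample, not tuned production numbers."""
    groups = defaultdict(list)
    for m in msgs:
        if not URL_RE.search(m["text"]):
            continue  # only link- or attachment-style lures are of interest here
        groups[(m["sender"], normalize(m["text"]))].append(m)

    alerts = []
    for (sender, text), items in groups.items():
        items.sort(key=lambda m: m["ts"])
        best, first_seen, start = set(), None, 0
        # Sliding window over the sender's copies of this text, counting distinct recipients.
        for end in range(len(items)):
            while items[end]["ts"] - items[start]["ts"] > window:
                start += 1
            recipients = {m["recipient"] for m in items[start:end + 1]}
            if len(recipients) >= min_recipients and len(recipients) > len(best):
                best, first_seen = recipients, items[start]["ts"]
        if best:
            alerts.append({"sender": sender, "text": text,
                           "recipients": sorted(best), "first_seen": first_seen})
    return alerts


def earliest_sender(msgs, text):
    """Return the earliest message carrying a flagged lure text: the first hop in the log,
    which is where an investigator would start looking for the seeding account."""
    wanted = normalize(text)
    matches = [m for m in msgs if normalize(m["text"]) == wanted]
    return min(matches, key=lambda m: m["ts"]) if matches else None


if __name__ == "__main__":
    messages = parse_log(SAMPLE_LOG)
    for alert in detect_fanout(messages):
        origin = earliest_sender(messages, alert["text"])
        print(f"fan-out by {alert['sender']} to {len(alert['recipients'])} recipients "
              f"from {alert['first_seen'].isoformat()}: {alert['text']!r}")
        print(f"  earliest copy in log sent by {origin['sender']} at {origin['ts'].isoformat()}")
```

In the sample, `alice` is flagged for five identical lure messages in four seconds, while `bob`'s single link to `carol` and the later copy `carol` sends back to `alice` stay below the threshold. That last message is the worm's next hop: it arrives from a friend inside an existing conversation, which is exactly why the “safe behavior” advice above includes messages from friends, and why matching a known lure text across senders (as `earliest_sender` does) catches propagation that a per-sender fan-out rule alone would miss until the next victim's contact list is hit.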