www,ArticleCar,cn – Another Facebook Virus Variant

by on November 29, 2009

facebook_virusThere now appear to be multiple variants of the ArticleGet,cn Virus that are hitting Facebook.  The latest creates a post on someone’s wall that looks like this:  “Is this something you can do ? www,ArticleCar,cn”

Articlecar.cn appears to link to a traditional Easy Google Profit scam fake news site, but there very well might be something worse lurking in the background on the site.

Looks like there are two main possibilities for how someone gets this one:

  1. Cross Site Request Forgery:  You click on a link and go to a website which runs some behind the scenes frames and scripts that you never see.  If your browser is autologged into Facebook it is then able to make Facebook think you posted the link that the worm submitted under your name.
  2. Virus Execution: You have a virus on your computer that is allowing it to be used as a “zombie” for someone running a bot network.  They are able to make your computer do things without you knowing (thus the zombie part, really should be called a werewolf actually) including posting messages like this to the various social networks.

Either way, not a good thing.

At first we really strongly suspected that it was #1 above (CSRF), but we went and checked out both ArticleGet.cn (which I would NOT recommend without good script blockers in place on your computer.  If you do not know what that means, do not go there) as well as all the scam sites linked from it.  None of them had anything running on them that would cause this sort of Facebook behavior.

If a friends account is displaying these messages, warn them immediately.  If your account is posting these things to your wall, be very afraid, you could very well have some very nasty things running on your computer.

{ 1 comment… read it below or add one }

Laura Carr November 30, 2009 at 5:40 pm

The phone number associated with this SCAM is 810-814-2767. It comes up as Syed Enterprises but it is a woman by the name of Kenya (sp?).

Leave a Comment

Previous post:

Next post: