We are seeing another development from the Koobface botnet, this time abusing the Google-owned service Google Reader to spam malicious URLs in social networking sites such as Facebook, MySpace, and Twitter.
The Koobface gang used controlled Google Reader accounts to host URLs containing an image that resembles a flash movie. These URLs are spammed through the said social networks. When the user clicks the image or the title of the shared content, it leads to the all-too-familiar fake YouTube page that hosts the Koobface downloader component.
Google Reader is a free service offered by Google that allows users to monitor websites for new content. It also allows the users to share content from the websites. Any user online can view these pages as they are shared with the public. Sharing any Google Reader page publicly is easy as anyone can click on the share icon in his or her Reader page and the content will appear on his or her public page.
This ability to share content with the public was abused by cybercriminals to use the Google Reader domain to spam malicious links.
We have already contacted Google about this matter to remove the malicious content. As of now we’ve found 1,300 Google Reader accounts used for this attack. The spam URLs hosted through these accounts are now blocked.