For most Facebook users, it's common to receive a message from a friend urging them to visit a page containing a video. But one video currently making the rounds appears on a Google page and will not play unless a new codec is downloaded and installed. The link provided on the Google page is not a video link, say researchers at Fortinet, but a link to a Trojan horse hosted on yet another server.
Guillaume Lovet, senior manager of Fortinet's security research team, told CNET News that Google sites were chosen because they have a good reputation and are unlikely to be blocked by spam or phishing filters. The Google page does not actually host the malware; it carries only a link that connects the user with the malware host site.
To pull this off, the attackers had to register their own Google Reader accounts, either manually or through automated methods using phishing sites or so-called CAPTCHA solvers. The Google pages, which were still live at press time, exist only to lead visitors to malicious sites.