Skype users be warned: if you get a message on Skype that says “lol is this your new profile pic” with an accompanying http://goo.gl/XXX?img=XXX URL, do not click on the link!
It is being reported by various security firms, and confirmed by Skype, that many Skype users are being spammed with an “lol is this your new profile pic http://goo.gl/XXX?img=XXX” instant message. The link leads to a website where malicious ZIP files are automatically downloaded (named “skype_06102012_image.zip” or “skype_08102012_image.zip”) that contain trojans. Once you download and run the executable inside the ZIP files, your computer is instantly infected with a backdoor trojan that then proceeds to download other malware. According to Sophos, this eventually leads to your data being stolen, your computer being made part of a botnet, and potential attacks by ransomware.
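As an added illustration (not code from the original post or from any of the firms it cites), the following Python script shows how a defender could flag both halves of the chain described above: a chat message carrying the lure wording plus a goo.gl link with an ?img= parameter, and a downloaded ZIP whose name follows the reported skype_<date>_image.zip shape or which contains an executable. The regular expressions and the sample data are assumptions constructed for this example.

```python
import io
import re
import zipfile

# Lure wording and link shape from the post: a goo.gl short link carrying an
# ?img= parameter. The pattern itself is an assumption for illustration.
LURE_RE = re.compile(
    r"lol is this your new profile pic.*https?://goo\.gl/\S+\?img=", re.I)

# Archive names reported in the post follow skype_<DDMMYYYY>_image.zip.
ZIP_NAME_RE = re.compile(r"^skype_\d{8}_image\.zip$", re.I)


def is_lure_message(text):
    """True if a chat message matches the lure wording plus short link."""
    return LURE_RE.search(text) is not None


def suspicious_zip_findings(name, data):
    """Return reasons a downloaded archive looks like the described payload.

    name is the download's file name, data its raw bytes; an empty list
    means nothing matched."""
    findings = []
    if ZIP_NAME_RE.match(name):
        findings.append("archive name matches skype_<date>_image.zip")
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings + ["not a valid ZIP archive"]
    for info in zf.infolist():
        head = zf.open(info).read(2)
        # Flag by .exe extension or by the PE "MZ" header, so a renamed
        # executable is still caught.
        if info.filename.lower().endswith(".exe") or head == b"MZ":
            findings.append("archive contains an executable: " + info.filename)
    return findings


def build_sample_zip(member="skype_06102012_image.exe", body=b"MZ" + b"\0" * 64):
    """Construct an in-memory ZIP (constructed test data, not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, body)
    return buf.getvalue()


if __name__ == "__main__":
    print(is_lure_message("lol is this your new profile pic http://goo.gl/XXX?img=XXX"))
    print(suspicious_zip_findings("skype_06102012_image.zip", build_sample_zip()))
```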
The malware appears to only affect Windows (what else is new…) and it is nothing new; if you do accidentally end up downloading it, any competent anti-malware program should immediately block and delete the files.
What makes this attack particularly effective is the medium it uses — messages over Skype. People usually aren’t suspicious of messages over Skype because Skype is often used to interact with people you trust, not people you would suspect of sending you malware links. However, the moral of the story is obvious — do not click on every link you see, even if it is sent to you by a person you would otherwise trust. For all you know, their account, or computer, may have been compromised.
Now, if you click on the link because your friends regularly send you messages similar to “lol is this your new profile pic” and you thought the link to be legitimate… then you have deeper concerns to worry about than potential malware attacks.