Websense is reporting that a tool containing malicious code is being offered to "Habbo" users. The loaded tool is being offered by a third-party software developer.
From the Websense alert:
Websense® Security Labs™ has received reports of a Trojan keylogger aimed at the users of Habbo, a popular social networking site for teenagers. As of last month, Habbo’s entry on Wikipedia said that over 8 million unique visitors access Habbo’s Web sites around the world every month. The party involved in spreading this malicious code poses as a third-party software tool developer for Habbo.
There seems to be very little out there about this, but I was able to find a BBC article from November about a teenager stealing 4,000 euros worth of virtual furniture that had been bought with real money.
Based on the article, this isn't the first time (or probably the last) that Habbo users have faced the murkier waters of the Internet.
The article states:
A spokesman for Sulake, the company that operates Habbo Hotel, said: "The accused lured victims into handing over their Habbo passwords by creating fake Habbo websites.
"In Habbo, as in many other virtual worlds, scamming for other people's personal information such as user names has been problematic for quite a while.
"We have had much of this scamming going on in many countries but this is the first case where the police have taken legal action."
According to the article, there are a lot of spoofed Habbo sites asking for user name and password information. F-Secure.com did another article with screenshots of some of these spoofed sites.
In case anyone besides me is having a hard time understanding how real money is used to buy virtual furniture, Wikipedia offers an explanation:
Credits, also known as Coins in other websites, are the currency used in Habbo. Credits can be purchased using a variety of different services, such as credit card, a telephone service and via SMS. Credits are often given out as prizes for competitions held in the community. The Credits are stored in the user's purse accessible in any public or private room as well as on the Hotel view and while logged in on the website. Credits can also be redeemed into Exchange, which displays the Credits as an item of virtual furniture, the furniture can then be traded among users, and redeemed back into Credits.
At least now I can understand why someone would want to break into a Habbo account - they do have real money in them.
This might not have been the first time Habbo users have been exposed to assorted forms of malicious code. I found a discussion on Habbohut, a Habbo bulletin board, where the matter was being discussed in 2005.
Going back to the current alert from Websense, it has some pretty wise advice, which can be applied to any software tool being touted from an unknown source:
Websense Security Labs recommends caution when trying out new third-party applications developed for Web 2.0 and social networking Web sites, especially those with APIs open for third-party developers.
In other words, just say no!
Websense alert with screenshots, here.