
Kaspersky Lab reveals how a malicious campaign works through Facebook Messenger

By Nestor Domingo Jr - on 11 Sep 2017, 12:13pm


Kaspersky Lab exposes the malicious scam that worked through Facebook Messenger. Image from Kaspersky Lab.

Kaspersky Lab shares the discovery of multiplatform malware that is distributed through Facebook Messenger, according to a report by antivirus expert David Jacoby from Kaspersky Lab's Global Research and Analysis Team. A few years ago, similar outbreaks occurred quite often, but none had appeared lately, as Facebook had been doing a lot to prevent such attacks.

From a user’s perspective, here is how the infection progressed:

  • The user receives a message in Facebook Messenger from a friend. The message contains the word “video”, the name of the sender, a random smiley, and a short link. It might look like this, for example:

Malicious link screenshot. Image from Kaspersky Lab.

  • The link redirects to Google Drive, where the user sees something resembling a video player with a picture of the original sender in the background and what looks like a Play button.
  • If the victim attempts to play back the “video” in Google Chrome, he or she is redirected to a page that looks much like a YouTube page, which prompts the user to install an extension for Chrome.
  • If the user agrees to the installation, the extension begins to send out malicious links to the user's friends. The same process then repeats for each newly infected user.
  • Users of other browsers are persistently reminded to update their Adobe Flash Player instead of being offered the extension. The file they download turns out to be adware.
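The lure message described in the first step has a recognisable shape: the word “video”, the sender's own name, a smiley and a short link. The following is an added example, not code from Kaspersky Lab's report, of a simple heuristic a messaging-abuse or security team could run over message text to flag that pattern. The sample messages and the list of URL-shortener hosts are constructed for illustration.

```python
import re

# Illustrative set of URL-shortener hosts (constructed list, extend as needed).
SHORTENER_HOSTS = {"bit.ly", "goo.gl", "t.co", "tinyurl.com", "ow.ly"}

# Capture the host part of any http(s) URL in the message body.
URL_RE = re.compile(r"https?://([^/\s]+)", re.IGNORECASE)

# Unicode emoji ranges plus common text smileys such as ":)" or ";-D".
EMOJI_RE = re.compile(r"[\U0001F300-\U0001FAFF\u2600-\u27BF]|[:;]-?[)D(P]")


def assess_message(sender_name: str, text: str) -> dict:
    """Return the indicators found in one message and a score (one point each).

    Indicators mirror the lure described in the report: the word "video",
    the sender's name inside the body, a smiley, and a shortened link.
    """
    indicators = []
    lowered = text.lower()

    if "video" in lowered:
        indicators.append("keyword_video")

    first_name = sender_name.split()[0].lower() if sender_name.split() else ""
    if first_name and first_name in lowered:
        indicators.append("sender_name_in_body")

    if EMOJI_RE.search(text):
        indicators.append("emoji")

    hosts = [h.lower() for h in URL_RE.findall(text)]
    if any(h in SHORTENER_HOSTS for h in hosts):
        indicators.append("short_link")
    elif hosts:
        indicators.append("link")

    return {"score": len(indicators), "indicators": indicators}


def is_suspicious(sender_name: str, text: str, threshold: int = 3) -> bool:
    """True when enough lure indicators co-occur to warrant review or a warning."""
    return assess_message(sender_name, text)["score"] >= threshold


# Constructed sample messages (not taken from the campaign).
SAMPLES = [
    ("Anna Lee", "Anna video :) http://bit.ly/abc123"),
    ("Anna Lee", "Hey, are we still on for dinner tonight?"),
    ("Anna Lee", "check this video https://www.youtube.com/watch?v=x"),
]

if __name__ == "__main__":
    for sender, body in SAMPLES:
        result = assess_message(sender, body)
        flag = "SUSPICIOUS" if is_suspicious(sender, body) else "ok"
        print(f"{flag:10} score={result['score']} {result['indicators']} :: {body}")
```

A score-based check like this is deliberately conservative: a friend sharing a genuine video link scores only two points, while the campaign's template hits all four indicators at once. In practice the threshold and the shortener list would be tuned against real traffic.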

Jacoby, together with researcher Frans Rosen, analyzed this malicious campaign and worked out how it operates as part of a project called “Hunting bugs for Humanity”. The page that users were redirected to after following the link in Facebook Messenger was basically a PDF file that had been published to Google Drive and opens as a preview. The file shows a picture taken from a user's Facebook page (the user whose identity is used to spread the malware) with a video playback icon overlaid on it, and the link opens when the user tries to click the playback button.

Clicking the link led friends of the victim to this page. (Image from Kaspersky Lab)

Simply clicking the link redirects the user through several websites. Victims using browsers other than Chrome ended up on a website offering to download adware masked as an update for Adobe Flash Player.

Users of browsers other than Google Chrome are prompted to download adware disguised as Adobe Flash Player. (Image from Kaspersky Lab)

For Chrome users, that is just the beginning. If the victim agrees to install the extension offered on the landing page, it begins monitoring the websites opened by the user. As soon as the victim navigates to Facebook, the extension steals the user's login credentials and access token and sends them to the malefactor's server.

A fake YouTube page offering to install Google Chrome extensions. (Image from Kaspersky Lab)

Using the stolen credentials and an obsolete Facebook feature, the crooks could request that the social network send them the victim's contact list, cull those who are not currently online, and randomly select 50 new victims from the remainder. Those users are bulk-messaged with a new link to Google Drive, pointing at a PDF preview generated with the picture of the person on whose behalf the new messaging wave commenced. Looked at closely, it is a vicious cycle.

It is worth noting that among other things, the malicious script “likes” a specific Facebook page, apparently to collect statistics for the infection. In the course of the attack, Jacoby and Rosen observed that the malefactors changed several of the specific pages, possibly as Facebook closed the previous ones. Judging by the number of “likes,” there were tens of thousands of victims.

One of the pages that infected users “liked.” Image from Kaspersky Lab.

The localization function’s code shows that the crooks are primarily interested in Facebook users from several European countries such as Turkey, Italy, Germany, Portugal, France (also Francophone Canada), Poland, Greece, Sweden, and all countries with English-speaking users.

The infection's spread has been put to an end for now through the mutual effort of several countries. Nonetheless, this article is a great reminder that browser extensions are not as harmless as they may seem. To stay safe and not fall victim, avoid installing browser extensions unless you are confident that they are safe, will not steal your data, and will not track your online activity. Also, clicking every link, even links that seem to come from someone you know, is out of the question. It is always a good idea to make sure that it is really your friend on the other end of the line, not some criminal who has taken control of your friend's account.
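The warning about extensions above can be made concrete by reviewing what an extension asks for before installing it. The following is an added example, not code from Kaspersky Lab or from the campaign, that inspects a Chrome extension's manifest.json and reports permissions that would let it watch every site the user visits and read session data, which is what the extension in this campaign did on Facebook. The two manifests are constructed samples; the permission and host-pattern names are the real Chrome manifest keys (manifest v2 lists host patterns under "permissions", v3 under "host_permissions").

```python
import json

# Host patterns that grant access to every site the user visits.
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# API permissions that are sensitive on their own when combined with broad host access.
SENSITIVE_PERMISSIONS = {
    "tabs": "can see the URL and title of every open tab",
    "webRequest": "can observe network requests, including to sites you are logged into",
    "webRequestBlocking": "can modify or block network requests",
    "cookies": "can read session cookies for permitted hosts",
    "history": "can read browsing history",
    "webNavigation": "can observe every page navigation",
}


def review_manifest(manifest: dict) -> list:
    """Return human-readable findings for an extension manifest (v2 or v3)."""
    findings = []
    perms = set(manifest.get("permissions", [])) | set(manifest.get("optional_permissions", []))

    # Host access: v3 "host_permissions", v2 host patterns inside "permissions",
    # and the "matches" of any content script, which also injects code into pages.
    hosts = set(manifest.get("host_permissions", []))
    hosts |= {p for p in perms if "://" in p or p == "<all_urls>"}
    for script in manifest.get("content_scripts", []):
        matches = script.get("matches", [])
        hosts |= set(matches)
        findings.append(f"content script runs on {sorted(matches)}")

    broad = hosts & BROAD_HOST_PATTERNS
    if broad:
        findings.append(
            f"broad host access: {sorted(broad)} (can read and alter pages on every site)"
        )

    for name, why in SENSITIVE_PERMISSIONS.items():
        if name in perms:
            findings.append(f"permission {name}: {why}")

    return findings


def risk_level(manifest: dict) -> str:
    """Summarise the findings as low / medium / high."""
    findings = review_manifest(manifest)
    broad = any(f.startswith("broad host access") for f in findings)
    sensitive = any(f.startswith("permission ") for f in findings)
    if broad and sensitive:
        return "high"
    if broad or sensitive:
        return "medium"
    return "low"


# Constructed sample: the kind of manifest a "video player helper" like the one in
# this campaign would need in order to watch Facebook sessions on every site.
SUSPICIOUS_MANIFEST = json.loads("""
{
  "manifest_version": 2,
  "name": "Video Player Helper",
  "version": "1.0",
  "permissions": ["tabs", "cookies", "webRequest", "<all_urls>"],
  "content_scripts": [{"matches": ["*://*.facebook.com/*"], "js": ["inject.js"]}]
}
""")

# Constructed sample: a benign extension that only touches the tab you invoke it on.
BENIGN_MANIFEST = json.loads("""
{
  "manifest_version": 3,
  "name": "Tab Note Taker",
  "version": "2.1",
  "permissions": ["storage", "activeTab"]
}
""")

if __name__ == "__main__":
    for m in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        print(f"{m['name']}: risk={risk_level(m)}")
        for finding in review_manifest(m):
            print("  -", finding)
```

The review does not prove an extension is malicious; it only surfaces what the extension could do once installed. An extension whose stated purpose is playing a video has no reason to ask for cookies, webRequest and access to every site, and that mismatch between purpose and permissions is the signal to act on before clicking Install.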

by: Yrda Veanssa Fernandez