Security researcher David Jacoby has revealed that Facebook Messenger is now being used to spread malware. Reportedly, victims are redirected to customized, fake versions of well-known websites.
Jacoby, a senior security researcher at Kaspersky Lab, states that he became aware of the attacks when he received a suspicious message on Facebook sent by one of his contacts. Jacoby then analyzed the content of the message and concluded that the malware is being distributed through Facebook Messenger. He further explained that the campaign is “serving multi-platform malware/adware, using tons of domains to prevent tracking, and earning clicks. The code is advanced and obfuscated.”
Furthermore, the links sent via Facebook Messenger are all malicious, and the messages are being sent from stolen accounts and hijacked browsers. They might even be the result of clickjacking.
The method of attack is quite basic, given that it relies on identity theft. The person apparently sending the message is a trusted contact, and therefore the recipient is likely to click on the link without thinking.
However, the message has actually been sent by a contact whose credentials have been stolen by the attackers. The link appears to point to memes, videos and the like. The message bears the recipient’s name followed by the word “Video” and a shocked-face emoji, together with a shortened URL.
For instance, the message says “David Video” with a link leading to a Google Docs page. The photo, which is apparently stolen from the victim’s Facebook page, is blurred, and the video appears to be a playable movie.
However, when the recipient clicks the link, the malware redirects the victim to one of a number of compromised websites. The website is selected according to factors such as the operating system and browser in use and the victim’s location. Once the victim visits the fake website, the malware initiates the second stage of the scheme and installs adware.
For example, if the victim is using Google Chrome, the link redirects him or her to a website that looks like the legitimate YouTube, with a genuine-looking logo and layout. A fake error message appears on the website that requires the download of a Chrome extension, which is malware.
Similarly, Firefox users are redirected to a site where they are told to update Flash, and the adware is delivered as a Windows executable. Safari users receive a link to a website compatible with macOS, where they are prompted to download a .dmg file that is also adware.
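As an added, defender-side illustration (not code from the article or from Kaspersky), the following Python helper checks a message for the “name + Video + shortened URL” lure pattern described above, and flags a link whose landing host and pushed download change with the requesting browser, the per-browser behaviour reported for this campaign. The shortener list, host names and file names are assumptions or constructed sample data.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Hosts commonly used for shortened links (assumption: extend with your own list).
SHORTENER_HOSTS = {"bit.ly", "goo.gl", "t.co", "tinyurl.com"}
# Payload types the article reports per browser: extension, Windows exe, macOS dmg.
PAYLOAD_KIND = {".crx": "browser extension", ".exe": "Windows executable", ".dmg": "macOS disk image"}

@dataclass
class Observation:
    """One resolution of the short link: the browser that asked, where it landed,
    and the file (if any) the landing page tried to push."""
    user_agent: str
    landing_url: str
    download: str = ""

def browser_family(user_agent: str) -> str:
    ua = user_agent.lower()
    if "firefox" in ua:
        return "firefox"
    if "chrome" in ua:  # Chrome's UA string also contains "Safari", so test Chrome first
        return "chrome"
    return "safari" if "safari" in ua else "other"

def looks_like_bait(recipient: str, text: str) -> bool:
    """Lure format from the article: '<recipient name> Video' plus a shortened URL."""
    hosts = re.findall(r"https?://([^/\s]+)", text)
    uses_shortener = any(h.lower() in SHORTENER_HOSTS for h in hosts)
    name_video = re.search(rf"\b{re.escape(recipient)}\s+video\b", text, re.I) is not None
    return name_video and uses_shortener

def assess_link(observations: list) -> list:
    """Flag cloaking (landing host differs by browser) and pushed installer payloads."""
    landing = {browser_family(o.user_agent): urlparse(o.landing_url).hostname for o in observations}
    findings = []
    if len(set(landing.values())) > 1:
        findings.append("cloaking: landing host varies by browser: " + str(landing))
    for o in observations:
        ext = "." + o.download.rsplit(".", 1)[-1].lower() if o.download else ""
        if ext in PAYLOAD_KIND:
            findings.append(f"{browser_family(o.user_agent)}: pushes {PAYLOAD_KIND[ext]} ({o.download})")
    return findings

# Constructed sample: one short link resolved under three browsers (hypothetical hosts/filenames).
SAMPLE = [
    Observation("Mozilla/5.0 ... Chrome/60 Safari/537.36", "https://fake-youtube.example/watch", "codec.crx"),
    Observation("Mozilla/5.0 ... Gecko/20100101 Firefox/55", "https://flash-update.example/", "FlashUpdate.exe"),
    Observation("Mozilla/5.0 ... Version/10 Safari/603", "https://mac-player.example/", "Player.dmg"),
]
```

Running `assess_link(SAMPLE)` yields one cloaking finding plus one payload finding per browser; a link that lands on the same host for every browser and pushes nothing produces no findings.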
So why are cyber criminals distributing adware in this campaign? The reason is that the adware can track browser activity, which it does using cookies. Adware displays targeted ads across the internet, and some of these ads are engineered so that users are compelled to click on them. These clicks matter to the ad operators because they generate revenue.
Currently, it is not confirmed who is behind the new Facebook Messenger campaign, but it is quite concerning given that Facebook is used by 1.2 billion users per month and therefore, the scope for cyber criminals operating this scheme is extremely wide. As Jacoby stated:
“The people behind this are most likely making a lot of money in ads and getting access to a lot of Facebook accounts.”
So how can you stay protected? A Facebook spokesperson says the company has numerous automated systems in place to prevent these kinds of malicious schemes from affecting its users. However, the best defence is to be skeptical of messages containing shortened URL links sent by your Facebook contacts.
Moreover, Facebook has promised its users that even if the computer has been infected with malware, the social network will provide users “a free antivirus scan from trusted partners” and the company will also share tips on how users can stay safe from malicious campaigns.