BEWRE: Worm Being Spread via Facebook

Facebook users, if you have clicked the link (URL shortening service) then you might have gotten your computers infected by a worm.

The link is being spread by attackers through a post that promises one-of-its-kind of pornographic content. The post is being shared via numerous prominent social media networks such as Twitter and Facebook, reports Malwarebytes.

MUST READ: Facebook Login Bug Lets Hackers Takeover User Accounts with Reconnect Tool

Digging Deeper into the Story:

The worm apparently seems to be hailing from the Kilim family. After infecting the user’s computer it then posts the same link on the walls of all of the user’s contacts and groups.

Kilim manages to hit media networks by installing a malicious extension within the web browser Google Chrome, says senior security researcher at Malwarebytes Jerome Segura.

This malware can easily let attackers post new messages such as a page and allows them to follow users on any social media network as well as send direct messages, explains Segura.

As per Segura’s information the attack primarily targets Chrome and “The goal is to harvest as many users as possible to create a very large consisting of social networks profiles which can be leveraged in various ways, reselling Facebook friends and likes, reselling Twitter followers, generating pay per click revenue by visiting sites and clicking ads.”

MUST READ: Facebook users targeted with ‘Wat are u Doing in This Video’ Message Phishing Scam

Segura further revealed that attackers utilize a multi-layer redirection style that controls cloud services. He also added that attackers might be using the same method to “make it harder to pinpoint exactly how the malicI ous redirection takes place, but also to be able to switch services quickly if they get blacklisted.”

The Infamous Link:

When a Facebook user clicks on the infamous link that promises “sex photos of teen girls in school,” it redirects immediately to an Amazon Web Services page and later the user gets redirected to a compromised Box website. The function of this website is to inspect the user’s system. Users are then prompted to download a file and when it is installed the system gets infected instantaneously leading to the download of the worm. It then spreads the link to all contacts of the user on Facebook.

Segura explained the modus operandi of this attack pretty comprehensively in his post. He says: “These offers usually end up being bogus apps or surveys. The file hosted on Box is trimmed down to a minimum size and its only purpose is to download additional components.

This is typically done to avoid initial detection, but also to allow the bad guys to update the backend code on the server so that the trojan downloader can retrieve the latest versions of each module. After the additional components are downloaded (Chrome extension, worm binary) they are installed on the machine and simply wait for the user to log into Facebook.”

However, users who have clicked on the link via their mobile are taken to an offer page based on their geographic location and language.

Both the Facebook and Box are aware of the attack and the threat of this worm. For addressing this issue, Box is eliminating sharing privileges and deleting files from malicious accounts and is regularly performing security checks by scanning for viruses.

Conversely, Facebook is collaborating with the companies that have been targeted by attackers and the social media giant has blocked associated link as well as stopped the links from being spread on its platform.

Amazon Web Services (AWS) spokesperson in an official statement explained that the “activity being reported is not currently happening on AWS.”

Related Posts