If you get a Facebook message with a video link in it, do not open it, no matter who sent it, even a friend, because a new threat is spreading this way.
Kaspersky Lab’s security researchers have found an ongoing cross-platform campaign on Facebook Messenger. It works by sending users video links that redirect them to a fake website, which tricks them into installing malicious software.
Researchers suspect that the spammers spread the link to the malicious content through compromised accounts, hijacked browsers and clickjacking techniques.
The attackers rely on social engineering to get users to click. The bit.ly link appears to come from your friend, so you trust it and click.
The URL sends victims to a Google Doc that shows a video thumbnail. Once clicked, the thumbnail sends you to another customized landing page that differs depending on the browser and operating system you’re using.
For example, Mozilla Firefox users on Windows are redirected to a website displaying a fake Flash Player Update notice and are then offered a Windows executable, which is flagged as adware.
If you’re a Google Chrome user, you are redirected to a website that pretends to be YouTube, complete with a similar YouTube logo, and you are presented with a fake error message popup that makes you download a malicious Chrome extension from the Google Web Store.
What you’re actually downloading is a downloader that saves a file of the attacker’s choosing on your computer.
David Jacoby, a chief security researcher at Kaspersky Lab, wrote in a blog post that the file should be unavailable for download at the time of writing.
He also found it interesting that the Chrome extension has log files from the developers that show usernames. He still isn’t sure if this is related to the campaign, but he finds it amusing nonetheless.
Those who use Apple Mac OS X Safari end up on a web page similar to the one shown to Firefox users, but customized for MacOS users with a fake update for Flash Media Player. When you click on it, the fake update downloads an OSX executable .dmg file, which is also adware. The same goes for Linux: there is a different landing page designed especially for users of that operating system.
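The chain described above (shortened link, then Google Doc, then an installer download) can be looked for in web proxy logs. The following Python sketch is an added example, not code from Kaspersky Lab or the original article; the log format, the two-minute window, the client addresses and all `.example` hosts are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta
from urllib.parse import urlparse

SHORTENERS = {"bit.ly"}            # shortener named in the article
DOC_HOST = "docs.google.com"       # intermediate hop named in the article
PAYLOAD_EXT = (".exe", ".dmg")     # installer types named in the article
WINDOW = timedelta(minutes=2)      # assumption: the chain completes quickly

# Constructed proxy log (timestamp, client, URL); .example hosts are placeholders.
SAMPLE_LOG = """\
2024-01-01T10:00:01 10.0.0.5 https://bit.ly/EXAMPLE
2024-01-01T10:00:03 10.0.0.5 https://docs.google.com/document/d/PLACEHOLDER/view
2024-01-01T10:00:09 10.0.0.5 http://landing.example/flash/update
2024-01-01T10:00:15 10.0.0.5 http://landing.example/files/flashplayer_update.exe
2024-01-01T10:05:00 10.0.0.7 https://docs.google.com/document/d/OTHER/edit
2024-01-01T10:05:30 10.0.0.7 https://vendor.example/tools/setup.exe
2024-01-01T10:10:00 10.0.0.9 https://bit.ly/EXAMPLE
2024-01-01T10:10:05 10.0.0.9 https://docs.google.com/document/d/PLACEHOLDER/view
2024-01-01T10:12:00 10.0.0.8 https://bit.ly/EXAMPLE
2024-01-01T10:12:04 10.0.0.8 https://docs.google.com/document/d/PLACEHOLDER/view
2024-01-01T10:12:20 10.0.0.8 http://mac-landing.example/FlashPlayer.dmg
2024-01-01T10:20:00 10.0.0.9 http://mac-landing.example/FlashPlayer.dmg
"""

def find_chains(log_text, window=WINDOW):
    """Return (client, payload_url) for each shortener -> Google Doc -> installer chain."""
    state = {}    # client -> (stage reached, time of the shortener click)
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts_raw, client, url = line.split(maxsplit=2)
        ts = datetime.fromisoformat(ts_raw)
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        path = parsed.path.lower()
        stage, started = state.get(client, (0, None))
        if stage and ts - started > window:
            stage = 0                      # chain went stale; start over
        if host in SHORTENERS:
            state[client] = (1, ts)        # a new click restarts the chain
        elif stage == 1 and host == DOC_HOST:
            state[client] = (2, started)
        elif stage == 2 and path.endswith(PAYLOAD_EXT):
            alerts.append((client, url))   # full chain seen inside the window
            state.pop(client, None)
        elif stage == 0:
            state.pop(client, None)        # drop stale or empty state
    return alerts
```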
Thankfully, the attackers aren’t spreading banking Trojans or exploit kits; instead, they are making a lot of money by generating revenue from ads.
These spam campaigns are pretty common on Facebook. Just a few years ago, researchers stumbled upon cyber criminals using booby-trapped .JPG image files to hide their malware in order to infect Facebook users with variants of the Locky ransomware, which encrypts all files on the infected PC until a ransom is paid.
Here is our advice for these kinds of situations: never open a link someone has sent you, even if that person is your friend, unless you have checked that it was actually them who sent it, and make sure your antivirus software is always up to date.