Malware uses video and tags to infect 100,000 people on Facebook

110,000 Facebook users said to have been infected within days


Facebook, the world's most active social media website with some 1.4 billion registered users, is no stranger to viral attacks that spread quickly.

Over the weekend, researchers started noticing an uptick in tag spam that was delivering malware to users.

The campaign was first noticed on Saturday by researchers at Bitdefender, an antivirus firm in Bucharest, Romania. Initially, the three-day campaign was said to have infected just over 5,000 users. However, earlier this week, security researcher Mohammad Reza Faghani reported that the number had increased to 110,000 users.

Malicious Facebook post Bitdefender

The campaign hinges on videos posted to a person's timeline that tag a number of friends. The videos look legitimate and use the goo.gl URL shortening service to mask their true destination. While more experienced, security-savvy users would be immediately suspicious, most of the victims followed their gut and trusted the alleged link to Google.

"Users who click the respective video are sent to an external page, where their user-agent (the browser and operating system identifiers) are analyzed so hackers know where to redirect the victim," Bitdefender wrote in a brief summary of the attacks.

"The operating system check is quite thorough and include scenarios for multiple operating systems, ranging from Android mobiles to PlayStation consoles, media players, smart cars (yeah, you had that right), TV sets and even dumb phones. If the user is browsing from any of these “low-interaction terminals” they are redirected to a SMS fraud service that tries to hook you up with an useless premium service for as low as €3.00 / $3.5 (not including tax). This happens through a series of redirects, including one stopover to a mobile traffic monitoring service that provide hackers with insight about how many victims reached the scam and how many of them actually fell for it."

Windows users are directed to a fake Facebook page where they are prompted to install a Flash Player update in order to watch the video.


The malware that's being delivered by the scam comes in two parts. The first is a generic backdoor, which grants the attacker the ability to install additional software on the system. The other is the propagation script, which will post the malicious link to your timeline, and tag no more than twenty friends.

"We tracked three different versions of this scam that all seem to be operated by a Turkish cyber-criminal called "schwarzback." Real-time analytics embedded in the scam page (and its two other clones) shows that more than 5000 people have landed on the scam page in less than one hour. The domain hosting the payload for this tag scam has been registered on Saturday and it’s still up and running," Bitdefender reported.

Fake updates are a common method used by criminals to trick users into installing malicious software.

The warnings and pop-ups are created to mimic the actual software, which can make it hard to determine if the source is legitimate. The best rule of thumb is to avoid installing anything that you're unsure about. It's also wise to remember that Flash updates or other Adobe updates can be (and should be) obtained by visiting Adobe directly.
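The rule of thumb above can also be applied on the network side. The following is an added example, not code from the article or from Bitdefender: it scans web proxy logs for Flash-installer-like downloads served by hosts outside an Adobe allow-list and raises the severity when the same client visited goo.gl shortly before. The log format, allow-list, time window and sample lines are constructed assumptions.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Assumption: hosts under these domains are accepted as genuine Adobe download sources.
TRUSTED_SUFFIXES = ("adobe.com", "macromedia.com")
SHORTENER = "goo.gl"              # URL shortener named in the article
WINDOW = timedelta(minutes=5)     # assumed correlation window
INSTALLER = re.compile(r"flash.*\.(exe|msi|scr)$", re.IGNORECASE)

# Constructed sample proxy log: ISO timestamp, client IP, requested URL.
SAMPLE_LOG = """\
2015-02-01T10:00:01 10.0.0.5 http://goo.gl/EXAMPLE1
2015-02-01T10:00:09 10.0.0.5 http://video-site.example/FlashPlayer_update.exe
2015-02-01T10:02:00 10.0.0.7 https://fpdownload.macromedia.com/pub/flashplayer/install_flash_player.exe
2015-02-01T11:30:00 10.0.0.9 http://goo.gl/EXAMPLE2
2015-02-01T12:45:00 10.0.0.9 http://cdn.example/flash_setup.exe
2015-02-01T13:00:00 10.0.0.8 http://adobe.com.updates.example/flashplayer.msi
"""

def is_trusted(host):
    # Match on the registered-domain suffix so lookalikes such as
    # "adobe.com.updates.example" are not accepted.
    host = (host or "").lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)

def parse(log):
    for line in log.splitlines():
        parts = line.split(None, 2)
        if len(parts) == 3:
            yield datetime.fromisoformat(parts[0]), parts[1], urlsplit(parts[2])

def find_fake_flash_downloads(log):
    last_short = {}   # client -> time of the most recent shortener visit
    alerts = []
    for ts, client, url in parse(log):
        host = (url.hostname or "").lower()
        if host == SHORTENER:
            last_short[client] = ts
        elif INSTALLER.search(url.path) and not is_trusted(host):
            seen = last_short.get(client)
            via_short = seen is not None and timedelta(0) <= ts - seen <= WINDOW
            alerts.append((client, host, "high" if via_short else "medium"))
    return alerts

if __name__ == "__main__":
    print(*find_fake_flash_downloads(SAMPLE_LOG), sep="\n")
```
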

"First and foremost, install an anti-malware solution on your PC. If you already have one, you still might not want to click every single link you get on your wall. Carefully analyze whether your contacts would actually post this type of content on their wall and always remember that it’s curiosity that killed the cat," Bitdefender's Bogdan Botezatu said, suggesting additional protective measures.

"Last, but not least, adjust your Facebook privacy settings to ask for your permission to display content you’re tagged in to your followers. This way, you could limit the spread of such scams should you fall victim to them. You can do this by setting the Timeline Review option in your Facebook Privacy Settings page."
