The threat actors use the social media platform to push a shortened URL that promises the user coupons, vouchers, premium software downloads and even tax return services, but actually take the victim to a server hosted on Google's cloud service where Spy Banker is downloaded. The criminals are banking on the victim seeing the "facebook.com" link and trust it enough to click it, said Kaspersky Lab security researcher Fabio Assolini told SCMagazine.com via email correspondence.
“The cybercriminals main purpose in these attacks is to use the Facebook infrastructure to host malware there and spread it to the users, as everybody tends to trust a facebook.com link,” he said.
Generally cybercriminals create fake accounts, with fake or no pictures included, Assolini noted.
“In the end, the user will receive a malicious email asking to download a file hosted on Facebook, which is a very clever social engineering attack,” he said.
Cybercriminals also have been spotted using Google Docs, Dropbox, Sugarsync and other platforms as part of their social engineering strategy to host files, Assolini said in a Kaspersky Lab post, adding that using Facebook to host the malicious files was new.
One of the malicious Facebook links was clicked more than 102,000 times on between October 20 and November 30 researchers said in the Kaspersky post.
To prevent falling victim to these type of attacks Assolini recommends that users educate themselves on social engineering attacks and use robust antivirus solutions as their primary defenses.
“Even if a executable comes from a trusted source such as Facebook, users should check with their antivirus before opening it,” he said.