
Attackers spread worm via Facebook, leverage cloud services

Facebook users who clicked an Ow.ly link in a post promising pornographic content may have become infected with a worm – believed to belong to the Kilim family – that then spread the same link to all of their contacts and groups, according to a Thursday post by Malwarebytes.

Kilim targets social media networks – particularly Facebook and Twitter – by installing a rogue extension within the Google Chrome browser, Jerome Segura, senior security researcher at Malwarebytes, told SCMagazine.com in a Friday email correspondence. The malware can be used to post new messages, like a page, follow users and send direct messages, he explained.

“The goal [of this current attack] is to harvest as many users as possible to create a very large [botnet] consisting of social networks profiles which can be leveraged in various ways, [such as by] reselling Facebook friends and likes, reselling Twitter followers, [and] generating pay per click revenue by visiting sites and clicking ads,” Segura said, adding this attack seems to target Chrome specifically.

To infect users, attackers are taking advantage of a multi-layer redirection architecture that leverages cloud services, the post indicates. Segura said the attackers may be using this method to “make it harder to pinpoint exactly how the malicious redirection takes place, but also to be able to switch services quickly if they get blacklisted.”

Upon clicking the Ow.ly link claiming to deliver “sex photos of teen girls in school,” Facebook users are redirected to another Ow.ly link, which then redirects to an Amazon Web Services page, which then redirects to a malicious website, according to the post.

At this point, the malicious website checks the user's system. Mobile users are “taken to an offer page based on their geographic location and language,” Segura said. “These offers usually end up being bogus apps or surveys.”

Computer users are instead sent to a Box page where they are prompted to download a file, the post indicates. Running the file infects the machine, which then downloads additional components, including the worm, and spreads the original Ow.ly link to the infected user's Facebook contacts and groups.
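As an added example that is not part of the article or of Malwarebytes' analysis, the following Python expands a redirect chain of the kind described above without rendering any page, labels which hops are URL shorteners or cloud services, and compares where a desktop and a mobile client end up (the cloaking step). The hop table and every URL in it are constructed placeholders standing in for live HTTP, not the campaign's own links.

```python
"""Expand a multi-hop redirect chain and flag the services it crosses."""
from urllib.parse import urlsplit

SHORTENERS = {"ow.ly"}
CLOUD_HOSTS = {"amazonaws.com", "box.com", "app.box.com"}
MAX_HOPS = 10

# Constructed stand-in for live responses, mirroring the shape of the chain
# in the article: shortener -> shortener -> cloud-hosted page -> landing site
# that branches on client type -> file host (desktop) or offer page (mobile).
SHARED = ["http://ow.ly/AAAA", "http://ow.ly/BBBB",
          "http://example-bucket.s3.amazonaws.com/r.html",
          "http://landing.invalid/check"]
BRANCH = {"desktop": "https://app.box.com/s/PLACEHOLDER",
          "mobile": "http://offers.invalid/geo"}

def fake_fetch(url, client_kind):
    """Stand-in for an HTTP HEAD: return the Location header, or None if final."""
    if url in SHARED[:-1]:
        return SHARED[SHARED.index(url) + 1]
    if url == SHARED[-1]:
        return BRANCH[client_kind]
    return None

def follow_chain(url, client_kind, fetch=fake_fetch):
    """Follow Location headers only; stop on a loop or when the hop limit is hit."""
    hops, seen = [url], {url}
    while len(hops) <= MAX_HOPS:
        nxt = fetch(hops[-1], client_kind)
        if nxt is None:
            return hops, "final"
        if nxt in seen:
            return hops, "loop"
        hops.append(nxt)
        seen.add(nxt)
    return hops, "hop_limit"

def classify(url):
    """Tag a hop by the kind of infrastructure it sits on."""
    host = urlsplit(url).hostname or ""
    if host in SHORTENERS:
        return "shortener"
    if any(host == c or host.endswith("." + c) for c in CLOUD_HOSTS):
        return "cloud"
    return "other"

def chain_report(start, fetch=fake_fetch):
    """Expand the chain as desktop and mobile; cloaking = different final hops."""
    report = {}
    for kind in ("desktop", "mobile"):
        hops, status = follow_chain(start, kind, fetch)
        report[kind] = {"hops": hops, "status": status,
                        "stages": [classify(h) for h in hops]}
    report["cloaked"] = report["desktop"]["hops"][-1] != report["mobile"]["hops"][-1]
    return report
```

Swapping `fake_fetch` for a real HEAD request with a non-following client lets the same report be produced for a live link, with the User-Agent varied per client kind.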

“The file hosted on Box is trimmed down to a minimum size and its only purpose is to download additional components,” Segura said. “This is typically done to avoid initial detection, but also to allow the bad guys to update the backend code on the server so that the trojan downloader can retrieve the latest versions of each module. After the additional components are downloaded (Chrome extension, worm binary) they are installed on the machine and simply wait for the user to log into Facebook.”

Box is aware of the attack, according to a statement emailed to SCMagazine.com on Friday. To address the issue, the company is removing the files, eliminating sharing privileges for malicious accounts and is continuously scanning for viruses and related activity.

Facebook is also aware of the threat. Working with the other companies targeted in the attack, the social media giant spent the past week blocking associated links and stopping the links from spreading on its platform, according to a statement emailed to SCMagazine.com on Friday.

In a statement, an Amazon Web Services (AWS) spokesperson told SCMagazine.com on Friday that the “activity being reported is not currently happening on AWS.”
