
A new advanced form of malware is using Facebook Messenger to infect victims' systems, security researchers have warned.

The malware was discovered by Kaspersky Lab researcher David Jacoby. In a blog post, he explained that the malware came to his attention after a friend sent him a link to a video file in Messenger.

He said that the link points to a Google doc. The document has already taken a picture from the victim's Facebook page and created a dynamic landing page which looks like a playable movie.

“When the victim clicks on the fake playable movie, the malware redirects them to a set of websites which enumerate their browser, operating system and other vital information. Depending on their operating system they are directed to other websites,” said Jacoby.

He added that the malware works on both Windows and macOS, and is browser independent.

“What I noticed during my research was that when changing the User-Agent header (browser information) the malware redirects you to different landing pages. For example, when using Firefox I was redirected to a website displaying a fake Flash Update notice, and then offered a Windows executable. The executable is flagged as adware,” he said.

He added that when using Chrome, he was redirected to a website which mimics the layout of YouTube, even including the YouTube logo. The website then displays a fake error message, tricking the user into downloading a malicious Google Chrome extension from the Google Web Store. He said that the Chrome extension is a downloader, which means that it downloads a file to a victim's computer. “At the time of writing, the file which should have been downloaded was not available,” said Jacoby.
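The User-Agent-dependent redirection described above leaves a recognisable pattern in web proxy logs: the same URL sends different browser families to different hosts. The following is an added example, not code from Jacoby's research or from this article; the log format, the `.example` hostnames and the function names are constructed assumptions.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed proxy log lines (not from the article): url|status|Location|User-Agent
SAMPLE_LOG = """\
http://landing.example/v?id=1|302|http://flash-update.example/get|Mozilla/5.0 (Windows NT 10.0; rv:55.0) Gecko/20100101 Firefox/55.0
http://landing.example/v?id=1|302|http://video-mimic.example/watch|Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0 Safari/537.36
http://news.example/a|301|https://news.example/a|Mozilla/5.0 (Windows NT 10.0; rv:55.0) Gecko/20100101 Firefox/55.0
http://news.example/a|301|https://news.example/a|Mozilla/5.0 (Macintosh) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0 Safari/537.36
http://landing.example/v?id=1|200||Mozilla/5.0 (Windows NT 10.0) unknown-client
"""

def browser_family(user_agent):
    """Coarse browser family. Chrome is tested before Safari because
    Chrome User-Agent strings contain both tokens."""
    for token, family in (("Firefox/", "firefox"), ("Chrome/", "chrome"), ("Safari/", "safari")):
        if token in user_agent:
            return family
    return "other"

def find_ua_dependent_redirects(log_text):
    """Return {url: {family: [redirect hosts]}} for URLs whose redirect
    host differs between browser families."""
    seen = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        parts = line.split("|", 3)  # the User-Agent is last and may contain anything
        if len(parts) != 4:
            continue  # malformed line
        url, status, location, user_agent = parts
        if not status.startswith("3") or not location:
            continue  # only redirects are of interest
        host = urlsplit(location).hostname
        if host:  # relative redirects stay on the same host, so skip them
            seen[url][browser_family(user_agent)].add(host)
    flagged = {}
    for url, by_family in seen.items():
        distinct_targets = {frozenset(hosts) for hosts in by_family.values()}
        if len(by_family) > 1 and len(distinct_targets) > 1:
            flagged[url] = {fam: sorted(hosts) for fam, hosts in by_family.items()}
    return flagged

if __name__ == "__main__":
    for url, targets in find_ua_dependent_redirects(SAMPLE_LOG).items():
        print(url, targets)
```

A benign site that upgrades every browser to the same HTTPS host, like the `news.example` lines here, is not flagged.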

Jacoby said that the campaign is unique in that it also uses Google Docs, with customised landing pages. “As far as I can see no actual malware (Trojans, exploits) are being downloaded but the people behind this are most likely making a lot of money in ads and getting access to a lot of Facebook accounts.”

He said that the initial spreading mechanism seems to be Facebook Messenger, but how it actually spreads via Messenger is still unknown.

“It may be from stolen credentials, hijacked browsers or clickjacking. At the moment, we are not sure because this research is still ongoing,” said Jacoby.

He warned users not to click on random links sent by friends on Facebook.

Chris Doman, security researcher at AlienVault, told SC Media UK that attacks like this are not uncommon, as previous JavaScript worms have spread these messages to all Facebook contacts. “It seems as though the final payload of this attack is Adware, which is well detected by most anti-virus vendors,” he said.

Mark James, security specialist at ESET, told SC Media UK that even if you think you know the sender you should always be very wary of links in messages. They are often shortened, so they give you no clue as to their destination.

“In an ideal world, double check with the sender through an alternative contact method. If you really do need to follow the link to ensure it's genuine then make sure your operating system and applications are fully patched and updated, to lower your chances of being hit through an exploit or vulnerability,” he said.