David Jacoby, a senior security researcher at Kaspersky, found an attack that appears to be part of a larger campaign operating on the Facebook Messenger platform.
Jacoby wrote Thursday in a blog post on Securelist that the code behind the campaign is “advanced and obfuscated,” and uses “tons of domains to prevent tracking” and earn clicks.
A message using the victim’s name is sent with the keyword “video” to trick unsuspecting victims into clicking a link that has been shortened with bit.ly. If they click it, they see a Google Docs page that hosts an image from the victim’s Facebook photo album.
The photo has a transparent play button so that it appears to be a video file, but it is in fact tainted with adware code. It then redirects the victim through a series of domains, called a domain chain, and then an adware payload is delivered.
In layman’s terms, “By doing this, it basically moves your browser through a set of websites and, using tracking cookies, monitors your activity, displays certain ads for you and even, in some cases, social engineers you to click on links,” Jacoby writes.
With a browser such as Firefox, the victim is forwarded to a site that displays a fake Flash Player update notice and runs an executable file which contains the adware. On Mac OS X, the victim is offered a .dmg file to download. With Google Chrome, they see a fake YouTube page which later downloads a malicious browser extension.
It has been a while since Facebook was last used to spread adware and malware campaigns. The main difference this time is that the landing page is a Google Docs page that seems to be fully customized for each victim.
The main objective of the adware developers is to make money from the ads, domains and websites the victim's browser gets cycled through.
Facebook has been at the forefront of stopping these things from happening. Last summer it fixed a vulnerability that let an attacker access and modify chats.
So far, other social media platforms have not been used for this adware-based campaign.