New malware spreading via FB Messenger – antivirus firms

MANILA, Philippines – A new malware is spreading via Facebook's messaging app, Messenger, according to antivirus and cybersecurity firms Kaspersky, Avira, and CSIS. 

The malware spreads via a message sent by a contact containing a bit.ly or t.cn link and the name of the user plus the word "Video." The message is meant to make potential victims believe that it is a legitimate video link. But when clicked, the user is redirected to external sites that eventually attempt to lure the potential victim into installing the malware.

Denmark's CSIS, in a Facebook post, urgently warned users not to click: "Look out! Don't click! Another aggressive worm is spreading through Facebook's messenger system. It arrives with a link to the URL-service bitly."

The malware in this case is a type of adware – illicitly installed software that pushes ads to victims, and earns ad money for the cybercriminals – and one that may also be collecting credentials from Facebook accounts. Kaspersky senior security researcher David Jacoby says in a blog post that while he sees no Trojans or other exploits being downloaded, the people behind the cyber scam are "most likely making a lot of money in ads and getting access to a lot of Facebook accounts." 

Jacoby, however, also said that they are not yet sure how the malware is spreading via Facebook Messenger but suspect "stolen credentials, hijacked browsers or clickjacking."

Varied infection mechanisms

After clicking the link on Messenger, the user is redirected to a dynamic landing page on Google Docs, which shows what appears to be a playable movie, as shown below. When the user clicks on the fake playable movie, the user is then redirected to another site that tricks the user into downloading the infecting file.

Image from Kaspersky

The infecting site, to which users are redirected, varies according to certain parameters including a person's operating system and browser, says Jacoby. 

"For example, when using Firefox I was redirected to a website displaying a fake Flash Update notice, and then offered a Windows executable. The executable is flagged as adware."

When using the Google Chrome browser, Jacoby says he was redirected to a website which "mimics the layout of YouTube, even including the YouTube logo." The fake website then displays a fake error message that tricks the user into downloading a malicious Google Chrome extension from the Google Web Store. 

"Please make sure that you don’t click on these links," advises Jacoby. 

Another firm, Avira, posted about the malware on its social media account:

Suspicious messages with a video link ("t.cn / bit.ly") are shared within #Facebook messenger. Avira #Antivirus customers are protected! pic.twitter.com/XliA9J64Nc — Avira (@Avira) August 24, 2017

With the variety of infecting sites and download prompts, it's smart to be extra suspicious of any online link that seems to be out of the ordinary.

While this new malware has spread fast enough to attract the attention of big cybersecurity firms, this type of cyberscam isn't entirely new. Its form changes and evolves, but infection methods will still mostly rely on taking advantage of people's routine, behavior, and habits when interacting with online content and computers. – Rappler.com

Gelo Gonzales

Gelo Gonzales is Rappler’s technology editor. He covers consumer electronics, social media, emerging tech, and video games.