CYBER SECURITY EVANGELIST

There’s a new malware threat spreading fast on the Internet, and this time it’s targeting Facebook users.

If you get this suspicious link via Messenger from one of your Facebook friends, don’t click on it!

This malware, which replicates over Facebook’s internal messaging system, Messenger, is circulating and spreading heavily. This is a form of social engineering used to trick people and steal sensitive data.

Here’s how it works

The message includes a bit.ly link (Bit.ly is a URL shortening service) which leads to a video with the person’s name. Once the user clicks on the malicious link, their traffic is redirected through a long chain of malicious domains.

Un-shortening the URL leads to (sanitized for your protection):

https [://] docs.google [.] com/file/d/0B7rArSLkL3A-dk9ZNVp1NzRUWjg/preview 

Here is a selection of the malicious URLs involved in delivering and keeping the distribution covert (sanitized for your online safety):

http://bitly[.]com/2v8tlRs?[name of recipient]
https://docs.google[.]com/file/d/[unique ID]/preview
http://dilosi[.]bid/ad/1010442020
q.redirecting[.]website
FlashPlayerPro_0851280053.exe

The final destination is a domain where the malware, in this case adware, is downloaded from.
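To check whether anyone on a network followed this chain, the sanitized indicators above can be matched against web proxy logs. The sketch below is an added example, not code from the original article or from the researchers cited; the log format, the client addresses, the `dl.example.test` host and the assumption that only the numeric suffix of the installer name changes are all constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Indicators exactly as published (defanged) in the article's URL list.
DEFANGED = ["bitly [.] com/2v8tlRs", "dilosi [.] bid", "q.redirecting [.] website"]
# Assumption: only the numeric suffix of the installer name varies.
FAKE_FLASH = re.compile(r"^FlashPlayerPro_\d+\.exe$", re.IGNORECASE)

def refang(text):
    """Convert 'dilosi [.] bid' / 'http [://] host' notation to a parsable string."""
    text = re.sub(r"\s*\[\.\]\s*", ".", text)
    text = re.sub(r"\s*\[://\]\s*", "://", text)
    return re.sub(r"\s+", "", text)

def matches_indicator(url):
    """True if the URL's host (and path prefix, when the indicator has one) matches."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    for indicator in map(refang, DEFANGED):
        ind_host, _, ind_path = indicator.partition("/")
        ind_host = ind_host.lower()
        if host == ind_host or host.endswith("." + ind_host):
            if parts.path.lstrip("/").startswith(ind_path):
                return True
    return False

def affected_clients(log_lines):
    """Clients that hit a listed redirector and afterwards fetched a fake Flash .exe."""
    redirected, flagged = set(), {}
    for line in log_lines:
        timestamp, client, url = line.split(maxsplit=2)
        if matches_indicator(url):
            redirected.add(client)
        filename = urlsplit(url).path.rsplit("/", 1)[-1]
        if client in redirected and FAKE_FLASH.match(filename):
            flagged[client] = (timestamp, url)
    return flagged

# Constructed proxy log lines, "<time> <client> <url>"; dl.example.test is a placeholder host.
SAMPLE_LOG = [
    "10:01:02 10.0.0.5 " + refang("http [://] bitly [.] com/2v8tlRs?Alice"),
    "10:01:04 10.0.0.5 " + refang("http [://] dilosi [.] bid/ad/1010442020"),
    "10:01:09 10.0.0.5 " + refang("http [://] dl.example [.] test/FlashPlayerPro_0851280053.exe"),
    "10:02:00 10.0.0.7 " + refang("http [://] q.redirecting [.] website/"),
    "10:03:00 10.0.0.9 " + refang("http [://] dl.example [.] test/FlashPlayerPro_1.exe"),
]

if __name__ == "__main__":
    for client, (when, _url) in affected_clients(SAMPLE_LOG).items():
        print(client, "fetched a fake Flash installer at", when)
```

Only the first client is reported: the second reached a redirector but downloaded nothing, and the third fetched a similarly named file without passing through a listed domain.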

This strain of adware tracks cookies, monitors your online activity, and shows different ads that lead to potentially malicious URLs.

Researchers have discovered that this campaign uses various attack angles, such as a browser extension for Chrome and Firefox, or a binary package that installs adware on users’ computers. The binary package is offered to Safari and Microsoft Edge / Internet Explorer users.

According to SecureList, when the Firefox browser is used, the campaign sends users to a website displaying a fake Flash Update notice and then offers a Windows executable.

[Image: FB malware Firefox. Source: SecureList]

The browser extension for Chrome is a downloader, which will download a file to your personal computer.

Here’s how it looks:

[Image: Chrome extension. Source: SecureList]

The adware is installed via this website (sanitized for your online safety): www.currentcleannew[.]com. It is named “VideoPlayer” and looks like a playable movie that users are tempted to access.

The installation package is installed by default to the c:\%program files%\Fahi folder.

VirusTotal indicated that 23 of 64 antivirus solutions were detecting this malicious code at the time this article was posted.

[Image: VirusTotal. Source: VirusTotal]

That’s what we know about this new malware so far. We’ll keep you informed as new details emerge.

Until then, we strongly recommend being careful while navigating online. Once again: don’t click on suspicious links, and remember to install all the latest updates for any apps you may be using. Couple that with a robust security tool that can block such malicious domains and you’ll make your online life a lot safer.

Our guide can help you easily back up all the files on your computer and protect your valuable data.

Facebook security-wise, here are some useful tips to help you stay away from online scams:

  • Do not accept friend requests from people you don’t know
  • Do not share your password with others
  • When logging in, use two-factor authentication
  • Avoid connecting to public and free Wi-Fi networks
  • Keep your browser and apps updated
  • Use proactive cyber security software.

To enhance your online privacy, read our full guide on Facebook security and privacy.

*This article features cyber intelligence provided by CSIS Security Group researchers.


Comments

very informative.

Thank you, Pedro! Happy to know it helps!

I am actually thankful to the holder of this site who has shared this great post at this time.

If you clicked the link but didn’t Add the extension in Chrome, are you still infected?

My Windows 8.1 is kinda quite slow and I’m trying to install an antivirus program aka Heimdal Security. Maybe I should use this site as my personal alert site, and this topic is useful! Thx so much!!! Also I live in Vietnam. If you clicked on my channel link and watched some videos I made, you can see that one of my videos showed the Vietnamese letters.

As a FaceBook user this is a very helpful ALERT.

Thank you so much for the feedback, Tim! Much appreciated.
