By using this site, you agree to the Privacy Policy and Terms of Use.
Accept
10alert.com10alert.com10alert.com
  • Threats
    • WordPress ThreatsDanger
    Threats
    A cyber or cybersecurity threat is a malicious act that seeks to damage data, steal data, or disrupt digital life in general. Cyber threats include…
    Show More
    Top News
    Malware Reigned Supreme In 2012
    12 months ago
    BEWARE THE THINGBOT!
    12 months ago
    Is your PC a part of botnet? Check it!
    12 months ago
    Latest News
    Beware of scammers! Dangerous apps in the App Store
    6 hours ago
    How To Limit Login Attempts on WordPress (+ Should You?)
    1 day ago
    Wordfence Intelligence Weekly WordPress Vulnerability Report (September 18, 2023 to September 24, 2023)
    1 day ago
    Two privilege escalation vulnerability in Simple Membership Plugin
    2 days ago
  • Fix
    Fix
    Troubleshooting guide you need when errors, bugs or technical glitches might ruin your digital experience.
    Show More
    Top News
    The creator of malware has infected her own computer
    12 months ago
    Windows 11 build 25163 out with new Taskbar Overflow feature
    12 months ago
    How to fix Microsoft Store not working on Windows 11
    12 months ago
    Latest News
    How automatically delete unused files from my Downloads folder?
    8 months ago
    Now you can speed up any video in your browser
    8 months ago
    How to restore access to a file after EFS or view it on another computer?
    8 months ago
    18 Proven Tips to Speed Up Your WordPress Site and Improve SEO | 2023 Guide
    9 months ago
  • How To
    How ToShow More
    Cloudflare now uses post-quantum cryptography to talk to your origin server
    Cloudflare now uses post-quantum cryptography to talk to your origin server
    9 hours ago
    Privacy-preserving measurement and machine learning
    Privacy-preserving measurement and machine learning
    9 hours ago
    Encrypted Client Hello – the last puzzle piece to privacy
    Encrypted Client Hello – the last puzzle piece to privacy
    9 hours ago
    Reminder: Enable two-factor authentication wherever you have it. This business
    13 hours ago
    ​​Know exactly when your data is transferred to GoogleIn a world where our data is permanent
    13 hours ago
  • News
    News
    This category of resources includes the latest technology news and updates, covering a wide range of topics and innovations in the tech industry. From new…
    Show More
    Top News
    VK Messenger update
    9 months ago
    How to block a website in iOS?
    9 months ago
    How to post photos to Instagram from a computer?
    12 months ago
    Latest News
    How to enable extensions for Google Bard AI
    7 hours ago
    Window 11 Copilot: 10 Best tips and tricks
    14 hours ago
    How to create AI images with Cocreator on Paint for Windows 11
    2 days ago
    How to install September 2023 update with 23H2 features for Windows 11
    3 days ago
  • Glossary
  • My Bookmarks
Reading: Bulk messaging malware in Facebook Messenger
Share
Notification Show More
Aa
Aa
10alert.com10alert.com
  • Threats
  • Fix
  • How To
  • News
  • Glossary
  • My Bookmarks
  • Threats
    • WordPress ThreatsDanger
  • Fix
  • How To
  • News
  • Glossary
  • My Bookmarks
Follow US
Threats

Bulk messaging malware in Facebook Messenger

Tom Grant
Last updated: 13 October
Tom Grant 12 months ago
Share
7 Min Read

Some time ago, an antivirus expert from our Global Research and Analysis Team, David Jacoby, discovered multiplatform malware that was distributed through Facebook Messenger. A few years ago, similar outbreaks were occurring quite often, but none have appeared lately; Facebook was doing a lot to prevent similar attacks.

First a preliminary report was published. At that time, Jacoby still had not had enough time to research many details about how the malware operated, but now he has, and we are ready to share them. From a user’s perspective, here’s how the infection progressed.

  • The user received a message in Facebook Messenger from a friend. The message contained the word “Video,” the name of the sender, a random smiley, and a short link. It might look like this, for example:

  • The link redirected to Google Drive, where the user saw something resembling a video player with a picture of the original sender in the background and what looked like a Play button.
  • If the victim attempted to play back the “video” in Google Chrome, they were redirected to a page that looked much like a YouTube page and offered to install an extension for Chrome.
  • If the user agreed to the installation, then the extension began to send out malicious links to their friends — and everything followed the same algorithm for each of them over again.
  • Users of other browsers were persistently reminded to update their Adobe Flash Player instead of being offered the extension. The file they downloaded turned out to be adware — essentially, malefactors used advertisements to earn their money.

Jacoby, along with Frans Rosen, a researcher with whom he has been working on a project called “Hunting bugs for humanity,” have analyzed this malicious campaign and worked out how it operates.

The page that users were redirected to after following the link in Facebook Messenger was basically a PDF file that had been published to Google Drive. It opened as a preview. The file had a picture from a user’s Facebook page — the user whose identity was used to spread the malware — an icon for playing back the video shown over the picture, and the link that the victim opened by trying to click the playback button.

Clicking the link led friends of the victim to this page.

The link caused several redirections, landing the user on one of several websites. Victims using browsers other than Google Chrome ended up on a website offering to download adware masked as an update for Adobe Flash Player.

Browsers other than Google Chrome offered to download adware disguised as Adobe Flash Player.

In the case of Chrome, that was just the beginning: If the victim agreed to install the extension offered on the landing page, it began monitoring what websites the user opened. As soon as the victim navigated to Facebook, the extension stole their login credentials and the access token and sent them to the malefactors’ server.

A fake YouTube page offering to install Google Chrome extensions.

The crooks had found an interesting bug in Facebook. As it turned out, the unsecure Facebook Query Language (FQL), which was disabled a year ago, was not completely wiped out; it was blocked for applications, but with a few exceptions. For example, Facebook Pages Manager, an iOS application, still uses FQL. Thus, to gain access to the “locked out” feature, malware simply has to act on behalf of the application.

By using the stolen credentials and accessing the obsolete Facebook feature, the crooks could request that the social network send them the contact list of the victim, cull those who were not currently online, and randomly select 50 new victims from the remainder. Then, those users were bulk-messaged with a new link to Google Drive with a PDF file preview generated with the picture of the person on whose behalf the new messaging wave commenced. All in all, a vicious cycle.

It is worth noting that among other things, the malicious script “liked” a specific Facebook page, apparently to collect statistics for the infection. In the course of the attack, Jacoby and Rosen observed, the malefactors changed several of the specific pages, possibly as Facebook closed the previous ones. Judging by the number of “likes,” there were tens of thousands of victims.

One of the pages that infected users “liked.”

Their analysis of the code revealed that the malefactors were initially planning to use localized messages but then changed their minds and resorted to the short and simple “Video.” The localization function‘s code showed that the crooks were primarily interested in Facebook users from several European countries such as Turkey, Italy, Germany, Portugal, France (also, francophone Canada), Poland, Greece, Sweden, and all countries with English-speaking users.

The mutual effort of several companies has put an end to the infection’s spread for now. Nonetheless, this story is a great reminder that extensions for browsers are not as harmless as they may seem. To stay safe and not fall victim to similar malicious campaigns, avoid installing browser extensions without absolute confidence that they are safe, that they will not steal your data, and that they won’t track your online activities.

Also, clicking every link, even links that seem to be from someone you know, is out of the question. It is always a good idea to make sure that it is really your friend on the other end of the line, not some criminal who took control of your friend’s account.


Source: kaspersky.com

Translate this article

TAGGED: Apple, Chrome, Facebook, Malware, Threats, Transport Layer Security, YouTube
Tom Grant October 13, 2022 October 7, 2022
Share This Article
Facebook Twitter Reddit Telegram Email Copy Link Print

STAY CONECTED

24.8k Followers Like
253.9k Followers Follow
33.7k Subscribers Subscribe
124.8k Members Follow

LAST 10 ALERT

Cloudflare now uses post-quantum cryptography to talk to your origin server
Cloudflare now uses post-quantum cryptography to talk to your origin server
Apps 9 hours ago
Privacy-preserving measurement and machine learning
Privacy-preserving measurement and machine learning
Apps 9 hours ago
Encrypted Client Hello – the last puzzle piece to privacy
Encrypted Client Hello – the last puzzle piece to privacy
Apps 9 hours ago
Beware of scammers! Dangerous apps in the App Store
Threats 9 hours ago
How to enable extensions for Google Bard AI
News 10 hours ago

You Might Also Like

Cloudflare now uses post-quantum cryptography to talk to your origin server
Apps

Cloudflare now uses post-quantum cryptography to talk to your origin server

9 hours ago
Encrypted Client Hello – the last puzzle piece to privacy
Apps

Encrypted Client Hello – the last puzzle piece to privacy

9 hours ago
Threats

Beware of scammers! Dangerous apps in the App Store

9 hours ago
How To Limit Login Attempts on WordPress (+ Should You?)
Wordpress Threats

How To Limit Login Attempts on WordPress (+ Should You?)

1 day ago
Show More

Related stories

How to upgrade to Windows 11 23H2 with Installation Assistant
How to install September 2023 update with 23H2 features for Windows 11
Critical Vulnerability in Forminator Plugin
How to get the latest Windows 11 innovations
How to blur image background in Photos for Windows 11
How to download official Windows 11 23H2 ISO file
Previous Next

10 New Stories

Reminder: Enable two-factor authentication wherever you have it. This business
​​Know exactly when your data is transferred to GoogleIn a world where our data is permanent
​​Fake correspondence with the iPhone interfaceIn a world where digital communication is
​​Let's find out who is watching your Instagram stories from a fake Have you ever wondered
Window 11 Copilot: 10 Best tips and tricks
How To Limit Login Attempts on WordPress (+ Should You?)
Previous Next
Hot News
Cloudflare now uses post-quantum cryptography to talk to your origin server
Privacy-preserving measurement and machine learning
Encrypted Client Hello – the last puzzle piece to privacy
Beware of scammers! Dangerous apps in the App Store
How to enable extensions for Google Bard AI
10alert.com10alert.com
Follow US
© 10 Alert Network. All Rights Reserved.
  • Privacy Policy
  • Contact
  • Customize Interests
  • My Bookmarks
  • Glossary
Go to mobile version
adbanner
AdBlock Detected
Our site is an advertising supported site. Please whitelist to support our site.
Okay, I'll Whitelist
Welcome Back!

Sign in to your account

Lost your password?