
Malware Posing As Software Update Infects Facebook Users

Friday, April 24th, 2015

A new piece of malware posing as a video player update is currently wreaking havoc on Facebook. The malware was first detected by experts working for BitDefender Antivirus, who estimated that the rogue program has infected at least 5,000 users. However, according to security expert Mohammad Reza Faghani, who works as a senior consultant at PricewaterhouseCoopers, the malware is far more lethal and has already infected more than 110,000 Facebook users in less than 3 days.

The modus operandi of the malware is pretty simple. The program first posts a message on the infected user’s Facebook wall which looks like an adult video clip. In order to spread itself, the program also tags friends from the user’s friend list along with the video. However, the program takes care not to tag hundreds of users in a single message; it tags only around 20 people. This helps it to stay under the radar and spread itself without arousing suspicion.

When other people try to play the video clip by clicking on the Play button, they see a message that a Flash Player update is required in order to play the video. People are then encouraged to download the update from the link posted alongside the message and run the installation file. The link is cloaked through a popular link shortening service (goo.gl), so there is no way for the users to know where the link is actually leading them. What’s worse, the update warning looks strikingly similar to the message used by Adobe whenever it issues a Flash Player update, which makes the message look even more legitimate.

Once users click on the link, they are redirected to a webpage where their browser and operating system information is evaluated. The evaluation is quite thorough, since the webpage checks not only for smartphones and computers but also for gaming consoles, smart TVs, smart cars and even older phones. Users who access the page from a phone, TV or gaming console are simply redirected to a page which tries to sell a premium mobile service for $3.5.

The program is far more dangerous for Windows users, since the “update”, once installed, actually installs a malicious keylogger on the user’s machine. The program then modifies registry files in order to auto-launch itself as soon as the machine starts. Once the keylogger is installed, it automatically captures all the keystrokes and sends them to external servers. The program even keeps updating itself by downloading updates and files from the internet.

Security experts have termed the tagging technique used by the malware “Magnet”, since the program gets more visibility simply by tagging users’ friends in the post. Since the post can potentially be seen by all the friends of the people who are tagged in the message, it reaches a much larger audience (which of course means more victims) without any extra effort.

Security experts have advised Facebook users not to click on suspicious messages and to install anti-malware software on their machines in order to remain safe from such rogue programs. Facebook, for its part, has said that it is aware of several varieties of the program and is actively making efforts to delete such messages and block suspicious links.
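The traits described above (a shortened link, roughly 20 tagged friends, a fake Flash Player update prompt) can be combined into a simple triage heuristic for moderators or analysts. The following is an added example, not code from Facebook or the researchers quoted here; the record fields (`id`, `text`, `tagged`, `prompt`), the tag band and the threshold are assumptions made for illustration.

```python
import re
from urllib.parse import urlparse

# Assumed values: the article names only goo.gl and "around 20" tagged friends.
SHORTENER_HOSTS = {"goo.gl"}
TAG_BAND = range(15, 26)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
LURE_RE = re.compile(r"flash\s+player.*update|update.*flash\s+player", re.I | re.S)


def shortened_links(text):
    """Return the URLs in text whose host is a known link shortener."""
    return [u for u in URL_RE.findall(text)
            if (urlparse(u).hostname or "").lower() in SHORTENER_HOSTS]


def score_post(post):
    """Return the list of suspicious traits found in one post record."""
    reasons = []
    if shortened_links(post.get("text", "")):
        reasons.append("shortened-link")      # destination is hidden from the reader
    if len(post.get("tagged", [])) in TAG_BAND:
        reasons.append("tag-burst")           # moderate tagging, as described above
    if LURE_RE.search(post.get("prompt", "")):
        reasons.append("fake-update-lure")    # "update required" shown on play
    return reasons


def triage(posts, threshold=2):
    """Return (id, reasons) for posts showing at least `threshold` traits."""
    scored = ((p["id"], score_post(p)) for p in posts)
    return [(pid, reasons) for pid, reasons in scored if len(reasons) >= threshold]


# Constructed sample records; "prompt" is a hypothetical field holding the text
# shown when Play is clicked. Links and names are placeholders.
SAMPLE_POSTS = [
    {"id": "p1", "text": "Watch this clip http://goo.gl/EXAMPLE",
     "tagged": [f"friend{i}" for i in range(20)],
     "prompt": "A Flash Player update is required to play this video"},
    {"id": "p2", "text": "Holiday photos https://example.com/album",
     "tagged": ["a", "b"], "prompt": ""},
    {"id": "p3", "text": "Meetup map https://goo.gl/EXAMPLE2",
     "tagged": [], "prompt": ""},
]

if __name__ == "__main__":
    for pid, reasons in triage(SAMPLE_POSTS):
        print(pid, ", ".join(reasons))
```

A shortened link alone (as in `p3`) is not flagged; requiring two traits keeps ordinary posts that use goo.gl out of the queue.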
