Variants of this malware have appeared on Facebook in the last few months. Today’s version of the attack starts with a friend’s post that looks something like this:
The link takes clickers to a Blogspot page that has been very convincingly designed to look like a Facebook page with an embedded video player (none of the Facebook elements at the top of the page are actually clickable). Visitors are informed that they need the Divx plugin/Youtube Premium plugin.
Clicking on the download link runs a script that performs several misdeeds:
1) A link is posted on the user's wall. Facebook extracts the content for the post from the page itself, which includes data specifically formatted for this purpose:
- 95% 0f All People Cant even Watch This Video F0r More Than 20 Seconds
2) The script then installs Firefox or Chrome extensions, depending on the browser used. These extensions are used to redirect users to several further scams. The redirections happen no matter what sites the user actually intended to go to. One of the redirections is to a scam offering a $50 Starbucks gift card. This is similar to the attack we described in December. After coaxing the Facebook user to like and share the link, they are led to an affiliate marketing site.
How to spot that this is bad stuff before you click too much:
- The spelling and grammar errors – “Cant”, “wow checkout this”, “FOr”
- The Blogspot page that is based on a number
- The Blogspot page that looks like a Facebook page
- The “download plugin” requirement to see a video (a long-running trick to get people to willingly install malware).
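The checklist above can be turned into a triage check over a saved copy of a suspicious page. This is an added example, not code from the original post; it assumes the preview text sits in an Open Graph `og:title` tag and that "based on a number" means digits in the Blogspot subdomain, and the sample URL and HTML are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

class _Page(HTMLParser):
    """Collects text nodes and the og:title value used for the wall post."""
    def __init__(self):
        super().__init__()
        self.text, self.og_title = [], ""
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and a.get("property") == "og:title":
            self.og_title = a.get("content") or ""
    def handle_data(self, data):
        self.text.append(data)

def zero_for_o(text):
    """Tokens such as '0f' or 'F0r': letters plus the digit 0 and nothing else."""
    return [t for t in re.findall(r"[A-Za-z0-9]+", text)
            if "0" in t and re.fullmatch(r"[A-Za-z0]+", t) and re.search(r"[A-Za-z]", t)]

def lure_indicators(url, html):
    """Return the names of the checklist indicators that fire for this page."""
    page = _Page()
    page.feed(html)
    body = " ".join(page.text)
    host = (urlparse(url).hostname or "").lower()
    hits = []
    if zero_for_o(page.og_title + " " + body):
        hits.append("digit-for-letter spelling")
    # Assumption: "based on a number" is read as digits in the subdomain.
    if host.endswith(".blogspot.com") and re.search(r"\d", host.split(".")[0]):
        hits.append("numbered blogspot host")
    on_facebook = host == "facebook.com" or host.endswith(".facebook.com")
    if not on_facebook and re.search(r"facebook", body, re.I):
        hits.append("facebook look-alike off facebook.com")
    if re.search(r"\b(need|download|install)\b.{0,60}\bplugin\b"
                 r"|\bplugin\b.{0,60}\brequired\b", body, re.I | re.S):
        hits.append("plugin required to watch")
    return hits

# Constructed sample input; the host name is a made-up placeholder.
SAMPLE_URL = "http://constructed-example-12345.blogspot.com/"
SAMPLE_HTML = """<head><title>Facebook</title><meta property="og:title"
 content="95% 0f All People Cant even Watch This Video F0r More Than 20 Seconds">
</head><body><p>You need the Divx plugin to watch this video.</p>
<a href="#">Download plugin</a></body>"""

if __name__ == "__main__":
    print(lure_indicators(SAMPLE_URL, SAMPLE_HTML))
```

Each indicator is weak on its own; the value is in several firing together on one page.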