Last week we described Facebook malware that was distributed via compromised accounts offering “500 free credits on Facebook”. Now the same techniques are being used but the subject matter has changed to the highly topical death of Osama Bin Laden.
As described in the last post the malware cycle is as follows:
- Facebook friends get messages or event invitations promising actual videos of the death of Bin Laden.
- These trick users into running a malicious JavaScript. Since the script is run while the user has Facebook open, the malware has access to all of the user’s friends and privileges (such as being able to send messages).
- The now-infected user is lead to a website with a YouTube clip of President Obama’s announcement (which has been cut down to a few seconds). The site then quickly redirects to an affiliate marketing page. This page uses various techniques to generate revenue through pay-per-click advertising.
- In parallel the malicious script sends out more “Bin Laden Death Video” messages and the cycle starts again
This is a sample event invitation:
And below is a screenshot of one (of the many) destination pages which feature the instructions to start the malware cycle. Note that the instructions are very specific about copying and pasting the link into the open Facebook page. This effectively runs the script “within” a Facebook session – a kind of “manual” cross-site scripting attack.
Prior to the Bin Laden incident there were other occurrences of this technique (over the weekend) – this time using subjects related to finding out who views your profile. The basic flow was almost identical to that described above. The invitation message shown below leads an “instruction” page similar to the one shown above.
As before we caution Facebook users to be wary of links that seem strange – especially since they will be sent by friends.