Some time ago, David Jacoby, a security researcher in Kaspersky Lab's Global Research and Analysis Team (GReAT), discovered multiplatform malware that spread through Facebook Messenger. A couple of years earlier, similar attacks had been detected quite frequently, but they had become rare, in part because Facebook actively works to block malware on its platform.
When the malware was first reported, Jacoby did not publish many details about how it operated.
This article first walks through the infection chain from the victim's point of view, then summarizes what the researchers found in the code:
First, a potential victim receives a message from a friend on Facebook Messenger. The message contains the word "Video", a random emoji, a shortened URL and the recipient's name.
The original post includes a screenshot of such a message.
If the user clicks the link, they are redirected to Google Drive, where they see what looks like a video player showing the sender's profile picture and a play button.
If the user tries to play the "video" in Google Chrome, they are sent to a site that imitates a YouTube page and prompts them to install a Chrome extension.
If the victim installs the extension, it begins sending the same malicious link to the victim's friends, and the chain repeats for every new victim.
If the victim uses a browser other than Chrome, they are instead told to update Adobe Flash Player. This fake "Flash Player" is adware: the attackers monetize the infection through the ads it displays.
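The four lure traits described above (the word "Video", an emoji, a shortened URL, the recipient's own name) are regular enough to score automatically. The script below is an added example, not code from the original article or from Kaspersky's researchers: it rates a message on those four traits and flags anything that shows three or more. The shortener list, the recipient name and the sample messages are constructed for illustration.

```python
"""Heuristic scoring of Messenger-style lure messages.

Added example, not code from the original article or from Kaspersky.
Scores a message on the four traits the article describes: the word
"Video", an emoji, a shortened URL and the recipient's own name.
The shortener list, recipient name and sample messages are constructed.
"""
import re
from urllib.parse import urlparse

# Constructed list of URL-shortener hosts; extend it for your environment.
SHORTENER_HOSTS = {"bit.ly", "goo.gl", "t.co", "tinyurl.com", "ow.ly", "is.gd"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def has_emoji(text: str) -> bool:
    """Rough emoji test: Misc Symbols/Dingbats (U+2600-U+27BF) or the
    Supplementary Multilingual Plane emoji blocks (U+1F000-U+1FAFF)."""
    return any(0x2600 <= ord(ch) <= 0x27BF or 0x1F000 <= ord(ch) <= 0x1FAFF
               for ch in text)


def shortened_urls(text: str) -> list:
    """Return the URLs in text whose host is a known shortener."""
    found = []
    for match in URL_RE.finditer(text):
        url = match.group(0)
        host = (urlparse(url).hostname or "").lower()
        if host in SHORTENER_HOSTS:
            found.append(url)
    return found


def lure_score(message: str, recipient_name: str) -> int:
    """Count how many of the four lure traits the message shows (0-4)."""
    score = 0
    if re.search(r"\bvideo\b", message, re.IGNORECASE):
        score += 1
    if has_emoji(message):
        score += 1
    if shortened_urls(message):
        score += 1
    # The lure used the recipient's name; match the first name as a whole word.
    parts = recipient_name.split()
    if parts and re.search(r"\b" + re.escape(parts[0]) + r"\b", message, re.IGNORECASE):
        score += 1
    return score


def is_suspected_lure(message: str, recipient_name: str, threshold: int = 3) -> bool:
    """Flag a message when it shows at least `threshold` of the four traits."""
    return lure_score(message, recipient_name) >= threshold


def triage(messages, recipient_name: str):
    """Return (score, message) for every message that trips the heuristic."""
    return [(lure_score(m, recipient_name), m) for m in messages
            if is_suspected_lure(m, recipient_name)]


# Constructed sample inbox for the hypothetical recipient "Anna Svensson".
RECIPIENT = "Anna Svensson"
SAMPLE_MESSAGES = [
    "Video 😀 https://bit.ly/2xYzAbC Anna",                      # full lure pattern
    "Hey Anna, want to grab lunch tomorrow?",                     # benign: name only
    "Check out this video https://www.youtube.com/watch?v=abc",   # benign: full URL
    "Anna 😉 https://t.co/Q1w2E3",                                 # variant without "Video"
]

if __name__ == "__main__":
    for score, msg in triage(SAMPLE_MESSAGES, RECIPIENT):
        print(f"[{score}/4] {msg}")
```

The threshold of three rather than four is deliberate: the researchers found that the lure text was meant to be localized, so a variant that drops the English word "Video" should still trip the check, while an ordinary message that happens to mention a video or a friend's name scores only one.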
Jacoby and Frans Rosén investigated the campaign and how the malware operates.
The page victims reached after clicking the Messenger link was literally a PDF file opened in the Google Drive preview.
The file contained the sender's profile picture taken from Facebook, a fake play button, and the address bar showed the URL the victim had clicked (screenshot in the original post).
Clicking the play button took the victim to one of a couple of websites. Users of browsers other than Chrome were urged to install adware posing as Adobe Flash Player (screenshot in the original post).
If the victim used Chrome and installed the extension, it began monitoring every site the victim opened. When the victim went to Facebook, the malware stole their login data and took over the account.
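Watching every site a user opens and acting when Facebook loads requires broad extension permissions, and those permissions are the one thing a user can inspect before installing. The script below is an added example, not code from the original article or from Kaspersky: it audits a Chrome extension's manifest.json for the permissions and host patterns that grant that kind of access. The risk descriptions, the sensitive-site list and the two sample manifests are constructed for illustration; the permission names and manifest keys are Chrome's.

```python
"""Audit a Chrome extension manifest for the kind of access a page-snooping
extension needs: watching every site the user opens and acting on Facebook.

Added example, not code from the original article or from Kaspersky.
The risk descriptions, the sensitive-site list and the two sample manifests
are constructed; permission names and manifest keys are Chrome's.
"""
import json

# Chrome permission names that let an extension observe or alter browsing.
# The descriptions are this example's own summaries, not Chrome's text.
RISKY_PERMISSIONS = {
    "tabs": "read the URL and title of every open tab",
    "webRequest": "observe network requests, including to login endpoints",
    "webRequestBlocking": "modify or block network requests",
    "cookies": "read site cookies, including session cookies",
    "history": "read browsing history",
    "webNavigation": "track every page navigation",
}

# Match patterns that grant access to every site.
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# Constructed list of sites where an injected content script deserves scrutiny.
SENSITIVE_SITES = ("facebook.com", "messenger.com")


def host_patterns(manifest: dict) -> set:
    """Collect every host match pattern the extension asks for.
    Manifest V2 mixes host patterns into "permissions"; V3 moves them to
    "host_permissions". Content scripts also declare where they run."""
    patterns = set(manifest.get("host_permissions", []))
    for perm in manifest.get("permissions", []):
        if perm == "<all_urls>" or "://" in perm:
            patterns.add(perm)
    for script in manifest.get("content_scripts", []):
        patterns.update(script.get("matches", []))
    return patterns


def audit_manifest(manifest_json: str) -> dict:
    """Return the extension name, a list of findings and an overall risk label."""
    manifest = json.loads(manifest_json)
    findings = []
    for perm in manifest.get("permissions", []):
        if perm in RISKY_PERMISSIONS:
            findings.append(f"permission '{perm}': {RISKY_PERMISSIONS[perm]}")
    if host_patterns(manifest) & BROAD_HOST_PATTERNS:
        findings.append("host access to all sites: can read and change any page")
    for script in manifest.get("content_scripts", []):
        for pattern in script.get("matches", []):
            if any(site in pattern for site in SENSITIVE_SITES):
                findings.append(f"content script injected on {pattern}")
    # Constructed thresholds: no findings is low, one or two medium, three or more high.
    risk = "low" if not findings else "medium" if len(findings) < 3 else "high"
    return {"name": manifest.get("name", "<unnamed>"), "findings": findings, "risk": risk}


# Constructed manifest resembling what a page-snooping extension would need.
RISKY_MANIFEST = json.dumps({
    "manifest_version": 2,
    "name": "Video Player Helper",
    "version": "1.0",
    "permissions": ["tabs", "webRequest", "webRequestBlocking", "<all_urls>", "storage"],
    "background": {"scripts": ["bg.js"]},
    "content_scripts": [{"matches": ["*://*.facebook.com/*"], "js": ["fb.js"]}],
})

# Constructed benign manifest: local storage only, no host access.
BENIGN_MANIFEST = json.dumps({
    "manifest_version": 3,
    "name": "Notes",
    "version": "2.1",
    "permissions": ["storage"],
})

if __name__ == "__main__":
    for m in (RISKY_MANIFEST, BENIGN_MANIFEST):
        report = audit_manifest(m)
        print(f"{report['name']}: {report['risk']}")
        for finding in report["findings"]:
            print("  -", finding)
```

On a real machine the manifests live inside each extension's folder under the browser profile (for example `~/.config/google-chrome/Default/Extensions/<id>/<version>/manifest.json` on Linux), so the same function can be run over every installed extension. A content script on facebook.com is not malicious by itself, but combined with `tabs`, `webRequest` and `<all_urls>` it is exactly the access the campaign's extension used.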
The attackers had found a weakness in Facebook's handling of Facebook Query Language (FQL). FQL had been deprecated the previous year but not completely removed: access was shut off for third-party apps, with a few exceptions. For instance, the iOS app Facebook Pages Manager still used FQL, so to reach the feature the malware issued its requests on behalf of that app.
Using the stolen login data, the attackers also requested the victim's contact list from Facebook. Fifty randomly selected contacts then received a message with a link to a new Google Drive preview, and the cycle started over.
It is worth mentioning that the malicious script also "liked" a particular Facebook page, apparently so that the attackers could track the number of infections. According to the researchers, the malware rotated through several such pages, probably because Facebook blocked the earlier ones. Judging by the number of "likes", the malware infected thousands of users.
Analysis of the code showed that the malware had been designed to send localized messages, but the developers apparently settled on the single word "Video" instead. The localization code nonetheless revealed that the attackers were targeting users in Turkey, Germany, France, Sweden, Poland and several English-speaking countries.
The campaign has since been stopped. Still, it is a good reminder that browser extensions can do a great deal of harm: an extension with broad permissions can read every page you open, including sites you are logged in to.
To protect your device, do not install extensions from unknown sources, and review the permissions an extension requests before accepting it.
And before clicking a link sent by a friend, make sure it really came from them and not from someone who has taken over their account; a message consisting of little more than "Video", an emoji and a shortened URL is a warning sign.