Facebook Tag Scams are Back with Malicious Payload
Bad week-end for Facebook users: a malicious tagging campaign ended up infecting at least 5 thousand computer users with a backdoor. This three-day campaign has been actively mirrored by the cyber-criminal(s) in order to prevent an early takedown.
UPDATE: there are a number of similar scams in circulation as of today which are targeting particullarly Spanish-speaking users. Unlike the scam we documented below, this one redirects the user to a malicious Chrome browser extension hosted on the official Chrome store. Once the chrome addon has been installed, the attacker gains control everything that goes through the browser, including passwords and other sensitive data.
The scam starts with an alleged video in which a number of friends are tagged in. The number of tagged friends is always 20 and the alleged video is always different. The so-called video shows the goo.gl host underneath, which should raise some flags with more experienced users, as it is a URL shortening service and not a video hosting one.
Users who click the respective video are sent to an external page, where their user-agent (the browser and operating system identifiers) are analyzed so hackers know where to redirect the victim. After all, it wouldn’t make any sense to redirect an Android user to Windows malware, would it?
The operating system check is quite thorough and include scenarios for multiple operating systems, ranging from Android mobiles to PlayStation consoles, media players, smart cars (yeah, you had that right), TV sets and even dumb phones. If the user is browsing from any of these “low-interaction terminals” they are redirected to a SMS fraud service that tries to hook you up with an useless premium service for as low as €3.00 / $3.5 (not including tax). This happens through a series of redirects, including one stopover to a mobile traffic monitoring service that provide hackers with insight about how many victims reached the scam and how many of them actually fell for it.
If you’re less fortunate (read: you’re using Windows), then you’re going to get the full service: a redirect to a fake Facebook page where you are prompted to download a so-called Flash Player update in order to be able to watch the video, which now turns out to be a spicy one rather than what was promised in the original Facebook post. Since we’re a family-friendly website, we had to censor a generous part of it.
Now, straight to the malware. The dropped payload is obviously not a Flash Player update, but rather a SFX file (a self-extracting executable archive built with WinRar). When clicked, it would install two pieces of malware contained within, called install.exe (detected by Bitdefender as Gen:Variant.Graftor.172986) and setup.exe (detected as Gen:Variant.Symmi.49919). The former is a generic backdoor that can be used to install various other malicious components, while the latter is responsible with propagating the scam on the Facebook accounts of the compromised victims.
We tracked three different versions of this scam that all seem to be operated by a Turkish cyber-criminal called “schwarzback”. Real-time analytics embedded in the scam page (and its two other clones) shows that more than 5000 people have landed on the scam page in less than one hour.
The domain hosting the payload for this tag scam has been registered on Saturday and it’s still up and running.
What should you do to stay away from this type of scam?
First and foremost, install an antimalware solution on your PC. If you already have one, you still might not want to click every single link you get on your wall. Carefully analyze whether your contacts would actually post this type of content on their wall and always remember that it’s curiosity that killed the cat. Last, but not least, adjust your Facebook privacy settings to ask for your permission to display content you’re tagged in to your followers. This way, you could limit the spread of such scams should you fall victim to them. You can do this by setting the Timeline Review option in your Facebook Privacy Settings page.