A new scam takes advantage of Emma Watson’s growing popularity, using the actress as bait to spread malware on Facebook, according to Bitdefender Labs. The alleged sexy videos of the British actress drop more Trojans than actual pictures and, just as in many other sex tape scams, users don’t get to see the promised content. The scam comes a couple of weeks after a nude photo leak threat targeting Watson turned out to be a hoax by a site calling itself Rantic Marketing, seeking to shut down the 4chan forum.
The Emma Watson private videos hide no marketing stunt this time. They harbor several harmful Trojans, which scrounge for personal data such as phone numbers, steal tokens of legitimate apps and hijack Facebook sessions. To monetize their efforts, the malware writers also subscribe victims to premium SMS scams.
It all starts with a Facebook comment promising to reveal private or leaked videos of Watson. The comments are automatically posted by users infected with the malware. As in many Facebook scams, victims end up as marketers for cyber-crooks.
When users click on the malicious links, they are redirected to a salacious YouTube copycat. Future victims are then asked to update their Flash Player, as an error allegedly prevents them from watching the leaked videos of Emma Watson.
“Our system detected that you are using an outdated Video Player version, in order to watch videos on Youtube please update to the latest secured version of Video Player by clicking [the] ‘Upgrade Now’ button bellow,” the error message reads. “Once you download and install the update refresh the browser to watch the video.”
To make the story more credible, the fake YouTube account used the Anonymous ‘Guy Fawkes’ mask, as the hacktivist group often claims celebrity video leaks.
Besides stealing phone numbers through premium SMS scams, the malware disguised as a Flash Player update also changes browser settings so that victims can no longer see their list of extensions or their Facebook activity and settings. Bitdefender detects the browser malware as Trojan.JS.Facebook.A, and the executable as Trojan.Agent.BFQZ.
To look legitimate, Trojan.Agent.BFQZ uses the authentic Flash Player icon and drops the browser infection components in “C:\Program Files\Internet Explorer,” together with install.bat, a file it also executes and adds to Startup so that it runs at every boot. It also grabs the anti-CSRF token of the victim – a common mechanism of Facebook scams. Holding that token lets the scammers carry out a Cross-Site Request Forgery attack: they reuse an already authenticated session to perform unwanted actions on users’ behalf.
Here are some permissions the malicious browser add-on grabs once dropped on victims’ computers:
- to abuse privileged paths of tabs and cookies
- to access hosts to stay in touch with the command-and-control center (one of the host web sites also spreads fb-color-changer.exe, a similar malicious file that lures victims with an add-on that claims it will change their Facebook color)
- to use scripts on “http://*/*”, “https://*/*” (and access code from other web sites)
- to steal access tokens of legitimate Facebook apps and use them to grab their permissions
- to post comments on users’ behalf at every post on their timeline
- to automatically like and follow Facebook pages (which can later be monetized)
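The permission list above is what a defender can check for before an add-on is trusted. The following is an added example, not Bitdefender’s code or anything from the analysed sample: it audits a Chrome-style extension manifest for the capabilities the article lists (the `tabs` and `cookies` APIs, and script or host access on `http://*/*` and `https://*/*`). The two manifests embedded in it are constructed for illustration; the key names (`permissions`, `host_permissions`, `content_scripts`, `matches`) are the ones the Chrome extension manifest format actually uses.

```python
import json

# Extension API permissions that let an add-on read or alter state across sites.
# The article names tabs and cookies; the rest are comparable in reach.
SENSITIVE_PERMISSIONS = {
    "tabs", "cookies", "webRequest", "webRequestBlocking",
    "management", "history", "webNavigation",
}

# Match patterns that cover every site, the broadest host access an extension can ask for.
ALL_HOSTS_PATTERNS = {"<all_urls>", "http://*/*", "https://*/*", "*://*/*"}


def is_all_hosts(pattern: str) -> bool:
    """True when a permission or match pattern grants access to every host."""
    return pattern in ALL_HOSTS_PATTERNS


def audit_manifest(manifest: dict) -> list[str]:
    """Return one finding per over-broad capability declared in an extension manifest.

    Handles both manifest v2 (host patterns listed inside "permissions") and v3
    ("host_permissions" as a separate key), plus content scripts injected everywhere.
    """
    findings = []
    declared = list(manifest.get("permissions", [])) + list(manifest.get("host_permissions", []))
    for perm in declared:
        if perm in SENSITIVE_PERMISSIONS:
            findings.append(f"sensitive API permission: {perm}")
        elif is_all_hosts(perm):
            findings.append(f"host access to every site: {perm}")
    for script in manifest.get("content_scripts", []):
        for pattern in script.get("matches", []):
            if is_all_hosts(pattern):
                findings.append(f"content script injected on every site: {pattern}")
    return findings


def audit_manifest_text(text: str) -> list[str]:
    """Parse a manifest.json string and audit it."""
    return audit_manifest(json.loads(text))


# Constructed sample: what an add-on with the permissions the article describes
# might declare. Illustrative only, not a captured file.
SUSPICIOUS_MANIFEST = json.dumps({
    "manifest_version": 2,
    "name": "Video Player Update",
    "version": "1.0",
    "permissions": ["tabs", "cookies", "http://*/*", "https://*/*"],
    "content_scripts": [{"matches": ["http://*/*", "https://*/*"], "js": ["content.js"]}],
})

# Constructed sample of a narrowly scoped extension, for comparison.
BENIGN_MANIFEST = json.dumps({
    "manifest_version": 3,
    "name": "Notes",
    "version": "2.0",
    "permissions": ["storage"],
    "host_permissions": ["https://notes.example/*"],
    "content_scripts": [{"matches": ["https://notes.example/*"], "js": ["notes.js"]}],
})


if __name__ == "__main__":
    for label, text in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        findings = audit_manifest_text(text)
        print(f"{label}: {len(findings)} finding(s)")
        for finding in findings:
            print("  -", finding)
```

Run against the constructed suspicious manifest it reports six findings (two sensitive APIs, two all-hosts permissions, two all-hosts content scripts); the benign one reports none. The same function can be pointed at the `manifest.json` of any unpacked extension found in a browser profile during triage.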
The malicious URLs also redirect users to various IP-localized surveys. This makes the scam more credible, as users can fill in the surveys in their own language. Grabbed when victims click the “Complete the survey” button, phone numbers can be sold on underground markets.
In September, Watson fans were also tricked with bogus nude pictures of the British actress by a group of social media marketers who created a web site titled “emmayouarenext.com,” in an attempt to shut down the 4chan website. At the time, journalists suspected the social media marketing “enterprise” Rantic could itself be just a hoax. In the meantime, their web site went under maintenance.
This article is based on the technical information provided courtesy of Bitdefender Virus Analyst Doina Cosovan.
All product and company names mentioned herein are for identification purposes only and are the property of, and may be trademarks of, their respective owners.