A new spam campaign has recently been seen spreading on Facebook, which allegedly contains sex videos of celebrities. In reality, it leads unsuspecting users into downloading a malicious Chrome extension.
Discovered by Cyren security researchers Magni Reynir Sigurðsson and Maharlito Aquino, the campaign initially spreads through private messages as well as Facebook Groups. To make it truly enticing, the file name contains the name of a celebrity, which can vary, together with a "leaked-sextape" name, complete with a date and an .mp4 extension. Celebrities on the leak list include Kim Kardashian, Rihanna, Jennifer Lawrence, and Hilary Duff, among many others.
On closer inspection, the attached file is really a PDF document; the MP4 name is there only to trick users into thinking that what they are about to download is a video file. Because Microsoft Windows hides file extensions by default, the file will appear to be an MP4 file, lowering the recipient's suspicion.
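A defender-side check for the lure described above, as an added example that is not from Cyren or the original article: it flags attachments whose visible name claims a video while a hidden final extension or the file's leading bytes say otherwise. The file names and byte strings are constructed samples, and the helper names are hypothetical.

```python
import os

# Extensions a user would read as harmless media when the real one is hidden.
MEDIA_EXTS = {".mp4", ".avi", ".mov", ".mkv", ".mp3", ".jpg", ".png"}

def sniff_type(head: bytes) -> str:
    """Identify the format from a file's leading bytes."""
    if head.startswith(b"%PDF-"):                # PDF header
        return "pdf"
    if len(head) >= 8 and head[4:8] == b"ftyp":  # MP4 / ISO BMFF box at offset 4
        return "mp4"
    return "unknown"

def assess(filename: str, head: bytes) -> list:
    """Return findings for one attachment (empty list means nothing suspicious)."""
    findings = []
    stem, last_ext = os.path.splitext(filename.lower())
    inner_ext = os.path.splitext(stem)[1]
    actual = sniff_type(head)
    # "clip.mp4.pdf" is displayed as "clip.mp4" when known extensions are hidden.
    if inner_ext in MEDIA_EXTS and last_ext != inner_ext:
        findings.append(
            f"double extension: displays as {inner_ext}, real extension is {last_ext}")
    # The name claims a video anywhere in its extensions, but the bytes disagree.
    if ".mp4" in (inner_ext, last_ext) and actual != "mp4":
        findings.append(f"content mismatch: name claims mp4, content is {actual}")
    return findings

# Constructed sample headers (not taken from the campaign's files).
PDF_HEAD = b"%PDF-1.5\n%\xe2\xe3\xcf\xd3\n"
MP4_HEAD = b"\x00\x00\x00\x18ftypmp42\x00\x00\x00\x00"

# Constructed sample attachments: (file name, first bytes of the file).
SAMPLES = [
    ("celebrity-leaked-clip-01-01.mp4.pdf", PDF_HEAD),  # shape of the lure
    ("celebrity-leaked-clip-01-01.mp4", PDF_HEAD),      # renamed PDF, single extension
    ("holiday.mp4", MP4_HEAD),                          # genuine video
    ("invoice.pdf", PDF_HEAD),                          # genuine PDF
]

if __name__ == "__main__":
    for name, head in SAMPLES:
        result = assess(name, head)
        print(name, "->", result if result else "ok")
```

In a mail or chat gateway, `head` would be the first 16 bytes or so of the uploaded attachment.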
If the PDF file is opened, it will display what seems to be a video player, which contains a thumbnail of a human body and a play button. Clicking the play button will not play the alleged video. Instead, it will open a browser page, which will aggressively bombard the victim with advertisements and pop-up messages. Mobile users who access the webpage will not be spared; they are served the same intrusive content.
The spam campaign, however, seems to have a certain liking for Google Chrome; if that browser is used to open the page, the user will be led to a fake YouTube website, which asks them to install a Chrome extension to view the alleged video. This is a common tactic by cybercriminals, as landing on what looks like a YouTube page will not make users suspicious, even if the address bar says otherwise.
The malicious extension, once installed, will open a legitimate Facebook page and ask the user to "re-authenticate" the extension. Doing so will allow the cybercriminals behind the malicious extension to exploit the victim's Facebook account, collecting all the personal and social information they can get, as well as starting the campaign all over again by sending the PDF to the victim's friends list.
It doesn't stop there, however; the extension has the ability to prevent the user from accessing the Chrome extensions page, so the user cannot uninstall the malware. It also blocks the user from opening the browser's developer tools, and can run even more malicious scripts.
To get rid of the malware for good, a user has to delete the extension manually through Windows' registry editor. You can learn more on how to do it here.
We have contacted Facebook for a comment on the story, and will update this article once we hear more.
All things considered, even though the malware can be controlled and terminated, it pays to be careful of what we do on the internet, as malware can easily be contracted these days, which may gravely damage our computers.
Source: Cyren Blog via Bleeping Computer