Campaign targeted Sweden, Finland, Germany
Researchers first detected messages aimed at Swedish users on October 15, Finnish users on October 17, and German users on October 19. The campaign targeted other countries in the subsequent days, but to a lesser degree.
"The total number of clicks for the entire campaign reached almost 200,000, where close to 80% of the visitors were from Germany, Sweden and Finland,"
said F-Secure researcher Frederic Vila.
The campaign relied on spammers already having access to hacked Facebook accounts that were not protected by a two-step verification system.
Spammers posted links that looked like YouTube videos
Attackers posted shortened links on Facebook pages using the user's account, but they also spammed the target's friends via direct Facebook Messenger messages.
The spammed content appeared to be a link to a YouTube video, but the attackers used the old technique of forging metadata to trick Facebook's URL previewing system into displaying the wrong link info. The trick they used was recently described by security researcher Barak Tawily in a blog post
here.
Users who clicked the links joined a carousel of various short link services. At one point, users would land on a site that triaged users based on their device type.
