BitDefender researchers today have uncovered a new scheme that lets cyber-criminals monetize unwary users by tricking them into installing adware. Rather than exploiting vulnerabilities in the social networking platform, the scheme relies entirely on social engineering to get users to interact with the attacker's application.
Chapter I: The Application
The central element of the scheme is the Dance Class Video application, a third-party Facebook application that was neither developed nor approved by the social network. The application's page has been artificially populated with content and friends so that it looks legitimate to the victim. The application's real purpose is to send specifically crafted messages from the accounts that install it and thereby keep recruiting new victims, as described below.
Chapter II: The Bait
The infection vector is simple yet effective. Compromised accounts send spam messages styled to look like a shared Facebook video: “[victim’s name], this video is from the dance academy i went to last week.. what do u think?”. As soon as the victim follows the link, the application asks for permission to read their personal data, to send messages on their behalf, and to keep sending such messages without any further confirmation.
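Because every lure in this campaign is the same sentence with only the recipient's name prepended, it can be matched in bulk. The following is an added example (not BitDefender's code, and not part of the original post) that scans a constructed set of inbox messages for the lure text quoted above. It strips the leading "[name]," prefix, normalizes case and punctuation, and scores the remainder against the known template with a token-set (Jaccard) similarity so that minor rewordings such as "you" for "u" still match. The 0.8 threshold and the sample messages are assumptions of this example, not figures from the report.

```python
import re

# Lure text reported in the post, with the "[victim's name], " prefix removed.
BAIT_TEMPLATE = "this video is from the dance academy i went to last week.. what do u think?"

# Similarity threshold is an assumption of this example, not a figure from the post.
SIMILARITY_THRESHOLD = 0.8


def normalize(text: str) -> str:
    """Lowercase, replace punctuation with spaces, collapse whitespace."""
    text = re.sub(r"[^\w\s]", " ", text.lower())
    return " ".join(text.split())


BAIT_TOKENS = set(normalize(BAIT_TEMPLATE).split())


def strip_name_prefix(message: str, recipient: str) -> str:
    """Remove a leading '<name>,' or '<name>:' where <name> is the recipient's full or first name."""
    first = recipient.split()[0] if recipient.strip() else ""
    for name in (recipient, first):
        if not name:
            continue
        pattern = r"^\s*" + re.escape(name) + r"\s*[,:]\s*"
        stripped, n = re.subn(pattern, "", message, count=1, flags=re.IGNORECASE)
        if n:
            return stripped
    return message


def bait_score(message: str, recipient: str) -> float:
    """Jaccard similarity between the message body tokens and the known lure tokens."""
    body_tokens = set(normalize(strip_name_prefix(message, recipient)).split())
    if not body_tokens:
        return 0.0
    return len(body_tokens & BAIT_TOKENS) / len(body_tokens | BAIT_TOKENS)


def is_bait(message: str, recipient: str) -> bool:
    return bait_score(message, recipient) >= SIMILARITY_THRESHOLD


def scan_inbox(messages):
    """Return (sender, rounded score) for every message that matches the lure."""
    hits = []
    for m in messages:
        score = bait_score(m["text"], m["recipient"])
        if score >= SIMILARITY_THRESHOLD:
            hits.append((m["sender"], round(score, 2)))
    return hits


# Constructed sample messages for this example; not real captured data.
SAMPLE_MESSAGES = [
    {"sender": "alice", "recipient": "Jane Doe",
     "text": "Jane, this video is from the dance academy i went to last week.. what do u think?"},
    {"sender": "bob", "recipient": "Jane Doe",
     "text": "Jane Doe: This video is from the dance academy I went to last week, what do you think?"},
    {"sender": "carol", "recipient": "Jane Doe",
     "text": "Jane, are we still on for the dance class on Friday?"},
]

if __name__ == "__main__":
    for sender, score in scan_inbox(SAMPLE_MESSAGES):
        print(f"{sender}: lure match, score={score}")
```

The first two sample messages are flagged (the second despite the changed capitalization and "you" for "u"); the third shares only "the" and "dance" with the template and scores well below the threshold. In practice the hits would be fed back to the senders' owners, since in this campaign a matching sender is a compromised account rather than the attacker.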
Chapter III: The Payload
Once the victim has granted all of these permissions, they are redirected to the application's page, which displays a fake video player (in fact a JPEG image hosted outside of Facebook) prompting them to update their FLV player in order to see the video.
The download page even contains an End-User License Agreement, including a clause noting that the Alaska SB 140 rule expressly forbids an application to “engage in deceptive acts or practices described in this subsection using spyware by causing a pop-up advertisement to be shown on the computer screen of a user by means of a spyware program”. The page also triggers an automatic download of a binary file called FLVDirect.exe.
Once downloaded and installed, the binary hijacks the browser's start page and search settings without the user's consent.
Apart from all the trouble a piece of adware can inflict on the average computer user, remember that your social networking profile may hold sensitive information: granting a third party access to it, or the right to act on your behalf, can have serious repercussions for your privacy.