From social network aesthetics to adware flood

A simple, yet very effective

I guess most people believe a social network account is like a home away from home and that’s why they try to adorn it with all the ingredients of their personality. Any content posted and shared tells something about the account holder, so it’s no wonder people would jump at the chance to do a little bit of “virtual” interior decoration for a more appealing atmosphere.

Once the bait is set, the artsy users who kindly welcome it by clicking the suggested link will land on an application page that’s got all of the expected ingredients, among which the ability to “Like” the application and, most importantly, that of suggesting it to all of their friends.

One important social engineering ingredient kicks in here, namely the impressive number of people who appear to have “liked” the application, which reinforces the idea of its being legitimate. The fact that it’s “completely FREE” and that the layout change will not be visible to the respective users’ friends unless these friends also download the application (why change clothes, then, if you cannot show them off?) adds to the persuasiveness of the overall message.


Not a chance is wasted to keep the ball rolling so the “invite your friends” commandment is there to stay, loud (i.e. in bold) and clear, as illustrated below. 

Clicking their way through the account embellishing procedure, users reach Step 2, which requires that they download a Layout Plugin. Actually, a hidden load of adware is served right away. The viral potential of the scam is relentlessly supported by the suggestion to extend an invitation to all friends to join in.

Let’s have a look now at a variant of this scam that brings a twist into the picture. Can anyone deny that the “click here to change your background” invite is very hard to turn down when it’s presented as an “official” tool provided by the social network platform?

One click, and there it is: THE PAGE! Suggest to friends? Check! Like? Check! Share? Of course…but that’s not all. To keep things interesting (is it just me or does this look like a “make it vanish into thin air” ritual?) there’s the “5 clicks on this banner” call to action.


What happens next? Nothing much, at least not visibly. But let’s not forget that we’ve already sent invites to friends (so the pest keeps spreading), we’ve probably contributed to its success by a simple “like” and, to top it all, we’ve probably made a kind contribution to the welfare of those who set up the scheme (pay per click, anyone?).

This is where the story gets more complicated: this adware spreading mechanism has been around for some time, but under different disguises. One of its predecessors, for instance, took advantage of social network users’ curiosity about their virtual friends’ interest in them (“see who views your profile”).

What to do, then, when facing this ever-changing threat? As always, your antivirus should keep you safe. As illustrated before, BitDefender blocks the adware (Gen:Variant.Adware.FlvDirect.6) before it installs.

In addition to that, the users of BitDefender safego, the recently launched free BitDefender application that’s designed to keep social accounts safe, are also protected against most variants of this scam.

However, considering the dynamics of the scam (its rapidly changing disguises), we invite all users to submit any possible undetected variants to safego@bitdefender.com. The BitDefender safego application is still in its beta stage and all of your input will help make it better and achieve an excellent user experience in the final stage of its development.

Safe sharing, everyone!

This article is based on technical information provided courtesy of George Petre, BitDefender Threat Intelligence Team Leader.

About the author

Ioana Jelea

Ioana Jelea has a disturbing (according to friendly reports) penchant for the dirty tricks of online socialization and for the pathologically mesmerizing news trivia. From gory, though sometimes fake, death reports to nip slips and other such blush-inducing accidents, her repertoire is an ever-expanding manifesto against any Victorian-like frame of thought that puts a strain on online creativity. She would like to keep things simple, but she never does.