Funny Video Facebook Scam Drops Not so Funny Trojan, Bitdefender Warns

A new “funny” video spreading on Facebook drops a not so hilarious Trojan on users` computers, according to research by antivirus software provider Bitdefender. The malware can access abundant data from Internet browsers. The hackers might originate from Albania, according to malicious code samples. The story was also featured by The Guardian.

It all starts with what appears to be a funny video of a Facebook friend. Once they click on the video, users are brought to the phony YouTube page, which redirects them to a malicious Flash Player.exe for an Adobe “update”.

Scammers created over 20,000 unique URLs that redirect victims to malicious websites and a series of fake alluring YouTube videos, showing a girl taking her clothes off on webcam. The video seems to actually play for a couple of seconds to entice male users` to go on clicking. Malware writers faked the number of views so the video seems to have been watched by over a million users. After stealing Facebook information, they also add the victims` profile names in the fake YouTube URL parameters. This enables them to make the video look more legitimate, as it seems posted by users` friends.

In an attempt to bypass security, the hackers got their hands on over 60 bit.ly API keys that help them generate shortened URLs. The unique links are then spread on Facebook timelines. As API keys are randomly selected, blacklisting a couple doesn`t stop the scam from spreading further. Bitdefender has notified bit.ly of the abuse.

The malware writers used an add-on framework that allows their code to function on several browsers. With Google Chrome, the malicious YouTube video redirects users to a fake FlashPlayer install. The file, detected by Bitdefender as Trojan.Agent.BDYV, drops a password-protected archive on the computer and a .bat file, designed to run the executable in the archive after providing the password as a parameter. With Firefox, the page prompts for a malicious add-on install.

On both browsers, the add-on tags 20 Facebook friends at a time and injects ad services into the page. The extension also fiddles with some of the social network`s functionalities so that users can’t delete the malicious posts from their timeline and activity log.

Besides delivering malware, the scammy add-on also “amuses” victims with several URL redirects that lead them to fraudulent surveys and subscribe them to premium SMS services. When users want to check what browser extensions they have installed (about://extensions), the malicious code may close their add-ons tab.

Users are advised to be cautious before clicking on a “funny” Facebook video, keep their antivirus solution and other software updated and warn their friends if they have been malware victims.

Bitdefender blocks the malicious web sites with a malware warning.

All product and company names mentioned herein are for identification purposes only and are the property of, and may be trademarks of, their respective owners.

This article is based on the technical information provided courtesy of Bitdefender Online Threats Researcher Andrei SERBANOIU and Bitdefender Malware Researcher Victor LUNCASU.