Social Networks

Polymorphic Facebook Scam Attacks from Different Angle with Each Click

Complex attack promises leaked sex video, delivers morphed payload through poisoned browser extensions

A Facebook scam disguised as an invite to view a leaked sex video allows cybercriminals to infect different users with different malware in a highly efficient “polymorphic” attack that could end in bank fraud, invasion of privacy, or a wave of illicit porn advertising.

The scam starts with a Facebook post which features an alluring thumbnail, the first frame of the alleged sex tape.

Users who click the link included in this post are told they must install a Divx plugin to actually view the video.

The page recommending users to install the missing plugin features several other elements to encourage users to keep clicking:

a)      The video’s name hints that the sex tape belongs to a celebrity.

b)      The warning that the user’s antivirus must be disabled works on reverse psychology: though prospective viewers know this action is risky, they do it precisely because they have been warned about it.

c)      The reference to age verification further hints at the salaciousness of the video.

One step later, the Dixv plugin turns into a fake YouTube extension, a common feature of recent social scams.

The first visible sign of the fact that this is a tricky move: once installed, the extension will change all newly opened tabs to a page advertising an adult chat service.

This complex threat takes users toward the same supposed destination – the sex video – by a different route.

This time, the downloadable item is a premium video player called 7pic, which actually hides a piece of malicious code.

The fishy extension also allows the scammer to actually impersonate the user (by reading the cookie stored on and advertise the scam and like the scam’s Facebook page from the victim’s account. This results in the victims’ friends being exposed and to the victim itself being subject to other possible attacks launched by means of links posted on the liked page.

The fact that this extension will be able to access the users’ data on all websites should work as a strong deterrent against adding it to their browser. So should recent warnings against installing any unauthorized plugins or extensions on Facebook.

“This is an interesting and quite complex type of scam. In data security lingo, this would qualify as a polymorphic attack, which basically means that the malicious content served can be changed by the attacker thanks to the browser extension installed. If one user lands on the adult chat page, another may reach the malware downloader or even a whole different web page set up for phishing” stated Andrei Serbanoiu, Bitdefender Online Threats Analyst Programmer.

What You Can Do: The only way out of this x-rated or malware laden loop is to uninstall the tricky extension. The steps to be taken are available here for Firefox and here for Chrome. This kind of risky situations can also be avoided by using Safego, the Bitdefender free anti-scam tool for Facebook and Twitter or TrafficLight, a Bitdefender free tool providing cross browser unintrusive web threat control. As for the piece of malware that might be downloaded at one stage or another of the scam mechanism, a good internet security solution will save the day.

This article is based on the technical information provided courtesy of Andrei Serbanoiu, Bitdefender Online Threat Analyst Programmer.

All product and company names mentioned herein are for identification purposes only and are the property of, and may be trademarks of, their respective owners.

About the author

Ioana Jelea

Ioana Jelea has a disturbing (according to friendly reports) penchant for the dirty tricks of online socialization and for the pathologically mesmerizing news trivia. From gory, though sometimes fake, death reports to nip slips and other such blush-inducing accidents, her repertoire is an ever-expanding manifesto against any Victorian-like frame of thought that puts a strain on online creativity. She would like to keep things simple, but she never does.

1 Comment

Click here to post a comment
  • Watch out the free access of dating sites, more clearly the ones who shows to much meat to trigger impulsive clickers/ through this method or by feeding your greed of new contacts free of charge, you’ll get a gruyere firewall, a damaged security -changing- settings and the potential lost of all of your files.