A Facebook scam disguised as an invite to view a leaked sex video allows cybercriminals to infect different users with different malware in a highly efficient “polymorphic” attack that could end in bank fraud, invasion of privacy, or a wave of illicit porn advertising.
The scam starts with a Facebook post which features an alluring thumbnail, the first frame of the alleged sex tape.
Users who click the link included in this post are told they must install a Divx plugin to actually view the video.
The page recommending that users install the missing plugin features several other elements to encourage them to keep clicking:
a) The video’s name hints that the sex tape belongs to a celebrity.
b) The warning that the user’s antivirus must be disabled works on reverse psychology: though prospective viewers know this action is risky, they do it precisely because they have been warned about it.
c) The reference to age verification further hints at the salaciousness of the video.
One step later, the Divx plugin turns into a fake YouTube extension, a common feature of recent social scams.
The first visible sign that something is wrong: once installed, the extension changes all newly opened tabs to a page advertising an adult chat service.
This complex threat takes users toward the same supposed destination – the sex video – by a different route.
This time, the downloadable item is a premium video player called 7pic, which actually hides a piece of malicious code.
The fishy extension also allows the scammer to impersonate the user (by reading the cookie stored on facebook.com), advertise the scam, and like the scam’s Facebook page from the victim’s account. As a result, the victim’s friends are exposed to the scam, and the victim is subject to other possible attacks launched by means of links posted on the liked page.
The fact that this extension will be able to access the users’ data on all websites should work as a strong deterrent against adding it to their browser. So should recent warnings against installing any unauthorized plugins or extensions on Facebook.
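A defender-side check for the three behaviours described above (access to data on all websites, reach into facebook.com cookies, takeover of newly opened tabs), added here as an example that is not from the original article or from Bitdefender. It inspects an extension's `manifest.json` using the standard Chrome/Firefox manifest keys; both sample manifests are constructed.

```python
import json

# Match patterns that grant an extension access to every site.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def audit_manifest(manifest: dict) -> list:
    """Return the risky traits found in one parsed manifest.json."""
    findings = []
    # Manifest V2 mixes API and host permissions in "permissions";
    # Manifest V3 moves host patterns to "host_permissions".
    perms = list(manifest.get("permissions", []))
    perms += list(manifest.get("host_permissions", []))
    perms = [p for p in perms if isinstance(p, str)]
    # Content scripts run inside every page their "matches" patterns cover.
    matches = [m for cs in manifest.get("content_scripts", [])
               for m in cs.get("matches", [])]

    if BROAD_HOSTS & set(perms + matches):
        findings.append("all-sites-access")
    # The cookies API only works on hosts the extension also has access to.
    covers_fb = any("facebook.com" in p or p in BROAD_HOSTS for p in perms)
    if "cookies" in perms and covers_fb:
        findings.append("facebook-cookie-access")
    # Replaces the page shown in every newly opened tab.
    if "newtab" in manifest.get("chrome_url_overrides", {}):
        findings.append("new-tab-override")
    return findings


# Constructed sample: shaped like the fake "YouTube extension" in the article.
SUSPECT = json.loads("""{
  "name": "YouTube Extension (constructed sample)",
  "manifest_version": 2,
  "permissions": ["tabs", "cookies", "<all_urls>"],
  "chrome_url_overrides": {"newtab": "newtab.html"}
}""")

# Constructed sample: an extension scoped to a single site.
BENIGN = json.loads("""{
  "name": "Notes (constructed sample)",
  "manifest_version": 3,
  "permissions": ["storage"],
  "host_permissions": ["https://notes.example/*"]
}""")

if __name__ == "__main__":
    for m in (SUSPECT, BENIGN):
        print(m["name"], "->", audit_manifest(m) or "no findings")
```

To audit a real browser profile, load each installed extension's `manifest.json` with `json.load` and pass the result to `audit_manifest`.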
“This is an interesting and quite complex type of scam. In data security lingo, this would qualify as a polymorphic attack, which basically means that the malicious content served can be changed by the attacker thanks to the browser extension installed. If one user lands on the adult chat page, another may reach the malware downloader or even a whole different web page set up for phishing,” stated Andrei Serbanoiu, Bitdefender Online Threats Analyst Programmer.
What You Can Do: The only way out of this X-rated or malware-laden loop is to uninstall the tricky extension. The steps to be taken are available here for Firefox and here for Chrome. This kind of risky situation can also be avoided by using Safego, the free Bitdefender anti-scam tool for Facebook and Twitter, or TrafficLight, a free Bitdefender tool providing cross-browser, unintrusive web threat control. As for the piece of malware that might be downloaded at one stage or another of the scam mechanism, a good internet security solution will save the day.
This article is based on the technical information provided courtesy of Andrei Serbanoiu, Bitdefender Online Threat Analyst Programmer.
All product and company names mentioned herein are for identification purposes only and are the property of, and may be trademarks of, their respective owners.