It’s time to adjust your Facebook privacy settings: the famous social networking site is being hit by a dangerous porn-based tagging malware campaign that is infecting thousands of Facebook accounts. This is not the first time malware has spread through Facebook, but this attack appears well executed and takes control of the user’s device without arousing suspicion.
HotForSecurity reports that last weekend the malicious tagging campaign infected at least 5 thousand computer users with the backdoor, and the campaign is still very much active.
How does this tagging malware spread?
The tagging malware spreads through a purported video post that tags exactly 20 friends. The attackers make sure the eye-catching video is different every time. The post shows goo.gl as its host, which is a URL shortening service and not a video hosting one. Users who click on the video are directed to an external page where the attackers analyze their browser information and OS details.
HotForSecurity says that the OS check is quite thorough and includes scenarios for multiple operating systems and devices, ranging from Android mobiles to PlayStation consoles, media players, smart cars, TV sets and even dumb phones. Users browsing from any of these “low-interaction terminals” are redirected to an SMS fraud service that tries to hook them up with a useless premium service for as low as €3.00 / $3.5.
This intrusion happens through a series of redirects, including one stopover at a mobile traffic monitoring service that gives the hackers insight into how many victims reached the scam and how many of them actually fell for it.
The malware also directs some users to a fake Facebook page that asks for a Flash Player update in order to watch the video, which is nothing but a porn clip seemingly better than the original video shown at the beginning.
Users who accept the Flash Player update end up downloading an SFX file which, when run, installs the two pieces of malware it contains: install.exe (detected by Bitdefender as Gen:Variant.Graftor.172986) and setup.exe (detected as Gen:Variant.Symmi.49919). The former is a generic backdoor that can be used to install various other malicious components, while the latter is responsible for propagating the scam on the Facebook accounts of the compromised victims.
Avoiding tagging malware
Users are advised to first install an antimalware program on their Windows PC and keep it updated. Ask yourself whether your Facebook contacts would actually share a porn video on their wall, and even if someone has posted one, avoid clicking on it.
Be alert, be safe.