A slick social engineering campaign is using Facebook Messenger, Google Docs, and a series of malicious websites to install adware and other unwanted applications on victims’ machines.
The campaign begins with Facebook Messenger messages sent to a new victim. The messages come from a contact of the victim and contain a shortened link that points the victim to a Google Doc file. That file takes a screenshot of the victim’s Facebook page and then creates a dynamic landing page for each new victim, according to an analysis of the attack by David Jacoby of Kaspersky Lab. That landing page has a fake movie on it.
“When the victim clicks on the fake playable movie, the malware redirects them to a set of websites which enumerate their browser, operating system and other vital information. Depending on their operating system they are directed to other websites,” Jacoby said.
“This technique is not new and has a lot of names. I would like to describe it as a domain chain, basically just A LOT of websites on different domains redirecting the user depending on some characteristics. It might be your language, geo location, browser information, operating system, installed plugins and cookies.”
Attackers often will use this redirection technique as a way to hide the true origin of the attack. The installation of plugins and cookies also allows the attackers to track victims’ movements around the web and serve them specific ads. Jacoby said this specific campaign is designed to install adware, and sometimes garbage browser extensions, depending upon which browser the victim is using.
“For example, when using FIREFOX I was redirected to a website displaying a fake Flash Update notice, and then offered a Windows executable. The executable is flagged as adware,” he said.
“When using the Google Chrome browser I was redirected to a website which mimics the layout of YouTube, even including the YouTube logo. The website then displays a fake error message tricking the user to download a malicious Google Chrome extension from the Google Web Store. The Chrome Extension is a Downloader, which means that it downloads a file to your computer. At the time of writing, the file which should have been downloaded was not available.”
By using Facebook Messenger as the spreading mechanism, the attackers are leveraging victims’ trust in their Facebook friends. That abuse of trust is a key social engineering tactic, but Jacoby said it’s not exactly clear how the adware campaign is beginning the spreading behavior.
“The initial spreading mechanism seems to be Facebook Messenger, but how it actually spreads via Messenger is still unknown. It may be from stolen credentials, hijacked browsers or clickjacking,” he said.
Facebook, Twitter, and other social networks have been fertile ground for attackers for many years, and social engineering has always played a part in their campaigns on those sites.