Pierluigi Paganini July 02, 2016

Security experts from Kaspersky monitored a phishing campaign launched to spread a Facebook malware that infected more than 10,000 users in just two days.

Security experts from Kaspersky monitored a phishing campaign that hit Israeli media since June 26^th.

Thousands of Facebook users reported that they had been infected by a malware spread through the Facebook platform after they received a message from a friend claiming they had mentioned them in a comment.

“On the morning of 26^th June, news of a phishing campaign hit the Israeli media. Thousands of Facebook users complained that they had been infected by a virus through their accounts after they received a message from a Facebook friend claiming they had mentioned them in a comment.” reported Kaspersky.”The Kaspersky Security Network (KSN) recorded almost ten thousand infection attempts around the globe in the space of just 48 hours.”

The researchers that investigated the issue confirmed the attack and discovered that numerous infections were observed also Brazil, Poland, Peru, Colombia, Mexico, Ecuador, Greece, Portugal, Tunisia, Venezuela, Germany.

The researchers explained that the Facebook malware was spread in a two-stage attack:

In the first stage when the victim clicked on the “mention,” a malicious file seized control of their browsers, terminating their legitimate browser session and replacing it with a malicious one that included a tab to the legitimate Facebook login page. Of course, the fake login page was used to steal login credentials to the victims. When the victims logged in into the Facebook account, their session was hijacked in the background and a new file was downloaded. This represented the second stage of the attack, as embedded in this file was an account-takeover script that included a

In the second stage of the attack, a script embedded in the file downloaded in the first stage is executed. The script allows the attackers to take over the victim’s account script, is included a privacy-settings changer, account-data extractor and other utilities that could be used for further malicious activities, like spamming and generating fraudulent ‘likes’ and ‘shares’.

After logging in, the victims can see that the attack is launched against the user’s entire Facebook list. All the victims’ friends receive a notification by the victim about a new URL. Upon clicking on this URL, the user’s friends will also be infected by the Facebook malware too and the attack chain loops again.

The Facebook malware mainly targeted users with Windows-based machines, but also those using Windows OS phones could have been at risk too. Android and iOS users were not impacted since the Facebook malware doesn’t user libraries compatible with these mobile OSs.

Bad story, isn’t it? Do you want to know if have been infected by the Facebook malware?

Kaspersky suggests the following actions to check if the Facebook malware compromised your account too:

• Open your Chrome browser.
• Look for the extension named thnudoaitawxjvuGB.
• For a more thorough check, click Start > Run > copy the following command:%AppData%\Mozila if the folder and files such as “autoit.exe” and “ekl.au3” are in it, the computer is infected.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Facebook malware, phishing)