{"id":18412,"date":"2017-09-04T09:00:04","date_gmt":"2017-09-04T13:00:04","guid":{"rendered":"https:\/\/www.kaspersky.com\/blog\/?p=18412"},"modified":"2019-11-15T06:45:18","modified_gmt":"2019-11-15T11:45:18","slug":"facebook-messenger-malware","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/facebook-messenger-malware\/18412\/","title":{"rendered":"Bulk messaging malware in Facebook Messenger"},"content":{"rendered":"<p>Some time ago, an antivirus expert from our Global Research and Analysis Team, David Jacoby, discovered multiplatform malware that was distributed through Facebook Messenger. A few years ago, similar outbreaks occurred quite often, but none have appeared lately, as Facebook has been doing a lot to prevent such attacks.<\/p>\n<p>First, a <a href=\"https:\/\/securelist.com\/new-multi-platform-malwareadware-spreading-via-facebook-messenger\/81590\/\" target=\"_blank\" rel=\"noopener\">preliminary report<\/a> was published. At that time, Jacoby had not yet had enough time to research many details about how the malware operated, but now he has, and we are ready to <a href=\"https:\/\/securelist.com\/dissecting-the-chrome-extension-facebook-malware\/81716\/\" target=\"_blank\" rel=\"noopener\">share them<\/a>. From a user\u2019s perspective, here\u2019s how the infection progressed.<\/p>\n<ul>\n<li>The user received a message in Facebook Messenger from a friend. The message contained the word \u201cVideo,\u201d the name of the sender, a random smiley, and a short link. 
It might look like this, for example:<\/li>\n<\/ul>\n<p><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2017\/09\/04071859\/malicious-link-screenshot.png\"><img decoding=\"async\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2017\/09\/04071859\/malicious-link-screenshot.png\" alt=\"\" width=\"261\" height=\"334\" class=\"aligncenter size-full wp-image-18418\"><\/a><\/p>\n<ul>\n<li>The link redirected to Google Drive, where the user saw something resembling a video player with a picture of the original sender in the background and what looked like a Play button.<\/li>\n<\/ul>\n<ul>\n<li>If the victim attempted to play back the \u201cvideo\u201d in Google Chrome, they were redirected to a page that looked much like a YouTube page and offered to install an extension for Chrome.<\/li>\n<\/ul>\n<ul>\n<li>If the user agreed to the installation, then the extension began to send out malicious links to their friends \u2014 and everything followed the same algorithm for each of them over again.<\/li>\n<\/ul>\n<ul>\n<li>Users of other browsers were persistently reminded to update their Adobe Flash Player instead of being offered the extension. The file they downloaded turned out to be adware \u2014 essentially, malefactors used advertisements to earn their money.<\/li>\n<\/ul>\n<p>Jacoby, along with Frans Rosen, a researcher with whom he has been working on a project called \u201c<a href=\"https:\/\/www.kaspersky.com\/blog\/hunting-bugs-for-humanity\/\" target=\"_blank\" rel=\"noopener nofollow\">Hunting bugs for humanity<\/a>,\u201d have analyzed this malicious campaign and worked out how it operates.<\/p>\n<p>The page that users were redirected to after following the link in Facebook Messenger was basically a PDF file that had been published to Google Drive. It opened as a preview. 
The file had a picture from a user\u2019s Facebook page \u2014 the user whose identity was used to spread the malware \u2014 an icon for playing back the video shown over the picture, and the link that the victim opened by trying to click the playback button.<\/p>\n<div id=\"attachment_18416\" style=\"width: 1034px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2017\/09\/04071901\/google-drive-pdf.jpeg\"><img decoding=\"async\" aria-describedby=\"caption-attachment-18416\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2017\/09\/04071901\/google-drive-pdf-1024x567.jpeg\" alt=\"\" width=\"1024\" height=\"567\" class=\"size-large wp-image-18416\"><\/a><p id=\"caption-attachment-18416\" class=\"wp-caption-text\">Clicking the link led friends of the victim to this page.<\/p><\/div>\n<p>The link caused several redirections, landing the user on one of several websites. Victims using browsers other than Google Chrome ended up on a website offering to download adware masked as an update for Adobe Flash Player.<br>\n<\/p><div id=\"attachment_18413\" style=\"width: 890px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2017\/09\/04071900\/flash-player-update-screenshot.jpg\"><img decoding=\"async\" aria-describedby=\"caption-attachment-18413\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2017\/09\/04071900\/flash-player-update-screenshot.jpg\" alt=\"\" width=\"880\" height=\"470\" class=\"size-full wp-image-18413\"><\/a><p id=\"caption-attachment-18413\" class=\"wp-caption-text\">Browsers other than Google Chrome offered to download adware disguised as Adobe Flash Player.<\/p><\/div>\n<p>In the case of Chrome, that was just the beginning: If the victim agreed to install the extension offered on the landing page, it began monitoring what websites the user opened. 
As soon as the victim navigated to Facebook, the extension stole their login credentials and the <a href=\"https:\/\/developers.facebook.com\/docs\/facebook-login\/access-tokens\/\" target=\"_blank\" rel=\"noopener nofollow\">access token<\/a> and sent them to the malefactors\u2019 server.<\/p>\n<div id=\"attachment_18417\" style=\"width: 1034px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2017\/09\/04071902\/fake-youtube-screenshot.jpeg\"><img decoding=\"async\" aria-describedby=\"caption-attachment-18417\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2017\/09\/04071902\/fake-youtube-screenshot-1024x527.jpeg\" alt=\"\" width=\"1024\" height=\"527\" class=\"size-large wp-image-18417\"><\/a><p id=\"caption-attachment-18417\" class=\"wp-caption-text\">A fake YouTube page offering to install Google Chrome extensions.<\/p><\/div>\n<p>The crooks had found an interesting bug in Facebook. As it turned out, the insecure Facebook Query Language (FQL), which was <a href=\"https:\/\/developers.facebook.com\/docs\/reference\/fql\/\" target=\"_blank\" rel=\"noopener nofollow\">disabled a year ago<\/a>, was not completely wiped out; it was blocked for applications, but with a few exceptions. For example, Facebook Pages Manager, an iOS application, still uses FQL. Thus, to gain access to the \u201clocked out\u201d feature, malware simply has to act on behalf of that application.<\/p>\n<p>By using the stolen credentials and accessing the obsolete Facebook feature, the crooks could request that the social network send them the contact list of the victim, cull those who were not currently online, and randomly select 50 new victims from the remainder. Then, those users were bulk-messaged with a new link to Google Drive with a PDF file preview generated with the picture of the person on whose behalf the new messaging wave commenced. 
All in all, a vicious cycle.<\/p>\n<p>It is worth noting that among other things, the malicious script \u201cliked\u201d a specific Facebook page, apparently to collect statistics for the infection. In the course of the attack, Jacoby and Rosen observed, the malefactors changed several of the specific pages, possibly as Facebook closed the previous ones. Judging by the number of \u201clikes,\u201d there were tens of thousands of victims.<\/p>\n<div id=\"attachment_18415\" style=\"width: 1034px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2017\/09\/04071903\/beautiful-videos-screenshot.png\"><img decoding=\"async\" aria-describedby=\"caption-attachment-18415\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2017\/09\/04071903\/beautiful-videos-screenshot-1024x343.png\" alt=\"\" width=\"1024\" height=\"343\" class=\"size-large wp-image-18415\"><\/a><p id=\"caption-attachment-18415\" class=\"wp-caption-text\">One of the pages that infected users \u201cliked.\u201d<\/p><\/div>\n<p>Their analysis of the code revealed that the malefactors were initially planning to use localized messages but then changed their minds and resorted to the short and simple \u201cVideo.\u201d The <a href=\"https:\/\/cdn.securelist.com\/files\/2017\/08\/170831-facebook-malware-17.png\">localization function<\/a>\u2019s code showed that the crooks were primarily interested in Facebook users from several European countries such as Turkey, Italy, Germany, Portugal, France (also, francophone Canada), Poland, Greece, Sweden, and all countries with English-speaking users.<\/p>\n<p>The joint effort of several companies has put an end to the infection\u2019s spread for now. Nonetheless, this story is a great reminder that extensions for browsers are not as harmless as they may seem. 
To stay safe and not fall victim to similar malicious campaigns, avoid installing browser extensions without absolute confidence that they are safe, that they will not steal your data, and that they won\u2019t track your online activities.<\/p>\n<p>Also, clicking every link, even links that seem to be from someone you know, is out of the question. It is always a good idea to make sure that it is really your friend on the other end of the line, not some criminal who took control of your friend\u2019s account.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A story about a large malicious campaign carried out in Facebook Messenger \u2014 and how it worked.<\/p>\n","protected":false},"author":421,"featured_media":18414,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[2683],"tags":[1096,16,20,36,607],"class_list":{"0":"post-18412","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-threats","8":"tag-anti-malware-research","9":"tag-chrome","10":"tag-facebook","11":"tag-malware-2","12":"tag-messengers"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/facebook-messenger-malware\/18412\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/facebook-messenger-malware\/11170\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/facebook-messenger-malware\/9241\/"},{"hreflang":"ar","url":"https:\/\/me.kaspersky.com\/blog\/facebook-messenger-malware\/4976\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/facebook-messenger-malware\/12546\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/facebook-messenger-malware\/11744\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/facebook-messenger-malware\/11224\/"},{"hreflang"
:"es","url":"https:\/\/www.kaspersky.es\/blog\/facebook-messenger-malware\/14287\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/facebook-messenger-malware\/14169\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/facebook-messenger-malware\/18565\/"},{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/facebook-messenger-malware\/3702\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/facebook-messenger-malware\/9451\/"},{"hreflang":"pl","url":"https:\/\/plblog.kaspersky.com\/facebook-messenger-malware\/7317\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/facebook-messenger-malware\/14547\/"},{"hreflang":"zh","url":"https:\/\/www.kaspersky.com.cn\/blog\/facebook-messenger-malware\/8392\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/facebook-messenger-malware\/17753\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/facebook-messenger-malware\/17810\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/facebook-messenger-malware\/17791\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com\/blog\/tag\/facebook\/","name":"Facebook"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/18412","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/421"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=18412"}],"version-history":[{"count":3,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/18412\/revisions"}],"predecessor-version":[{"id":29922,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/18412\/revisions\/29922"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.c
om\/blog\/wp-json\/wp\/v2\/media\/18414"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=18412"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=18412"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=18412"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}