Facebook Tag Scams are Back with Malicious Payload


Reefa


Bad weekend for Facebook users: a malicious tagging campaign ended up infecting at least 5 thousand computer users with a backdoor. This three-day campaign has been actively mirrored by the cyber-criminal(s) in order to prevent an early takedown.

The scam starts with an alleged video in which a number of friends are tagged. The number of tagged friends is always 20 and the alleged video is always different. The so-called video shows the goo.gl host underneath, which should raise some flags with more experienced users, as it is a URL shortening service and not a video hosting one.

Users who click the respective video are sent to an external page, where their user-agent (the browser and operating system identifiers) are analyzed so hackers know where to redirect the victim. After all, it wouldn’t make any sense to redirect an Android user to Windows malware, would it?

The operating system check is quite thorough and includes scenarios for multiple operating systems, ranging from Android mobiles to PlayStation consoles, media players, smart cars (yeah, you read that right), TV sets and even dumb phones. If the user is browsing from any of these “low-interaction terminals” they are redirected to an SMS fraud service that tries to hook you up with a useless premium service for as low as €3.00 / $3.5 (not including tax). This happens through a series of redirects, including one stopover to a mobile traffic monitoring service that provides hackers with insight about how many victims reached the scam and how many of them actually fell for it.

If you’re less fortunate (read: you’re using Windows), then you’re going to get the full service: a redirect to a fake Facebook page where you are prompted to download a so-called Flash Player update in order to be able to watch the video, which now turns out to be a spicy one rather than what was promised in the original Facebook post. Since we’re a family-friendly website, we had to censor a generous part of it.
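As an added example (not code from the original post), the following Python detector runs over constructed proxy log lines and flags the chain described above: a client hitting a goo.gl shortened link and then, within a short window, downloading a file named like a Flash Player update from a Windows browser. The log format and the host names are assumptions made for the example.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample proxy log lines (not taken from the original post).
# Format: epoch_seconds client_ip "user_agent" method url http_status
SAMPLE_LOG = """\
1422230000 10.0.0.5 "Mozilla/5.0 (Windows NT 6.1) Firefox/35.0" GET http://goo.gl/abc123 302
1422230002 10.0.0.5 "Mozilla/5.0 (Windows NT 6.1) Firefox/35.0" GET http://landing.example/video.php 200
1422230009 10.0.0.5 "Mozilla/5.0 (Windows NT 6.1) Firefox/35.0" GET http://dl.example/FlashPlayer_update.exe 200
1422230100 10.0.0.7 "Mozilla/5.0 (Linux; Android 4.4) Chrome/40.0" GET http://goo.gl/abc123 302
1422230103 10.0.0.7 "Mozilla/5.0 (Linux; Android 4.4) Chrome/40.0" GET http://sms.example/subscribe 200
1422231000 10.0.0.9 "Mozilla/5.0 (Windows NT 6.1) Firefox/35.0" GET http://get.example/flashplayer.exe 200
"""

SHORTENER_HOSTS = {"goo.gl"}                       # shortener seen in the scam posts
FAKE_FLASH = re.compile(r"flash[_-]?player[^/]*\.exe$", re.I)  # "Flash Player update" dropper names
LINE_RE = re.compile(r'^(\d+) (\S+) "([^"]*)" (\S+) (\S+) (\d{3})$')

def parse_line(line):
    """Parse one log line into a dict, or return None for malformed input."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, ip, ua, method, url, status = m.groups()
    return {"ts": int(ts), "ip": ip, "ua": ua, "method": method, "url": url, "status": int(status)}

def is_windows(ua):
    # The campaign serves the executable only to Windows user agents.
    return "Windows" in ua

def find_suspect_sessions(log_text, window=120):
    """Return {client_ip: download_url} for clients whose traffic shows a shortener
    click followed within `window` seconds by a fake Flash Player .exe download."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)
    hits = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        shortener_ts = [r["ts"] for r in recs if urlparse(r["url"]).hostname in SHORTENER_HOSTS]
        for r in recs:
            path = urlparse(r["url"]).path
            if (FAKE_FLASH.search(path) and is_windows(r["ua"])
                    and any(0 <= r["ts"] - t <= window for t in shortener_ts)):
                hits[ip] = r["url"]
    return hits
```

A download of a Flash-named executable with no preceding shortener click (the 10.0.0.9 client) is deliberately not flagged, so the rule keys on the chain rather than on the file name alone.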


Now, straight to the malware. The dropped payload is obviously not a Flash Player update, but rather an SFX file (a self-extracting executable archive built with WinRAR). When clicked, it would install two pieces of malware contained within, called install.exe (detected by Bitdefender as Gen:Variant.Graftor.172986) and setup.exe (detected as Gen:Variant.Symmi.49919). The former is a generic backdoor that can be used to install various other malicious components, while the latter is responsible for propagating the scam on the Facebook accounts of the compromised victims.

We tracked three different versions of this scam that all seem to be operated by a Turkish cyber-criminal called “schwarzback”. Real-time analytics embedded in the scam page (and its two other clones) show that more than 5000 people have landed on the scam page in less than one hour.

The domain hosting the payload for this tag scam was registered on Saturday and it’s still up and running.

source
