New Trojan on Facebook hits 110,000 users in 2 days

A new Trojan circulating since yesterday on Facebook has managed to spread to over 110,000 computers in just days. Security researcher Mohammad Reza Faghani reports that the Trojan's rapid spread is helped by the tags it adds, which include the names of the victim's friends. Using tags in this way is not new, but lately it has been seen with increasing frequency.

The message includes a fake porn video. If an unsuspecting user clicks to watch it, they are taken to a page that plays it. The video stops shortly after it starts and asks the viewer to download a malicious file, supposedly an updated version of Flash Player, in order to watch the rest of the clip. The download starts automatically.

Mohammad Reza Faghani, who discovered the scam, reports that the number of victims is on the rise.

The cybercriminals behind the Trojan, he says, use a very aggressive distribution method, which the researcher called "Magnet." The method allows friends of the victim's friends to see the malicious post.

In earlier cases, the original victim could only send the malicious message to his friends, and only if they were infected could the fraud be transmitted to their contacts.

A brief analysis of the Trojan shows that the fake Flash Player update uses many executable file names (chromium.exe, wget.exe, arsiv.exe, verclsid.exe) stored on the compromised system.

Faghani reports that the malware takes control of the victim's mouse and keyboard.

According to Faghani, the two domains hosting the Trojan were first registered in October 2014. One of them, pornokan[.]com, uses a server located in Amsterdam (DigitalOcean Amsterdam), while the IP of the other (filmver[.]com) is on the Cloudflare network. For both, the domain provider is FBS INC, a company from Turkey that offers domain name registration services.
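As an added example (not from the article or the researcher), the following sketch shows how a defender could check web proxy logs for the two domains named above. The log format, client addresses, timestamps and URLs are constructed for illustration; matching is done on label boundaries so that look-alike hostnames do not trigger false hits.

```python
import re
from urllib.parse import urlsplit

# Indicators exactly as the article prints them (defanged).
DEFANGED = ["pornokan [.] Com", "filmver [.] Com"]

def host_of(url):
    """Extract a normalized hostname (lowercase, no trailing dot) from a URL or bare host."""
    host = urlsplit(url if "://" in url else "//" + url).hostname or ""
    return host.rstrip(".")

def refang(indicator):
    """Turn 'name [.] Com', 'name[.]com' or 'hxxp://name[.]com/' into a plain host."""
    s = re.sub(r"\s*[\[\(\{]\s*(?:\.|dot)\s*[\]\)\}]\s*", ".", indicator.strip(), flags=re.I)
    s = re.sub(r"^hxxp(s?)://", r"http\1://", s, flags=re.I)
    return host_of(s)

BLOCKLIST = {refang(i) for i in DEFANGED}

def matches(host, blocklist=BLOCKLIST):
    """True if host is a listed domain or a subdomain of one (label-boundary match)."""
    host = (host or "").rstrip(".").lower()
    return any(host == d or host.endswith("." + d) for d in blocklist)

def scan(lines):
    """Return (client_ip, host) for each log line whose URL host is on the blocklist."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue  # malformed or truncated line
        client, host = parts[1], host_of(parts[2])
        if matches(host):
            hits.append((client, host))
    return hits

# Constructed sample proxy log (assumed format): "<timestamp> <client-ip> <url>"
SAMPLE_LOG = [
    "2015-02-01T10:00:01Z 10.0.0.5 http://www.pornokan.com/",
    "2015-02-01T10:00:07Z 10.0.0.5 http://FILMVER.com./x",
    "2015-02-01T10:01:12Z 10.0.0.9 https://notfilmver.com/",         # look-alike, no hit
    "2015-02-01T10:02:30Z 10.0.0.9 http://filmver.com.example.org/",  # prefix trick, no hit
    "2015-02-01T10:03:00Z 10.0.0.7 https://www.facebook.com/",
    "truncated-line",
]

if __name__ == "__main__":
    for client, host in scan(SAMPLE_LOG):
        print(f"{client} contacted {host}")
```
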

An analysis by BitDefender concluded that the scammer was of Turkish origin and used the online nickname "schwarzback."

Beware, therefore, because malicious messages are still circulating, according to the researcher.

iGuRu.gr The Best Technology Site in Greece

Written by giorgos