Beware it's not about the Facebook hoax: A Kaspersky security expert has revealed a malware attack that led to the deception of around 10.000 Facebook users from around the world, leading to their devices being 'infected' . This was when users received a message saying that a friend had referred them on Facebook. The "infected" devices were used to hack into Facebook accounts to spread the virus through the victim's Facebook friends and perform additional malicious activity. Countries from the South American and European regions, as well as Tunisia and Israel, were among those most attacked.
Between June 24th and 27th, thousands of unsuspecting users received a message from a Facebook friend purporting to mention them in a comment. In fact, the message was initiated by attackers and launched a two-stage attack. The first stage was "dropping" one Trojan on the user's computer installing, among other things, a malicious Chrome browser extension.
Αυτό οδηγούσε στη δεύτερη φάση, δηλαδή στην κατάληψη του λογαριασμού του θύματος, όταν οι χρήστες συνδέονταν στο Facebook μέσω του παραβιασμένου προγράμματος περιήγησης. Μια επιτυχημένη επίθεση έδωσε στον απειλητικό φορέα τη δυνατότητα να αλλάξει τις ρυθμίσεις απορρήτου και να αποσπάσει δεδομένα και ακόμη περισσότερες πληροφορίες, επιτρέποντάς του να εξαπλώσει τη «μόλυνση» μέσω των φίλων του θύματος στο Facebook ή να αναλάβει άλλες κακόβουλες δραστηριότητες, όπως η αποστολή spam, η theft identity and the creation of fraudulent 'likes' and 'shares'.
Malware has tried to protect itself by putting a blacklist on some websites, such as those belonging to security software vendors.
Kaspersky Security Network has recorded almost 10.000 "infection" attempts around the world. The countries most affected were Brazil, Poland, Peru, Colombia, Mexico, Ecuador, Greece, Portugal, Tunisia, Venezuela, Germany and Israel.
Those who use Windows computers to access Facebook were at a higher risk, and those using Windows-based phones were potentially at risk. Android and iOS handheld users were "immune", as malicious software used "libraries" that are incompatible with these operating systems.
The Trojan downloader used by the attackers is not new. It was reported about a year ago, where it used a similar "infection" process. In both cases, signs of language in malicious software appear to be Turkish-speaking threatening agencies.
Facebook is now mitigating this threat and blocking the techniques used to spread malware from "infected" computers. It says it has seen no further "contamination" attempts, while Google has also removed at least one of the culprits extensions from the Chrome Web Store.
"There are two points of the attack that stand out. First, the spread of the malware was extremely efficient, reaching thousands of users in just 48 hours. Second, the response from consumers and the media was almost as swift. Their reaction increased awareness around the campaign and led to immediate actions and research by the concerned providers", said Ido Naor, Senior Security Researcher of Kaspersky Lab's Worldwide Research and Analysis Group.
Consumers who think they may be "infected" should scan for malware on their computer or open their Chrome browser and look for unexpected extensions. If they do exist, they should be disconnected from their Facebook account, close the browser, and disconnect the network cable from their computer. Also, they should call a professional to check and remove malware.
In addition, Kaspersky Lab recommends consumers to follow some basic digital security practices:
- Install an anti-malware solution on all devices and keep your operating system software up to date.
- Avoid opening links that are in messages from people you do not know or unexpected messages from friends.
- Be careful, at all times, when you are online and when you're connected to social media: if something looks even a little suspicious, it probably is.
- Apply appropriate privacy settings to social media such as Facebook.
Kaspersky Lab products detect and exclude the threat.
More information about the attack process, how to find out if you are infected, and what to do in this case is available on the site Securelist.com.
