Προσοχή δεν είναι αφορά το hoax που κυκλοφορεί στο Facebook: Ένας ειδικός σε θέματα ασφαλείας της Kaspersky αποκάλυψε μια επίθεση με malware, που οδήγησε στην εξαπάτηση περίπου 10.000 χρηστών του Facebook απ' όλο τον κόσμο, οι οποίοι οδηγούνταν στη «μόλυνση» των συσκευών τους. Αυτό συνέβαινε όταν οι χρήστες λάμβαναν ένα μήνυμα, σύμφωνα με το οποίο, ένας φίλος τους είχε αναφέρει στο Facebook. Οι συσκευές που «μολύνθηκαν», χρησιμοποιήθηκαν για την παραβίαση λογαριασμών στο Facebook, ώστε να εξαπλωθεί ο ιός μέσω των φίλων του θύματος στο Facebook και να πραγματοποιηθεί επιπλέον κακόβουλη δραστηριότητα. Χώρες από τις περιοχές της Νοτίου Αμερικής και της Ευρώπης, καθώς η Τυνησία και το Ισραήλ ήταν ανάμεσα σε αυτές που δέχτηκαν τις περισσότερες επιθέσεις.
Between June 24th and 27th, thousands of unsuspecting users received a message from a Facebook friend purporting to mention them in a comment. In fact, the message was initiated by attackers and launched a two-stage attack. The first stage "downloaded" a Trojan onto the user's computer that installed, among other things, a malicious program extension browsing Chrome.
This led to the second phase, the takeover of the victim's account, when users logged into Facebook through the compromised browser. A successful attack gave the threat actor the ability to change privacy settings and extract data and even more information, allowing it to spread the "infection" through the victim's Facebook friends or undertake other malicious activities such as spamming, identity theft and creating fraudulent 'likes' and 'shares'.
Malware has tried to protect itself by putting a blacklist on some websites, such as those belonging to security software vendors.
Kaspersky Security Network recorded nearly 10.000 "infection" attempts worldwide. The countries most affected were Brazil, Poland, Peru, Colombia, Mexico, Ecuador, Greece, Portugal, Tunisia, Venezuela, Germany and Israel.
Those who use Windows computers to access Facebook were at a higher risk, and those using Windows-based phones were potentially at risk. Android and iOS handheld users were "immune", as malicious software used "libraries" that are incompatible with these operating systems.
The Trojan downloader used by the attackers is not new. It was reported about a year ago, where it used a similar "infection" process. In both cases, signs of language in malicious software appear to be Turkish-speaking threatening agencies.
Facebook now mitigates this threat and blocks the techniques used to spread malware from "infected" computers. He says he has not noticed further "contamination" efforts, while Google has also removed at least one of the malicious extensions from the Chrome Web Store.
"There are two points of the attack that stand out. First, the spread of the malware was extremely efficient, reaching thousands of users in just 48 hours. Second, the response from consumers and the media was almost as swift. Their reaction increased awareness around the campaign and led to immediate actions and research by the concerned providers", said Ido Naor, Senior Security Researcher of Kaspersky Lab's Worldwide Research and Analysis Group.
Consumers who think they may be "infected" should scan for malware on their computer or open their Chrome browser and look for unexpected extensions. If they do exist, they should be disconnected from their Facebook account, close the browser, and disconnect the network cable from their computer. Also, they should call a professional to check and remove malware.
In addition, Kaspersky Lab recommends consumers to follow some basic digital security practices:
- Install an anti-malware solution on all devices and keep your operating system software up to date.
- Avoid opening links that are in messages from people you do not know or unexpected messages from friends.
- Be attentive at all times when you are online and when you are connected to social media: if anything seems to be a little suspicious, then it might actually be.
- Apply appropriate privacy settings to social media such as Facebook.
Kaspersky Lab products detect and exclude the threat.
More information about the attack process, how to find out if you are infected, and what to do in this case is available on the site Securelist.com.
