Hundreds of thousands of users have had their Web browsers hijacked by a piece of malware distributed through Facebook, a researcher reported.
Once it infects a computer, the Trojan installs an extension in the victim’s Web browser. The threat tags the victim’s Facebook friends in a post advertising an adult video. When users click on the link, they are presented with a preview of the video, after which they are instructed to install what appears to be a Flash Player plugin. This component is the malware downloader.
Security researcher Mohammad Reza Faghani, who dubbed this distribution method “Magnet,” says the technique can be highly effective because the friends of the tagged users are also likely to see the malicious posts. In order to keep a low profile, the malware only tags up to 20 of the victim’s friends, the expert said.
The first variants of the Trojan, which infected at least 110,000 users, were designed to like posts on a certain Facebook page. The newer variants, detailed by Faghani in an advisory published on his personal website, don’t like any posts and instead subscribe victims to the profile of one Hüseyin Karaman. According to the researcher, the profile already has roughly 260,000 subscribers and the number continues to grow.
The new variant also comes with a feature that checks if victims are logged in to their Twitter accounts. If they are, the malware forces them to follow a couple of Twitter accounts (@SnrtEmrah and @Organiktr). The accounts in question have been reported to Twitter, but they are still active at the time of writing.
The Web browser extension installed on the victims’ machines is designed to receive updates (scripts containing instructions), and prevent users from accessing certain security-related websites that could be utilized to clean up the infection.
Faghani has analyzed some of the affected Facebook profiles and determined that many of the victims are located in India, the northern part of Africa, and the western part of Latin America. Infections have also been spotted in most European countries.
Based on the MD5 hash provided by the researcher for the rogue Flash Player update, 36 of the 57 antivirus engines on VirusTotal detect the threat based on its signature.
Bitdefender also published an analysis of this campaign last week, but the number of infections was much smaller at the time. The security firm reported that Turkish cybercriminals appear to be behind the campaign, an assumption backed up by data from Faghani.
“We use a number of automated systems to identify potentially harmful links and stop them from spreading. In this case, we’re aware of these malware varieties, which are typically hosted as browser extensions and distributed using links on social media sites,” a Facebook spokesperson told SecurityWeek. “We are blocking links to these scams, offering cleanup options, and pursuing additional measures to ensure that people continue to have a safe experience on Facebook.”