Not even a week has passed since ESET warned users worldwide about an active Ray-Ban scam campaign on Facebook, which tricks users into sending their payment card details to the attackers. Today we bring you information on yet another malicious activity targeting the world's largest social network.
This time, malicious links are disguised as a post on a Timeline you were tagged in, or as a message sent to you via Messenger by a friend. Using one of the titles "My first video", "My video", "Private video" or a string of randomly generated characters, the post tags various people from the victim's friend list and lures them into clicking on it.
If an unsuspecting user falls for the scam, the post redirects him/her to a fake YouTube website. After what pretends to be an unsuccessful attempt to load the content, he/she is asked to install an additional extension using the following message:

"Sorry, if you don't install Video Play plugin, you will not be able to watch the video! Click 'Add Extension' to watch the Video"
If the victim installs the malicious plug-in, his/her browser becomes infected and carries the infiltration further. As described above, his/her Facebook wall becomes flooded with fake video posts tagging multiple friends from the victim's friend list and, subsequently, all online friends receive an identical message via Messenger with the same harmful contents.
ESET detects this threat as JS/Kilim.SO and JS/Kilim.RG.

At this point, the infiltration only targets Chrome users, but there is no guarantee that it will not spread to other browsers in the future.
How does it work?
After clicking on "Add Extension" at the fake YouTube site, malicious code installs a Trojan plug-in (containing malicious JavaScript code) into the Chrome browser. This is disguised as a legitimate "Make a GIF" plug-in, but comes from a different developer, namely "freechatfor.org".
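The impersonation described above (a known extension name paired with a different developer) is something a defender can check for locally. The following is an added example, not ESET's code or anything from the article: it walks a Chrome profile's Extensions directory, flags any extension that uses the "Make a GIF" name while its homepage points at a different developer domain, and flags extensions whose manifest does not carry the Chrome Web Store update URL (side-loaded installs). The expected developer domain and the extension ids are assumed placeholders; the two manifests are constructed sample data, with freechatfor.org taken from the text above.

```python
import json
import tempfile
from pathlib import Path
from urllib.parse import urlparse

# Chrome profile layout: Extensions/<32-char extension id>/<version>/manifest.json
# Names the campaign impersonates, mapped to the expected developer's domain.
# The domain is an ASSUMED placeholder, not a value taken from the article.
EXPECTED_DEVELOPER = {"make a gif": "example-gif-developer.test"}
# Extensions installed from the Chrome Web Store carry this update_url.
WEBSTORE_UPDATE_URL = "https://clients2.google.com/service/update2/crx"


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def audit_extensions(ext_root):
    """Return (extension id, reason) pairs for suspicious installed extensions."""
    findings = []
    for manifest_path in Path(ext_root).glob("*/*/manifest.json"):
        ext_id = manifest_path.parent.parent.name
        manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        shown_name = manifest.get("name", "")
        homepage = host_of(manifest.get("homepage_url", ""))
        expected = EXPECTED_DEVELOPER.get(shown_name.strip().lower())
        # Known extension name but a different developer behind it: impersonation
        if expected and homepage != expected:
            findings.append((ext_id, f"'{shown_name}' points to developer "
                                     f"'{homepage or 'unknown'}', expected '{expected}'"))
        # No Web Store update channel means the extension was side-loaded
        if manifest.get("update_url") != WEBSTORE_UPDATE_URL:
            findings.append((ext_id, "not installed from the Chrome Web Store"))
    return findings


def build_sample_profile():
    """Write two CONSTRUCTED manifests into a temp dir shaped like a Chrome profile."""
    root = Path(tempfile.mkdtemp()) / "Extensions"
    genuine = {"name": "Make a GIF", "version": "1.0", "manifest_version": 2,
               "homepage_url": "https://example-gif-developer.test/",
               "update_url": WEBSTORE_UPDATE_URL}
    impostor = {"name": "Make a GIF", "version": "1.0", "manifest_version": 2,
                "homepage_url": "http://freechatfor.org/",  # developer named in the article
                "permissions": ["tabs", "*://*.facebook.com/*"]}
    for ext_id, manifest in (("a" * 32, genuine), ("b" * 32, impostor)):  # placeholder ids
        folder = root / ext_id / "1.0_0"
        folder.mkdir(parents=True)
        (folder / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return root


if __name__ == "__main__":
    for ext_id, reason in audit_extensions(build_sample_profile()):
        print(ext_id, reason)
```

Point `audit_extensions` at a real profile's Extensions directory (for example `~/.config/google-chrome/Default/Extensions` on Linux) to audit an actual installation.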