When I logged into Facebook on Saturday morning to view information about an upcoming event, I found my feed was flooded with identical posts from many different, unrelated friends.
Each post followed the same template of poorly worded English followed by a link in the comments. Being the curious researcher that I am, I loaded up an analysis VM, logged into a fake Facebook account, and followed down the rabbit hole.
[Important Note: While the links in this attack have been deactivated, it is possible they may be reactivated in the future. Do not visit any links shown in the screenshots of this article.]
The link first took me to a very basic webpage. So basic in fact, that it displayed nothing at all. However, in the background the web page redirected my browser to a different webpage using JavaScript. I’ve shared that page’s source below:
This new webpage prompted a permissions request from Facebook to allow an application named Geni to view my public profile, followed by a second permissions request to allow the same application to post to my feed on my behalf.
After accepting both permissions requests (which you should never do unless you’re a researcher), the same Valentine post appeared on my fake Facebook account, thus solving the mystery of its spread.
Meanwhile, my browser redirected to a website claiming to contain “Premium Content,” and asking me to complete a survey to unlock it. These types of “complete a survey to unlock” pages are favorites amongst cyber criminals to deliver malware or phishing attacks. The fake survey pages often either host drive-by download attacks or display convincing login prompts to phish authentication credentials from victims.
I only had time to snap a screenshot before the page redirected a second time to a new malicious webpage hosting an old-school form of scareware. This webpage was styled to look like a legitimate Microsoft website but triggered a JavaScript alert window to notify me that my computer had been locked due to a virus infection. The alert instructed me to call a phone number so that an engineer could walk me through the virus removal process. All the while, the webpage played a looping audio track stating “Call Microsoft Now”.
In analyzing the webpage’s source code, I did not find any evidence of exploit kits running in the background, so the page appeared to just be basic scareware. This type of attack works by tricking the victim into calling a fake helpdesk for assistance cleaning up a nonexistent infection. The attacker (acting as a helpdesk technician) displays their technical prowess by instructing the victim to open Task Manager and informing them that all the running services are actually viruses. The attacker then tricks the victim into installing malicious AV software, which is usually a Trojan. For extra evil points, the attacker sometimes extorts a fee out of the victim in return for the fake AV software.
The application used earlier in the attack, Geni, appears to be backed by a real company. From their bio on Google, “Geni is a commercial genealogy and social networking website, owned by Israeli private company MyHeritage.” It remains unclear however, if they were complicit in the attack or completely uninvolved. The attacker could have used the company’s application simply as a mean of spreading malicious links, or they could be earning money from referral links by spreading the application while including the malicious links as a personal addition. Regardless, most other links used in the attack were dead within 24 hours, just showing how short-lived these campaigns can be.
While this attack appeared to end in a string of malicious websites, similar attacks often harvest Facebook authentication credentials, install malicious browser extensions, or spread ransomware. Based strictly off the number of my friends that fell for it, this attack campaign was very successful in spreading.
These types of attacks rely in the naivety or ignorance of their victims for success. To spread the Valentine post, the victim needed to grant permissions to the Geni application, allowing it to post on their behalf. Social media users should always be cautious about the permissions they grant to games and applications. Usually these permissions are used only to propagate spam, but sometimes they are the start of a cyberattack.
Furthermore, you should always be mindful of the links you click, especially if they are unsolicited. Drive-by downloads and exploit kits remain a major threat to all web users because simply clicking a link is often enough to infect your system with malware. Web users should keep their browsers, plugins, and extensions updated with the latest security patches to reduce the risk of falling victim to a drive-by download attack if they happen to fall for an attack or simply stumble upon a malicious webpage. –Marc Laliberte