Facebook Application Spreading Adware

23 April 2010
Novel ways of monetizing wall-to-wall worms

BitDefender researchers today uncovered a new scheme that allows cyber-criminals to make money from unwary users by leading them into installing adware applications. Rather than exploiting hidden vulnerabilities in the social networking platform, this novel approach relies on social engineering to trick users into interacting with the attacker.

Chapter I: The Application

The central element of the scheme is the Dance Class Video application, a third-party extension of Facebook that has been neither developed nor approved by the social network. The application’s page has been artificially populated with content and friends to increase the victim’s confidence. The application’s main purpose is to send specifically crafted messages and to continue recruiting new victims, as described below.

Chapter II: The Bait

The infection vector is simple yet efficient. Compromised accounts send spam messages that impersonate a Facebook video: “[victim’s name], this video is from the dance academy i went to last week.. what do u think?”. As soon as the victim follows the link, the application asks for confirmation to access personal data and to send messages on the user’s behalf, as well as for permission to always send these messages without any further confirmation.

Chapter III: The Payload

After all the necessary confirmations have been obtained from the victim, they are redirected to the application’s page, which displays a fake video player (in fact a JPEG image hosted outside of Facebook) and prompts them to update their FLV player in order to be able to see the video.

The download page even contains an End-User License Agreement and the small provision that the SB 140 Alaska rule expressly forbids an application to “engage in deceptive acts or practices described in this subsection using spyware by causing a pop-up advertisement to be shown on the computer screen of a user by means of a spyware program”. The page also triggers the automatic download of a binary file called FLVDirect.exe.
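A defender-side heuristic for the landing page described above, as an added example that is not BitDefender's code: it flags a page whose "player" is only an off-platform image, that links to or auto-redirects to an executable, and that asks the visitor to update a player. The platform host name, the sample HTML with its example.net URLs, and the lure keywords are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

PLATFORM_HOST = "apps.social.example"      # assumption: host the app page claims to live on
EXECUTABLE_EXT = (".exe", ".msi", ".scr")
LURE_WORDS = ("update", "player")          # assumption: wording of the "update your player" prompt

# Constructed sample modelled on the description in the article (not captured traffic).
SAMPLE = """<html><head>
<meta http-equiv="refresh" content="3; url=http://downloads.example.net/FLVDirect.exe">
</head><body><a href="http://downloads.example.net/FLVDirect.exe">
<img src="http://images.example.net/player.jpg"></a>
<p>Please update your FLV player to watch this video.</p></body></html>"""

class LandingPageAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.real_player = False           # a <video>, <object> or <embed> exists
        self.offsite_images, self.executables, self.text = [], [], []

    def _note_if_executable(self, url):
        if urlparse(url).path.lower().endswith(EXECUTABLE_EXT):
            self.executables.append(url)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("video", "object", "embed"):
            self.real_player = True
        elif tag == "img":
            src = a.get("src") or ""
            host = urlparse(src).hostname  # None for relative (same-site) URLs
            if host and host != PLATFORM_HOST:
                self.offsite_images.append(src)
        elif tag in ("a", "iframe"):
            self._note_if_executable(a.get("href") or a.get("src") or "")
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            # content has the form "<seconds>; url=<target>"
            self._note_if_executable((a.get("content") or "").partition("=")[2].strip())

    def handle_data(self, data):
        self.text.append(data.lower())

def audit(html):
    """Return the names of the indicators found in one HTML page."""
    p = LandingPageAudit()
    p.feed(html)
    p.close()
    body = " ".join(p.text)
    checks = [("image-as-player", bool(p.offsite_images) and not p.real_player),
              ("executable-download", bool(p.executables)),
              ("update-lure", all(w in body for w in LURE_WORDS))]
    return [name for name, hit in checks if hit]
```

Any single indicator is weak on its own; all three together match the pattern this chapter describes.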

Once downloaded and installed, the binary file hijacks the browser’s start page and search settings without the user’s consent.

Apart from all the trouble a piece of adware may inflict on the average computer user, please remember that your social networking profile may hold sensitive information, and granting third parties access to it, or permission to act on your behalf, may have extremely dangerous repercussions on your privacy.




Bogdan never trusts anything until it is disassembled into small pieces and carefully inspected. The passion for writing and the almost obsessive attention to details are some of his greatest qualities and, at the same time, some of his greatest flaws.

Comments:

C. T. Gunn said on Dec-25-2010 08:15

What is particularly annoying about these scams is the inability of anti-virus and anti-spyware products to pick up what's happening. I mean technically if you have a good anti-spyware program you can run a scan and everything will be removed, but not being able to recognize and prevent is a problem that needs to be dealt with.

Bogdan Botezatu said on Dec-25-2010 11:44

Have you tried using the SafEgo application? It's quite nifty, free and it identifies these scams in the glimpse of an eye. Saved me from clicking on suspicious links a couple of times, plus that it will warn your friends that there's something fishy with the specific link.

Alberto G said on Feb-25-2011 15:06

We continue to be vulnerable to scams the bad guys continue to come up with and infect our computers. Keep your eyes open and be vigilant of anyone trying to trick you, especially when receiving emails.
