Facebook fake photo links lead to malware


A simplistic but seemingly effective bait leading to malware has apparently been circulating on Facebook for a couple of weeks now.

Users are sent messages from their friends’ accounts simply saying Foto 😀 apps(dot)facebook(dot)com/photobf/index(dot)php.

If the user fails to find it strange or suspicious, a click on the link will take him to a page where the photo was allegedly posted prior to being moved.

The next click on the “View Photo” button triggers the download of what looks at first glance like a .png file because of its icon, but is actually an executable.

According to GFI, many rogue application pages were involved in the malware run, but have been deactivated by Facebook one by one. The external sites that have been serving the malware have also been taken offline.

The malicious file is a generic Trojan, and is currently being detected by more than two thirds of the AV solutions used by VirusTotal.
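The mismatch described above, a download that presents itself as a .png but is an executable, can be caught by reading the file's leading bytes instead of trusting its icon or name. The following Python check is an added example, not code from GFI or the original article; the file names and the PE stub are constructed samples, and `review_photo_download` is a hypothetical helper name.

```python
import struct

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
IMAGE_EXTS = {"png", "jpg", "jpeg", "gif", "bmp"}

def sniff_type(data: bytes) -> str:
    """Classify content as 'png', 'pe' (Windows executable) or 'unknown'."""
    if data.startswith(PNG_SIGNATURE):
        return "png"
    # A PE file begins with a DOS header: 'MZ', then a little-endian
    # 32-bit offset at 0x3C that points to the 'PE\0\0' signature.
    if data[:2] == b"MZ" and len(data) >= 0x40:
        (pe_offset,) = struct.unpack_from("<I", data, 0x3C)
        if data[pe_offset:pe_offset + 4] == b"PE\x00\x00":
            return "pe"
    return "unknown"

def review_photo_download(filename: str, data: bytes) -> list:
    """Findings for a file that was offered to the user as a photo."""
    findings = []
    # Windows ignores trailing dots and spaces; only the last extension counts.
    exts = filename.lower().rstrip(" .").split(".")[1:]
    if sniff_type(data) == "pe":
        findings.append("executable content")
        if exts and exts[-1] in IMAGE_EXTS:
            findings.append("image extension on executable")
    # An image extension that is not the final one (photo.png.exe) is a lure.
    if any(e in IMAGE_EXTS for e in exts[:-1]):
        findings.append("double extension")
    return findings

def constructed_pe_stub() -> bytes:
    """Constructed sample: just enough header bytes to look like a PE file."""
    dos_header = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40)
    return dos_header + b"PE\x00\x00"

if __name__ == "__main__":
    samples = [  # constructed names and contents, not taken from the campaign
        ("photo.png", PNG_SIGNATURE + b"\x00" * 8),
        ("photo.png", constructed_pe_stub()),
        ("photo.png.exe", constructed_pe_stub()),
    ]
    for name, blob in samples:
        print(name, sniff_type(blob), review_photo_download(name, blob))
```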