Fake AV peddlers have begun using Facebook to drive traffic to the malicious site that tries to trick users into believing their computer is infected.
With subject lines like “IMF boss Dominique Strauss-Kahn Exclusive Rape Video – Black lady under attack!” and “oh shit, one more really freaky video O_O”, they trick users into clicking on the link which does not take them to the desired destination but to a subdomain on newtubes.in, hosted on a Lithuanian server.
There are many interesting things about this scheme.
For one, it seems that it targets only USA and UK users. “When testing the link from Germany, Finland, France, India and Malaysia, we were safely redirected to youtube.com,” says F-Secure.
Also interesting is the fact that the attack is OS aware – the page recognizes whether the victim is using Windows or Mac OS and offers the appropriate fake AV solution.
According to the researchers, the attack has been going on for over 16 hours, but Facebook has still not blocked the links to the malicious page even though the subject text and the link haven’t been changed.
“This could be due to the fact the attack is utilizing Facebook ‘Likes’ rather than posting links to user’s Walls which can be more easily filtered by Facebook’s security team,” they speculate.