A new phishing / malware delivery scam is doing rounds on Facebook, warns ThreatTrack’s Chris Boyd.
The lure is a message saying “I’m serious guys If you people don’t stop posting this of me I will be erasing my account. [LINK TO A TUMBLR ACCOUNT]”
Those unfortunate enough to believe that the account holder has posted the message will likely follow the offered link, and end up on a spammy Tumblr that will try to redirect them fake Facebook login page.
The bogus page is very realistic, and asks the victims to enter both their Facebook account credentials as well as the answer to a security question (click on the screenshot to enlarge it):
After this information is submitted, the victims are faced with another obstacle to finding out exactly what kind of content their friend finds objectionable: a pop-up telling them that they need to download an update “Youtube Player”.
Of course, the offered executable (Flashplayerv10.1.57.108.exe) is not an update, but a malicious file that uses Windows Script Host to run a .VBS file that forces the victims to reboot their computers.
Under the surface, the malware does even more than that: it checks whether the computer runs Java and if not, it tries to install it. It they contacts a remote server and tries to download several more .JAR files, among which is a (Bitcoin?) miner and a proxy.