Unusual Facebook spam campaign delivers malicious Macros

A bizarre spam / malware delivery campaign is currently targeting Facebook users.

It starts with the offer to see a video of a girl performing a salacious act – and this is the first and only “standard” part of the scam – and leads victims to a fake video page that claims they have to download a “VMWare Console Remote Plugin” in order to see it.

The offered VMware.exe has nothing to do with the legitimate virtualization software of the same name, and it’s a bit strange that the scammers would misuse the name of such specialized software, which is not well known to typical low-level Internet users.

By looking at the file properties, one can see that the file name and its description are at odds.
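The same comparison can be scripted for triage. The following is an added example, not code from the article or from ThreatTrack: it recovers the version-info strings that the Properties dialog displays from a file's raw bytes and flags the file when none of them mentions the on-disk name. The helper names and the sample bytes are constructed for illustration, and the string scan is a heuristic rather than a full PE resource parser.

```python
import struct

# Version-info keys that Windows shows in a file's Properties dialog.
FIELDS = ("FileDescription", "ProductName", "OriginalFilename", "InternalName")

def pack_string(key, value):
    """Build one version-info String entry (only used for the constructed sample)."""
    k = (key + "\0").encode("utf-16-le")
    v = (value + "\0").encode("utf-16-le")
    body = k + b"\0" * (-(6 + len(k)) % 4) + v       # value starts 32-bit aligned
    entry = struct.pack("<HHH", 6 + len(body), len(value) + 1, 1) + body
    return entry + b"\0" * (-len(entry) % 4)

def version_strings(blob):
    """Heuristically recover version-info strings from the raw bytes of a PE file."""
    found = {}
    for key in FIELDS:
        k = (key + "\0").encode("utf-16-le")
        pos = blob.find(k)
        if pos < 6:                                   # not present (or no room for header)
            continue
        start = pos - 6                               # wLength, wValueLength, wType
        _, nchars, wtype = struct.unpack_from("<HHH", blob, start)
        if wtype != 1:                                # 1 = text value
            continue
        voff = start + ((6 + len(k) + 3) & ~3)        # skip key and alignment padding
        raw = blob[voff:voff + 2 * nchars]
        found[key] = raw.decode("utf-16-le", "replace").split("\0")[0]
    return found

def name_mismatch(disk_name, blob):
    """True if no version string mentions the on-disk name; None if there is no metadata."""
    strings = version_strings(blob)
    if not strings:
        return None
    stem = disk_name.rsplit(".", 1)[0].lower()
    return not any(stem in v.lower() for v in strings.values())

# Constructed sample: filler bytes plus two String entries, not a real executable.
SAMPLE = (b"MZ" + b"\0" * 62
          + pack_string("FileDescription", "Macro recorder playback (constructed)")
          + pack_string("OriginalFilename", "macrotool.exe"))

if __name__ == "__main__":
    print(version_strings(SAMPLE))
    print("mismatch:", name_mismatch("VMware.exe", SAMPLE))
```

A mismatch alone is not proof of malice, since legitimate installers are often renamed, but it is a cheap signal to combine with the download source and signature checks.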

“Jitbit – the program mentioned in the file properties – is a Macro Recorder, and useful for automating all sorts of mundane tasks. It seems someone here has compiled an executable using the main Jitbit program, and started to distribute their home-made Macro,” explains ThreatTrack’s Chris Boyd, and makes sure to point out that the spammers are not distributing the Jitbit Macro Recorder itself.

Once the file is run, it creates a timeline bar at the top left of the screen and opens the victims’ browser to a page that redirects to another one.

“From looking at the code in the page that opened up, it seems there was an attempt here to send users on to a Facebook application – however it returns a page not found. It’s possible the app in question was a fake version of a legit app,” says Boyd.

“Whatever it was, this is one of the least subtle and most peculiar attempts at pretending to be stealthy on a desktop that we’ve seen. If the frankly bizarre VMware messages / downloads didn’t tip an end-user off that something was amiss, the rather large ‘A Macro is now showing you the dance of his people’ timeline bar is probably the final nail in the fakeout coffin.”

The page on which the victims land is part of a bigger site that currently contains some “Facebook Crush” style pages, adverts that lead to toolbars and installers, and more. Some of them have already been reported as abusive and are blocked.

All in all, this is a very unconventional scam attempt that likely hasn’t had much success. Nevertheless, users are advised to avoid downloading files that have randomly been offered to them online, and stick to legitimate download sources.
