Funny Facebook video scam leaves unamusing Trojan

A new funny video spreading on Facebook leaves a not-so-hilarious Trojan in its wake on users’ computers, according to research by Bitdefender. The malware, believed to originate from Albania, can access a large amount of data from the user’s internet browser.

The scam begins with what appears to be a funny video of a Facebook friend. Once the video is clicked on, users are directed to a fake YouTube page, which then redirects them to a malicious Flash Player.exe for an Adobe update.

“Scammers have created over 20,000 unique URLs that redirect victims to malicious websites and a fake alluring YouTube video, showing a woman taking her clothes off on a webcam,” states Catalin Cosoi, Chief Security Strategist at Bitdefender. “The video seems to actually play for a couple of seconds to entice male users to click. Malware writers faked the number of views so the video seems to have been watched by over a million users.”

Catalin Cosoi continues, “After stealing Facebook information, victims’ profile names are added into the fake YouTube URL parameters. This enables them to make the video seem more legitimate, as it looks like it is posted by users’ friends.”

In an attempt to bypass security, the hackers got their hands on over 60 API keys that helped them generate shortened URLs. The unique links are then spread on Facebook timelines. As API keys are randomly selected, blacklisting a couple does not stop the scam from spreading. Bitdefender has notified of the issue.

The malware writers used an add-on framework that allows their code to function on several browsers. With Google Chrome, the malicious YouTube video redirects users to a fake FlashPlayer install. The file, detected by Bitdefender as Trojan.Agent.BDYV, drops a password-protected archive on the computer and a .bat file, designed to run the executable in the archive after providing the password as a parameter. With Firefox, the page prompts for a malicious add-on install.

On both browsers, the add-on tags 20 Facebook friends at a time and injects ad services into the page. The extension also fiddles with some of the social network’s functionalities so that users can’t delete the malicious posts from their timeline and activity log.

“We advise users to exercise caution before clicking on Facebook videos,” adds Catalin Cosoi. “Keep your antivirus solution and other software updated and warn your friends if you believe they are at risk of becoming malware victims.”

Don't miss