Emma Watson leaked Facebook video delivers Trojans

A new scam is taking advantage of Emma Watson’s growing popularity and using the Harry Potter star as bait to spread malware on Facebook, warns antivirus solutions provider Bitdefender. The alleged sexy videos of the British actress – who has recently stood up against sexism in her new role as Goodwill Ambassador for Women – drop Trojans rather than the suggested images and, just as in many other sex tape scams, users do not get to see the promised content.

The scam comes just weeks after a nude photo leak threat targeting Watson turned out to be a hoax by a site calling itself Rantic Marketing, seeking to shut the 4chan forum. Bitdefender advises that the videos are no marketing stunt this time. They harbour several harmful Trojans, which scrounge for personal data, steal tokens of legitimate apps, and hijack Facebook sessions. To monetise their efforts, malware writers also subscribe victims to premium SMS scams.

“It all starts with a Facebook comment promising to reveal private or leaked videos of Emma Watson,” states Catalin Cosoi, Chief Security Strategist at Bitdefender. “The comments are automatically posted by users infected with the malware. As is the case with many Facebook scams, victims end up as marketers for cyber-crooks.”

Catalin Cosoi continues, “When users click on the malicious links, they are redirected to a salacious YouTube copycat. Future victims are then asked to update their Flash Player to the latest secured version of Video Player, as an error allegedly prevents them from watching the leaked videos of Emma Watson.”

To make the story more credible, the fake YouTube account used the Anonymous “Guy Fawkes’ mask, as the hacktivist group is often claiming celebrity video leaks. Besides stealing phone numbers through premium SMS scams, the malware that is disguised as a Flash Player update also changes browser settings, not allowing victims to see their list of extensions and Facebook activity and settings any more. Bitdefender detects the browser malware as Trojan.JS.Facebook.A, and the executable as Trojan.Agent.BFQZ.

The Trojan uses the authentic Flash Player icon and drops the browser infection components in “C:\Program Files\Internet Explorer,” together with the install.bat, a file it also executes and adds at Start Up. It also grabs the anti-CSRF token of the victim – a common mechanism of Facebook scams. The Cross-Site Request Forgery attack allows scammers to reuse an already authenticated session to perform unwanted actions on users’ behalf.

Once dropped on victims’ computers, the malicious browser add-on can grab a number of permissions. These include the ability to: abuse privileged paths of tabs and cookies; access hosts to stay in touch with the command-and-control center; steal access tokens of legitimate Facebook apps and use them to grab their permissions; post comments on users’ behalf at every post on their timeline; and automatically like and follow Facebook pages, activity that can later be monetised.

In September, fans of Emma Watson were also tricked with bogus nude pictures of the British actress by a group of social media marketers who created a web site titled “emmayouarenext.com,” in an attempt to shut down the 4chan website. At the time, journalists suspected the social media marketing “enterprise” Rantic could itself be just a hoax. In the meantime, their website went under maintenance.

Don't miss