2017-08-28

New Delhi, August 28: A Kaspersky Lab researcher has discovered new malware, with advanced and obfuscated code, that infects victims with adware through Facebook Messenger.

The initial spreading mechanism seems to be Facebook Messenger, but how it actually spreads via Messenger is still unknown. It may be from stolen credentials, hijacked browsers or click-jacking. At the moment we are not sure because this research is still ongoing.

The message uses traditional social engineering to trick the user into clicking the link. It reads “David Video” followed by a bit.ly link. When the victim clicks on the fake playable movie, the malware redirects them to a set of websites that enumerate their browser, operating system and other vital information; depending on the operating system, they are then directed to further websites.

The malware relies on social engineering for infection, inviting users to click on a link that points to a Google doc. This document has already taken a picture from the victim’s Facebook page and created a dynamic landing page which looks like a playable movie.

The adware uses the common “domain chain” technique, redirecting and tracking users through malicious websites depending on characteristics such as language, geolocation, operating system, browser information, installed plugins and cookies. For example, users of different browsers are directed to different landing pages with fake messages and notifications, disguised as updates of popular applications or extensions that can be installed. By clicking on them, adware is downloaded to the victim’s device.
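As an added illustration of how a defender might spot the chain described above in web-proxy logs (example code written for this page, not Kaspersky's or the article's), the Python below parses constructed log lines and flags a user whose traffic goes to bit.ly, then docs.google.com, then a third host referred by Google Docs, then an installer download, all within a short window. The log format and the hosts under .example are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed sample proxy log (not real traffic): "<time> <user> <host> <path> <referer> <content-type>"
SAMPLE_LOG = """\
2017-08-28T10:00:01 alice bit.ly /2xEXAMPLE - text/html
2017-08-28T10:00:03 alice docs.google.com /document/d/EXAMPLE/ bit.ly text/html
2017-08-28T10:00:09 alice video-landing.example /player.html docs.google.com text/html
2017-08-28T10:00:15 alice cdn-update.example /FlashUpdate.exe video-landing.example application/octet-stream
2017-08-28T10:05:00 bob bit.ly /2xOTHER - text/html
2017-08-28T10:05:02 bob docs.google.com /document/d/REAL/ bit.ly text/html
"""
LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\S+)$")
INSTALLER = re.compile(r"\.(exe|msi|dmg|crx|xpi|apk)$", re.I)
WINDOW_SECONDS = 120  # the whole chain must complete within this window

def parse(log_text):
    """Group parsed log lines by user, keeping log order."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m:
            ts, user, host, path, referer, ctype = m.groups()
            events[user].append((datetime.fromisoformat(ts), host, path, referer, ctype))
    return events

def find_domain_chains(log_text):
    """Return [(user, hosts)] where a user's traffic shows the four-stage chain:
    bit.ly -> docs.google.com -> landing host referred by Google Docs -> installer download."""
    hits = []
    for user, evs in parse(log_text).items():
        for i, (t0, host, _, _, _) in enumerate(evs):
            if host != "bit.ly":
                continue  # a chain starts only at the link shortener
            chain, stage = [host], 1
            for t, h, p, ref, ctype in evs[i + 1:]:
                if (t - t0).total_seconds() > WINDOW_SECONDS:
                    break  # too slow to be one redirect chain
                advance = (
                    (stage == 1 and h == "docs.google.com")
                    or (stage == 2 and ref == "docs.google.com" and h != ref)
                    or (stage == 3 and (INSTALLER.search(p) or ctype == "application/octet-stream"))
                )
                if advance:
                    chain.append(h)
                    stage += 1
                if stage == 4:
                    hits.append((user, chain))
                    break
    return hits
```

A real deployment would also exclude Google's own static hosts from the third stage and take the shortener and known landing hosts from a maintained list rather than hard-coding bit.ly.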

The research, which is ongoing, suggests that no actual malware such as Trojans or exploits is being downloaded to devices, although the people behind the campaign are likely making a lot of money from unsolicited advertising and gaining access to many Facebook accounts. It has been a while since these adware campaigns have used Facebook, and it's pretty unique that this one also uses Google Docs, with customised landing pages. As far as we could see no actual malware (Trojans, exploits) is being downloaded, but the people behind this are most likely making a lot of money in ads and getting access to a lot of Facebook accounts.

