Malware is spreading via Facebook Messenger as part of an attack campaign designed to infect users with multi-platform digital threats. In early August, Kaspersky Lab senior security researcher David Jacoby received a curious message via Facebook's messenger service. The message originated from one of his friends, with whom he rarely speaks on the social networking platform. It consisted of only three parts: the recipient's first name, the word "Video," and a bit.ly link.
Suspicious Facebook Messenger message. (Source: Securelist)

His suspicions raised, Jacoby spent the next few minutes analyzing the message. He quickly determined that it consisted of malware containing heavily obfuscated JavaScript code. The baddy also appears to be spreading via Facebook Messenger, but with an examination into the message still ongoing, it's unclear exactly how it's leveraging this distribution vector. Jacoby explains what the bit.ly link consists of and what happens when a recipient clicks on it:
"The link points to a Google doc. The document has already taken a picture from the victim's Facebook page and created a dynamic landing page which looks like a playable movie.

"When the victim clicks on the fake playable movie, the malware redirects them to a set of websites which enumerate their browser, operating system and other vital information. Depending on their operating system they are directed to other websites."
The Google Doc disguised as a playable movie. (Source: Securelist)

For instance, the malware redirects Google Chrome users on any operating system to what appears to be a YouTube video. The web site displays a message saying the video won't play because the user lacks a "codec extension." It then prompts the user to install the extension, which is in actuality a downloader. As of this writing, no file came with the fake extension, but that might not be the case days or weeks from now. Attackers could easily leverage the downloader to infect unsuspecting users with malware. Meanwhile, if it detects an OSX user browsing the web via Safari, the malware redirects them to a fake website containing a Flash Media Player installation prompt. Clicking the "Install" button downloads an OSX .dmg executable. In reality, this file is adware.
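The campaign described above has a recognizable shape on the receiving end: a very short message consisting of the recipient's first name, the word "Video," and a shortened link, which then leads to a site that branches on browser and operating system. The following is an added triage example, not code from the original article or from Kaspersky Lab, showing how a defender might flag incoming chat messages that match that pattern before anyone clicks. The message samples, the list of shortener domains, and the scoring thresholds are constructed for illustration and are assumptions, not data from the page.

```python
import re
from urllib.parse import urlparse

# Constructed list of common URL-shortener hosts (assumption, not from the article).
SHORTENER_HOSTS = {"bit.ly", "goo.gl", "t.co", "tinyurl.com", "ow.ly", "is.gd"}

URL_RE = re.compile(r"https?://[^\s<>\"']+|\b(?:[a-z0-9-]+\.)+[a-z]{2,}/[^\s<>\"']*", re.I)

def extract_urls(text):
    """Return URLs found in a message, normalizing bare 'bit.ly/xyz' to a full URL."""
    urls = []
    for match in URL_RE.findall(text):
        urls.append(match if match.lower().startswith("http") else "http://" + match)
    return urls

def triage_message(text, recipient_first_name):
    """Score a chat message against the indicators described in the article.

    Indicators: the message is very short, names the recipient, contains the
    bait word 'video', and carries a shortened link. Returns (score, reasons).
    """
    reasons = []
    urls = extract_urls(text)
    words = re.findall(r"[A-Za-z']+", text)

    # Strip the URL(s) out before measuring length so the link itself doesn't count.
    text_without_urls = URL_RE.sub("", text).strip()
    if len(text_without_urls.split()) <= 3:
        reasons.append("very short message body")

    if recipient_first_name.lower() in (w.lower() for w in words):
        reasons.append("addresses recipient by first name")

    if any(w.lower() == "video" for w in words):
        reasons.append("uses 'video' bait word")

    for url in urls:
        host = urlparse(url).hostname or ""
        if host.lower() in SHORTENER_HOSTS:
            reasons.append(f"shortened link via {host}")

    # Each indicator is weak alone; the combination is what matches the campaign.
    return len(reasons), reasons

def is_suspicious(text, recipient_first_name, threshold=3):
    """Convenience wrapper: True when at least `threshold` indicators are present."""
    score, _ = triage_message(text, recipient_first_name)
    return score >= threshold

if __name__ == "__main__":
    # Constructed samples modelled on the pattern described in the article.
    samples = [
        "David Video bit.ly/2xExample",
        "Hey David, are we still on for lunch tomorrow? Let me know.",
        "Check out this video from the conference: https://example.com/talks/keynote",
    ]
    for sample in samples:
        score, reasons = triage_message(sample, "David")
        print(f"{score} {sample!r} -> {reasons}")
```

In a real deployment the shortener list would come from threat-intelligence feeds, and a flagged link would be expanded through a sandboxed resolver rather than opened in the user's browser. Note that the third sample contains both the bait word and the recipient's name yet stays below the threshold, which is the point of scoring the combination rather than any single feature.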
Fake Flash Media Player installation prompt for macOS Safari users. (Source: Securelist)

This malware isn't the first digital threat to abuse Facebook Messenger for distribution, and it certainly won't be the last. With that said, users should protect themselves by exercising caution around suspicious links, especially those that are shortened. They should also familiarize themselves with some of the most common Facebook scams so that they can enjoy the platform with a heightened sense of security awareness.