Thursday, 14 September 2017

Facebook video scam continues spreading undetected


Facebook and Google Docs continue to be used by scammers as a delivery channel for malware and adware.


In October 2016, Facebook users were sent the links to supposedly adult videos [1] that can be played from a fake Youtube portal only when a target downloads and install the malicious Video Plugin.

In August 2017, the same attack vector is used to spread adware [2].

And today, I saw the following message on my Facebook arrived from the hacked mobile Facebook app of one of my students in past. In addition to the message, I and other victim’s friends were marked in the comment to the post with a fake video.





Let’s figure out how this scam works.
As you can see, the link points to one Google Document:


https://docs.google.com/file/d/0B{CENSORED}UU/preview

URL is detected as clean:





Following the link (Facebook does not block it), you can see its preview.



The document named as “Video - <Name of the victim on Facebook>”
When downloading, you can see that the file type is PDF.



If you try to click the fake Youtube-style ‘Play’ button in the center of the  image, you will be first redirected to:

Then to:

And finally to:




It’s a pity, but scammers have no offer for me this time.


Predictably, the leadzuaf.com is registered by an advertising company called MOBUSI MOBILE ADVERTISING S.L. located in Madrid (WhoIs).


Let’s take a look at the downloaded PDF.
First, we can scan it on Virustotal. The result is fascinating - 0/59 ‘No engines detected this file’.


From inside, the PDF consists of only two parts: a stolen victim’s picture and URI.


  1. Clickable JPEG image embedded into the PDF:



  1. URI


Conclusion

Two things amazed me in this attack.
First, why Facebook and Google security teams haven’t yet stopped the scams of such kind.
Second, how aggressively an advertising company can attack the target audience.


Yara rule


No comments:

Post a Comment