British movie star Emma Watson is being used as bait to trap unsuspecting Facebook users who might be fooled by convincing-looking images promising naked photos.
The scam has been uncovered by antivirus firm BitDefender, with its virus analyst Doina Cosovan stating: "The private videos harbour several harmful trojans that solicit personal data such as phone numbers, steal tokens of legitimate apps and hijack Facebook sessions. To monetise their efforts, the malware writers also subscribe victims to premium SMS scams.
"It all starts with a Facebook comment promising to reveal private or leaked videos of Watson. The comments are automatically posted by users infected with the malware and as with many Facebook scams, victims quickly become marketers for cyber criminals."
Once the malicious links are clicked, BitDefender says, users are redirected to a bogus YouTube copycat site and then prompted to update their Flash Player, because an error supposedly prevents them from watching the leaked videos of Watson.
The error message reads: "Our system detected that you are using an outdated Video Player version, in order to watch videos on Youtube please update to the latest secured version of Video Player by clicking [the] 'Upgrade Now' button below. Once you download and install the update, refresh the browser to watch the video."
Cosovan says the fake YouTube account uses the Anonymous 'Guy Fawkes' alias to enhance credibility, as the hacktivist group often claims to leak celebrity videos. The video also purports to have more than 1.5 million likes, another ploy to lower the viewer's guard.
Besides harvesting phone numbers for premium SMS scams, the malware disguised as a Flash Player update also changes browser settings so that victims cannot see their list of extensions, their Facebook activity or their settings. BitDefender detects the browser component as Trojan.JS.Facebook.A and the executable as Trojan.Agent.BFQZ.
Cosovan notes that: "For added legitimacy, Trojan.Agent.BFQZ uses the authentic Flash Player icon and deposits the browser infection components in 'C:\Program Files\Internet Explorer', together with the install.bat, a file it also executes and adds at startup. It also takes the anti-CSRF token of the victim; a common Facebook scam mechanism. The Cross-Site Request Forgery Attack allows scammers to reuse an already authenticated session to perform unwanted actions on the user's behalf.
"The malicious URLs also redirect users to various IP-localised surveys for added credibility, whereby users can fill in the surveys in their own language. Upon clicking the 'complete the survey' button, however, user phone numbers are recorded and may be at risk of being sold in underground markets."
Just some of the permissions the malicious browser add-on assumes once installed on victims' computers include:
- Abusing privileged access to tabs and cookies
- Accessing hosts to stay in touch with the command-and-control centre (one of the host websites also spreads fb-color-changer.exe, a similar malicious file that lures victims with an add-on that claims it will change their Facebook colour)
- Running scripts on "http://*/*" and "https://*/*" (and accessing code from other web sites)
- Stealing access tokens of legitimate Facebook apps and using them to inherit those apps' permissions
- Automatically liking and following Facebook pages (which can later be monetised) and posting comments on behalf of the user on every post in their timeline
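One way to catch an add-on with exactly this kind of reach before it runs is to triage its manifest for over-broad grants: all-hosts host patterns, all-hosts content scripts, and session-sensitive API permissions such as cookies and tabs. The following is an added example in JavaScript and is not code from the article or from BitDefender; the sample manifest, its name and its file names are constructed to resemble the add-on described above and are assumptions, not the real extension's contents.

```javascript
// Added example (not the article's or BitDefender's code): triage a
// Chromium-style extension manifest for over-broad permissions.
// SAMPLE_MANIFEST below is constructed to mirror the described add-on;
// its name and file names are illustrative assumptions.

// Host patterns that grant access to every site the user visits.
const BROAD_HOST_PATTERNS = ['<all_urls>', '*://*/*', 'http://*/*', 'https://*/*'];

// API permissions that let an extension read or act on another site's session.
const SENSITIVE_API_PERMISSIONS = {
  cookies: 'read or rewrite cookies, i.e. lift a logged-in session',
  tabs: 'enumerate open tabs and inject scripts into them',
  webRequest: 'observe every request, including auth headers and tokens',
  webRequestBlocking: 'rewrite or block requests in flight',
  management: 'disable or uninstall other extensions, such as security add-ons',
  proxy: 'route all browser traffic through attacker-chosen hosts',
};

const SEVERITY_RANK = { none: 0, medium: 1, high: 2, critical: 3 };

function isBroadHostPattern(pattern) {
  return BROAD_HOST_PATTERNS.includes(pattern);
}

// Returns { verdict, findings }; verdict is the highest severity seen.
function triageManifest(manifest) {
  const findings = [];
  const perms = manifest.permissions || [];
  const contentScripts = manifest.content_scripts || [];

  for (const p of perms) {
    if (isBroadHostPattern(p)) {
      findings.push({ severity: 'high', what: `host permission ${p}`,
                      why: 'can read and script every page the user opens' });
    } else if (Object.prototype.hasOwnProperty.call(SENSITIVE_API_PERMISSIONS, p)) {
      findings.push({ severity: 'medium', what: `API permission ${p}`,
                      why: SENSITIVE_API_PERMISSIONS[p] });
    }
  }

  // content_scripts "matches" grant script injection on those origins even
  // when no matching entry appears under "permissions".
  for (const cs of contentScripts) {
    for (const m of cs.matches || []) {
      if (isBroadHostPattern(m)) {
        findings.push({ severity: 'high', what: `content script on ${m}`,
                        why: `injects ${(cs.js || []).join(', ') || 'scripts'} into every page` });
      }
    }
  }

  // The dangerous combination: cookie access plus all-hosts reach lets the
  // extension lift any site's session cookies (a logged-in Facebook session,
  // in the case described above).
  const allHosts = perms.some(isBroadHostPattern) ||
    contentScripts.some(cs => (cs.matches || []).some(isBroadHostPattern));
  if (perms.includes('cookies') && allHosts) {
    findings.push({ severity: 'critical', what: 'cookies + all-hosts access',
                    why: 'can exfiltrate the session cookies of any site the user is logged in to' });
  }

  const verdict = findings.reduce(
    (worst, f) => (SEVERITY_RANK[f.severity] > SEVERITY_RANK[worst] ? f.severity : worst), 'none');
  return { verdict, findings };
}

// Constructed sample: a manifest shaped like the add-on described above.
const SAMPLE_MANIFEST = {
  manifest_version: 2,
  name: 'Video Player Update',   // illustrative, not the real add-on's name
  version: '1.0',
  permissions: ['tabs', 'cookies', 'http://*/*', 'https://*/*', 'management'],
  content_scripts: [{ matches: ['http://*/*', 'https://*/*'], js: ['inject.js'] }],
};

// Constructed benign manifest for comparison: local storage only, no host reach.
const BENIGN_MANIFEST = { manifest_version: 2, name: 'Notes', version: '1.0', permissions: ['storage'] };

function sampleReport() { return triageManifest(SAMPLE_MANIFEST); }
function benignReport() { return triageManifest(BENIGN_MANIFEST); }

// Usage: node triage.js
const report = sampleReport();
console.log(`verdict: ${report.verdict}`);
for (const f of report.findings) console.log(`[${f.severity}] ${f.what}: ${f.why}`);
```

Point the script at a real manifest.json (for example by replacing SAMPLE_MANIFEST with `JSON.parse(fs.readFileSync(path))`) and a verdict of "critical" means the extension can both reach every site and read its cookies, which is the combination that makes session hijacking possible regardless of what the add-on claims to do.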
So the warning is clear: if something on Facebook looks too good to be true, or involves illicit, immoral or illegal content, there is a very good chance you are being played, and your "reward" may well be a Trojan or other malware that does real damage.
Stay safe out there online!