Malicious Facebook advertisements usually lead users to survey scams, pieces of malware, phishing sites and other types of dangerous cybercriminal schemes.
Bitdefender experts came across a polymorphic attack that could end in any of these scenarios.
It starts rather predictably, as users inadvertently share links to a supposedly leaked pornographic video. If their friends follow the link, they are faced with a request to download a Divx plugin in order to watch the video:
“The page recommending users to install the missing plugin features several other elements to encourage users to keep clicking,”
“The video’s name hints that the sex tape belongs to a celebrity; the warning that the user’s antivirus must be disabled works on reverse psychology: though prospective viewers know this action is risky, they do it precisely because they have been warned about it; and the reference to age verification further hints at the salaciousness of the video.”
When run, the downloaded “Extension YouTube” immediately changes all newly opened tabs to a page advertising an adult chat service, then leads the user to another page that supposedly hosts the video the user wanted to check out in the first place.
But now the user is asked to download another piece of software – the “7pic Video Premium Player”.
Unfortunately for them, it is another bogus extension, one that allows the scammers to hijack the users’ accounts by accessing the needed cookie information and to propagate the scam further.
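As an added illustration (not code from Bitdefender or from the article), the script below audits a browser extension manifest for the capability combination the scam relies on: control of every tab plus access to site cookies. The manifest it checks is constructed here to resemble the fake video plugin; the permission names are real Chrome extension permissions.

```python
import json

# Permissions that, combined, let an extension do what the article
# describes: rewrite every newly opened tab and read session cookies.
RISKY_PERMISSIONS = {
    "tabs": "can observe and redirect every open tab",
    "cookies": "can read session cookies of visited sites",
    "webRequest": "can intercept or modify page requests",
    "webNavigation": "can hook into every page navigation",
}


def audit_manifest(manifest: dict) -> list[str]:
    """Return human-readable findings for a Chrome extension manifest.

    Handles Manifest V2 (host patterns mixed into "permissions") and
    Manifest V3 (host patterns listed under "host_permissions").
    """
    findings = []
    perms = set(manifest.get("permissions", []))
    hosts = set(manifest.get("host_permissions", []))
    # MV2 puts host match patterns in the same list as API permissions.
    hosts |= {p for p in perms if "://" in p or p == "<all_urls>"}
    perms -= hosts

    for perm in sorted(perms & RISKY_PERMISSIONS.keys()):
        findings.append(f"permission '{perm}': {RISKY_PERMISSIONS[perm]}")
    if "<all_urls>" in hosts or any(h.startswith("*://*/") for h in hosts):
        findings.append("host access to every site")
    if {"tabs", "cookies"} <= perms and hosts:
        findings.append("tab control plus cookie access: session hijack capable")
    return findings


# Constructed sample manifest resembling the bogus "video plugin" extension.
SAMPLE_MANIFEST = json.loads("""{
  "manifest_version": 2,
  "name": "Extension YouTube",
  "version": "1.0",
  "permissions": ["tabs", "cookies", "webRequest", "<all_urls>"],
  "background": {"scripts": ["bg.js"]}
}""")

if __name__ == "__main__":
    for finding in audit_manifest(SAMPLE_MANIFEST):
        print("!", finding)
```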
“This is an interesting and quite complex type of scam,” says Andrei Serbanoiu, Bitdefender Online Threats Analyst Programmer.
“In data security lingo, this would qualify as a polymorphic attack, which basically means that the malicious content served can be changed by the attacker thanks to the browser extension installed. If one user lands on the adult chat page, another may reach the malware downloader or even a whole different web page set up for phishing.”
Users are advised never to install browser extensions that come from untrusted sources; more recently, even extensions offered by legitimate websites have turned out to be malicious.