A virulent malware campaign has hit Facebook Messenger over the past few days, linking users to malicious websites and downloading software onto their machines.
Security companies including Kaspersky Laband Avira have issued warnings about Facebook Messenger posts that appear to link to videos, coming from users’ friends on the social network.
The format of the message is the user’s first name, followed by ‘video’ and a shorted bit.lyor t.cn link.
“The link points to a Google doc,” writes Kaspersky Lab security expert David Jacoby. “The document has already taken a picture from the victim’s Facebook page and created a dynamic landing page which looks like a playable movie.”
Trying to play the video will redirect the victim to different pages, depending on their geographical location, operating system and browser. Kaspersky reports that Firefox users on Windows and Mac are taken to a fake Flash Player installer that downloads adware, while Chrome users find themselves on a fake YouTube page that downloads a malicious Chrome extension. On OSX Safari, the researchers reported a similar account to Firefox, but with a fake Flash Media Player installer for Mac.
It may be that the adware collects credentials for Facebook accounts, and hence perpetrates the spam campaign, although Jacoby notes that research into the use of Facebook Messenger is ongoing.
Attacks of this kind are not unprecedented, although using Google Docs and customised landing pages for the fake videos is novel. Researchers haven’t found evidence that the malware downloads trojans or more serious exploits, but it does seem to grant some level of access to user’s Facebook accounts. We’ve reached out to Jacoby for clarification.
If you do receive a suspicious messenger on the platform, do not click the link, but do try to contact the person who sent the message to let them know they should change their account password. It’s also worth making sure your antivirus protection is up to date.