New cross-platform malware for Windows/Mac/Linux spreading via Facebook Messenger

A cyber-criminal gang is using Facebook Messenger to spread a new malware specimen through links to spoofed websites. This threat, which is highly sophisticated and has been customized for each Web browser, was uncovered by a security expert who received a suspicious message from one of their Facebook friends and decided to analyze its content.

How the malware works

The mechanics of the attack are relatively simple. The targeted user receives a Facebook message that includes the recipient’s name, the word ‘video’ and a shocked emoji followed by a shortened URL. As the message comes from one of the victim’s friends, they are very likely to click the link in order to view its content. The malicious link opens a Google document containing a blurry picture taken from the victim’s Facebook and made to look like a playable movie. Then, if the victim attempts to play the video, the malware sends them to one of a number of different websites, depending on their Web browser, operating system, location, and other factors. This site then prompts the user to install malicious software.

Google Chrome users, for example, are redirected to a fake YouTube channel, complete with the official logo and branding. This site shows the user a fake error message designed to trick them into downloading a malicious Chrome extension. Firefox users, however, are sent to a website displaying a fake Flash update notice, which, once run, attempts to run a Windows executable to install adware. Finally, Safari users are taken to a similar site, customized for macOS, encouraging them to download a malicious .dmg file.
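
The chain described above (shortened link, Google document, browser-specific landing page, installer download) can be hunted for in web proxy logs. The following is an added example, not code from the researcher or from this article; the log format, host names, short-link list and time window are constructed assumptions, and it covers only the .exe and .dmg payloads the article names, since the article does not say how the Chrome extension is delivered.

```python
from urllib.parse import urlparse

# Assumptions: short-link hosts to watch, payload types the article names, time window.
SHORTENERS = {"bit.ly", "goo.gl", "short.example"}
PAYLOAD_EXT = (".exe", ".dmg")
WINDOW = 120  # seconds allowed between the document view and the download

# Constructed proxy log: epoch seconds, client, requested URL, referrer ("-" if none).
SAMPLE_LOG = """\
1000 10.0.0.5 https://short.example/abc123 -
1002 10.0.0.5 https://docs.google.com/document/d/EXAMPLE/view https://short.example/abc123
1010 10.0.0.5 https://landing.example.net/watch https://docs.google.com/document/d/EXAMPLE/view
1015 10.0.0.5 https://landing.example.net/FlashUpdate.exe https://landing.example.net/watch
2000 10.0.0.9 https://docs.google.com/document/d/OTHER/edit -
2005 10.0.0.9 https://downloads.example.org/tool.dmg -
5000 10.0.0.7 https://short.example/xyz -
5001 10.0.0.7 https://news.example.com/story https://short.example/xyz
"""

def host(url):
    return (urlparse(url).hostname or "").lower()

def find_chains(log_text):
    """Return (client, payload_url) for each download that completes the chain."""
    state = {}  # client -> time of short-link document view, landing hosts seen since
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[0].isdigit():
            continue  # skip malformed lines
        ts, client, url, ref = int(parts[0]), parts[1], parts[2], parts[3]
        st = state.setdefault(client, {"doc": None, "landing": set()})
        h, rh = host(url), host(ref)
        if h == "docs.google.com" and rh in SHORTENERS:
            st["doc"], st["landing"] = ts, set()  # step 1: document opened via short link
        elif st["doc"] is not None and ts - st["doc"] <= WINDOW:
            if rh == "docs.google.com" and not h.endswith(".google.com"):
                st["landing"].add(h)  # step 2: document sent the browser off-site
            if h in st["landing"] and urlparse(url).path.lower().endswith(PAYLOAD_EXT):
                hits.append((client, url))  # step 3: landing host served an installer
    return hits

if __name__ == "__main__":
    for client, url in find_chains(SAMPLE_LOG):
        print(f"ALERT {client} fetched {url} after short link -> Google document")
```

Clients that open a Google document directly, or follow a short link to an ordinary page, are not flagged; only the full sequence within the window is.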

A highly complex, sophisticated attack

This type of malware is designed not only to track the victim’s browsing activity using cookies and display targeted adverts, but also to use social engineering to trick the user into clicking on them. The malware is capable of spreading across different platforms via Facebook Messenger, using multiple domains to prevent tracking and earn clicks.

The malicious code is highly sophisticated and complex, and researchers suggest that the malicious links are being sent from real Messenger accounts compromised as a result of stolen passwords, hijacked browsers or clickjacking techniques. Each click on the ads generates revenue for the malware authors, and even though relatively little is known about the malware campaign and those behind it, the sheer number of Facebook Messenger users gives attackers access to an extremely large number of potential victims.

How to protect yourself from malware

One simple way to avoid falling victim to this scam is to use caution with any link received from a Facebook friend. For greater security, experts recommend having a trusted, up-to-date antivirus such as Panda Protection installed on your computer. In addition to this, a spokesperson for Facebook has confirmed that the company maintains a number of automated systems to help stop the distribution of harmful links and files via the social networking site.