It is the same old story: the user gets a message about the latest celebrity scandal or some other irresistible piece of information, but to see the video, read the article, etc., he is redirected to a scam web page.
The Scam Is so Obvious, It Hurts
In order to make the story more believable, the crooks present the user with a fake YouTube page where he can allegedly watch the video. This should be a red flag by itself, since it is a well-known fact that the popular video-sharing platform moderates inappropriate content both automatically AND manually.
If the user does not smell the fire and clicks on the presented link anyway, the fact that he is asked to update his video player to the latest version so he can actually view the spicy footage of the famous actress should set off the alarm right away.
Security researchers have closely analyzed the file containing the alleged Flash Player update and found that it was in fact a Trojan, configured to alter the configuration of the browser on the affected machine and to block access to the list of extensions. It also prevents access to Facebook activity and settings.
A Trojan Capable of Hijacking Facebook Sessions
Trojan.JS.Facebook.A places malicious items in the installation folder of Internet Explorer (IE). The Trojan can also steal the anti-CSRF token, allowing the hackers to hijack a specific Facebook session and perform changes as if they were the actual user.
The researchers concluded that the Trojan can establish a connection to a C&C (Command and Control) server, employ scripts to pull code from other web pages, and take control of Facebook activity.
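To make clear why stealing the anti-CSRF token is enough to act as the user, here is an added illustration (not code from the article, the researchers, or Facebook) of a minimal session-bound CSRF check and the requests it accepts or rejects. The server secret, the SESSIONS store and the request dictionary are constructed stand-ins for a real web application.

```python
import hashlib
import hmac
import secrets

# Constructed server-side secret; a real deployment keeps this outside the session store.
SERVER_SECRET = b"constructed-server-secret-do-not-reuse"

# Constructed session store: session id -> user name.
SESSIONS = {"sess-victim-001": "victim"}


def issue_csrf_token(session_id: str) -> str:
    """Issue an anti-CSRF token bound to one session.

    The token is nonce.HMAC(secret, session_id:nonce), so a token issued
    for one session does not validate for any other session.
    """
    nonce = secrets.token_hex(8)
    mac = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def csrf_token_is_valid(session_id: str, token) -> bool:
    """Recompute the HMAC for this session and compare in constant time."""
    try:
        nonce, mac = token.split(".", 1)
    except (AttributeError, ValueError):  # missing token or malformed value
        return False
    expected = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def change_settings(request: dict) -> int:
    """Model of a state-changing endpoint; returns an HTTP-style status code.

    request = {"cookies": {...}, "form": {...}} is a constructed stand-in for
    an HTTP request; only the session cookie and the CSRF form field matter.
    """
    session_id = request.get("cookies", {}).get("session")
    if session_id not in SESSIONS:
        return 401  # no valid session cookie
    token = request.get("form", {}).get("csrf_token")
    if not csrf_token_is_valid(session_id, token):
        return 403  # cookie present, but token missing or bound to another session
    return 200  # setting changed on behalf of SESSIONS[session_id]


def scenarios() -> dict:
    """Run the endpoint against four constructed requests and return their status codes."""
    victim_session = "sess-victim-001"
    victim_token = issue_csrf_token(victim_session)
    other_token = issue_csrf_token("sess-other-999")

    return {
        # Normal user: own cookie plus the token the server issued to that session.
        "legitimate": change_settings(
            {"cookies": {"session": victim_session}, "form": {"csrf_token": victim_token}}),
        # Classic cross-site forgery: the browser attaches the cookie, but the
        # attacker's page cannot read the token, so the form lacks it.
        "classic_csrf_no_token": change_settings(
            {"cookies": {"session": victim_session}, "form": {}}),
        # A token issued to some other session is rejected because of the binding.
        "token_from_other_session": change_settings(
            {"cookies": {"session": victim_session}, "form": {"csrf_token": other_token}}),
        # The case from the article: malware inside the victim's browser reads
        # both cookie and token, and the server cannot tell it from the user.
        "in_browser_trojan_with_stolen_token": change_settings(
            {"cookies": {"session": victim_session}, "form": {"csrf_token": victim_token}}),
    }


if __name__ == "__main__":
    for name, status in scenarios().items():
        print(f"{name:40s} -> {status}")
```

The first three scenarios are what a CSRF token is designed for, and the check behaves correctly. The fourth is the situation the article describes: once a Trojan runs inside the victim's browser it can read the token along with the session cookie, and no server-side CSRF validation can distinguish its requests from the user's own. The practical response is on the endpoint side: remove the malware, invalidate the session (which also invalidates tokens bound to it), and require re-authentication for sensitive account changes.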
Apparently the hackers are trying to make the most of the campaign before it is blocked. They are also trying to make some money out of it, as the bad links redirect users to localized surveys. The surveys are presented in the users' own language, which is supposed to make the whole scam more believable. Although operations like this may seem harmless, users should not underestimate the fact that personal data is required to complete the survey.
Experts believe that the scam relies on the massive leak of celebrity photos from the beginning of September.