Cybercriminals are using Facebook Messenger to spread adware, duping victims by redirecting them to fake versions of popular websites that are tailored to their browser.
Researchers have suggested that malicious links are being sent from Messenger accounts that have been compromised as a result of stolen credentials, hijacked browsers, or clickjacking.
How is it installed?
The user receives a message consisting of their name followed by the word ‘Video’, a shocked-face emoji, and a shortened URL: for example, ‘David Video’.
The link leads to a compromised website which blurs a photo taken from the victim’s Facebook page and makes it look like a playable movie. When the victim clicks on this video, the malware will send them to one of a number of different websites, depending on their browser, operating system, location, and other factors.
This site will then attempt to encourage the target to install adware. For example, a Google Chrome user is sent to a website designed to look like YouTube, complete with the official logo and branding. The website shows the visitor a fake error message designed to trick them into downloading a malicious Chrome extension.
While little is known about the campaign or those behind it, the sheer number of Facebook Messenger users gives the adware's operators an extremely large base of targets.
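The lure format described above (recipient's name, the word ‘Video’, an emoji, a shortened link) can be matched as a message-filtering heuristic. The following is an added example, not code from the researchers or from Facebook; the shortener host list, function names, and sample messages are assumptions constructed for illustration.

```python
import re
import unicodedata
from urllib.parse import urlparse

# Assumption: the article does not name the shortening service, so this
# set of well-known shortener hosts is illustrative and should be tuned.
SHORTENER_HOSTS = {"bit.ly", "t.co", "goo.gl", "tinyurl.com"}
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


def lure_indicators(recipient_name, message):
    """Return the set of lure traits found in a message sent to recipient_name."""
    found = set()
    urls = URL_RE.findall(message)
    text = URL_RE.sub(" ", message)  # judge wording separately from the link
    words = re.findall(r"[^\W\d_]+", text.lower())
    name_parts = recipient_name.lower().split()

    # Trait 1: message opens with the recipient's own first name, then "Video".
    if name_parts and words[:2] == [name_parts[0], "video"]:
        found.add("name_video_prefix")
    # Trait 2: an emoji is present (Unicode category So covers pictographs).
    if any(unicodedata.category(ch) == "So" for ch in text):
        found.add("emoji")
    # Trait 3: a link whose host is a URL shortener.
    for url in urls:
        host = (urlparse(url).hostname or "").lower()
        if host.startswith("www."):
            host = host[4:]
        if host in SHORTENER_HOSTS:
            found.add("short_url")
    return found


def is_probable_lure(recipient_name, message):
    """Flag only when all three traits from the article co-occur."""
    return lure_indicators(recipient_name, message) == {
        "name_video_prefix", "emoji", "short_url"}


# Constructed sample messages (recipient display name, message text).
SAMPLES = [
    ("David Smith", "David Video \U0001F631 http://bit.ly/EXAMPLE"),
    ("David Smith", "Hey David, video from the party: https://example.com/v/1"),
    ("David Smith", "Anna Video \U0001F631 https://t.co/EXAMPLE"),
]

if __name__ == "__main__":
    for name, msg in SAMPLES:
        print(is_probable_lure(name, msg), sorted(lure_indicators(name, msg)))
```

Requiring all three traits together keeps ordinary messages that merely mention a video or contain a short link from being flagged.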