A new malware threat is spreading fast on the Internet, and this time it’s targeting Facebook Messenger users.
If you get this link via Messenger from one of your Facebook friends, do not click on it!
This malware, which replicates over Facebook’s messaging system, Messenger, is spreading massively. It relies on social engineering to trick people and steal their sensitive data.
Here’s how it works
The message includes a BIT.LY link that points to a video with the person’s name. Once the user clicks on the malicious link, the traffic is redirected through a chain of websites on different domains, and where the user ends up depends on some characteristics of that user.
Un-shortening the URL leads to:
https [://] docs.google [.] com/file/d/0B7rArSLkL3A-dk9ZNVp1NzRUWjg/preview
Here is a series of the malicious URLs involved in delivering and keeping the distribution covert:
http://bitly [.] com/2v8tlRs?[Name of recipient]
https://docs.google [.] com/file/d/[unique ID]/preview
http://dilosi [.] bid/ad/1010442020
q.redirecting [.] website
The final destination is a domain where the adware is downloaded.
This strain of adware tracks cookies, monitors your online activity, and shows different ads that lead to potentially malicious URLs.
Researchers have discovered that this campaign uses various attack angles, such as a browser extension for Chrome and Firefox (users have been sent to fake sites), or a binary package that installs adware on the computers of users running Safari and Microsoft Edge / Internet Explorer.
According to SecureList, Firefox users are sent to a website that displays a fake Flash Update notice and then shows a Windows executable.
The browser extension for Chrome is a downloader, which will download a file to your computer.
The adware is installed from www.currentcleannew.com and is named “VideoPlayer,” which looks like a playable movie file that users are tempted to click.
The installation package is installed by default to the c:\%program files%\Fahi folder.
VirusTotal indicated that 26 of 64 antivirus solutions were detecting this malicious code at the time this article was posted.
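The campaign-specific hosts named above can be searched for in web proxy logs to find machines that followed the link. The Python sketch below is an added example, not code from the original article or from SecureList; the log format (timestamp, client, URL) and the sample lines are constructed for illustration, and the bit.ly and docs.google.com hops are not matched because they are shared services.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Indicators as written on this page (defanged), in the order of the described chain.
# bit.ly and docs.google.com are shared services, so matching them by host is too noisy.
CHAIN = ["dilosi [.] bid", "q.redirecting [.] website", "www.currentcleannew.com"]

# Constructed sample proxy log: "<timestamp> <client> <url>" (assumed format).
SAMPLE_LOG = """\
2000-01-01T10:01:02 10.0.0.5 http://bitly.com/2v8tlRs?Alice
2000-01-01T10:01:03 10.0.0.5 http://dilosi.bid/ad/1010442020
2000-01-01T10:01:04 10.0.0.5 http://q.redirecting.website/
2000-01-01T10:01:06 10.0.0.5 http://www.currentcleannew.com/
2000-01-01T10:02:00 10.0.0.9 https://example.org/news
2000-01-01T10:03:00 10.0.0.7 http://DILOSI.bid/ad/1010442020
"""

def refang(indicator):
    """Turn 'host [.] tld' or 'https [://] host' text into a plain lowercase host."""
    text = re.sub(r"\s*\[\s*\.\s*\]\s*", ".", indicator.strip())
    text = re.sub(r"\s*\[\s*://\s*\]\s*", "://", text).replace(" ", "")
    host = urlsplit(text if "//" in text else "//" + text).hostname
    return (host or "").lower()

def scan(log_text):
    """Return {client: [chain stage indexes hit, in the order first seen]}."""
    hosts = [re.sub(r"^www\.", "", refang(i)) for i in CHAIN]
    hits = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        _, client, url = parts
        host = (urlsplit(url).hostname or "").lower()
        for stage, ind in enumerate(hosts):
            if (host == ind or host.endswith("." + ind)) and stage not in hits[client]:
                hits[client].append(stage)
    return dict(hits)

def triage(hits):
    """Clients that reached the last stage (the download domain) come first."""
    last = len(CHAIN) - 1
    return {c: ("reached download domain" if last in s else "in redirect chain")
            for c, s in hits.items()}

if __name__ == "__main__":
    print(triage(scan(SAMPLE_LOG)))
```

A client flagged as having reached the download domain is the one to check first for the installation folder mentioned above.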
That’s all the information we currently have on this.
Until then, we firmly recommend being careful while navigating online. Once again: please don’t click on suspicious links, and remember to install all the latest updates for any software/apps you may be using. Add to that a robust security tool that can block such malicious domains and you’ll make your online life a lot safer.