New Facebook malware has surfaced, but the type of trick it uses is at least 2 years old. According to Cheetah Mobile, which claims to be the first to report the latest iteration of the malware, the malware exhibits one or more of the following behaviors:
1. Provides a link claiming to lead to an app capable of changing the color of a user’s Facebook layout. If clicked, the link leads to a Facebook page that redirects the user to a malicious site.
2. At the malicious site, users are asked to view a tutorial video, which allows the attackers to steal the user’s access tokens.
3. If the victim is using a PC, the site tries to get them to download a video player.
4. If the victim is using an Android device, the site warns them that their device may have malware and instructs them to download a suggested app.
Although Cheetah Mobile refers to the initial link claiming to lead to a color changer app as a phishing link, none of the behaviors described in the article appears, strictly speaking, to be phishing behavior. Cheetah Mobile does not claim that the link asks the user for personal information, only that it leads to malware. It is therefore better described as a drive-by download than as a phishing link.
This malware does not appear to be widespread; Cheetah Mobile estimates that it has only impacted “more than 10,000” people. Nevertheless, the described behavior provides us with some important lessons on how to protect yourself against this type of malware. First of all, in order for you to be infected by this type of malware, you must click a link. The two ways in which attackers try to entice you into clicking a link are as follows:
1. By providing something they think you want. In this case, they tried to entice users with a color changer, a tutorial video containing helpful information, and a video player.
2. By offering a way to avoid a negative consequence. In this case, the malware provided a fake warning to entice people into downloading a malicious app.
Before you click a link, learn to recognize these two possibilities and the potential for apps and video players to be infection vectors. Also remember that a link can’t be considered safe just because it looks like it was posted by your friend; their account could have been compromised by the malware already.
In this case, Facebook is at least partially at fault for allowing a Facebook link to redirect to a malicious site. Due to this vulnerability, even users who know how to read a link may be duped into believing the link is legitimate because the domain is “facebook.com”. The solution? Don’t click the link in the first place.
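For anyone who reviews reported links (a help desk or a mail filter, say), the point above can be turned into a check. The sketch below is an added example, not code from Cheetah Mobile or Facebook. It assumes a proxy or sandbox has already recorded the URLs a link led through. The chains, paths and `.example` hosts are constructed sample data.

```python
from urllib.parse import urlsplit

TRUSTED = {"facebook.com"}  # domains the reader is inclined to trust (assumption)

# Constructed sample chains: first URL is the link as posted, last is the landing page.
CHAIN_REDIRECTING = ["https://www.facebook.com/constructed-page",
                     "https://apps.facebook.com/constructed-app/",
                     "http://color-changer.example/tutorial"]
CHAIN_LOOKALIKE = ["https://facebook.com.login.example/colors"]
CHAIN_INTERNAL = ["https://www.facebook.com/a", "https://m.facebook.com/a"]

def host_of(url):
    """Lower-cased hostname without port or trailing dot; '' if absent."""
    return (urlsplit(url).hostname or "").rstrip(".").lower()

def is_trusted(host, trusted=TRUSTED):
    """Accept only the domain itself or a true subdomain of it.

    A substring or prefix test would wrongly accept look-alike hosts
    such as 'facebook.com.login.example'.
    """
    return any(host == d or host.endswith("." + d) for d in trusted)

def assess_chain(chain, trusted=TRUSTED):
    """Classify a recorded navigation chain by where it starts and ends."""
    if not chain:
        raise ValueError("empty chain")
    hosts = [host_of(u) for u in chain]
    # Index of the first URL that is outside the trusted set, if any.
    exit_at = next((i for i, h in enumerate(hosts)
                    if not is_trusted(h, trusted)), None)
    if exit_at is None:
        verdict = "stays-on-trusted"
    elif is_trusted(hosts[0], trusted):
        verdict = "trusted-link-leaves-site"  # the case this article describes
    else:
        verdict = "untrusted-link"
    return {"verdict": verdict,
            "link_host": hosts[0],
            "landing_host": hosts[-1],
            "left_at": None if exit_at is None else chain[exit_at]}

if __name__ == "__main__":
    for chain in (CHAIN_REDIRECTING, CHAIN_LOOKALIKE, CHAIN_INTERNAL):
        print(assess_chain(chain))
```

The first chain passes any inspection of the posted link alone, which is why the verdict has to be based on the landing host rather than the link text.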