Twitter, Facebook Scam Tricks Users With Phony Adobe Flash Player


A spate of malicious links spreading on Facebook and Twitter tricks victims into downloading malware masquerading as Adobe Flash Player, according to a warning issued by security researchers at Avast.

The goal of the attack appears to be to perpetuate an extensive clickjacking campaign, said Jaromir Horejsi, a malware analyst at the Czech Republic-based antivirus vendor. In his analysis of the threat, Horejsi said a malicious script enables an attacker to hijack a victim's Twitter account to follow, post or retweet on behalf of the victim. It also can post to the user's Facebook feed, "like" a Facebook page or become its fan, he said.

"There were a few hard-coded Facebook pages, which were liked or subscribed by Facebook accounts on compromised computers," Horejsi wrote.

[Related: 6 Signs You've Been Sucked Into A Facebook Scam]

The attack installs a Firefox and Chrome browser extension on a victim's PC, designed to make the phony Flash Player install appear legitimate. Currently, the attack appears to be adding views to a YouTube channel, a Facebook page and several website surveys. The malware author behind the campaign could easily manipulate that, making it much more dangerous to victims, Horejsi said.

The attack currently only targets users from Turkey, but Avast's Horejsi said other cybercriminals could copy the techniques. Malicious links tied to similar click fraud campaigns have been identified in recent months targeting users in the U.S. and other countries.

"It can be easily adapted to target any service worldwide," Horejsi wrote.

Clickjacking attacks are common. The attacks spread quickly on social networks where users are more trusting of links shared by friends and other connections, say security experts.

Attackers frequently attempt to target users of social networks to spread malicious links, but the growth of social network attacks has been relatively flat, according to security firms. Facebook and Twitter aggressively monitor accounts for unusual behavior and suspend them when malicious activity is suspected. Links also are checked against known phishing sites, but attackers continue to attempt to use the platform to spread malware and other attacks.

In March, the Facebook Black scam promised users the ability to manipulate the color of their Facebook pages by installing a Chrome browser extension. Victims of that attack were instead treated to phishing surveys designed to collect data.

Much like the clickjacking attack identified by Avast, the scammers in the Facebook Black campaign used malicious JavaScript to control the victim's Facebook account. The attackers would create a new Facebook page on the victim's account to further spread the campaign.

PUBLISHED JULY 3, 2013