A Facebook scam redirected visitors to a popular attack toolkit, an unusual tactic that a Symantec researcher says highlights the growing aggressiveness of social networking threats.
The scam, which spread quickly before Facebook shut it down, appeared to support a spam campaign, according to Symantec researcher Ankit Singh, who wrote an analysis of the threat Wednesday. It delivered malware that attempted to turn infected systems into bots capable of delivering unwanted messages, he said.
The attack tricked Facebook users by advertising work-at-home jobs. The message, "EXPOSED: Mom Makes $8,000/Month," contained a link that led to a series of redirects to a third-party website containing the Nuclear exploit kit.
The attack toolkit preys on victims who don't keep their software fully patched. Code embedded in the website automatically scans the victim's system, typically seeking vulnerabilities in Adobe Flash, Java and other popular browser components.
The Nuclear exploit kit emerged in 2009. The second version, released in 2012, became increasingly popular following the arrest of the operator of the notorious Black Hole Exploit Kit last October.
The attacker uses various methods to lure people into spreading the campaign on Facebook, according to Singh.
"In cases of a compromise or where the victim follows through thinking they can make money, the attacker can lead the victim to click on 'Like' buttons or share a link for a third party, earning the attacker money in the process," Singh wrote. "In cases with a compromise, the attacker can use the victim’s computer to perform various actions and continue the scam."
Social networking threats that spread malicious links or redirect visitors to phishing and attack webpages are a continual problem and the main cause of infected systems, say solution providers. In March, more than 1,000 Facebook users were tricked into installing a phony Flash Player update. The Facebook attack also was detected on Twitter and quickly spread to other social networks before finally being contained. Security vendor Bitdefender said it was also tied to spam campaigns.
Businesses are bombarded with financially motivated attack campaigns out to steal passwords and other information, said Jon Sargent, president and CEO of Norfolk, Va.-based managed service provider Padlon. Many of the attacks are driven by automated toolkits and are very successful, keeping IT administrators busy cleaning up infected systems, Sargent said in a recent interview.
"The IT person not only has to be the jack-of-all-trades to fix things, but they have to have the tools in their back pocket to keep the bad guys out," Sargent said.
Symantec warned last year about the Facebook Black scam, which was supported using Amazon's S3 cloud storage service. It tricked Google Chrome users into clicking on a link to install a browser extension that purported to add functionality that would darken the Facebook page. Instead, victims were treated to a litany of survey pages attempting to obtain their address, birth date and other details.
PUBLISHED JULY 23, 2014