01 July 2016

Kaspersky Lab Exposes Facebook Phishing Attacks: 10,000 Victims in Two Days

A Kaspersky Lab security expert has uncovered a malware attack that tricked around 10,000 Facebook users around the world into infecting their devices after receiving a message from a friend claiming to have mentioned them on Facebook

A Kaspersky Lab security expert has uncovered a malware attack that tricked around 10,000 Facebook users around the world into infecting their devices after receiving a message from a friend claiming to have mentioned them on Facebook. Compromised devices were used to hijack Facebook accounts in order to spread the infection through the victim’s own Facebook friends and to enable other malicious activity. Countries in South America, Europe, Tunisia and Israel were hardest hit.

Between the 24th and 27th June, thousands of unsuspecting consumers received a message from a Facebook friend saying they’d mentioned them in a comment. The message had in fact been initiated by attackers and unleashed a two-stage attack.  The first stage downloaded a Trojan onto the user’s computer that installed, among other things, a malicious Chrome browser extension. This enabled the second stage, the takeover of the victim’s Facebook account when they logged back into Facebook through the compromised browser. A successful attack gave the threat actor the ability to change privacy settings, extract data and more, allowing it to spread the infection through the victim’s Facebook friends or undertake other malicious activity such as spam, identity theft and generating fraudulent ‘likes’ and ‘shares’. The malware tried to protect itself by black-listing access to certain websites, such as those belonging to security software vendors. 

The Kaspersky Security Network registered just under 10,000 infection attempts worldwide.  The countries most affected were Brazil, Poland, Peru, Colombia, Mexico, Ecuador, Greece, Portugal, Tunisia, Venezuela, Germany and Israel.


People using Windows-based computers to access Facebook were at the greatest risk, while those using Windows OS phones could possibly have been at some risk.  Users of Android and iOS mobile devices were immune since the malware used libraries which are not compatible with these mobile operating systems.

The Trojan downloader used by the attackers is not new.  It was reported on about a year ago, making use of a similar infection process.  In both the cases, language signs in the malware appear to point to Turkish-speaking threat actors.

Facebook has now mitigated this threat and is blocking techniques used to spread malware from infected computers. It says that it has not observed any further infection attempts.  Google has also removed at least one of the culprit extensions from the Chrome Web Store.

“Two aspects of this attack stand out.  Firstly, the delivery of the malware was extremely efficient, reaching thousands of users in only 48 hours. Secondly, the response from consumers and the media was almost as fast. Their reaction raised awareness of the campaign and drove prompt action and investigation by the providers concerned,” said Ido Naor, Senior Security Researcher, Global Research and Analysis Team, Kaspersky Lab.

Consumers who think that they may have been infected should run a malware scan on their computer or open their Chrome browser and look for unexpected extensions.  If these are present they should log out of their Facebook account, close the browser and disconnect the network cable from their computer. Get a professional to check for and clean away the malware.

In addition, Kaspersky Lab advises all consumers to follow some basic cyber-safety practices:

  • Install an antimalware solution on all devices and keep OS software up-to-date.
  • Avoid clicking on links in messages from people you don’t know, or in unexpected messages from friends.
  • Exercise caution at all times when online and on social media networks: if something looks even slightly suspicious, it probably is.
  • Implement appropriate privacy settings on social media networks such as Facebook.

Kaspersky Lab products detect and block the threat.

Read more about the attack process and how to find out whether you’ve been infected and what to do if you have in Facebook Malware: Tag Me if You Can at Securelist.com.  

Articles related to Virus News

  • The safest countries for web surfing include South Africa (16.0%) - Kaspersky Lab reviews the malware situation in Q3

    An extremely dangerous vulnerability known as Bash/ShellShock dominated the newsfeeds in Q3. The IT security community issued a red alert: Bash is easily exploited, providing full access to the operating system on popular devices – routers, wireless access points etc. In addition to this incident, Kaspersky Lab’s Global Research and Analysis Team discovered two cyber-espionage campaigns that hit more than 2,800 high-profile targets in more than 45 countries across the globe. As for non-targeted mass attacks, their geographical distribution is becoming truly global. Attacks by mobile malware alone were detected in 205 countries.

  • Kaspersky Lab: Financial Institutions and E-Commerce – are their minds on the security of your money?

    Most people would imagine that protecting payment data would be the top priority for any business that deal primarily with online financial transactions. However, according to a Kaspersky Lab survey of more than 3,900 IT professionals worldwide, financial organisations (banks and service providers) and e-Commerce providers (online retailers) don’t see the protection of financial information as more important than any other business…and in some cases, they believe it’s much less important than average.

  • Kaspersky Lab Adds 20+ Patents to its Intellectual Property Portfolio in Q3 2014

    In Q3 2014, Kaspersky Lab took out nearly two dozen technology patents in different countries.