The Inquirer-Home

A Trojan is circulating through Facebook Messenger

Targets users pretending to be a Facebook friend with a 'LOL' and a fake image file
Tue Mar 11 2014, 16:25
Image of Facebook logo and login screen

A TROJAN is circulating through the Facebook social network stealing account data and credentials, security firm Malwarebytes has claimed.

The Trojan spreads through Facebook's Messenger service by messaging a victim pretending to be one of their friends with the term "LOL" accompanied by a file waiting to be downloaded, which appears to be a photo, named "IMG_xxxx.zip".

"Once downloaded, the user unzips the file and clicks on what they assume is an image file, still called 'IMG_xxxx.jar'," Malwarebyte's Malware Intelligence manager Adam Kujawa said in an email to The INQUIRER. "The JAR file executes, downloads malware and infects the system."

The infected user's Facebook account is then compromised and used to send more malware to the users friends, and the vicious circle continues.

"Unlike previous versions of this scam, it is almost like the cyber criminals decided to make an amalgam of different infection tactics to obtain the normal goal," Kujawa added, saying that there are four such tactics revealed in this type of attack. "The first is the use of instant messaging; we have seen plenty of malware use instant messaging in various forms to send malicious files to victims, including Skype, MSN, Yahoo, etc."

The second, Kujawa said, is the use of the text 'LOL', which is nothing more than a clever hook to make the user open the file. Similar attacks are often performed using terms like "OMG, is this you?" or "I can't believe someone posted this," all with the same intention - to catch the user's attention.

Kujawa said the third tactic is the use of the zip format to hide the attack, such that the user has to download it from the attacker, or a compromised account, and unzip it in order to find the actual malicious file.

"The fourth [tactic] is the use of a JAR file, or java file. Usually we only see this kind of method used on drive-by attacks, where the Java is used to exploit the system and execute the malware," he said. "In this case, the java file (not inherently malicious on its own) reaches out and downloads the actual malware from a remote Dropbox account. It then installs the malware as a service on the system, silently."

Malwarebytes said that the malware installed is being analysed to determine its purpose, but that it can "say for sure" that it is some kind of Trojan that injects itself into legitimate processes running on the victims system.

"The origin of the threat is also currently under investigation however some of the text found within the Java file leads us to believe it was developed by someone who speaks Greek," Kujawa added.

To protect yourself, Mawalrebytes insisted that users must simply not download the file if they receive such a message.

The news is rather worrying for Whatsapp users, considering the recent acquisition of the short messaging service by Facebook last month. µ

 

Share this:

blog comments powered by Disqus
Advertisement
Subscribe to INQ newsletters

Sign up for INQbot – a weekly roundup of the best from the INQ

Advertisement
INQ Poll

Dead electronic devices to be banned on US-bound flights

Will the new rules banning uncharged devices be effective?