Besides the fake Facebook Profile Viewer ruse, we found another Facebook scam that lures users into downloading a fake Adobe Flash Player plugin. We noticed countless feeds pointing to a Facebook page with more than 90 million “likes”. For some users, this huge number of likes may be enough to make them check the page out. It also suggests that the page is quite popular, which may lead users into thinking that it is legitimate and harmless.
Figure 1. Spammed Facebook post
However, we verified that this figure of 91 million Likes is not true at all and is merely a social engineering lure. Once users visit the page, they are instead led to this site.
Figure 2. Users are led to this site, which hosts a fake Adobe Flash plugin
From the looks of it, the page is supposed to host an Adobe Flash Player plugin (detected as TROJ_FAKEADB.US). If a user downloads the plugin while browsing the page in Google Chrome, the page automatically closes and a Chrome extension file is dropped. This extension file is detected as TROJ_EXTADB.US.
Once installed, the malware spams the same post using the affected user’s account, even tagging the user’s friends in the message. TROJ_EXTADB.US was also found to send and receive information from certain URLs. We already block access to all the URLs related to this threat.