There are already many known ways by which cybercriminals target Facebook users. In the infographic we recently released, “The Geography of Social Media Threats,” we illustrated the different social networking features cybercriminals abused and the threats that these usually lead to.
In the course of conducting research, we found one specific attack that targeted Facebook users through a different route—malvertisements.
We encountered an infection chain wherein the user is led from a page within Facebook to a couple of ad sites then, finally, to a page that hosts exploits. When we traced the connection between the ad sites and Facebook, we found that the ad providers were affiliated with a certain Facebook application. We checked out the said application and found that it is indeed ad supported. We were able to come up with the likely infection chain based on this finding:
Upon accessing the application, the malvertisement gets loaded, triggering a series of redirections. The redirections finally lead to a malicious site, which then loads several exploits, particularly those related to Java and ActiveX:
The exploits were loaded to download more malicious files although we weren’t able to trace these anymore since the URLs they accessed were already inaccessible. Nonetheless, Trend Micro already provides protection for this kind of threat by not only blocking access to malicious URLs but also by protecting against the execution of the said exploits.
Malvertisements are considered grave threats, especially since much like website compromises, attacks related to these usually involve trusted sites that users already typically visit without risk of system infection. In 2009, visitors of the NYTimes were exposed to threats when malvertisements were found on its pages, leading users to FAKEAV variants. Earlier this year, Trend Micro researchers also found malicious ads being displayed in a Web-based email service, directing users to URLs serving PDF exploits.
For this particular incident, users are advised to be careful when it comes to installing Facebook applications and, more importantly, to utilize a security product with a strong Web reputation technology that can help determine bad links from good ones within a social networking environment.