Tweet

The downside of popularity is that cybercriminals tend to abuse it for their own nefarious ends. Case in point, social networking sites have been often used to proliferate malware. Just recently, we spotted a Facebook clickjacking attack that leverages and abuses Instagram to point users to malicious websites.

Users encounter this threat by being tagged in a photo posted by one of their contacts on Facebook. The post states that users can know who visited their profile on Faceboofk and how often. It also includes a photo posted via Instagram.

We noticed that the photo and the names used in the “Recent Profile Views” (see below) are used repeatedly for other attacks.

Should users decide to click the link, they are lead to a page with instructions on how to generate the verification code. Once done, a pop-up window appears, which is actually the Instagram for Facebook app asking users to click “Go to App” button. Once done, it redirects users to a page that looks like the Facebook Home page.

As seen in the screenshots below, the address bar is different from the legitimate Facebook homepage. Users are then asked to copy and paste the malicious URL (which varies per user)  in a certain dialog box and to click ‘continue’.

Once users complete these steps, the album Instagram Photos is generated together using the Instagram for Facebook and the post mentioned above. It also contains malicious link which serve as the propagation mechanism.

The said link also checks for the location of the affected users. Victims located in India are redirected to web advertisement/ online deal site that ask for email subscription. While those living in the Philippines, Pakistan, Egypt or Myanmar redirects to a stalking tool that requires subscription from the author.

It may also redirect to the websites {BLOCKED}pps.info/post.php and {BLOCKED}new.blogspot.in. Answering any of the questions given on these Web pages will lead users to Social Buzz App for Facebook.

Based on our investigation, these spammed posts only appear in Facebook and not in Instagram. As such, whether affected users have Instagram accounts or not, the images will still be uploaded in Facebook. Moreover, if the album, ‘Instagram Photos’ already exists, the spammed photo is posted in the said album as seen below. We also found out that this attack works in mobile devices and in secure connections like https.

My colleague Paul Pajares checked the link to be copy-pasted to how rampant this threat is. Based from this site, the link so far gathered 825,545 clicks worldwide, mostly coming from the Philippines and India. The said link is attributed to the account maygup88, who is also responsible for other 130 domains blocked.

This type of threat on Facebook has taken on different forms these past months, usually under the veil of popular brands such as Diablo 3 and iPad. It even expanded to other social networking sites like Pinterest and Tumblr, which only means one thing: users are still falling for these scams. With this in mind, users are advised to take precautionary steps such as double-checking the legitimacy of links and posts. And remember: just because a contact posted that link, it does not mean it’s safe.

Trend Micro Smart Protection Network protects users from this threat by blocking the related sites.

With additional analysis from Fraud Analyst Paul Pajares