Fake Flash player scams have been around for a long time, but remarkably they still haven’t gone away. Now, they’re targeting users in Turkey.
A recent attack that we found starts off with a video link sent to users via Facebook’s messaging system (sent in Turkish). This “video” prompts users to install a Flash Player update; it actually installs a browser extension that blocks access to various antivirus sites. It also sends a link to the “video” to the victim’s Facebook friends via the messaging system, restarting the cycle.
This targeting appears to have worked: based on feedback from the Smart Protection Network, 93% of those who accessed pages related to this attack were from Turkey.
The browser extension pushed to users was in the format used by Chromium-based browsers like Google Chrome. It would not work in other browsers, like Internet Explorer and Mozilla Firefox. It also stops the user from accessing the extension settings page, to prevent the user from removing or disabling the extension.
As we noted earlier, this threat is cyclical. The fake update, detected as TROJ_BLOCKER.J, installs the extension (detected as JS_BLOCKER.J) that blocks the antivirus websites. JS_BLOCKER.J then downloads a malicious script which is used to send the Facebook messages with the link to the video. This script is detected as HTML_BLOCKER.K.
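A defender can look for extensions with the capabilities this behavior would need. The following is an added example, not code from the original post or from Trend Micro. It assumes the standard Chromium layout of `Extensions/<id>/<version>/manifest.json` and assumes that an extension blocking sites and watching for the settings page would declare request-blocking, tab-URL and broad host access; the function names and sample manifests are constructed for illustration.

```python
import json
from pathlib import Path

# Real Chromium permission names; treating them as indicators of a blocker
# extension is this example's assumption, not the post's analysis.
BLOCKING = {"webRequestBlocking", "declarativeNetRequest"}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def assess_manifest(manifest):
    """Return capability findings for one parsed manifest.json."""
    if not isinstance(manifest, dict):
        return []
    perms = {p for key in ("permissions", "host_permissions")
             for p in (manifest.get(key) or []) if isinstance(p, str)}
    findings = []
    if perms & BLOCKING and perms & BROAD_HOSTS:
        findings.append("can block requests to any site")
    if "tabs" in perms:
        findings.append("can read the URL of every tab")
    scripts = manifest.get("content_scripts") or []
    if any(BROAD_HOSTS & set(cs.get("matches") or [])
           for cs in scripts if isinstance(cs, dict)):
        findings.append("injects scripts into every page")
    return findings

def audit_extensions(extensions_dir, threshold=2):
    """Map extension id -> (name, findings) for extensions at or above threshold."""
    report = {}
    for path in sorted(Path(extensions_dir).glob("*/*/manifest.json")):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip rather than crash
        findings = assess_manifest(manifest)
        if len(findings) >= threshold:
            report[path.parent.parent.name] = (manifest.get("name", "?"), findings)
    return report

# Constructed sample manifests (not taken from the malware described above).
SAMPLE_SUSPECT = {"name": "Flash Player Update (constructed)", "manifest_version": 2,
                  "permissions": ["tabs", "webRequest", "webRequestBlocking", "<all_urls>"],
                  "content_scripts": [{"matches": ["*://*/*"], "js": ["c.js"]}]}
SAMPLE_BENIGN = {"name": "Notes (constructed)", "manifest_version": 2,
                 "permissions": ["storage"]}

if __name__ == "__main__":
    import sys
    for ext_id, (name, findings) in audit_extensions(sys.argv[1]).items():
        print(ext_id, name, "; ".join(findings))
```

Legitimate ad blockers and security extensions request the same capabilities, so a hit is a prompt to review the extension, not a verdict.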
In addition to Facebook messages, Twitter accounts “promoting” this page were also spotted.
Turkey is one of the world’s most active Facebook-using countries, with 19 million daily active users and 33 million monthly active users. In addition, this attack’s behavior – blocking antivirus sites – is not actively harmful to users, although it would leave them vulnerable to future attacks.
Facebook is working diligently to prevent users from encountering these types of attacks. We protect users by detecting and blocking the files and sites related to this attack. Users can also protect themselves further through these simple tips:
- Don’t click or access any strange and unfamiliar URLs that pop up on your wall, profile, or from a private message.
- If you’re asked to update any software, go to the software vendor’s site directly, and not through any other supplied link.
- Get a security solution that automatically blocks malicious downloads and fraudulent websites.
With analysis from Anthony Melgarejo and Paul Tiu