Besides the fake Facebook Profile Viewer ruse, we found another Facebook scam that lures users into downloading a fake Adobe Flash Player plugin. We noticed countless feeds pointing to a Facebook page with more than 90 million “likes”. For some, this huge number of Facebook likes may be enough for them to check the page out. It also means that the page is quite popular and may lead users into thinking that it is legitimate and harmless.
Figure 1. Spammed Facebook post
However, we verified that this 91 million Likes is not true at all and is merely a social engineering lure. Once users visit the page, they are instead lead to this site.
Figure 2. Users are lead to this site that host fake Adobe Flash plugin
From the looks of it, the page is supposed to host an Adobe Flash Player plugin (detected as TROJ_FAKEADB.US). If user downloads the plugin and is browsing the page via Google Chrome, the page will automatically close and a Chrome extension file is dropped. This extension file is detected as TROJ_EXTADB.US.
Once installed, the malware will spam the same post using the affected user’s account (even tagging their friends in the message.) Also, TROJ_EXTADB.US was found to send and receive information from certain URLs. We already blocks access to all the URLs related to this threat.
Social networking sites are an integral part of the way we interact with our friends, colleagues, and loved ones. Though useful, cybercriminals and other bad guys out there are using the platform to launch their schemes. From threats that may steal your credit card information to garden-variety scams, users must always be careful with their social media accounts. Always be wary when clicking links, even if they are from your contact or friends. It also pays to know how social engineering works.
We’re trying to make the Security Intelligence Blog better. Please take this survey to tell us how.
