Facebook continues to be a favorite target for attackers to spread fake wall-post messages or fake scams. Most of the time these fake messages are involved in fake scams that ask users to respond to surveys. Recently, I discovered a Facebook wall post with a malicious website address that was unknowingly shared by a friend. Once infected with this spam, the malicious wall post will also tag all the friends of an infected Facebook user. Here is the screenshot of a malicious wall post:
The link from this wall post redirects users to a malicious website that hosts malicious code. This site launches its main attack by identifying browsers with the help of the following code:
The preceding code from the malicious site targets Firefox and Chrome browsers on userAgent strings.
If the malware detects Firefox, it presents the following error message in Turkish:
The Google translation of the this message reads:
Please Refresh button, Firefox Add-Update your. Due to system errors and security bugs that are required by pressing the Reload button. Install Firefox Plug-in Update. As long as you have not updated the site faydalanamayacaksýnýz features.
If the malicious site detects Chrome, it will download the malicious file player.exe from the attacker’s dropbox account without asking the user. After using Chrome to visit the site, a victim will see a fake video page:
The name in the preceding script “Virusü Sil” is Turkish, which in English is “Delete Virus.” Malicious sites hosting the files present user with information in Turkish. This campaign is aimed against Turkish Facebook users, but it’s not limited to them. Once someone is infected with these extensions, a victim can spread the same post by tagging their friends.
Facebook has already removed these malicious messages from the infected users’ wall posts. The malicious apps have also been removed from Google Chrome store.