Facebook Messenger user? Watch out for fake messages rigged with malware

An adware campaign is using social engineering to trick victims into installing malware, using a web page tailored to their browser.
Written by Danny Palmer, Senior Writer

Cybercriminals are using Facebook Messenger to spread adware, duping victims by redirecting them to fake versions of popular websites that are tailored to their browser.

The attacks were uncovered by a security researcher who received a suspicious Facebook message from a contact and analysed its contents.

"This malware was spreading via Facebook Messenger, serving multi-platform malware/adware, using tons of domains to prevent tracking, and earning clicks. The code is advanced and obfuscated," said David Jacoby, senior security researcher in the global research and analysis team at Kaspersky Lab.

Researchers have suggested that malicious links are being sent from Messenger accounts that have been compromised as a result of stolen credentials, hijacked browsers, or clickjacking.

The initial attack is fairly simple. Because the user knows the person the message comes from, they are likely to trust it and click on what appear to be links to videos, memes, and other content.

The user is sent a message composed of their first name followed by the word 'Video', a shocked-face emoji and a shortened URL: in the documented case, the message read 'David Video'. The link leads to a Google Doc showing a blurred photo lifted from the victim's Facebook profile, dressed up to look like a playable video.
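The message shape described above is regular enough to flag in bulk. As an added example (not code from the article or from Kaspersky), the detector below matches "<first name> Video <emoji> <short link>", scores each hit on whether the name equals the recipient's first name, whether the link host is a URL shortener, and whether the emoji bait is present, and runs over a handful of constructed messages. The shortener list and the scoring threshold are assumptions for illustration.

```python
"""Flag Messenger-style messages that match the "<first name> Video <emoji> <short link>" lure."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumed list of shortener hosts for illustration; extend it from your own telemetry.
SHORTENER_HOSTS = {"bit.ly", "goo.gl", "t.co", "tinyurl.com", "ow.ly", "is.gd"}

# <name> Video [emoji] <url>; the emoji is optional so a variant without it is still caught.
LURE_RE = re.compile(
    r"^\s*(?P<name>\S+)\s+video\s*"
    r"(?P<emoji>[\U0001F600-\U0001F64F\U0001F900-\U0001F9FF]*)\s*"
    r"(?P<url>https?://(?P<host>[^/\s]+)/\S*)\s*$",
    re.IGNORECASE,
)


@dataclass
class Message:
    sender: str
    recipient_first_name: str   # the name the lure is expected to use
    text: str


def classify(msg: Message) -> Optional[dict]:
    """Return None for a non-matching message, else a score and the reasons behind it."""
    m = LURE_RE.match(msg.text)
    if not m:
        return None
    host = m.group("host").lower()
    reasons: List[str] = []
    score = 0
    if m.group("name").lower() == msg.recipient_first_name.lower():
        score += 2
        reasons.append("addressed to the recipient by first name")
    if host in SHORTENER_HOSTS:
        score += 2
        reasons.append(f"link goes through shortener {host}")
    if m.group("emoji"):
        score += 1
        reasons.append("emoji bait after 'Video'")
    return {"sender": msg.sender, "url": m.group("url"), "score": score,
            "flag": score >= 3, "reasons": reasons}


# Constructed sample traffic, not real captures.
SAMPLE_MESSAGES = [
    Message("alice", "David", "David Video 😮 https://bit.ly/2xAbCdE"),
    Message("bob", "David", "Maria Video 😮 https://goo.gl/x1y2z3"),        # lure addressed to someone else
    Message("carol", "David", "David video https://example.org/clip.mp4"),  # right name, but a direct link
    Message("dave", "David", "are you coming tonight?"),
]


def scan(messages: List[Message]) -> List[dict]:
    """Classify every message and keep only those matching the lure pattern."""
    return [verdict for verdict in (classify(m) for m in messages) if verdict]


if __name__ == "__main__":
    for hit in scan(SAMPLE_MESSAGES):
        print(hit["sender"], hit["score"], "FLAG" if hit["flag"] else "low", hit["reasons"])
```

A name mismatch is deliberately not disqualifying: the second sample is still the lure, just addressed to a different victim, and a compromised account will send the same text to many contacts.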


A fake video in Google Docs is used to persuade the victim to click through to a landing page.

Image: Kaspersky Lab

When the victim clicks on this video, the page redirects them to one of a number of different websites, chosen according to their browser, operating system, location, and other factors. The chosen site then tries to talk the target into installing adware.

For example, a Google Chrome user is sent to a website designed to look like YouTube, complete with the official logo and branding. The website shows the visitor a fake error message designed to trick them into downloading a malicious Chrome extension.


Chrome users are directed to a fake YouTube page.

Image: Kaspersky Lab

Firefox users are directed to a website displaying a fake Flash Update notice, which offers a Windows executable that installs the adware. Safari users get a similar page customised for macOS, which offers a .dmg download that is also adware.


The trick to lure Firefox users into installing adware.

Image: Kaspersky Lab
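The per-browser routing described above is a form of cloaking, and the practical check is to resolve the same link under several User-Agent strings and compare where each one ends up. The probe below is an added example, not code from the article or from Kaspersky: it follows redirects one hop at a time, records the final host and content type for each browser profile, and reports the link as cloaked when the profiles land on different hosts. The `simulated_fetch` function is a constructed stand-in for the campaign's infrastructure (the hostnames are made up, and the click on the fake video page is modelled as one more redirect); `live_fetch` is the same interface over `urllib` for use against a real link from an isolated analysis host.

```python
"""Probe a suspicious link from several browser profiles to expose per-browser cloaking."""
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Tuple
from urllib.parse import urljoin, urlsplit

# Abbreviated User-Agent strings standing in for the three browsers the article names.
PROFILES: Dict[str, str] = {
    "chrome-windows": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/60.0 Safari/537.36",
    "firefox-windows": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55.0",
    "safari-macos": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12) AppleWebKit/603.3.8 Version/10.1 Safari/603.3.8",
}

REDIRECT_CODES = {301, 302, 303, 307, 308}
Response = Tuple[int, Dict[str, str], str]      # (status, lower-cased headers, body prefix)
Fetcher = Callable[[str, str], Response]         # (url, user_agent) -> Response


def follow_chain(url: str, user_agent: str, fetch: Fetcher, max_hops: int = 10) -> List[str]:
    """Follow HTTP redirects one hop at a time and return every URL visited."""
    chain = [url]
    for _ in range(max_hops):
        status, headers, _ = fetch(url, user_agent)
        if status in REDIRECT_CODES and "location" in headers:
            url = urljoin(url, headers["location"])   # Location may be relative
            chain.append(url)
        else:
            return chain
    raise RuntimeError(f"more than {max_hops} redirects from {chain[0]}")


def probe(url: str, fetch: Fetcher) -> Tuple[bool, Dict[str, dict]]:
    """Resolve the link under each profile; it is cloaked when the final hosts differ."""
    results: Dict[str, dict] = {}
    for name, ua in PROFILES.items():
        chain = follow_chain(url, ua, fetch)
        _, headers, _ = fetch(chain[-1], ua)
        results[name] = {
            "chain": chain,
            "final_host": urlsplit(chain[-1]).hostname,
            "content_type": headers.get("content-type", ""),
        }
    cloaked = len({r["final_host"] for r in results.values()}) > 1
    return cloaked, results


def simulated_fetch(url: str, user_agent: str) -> Response:
    """Constructed stand-in for a live HTTP client; hostnames are made up for the example."""
    host = urlsplit(url).hostname
    if host == "short.example":                   # shortener hop
        return 302, {"location": "https://doc-lure.example/view"}, ""
    if host == "doc-lure.example":                # fake video page; the click is modelled as a redirect
        return 302, {"location": "https://router.example/go"}, ""
    if host == "router.example":                  # picks the landing page from the User-Agent
        if "Chrome" in user_agent:                # Chrome's UA also contains "Safari", so test it first
            target = "https://youtube-lookalike.example/error"
        elif "Firefox" in user_agent:
            target = "https://flash-update.example/setup.exe"
        else:
            target = "https://player-update.example/Player.dmg"
        return 302, {"location": target}, ""
    ctype = "text/html" if url.endswith("/error") else "application/octet-stream"
    return 200, {"content-type": ctype}, "<html>...</html>"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None   # surface 3xx as HTTPError instead of following it


def live_fetch(url: str, user_agent: str, timeout: float = 10) -> Response:
    """Single-hop fetch with no redirect following. Use only from an isolated analysis host."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, {k.lower(): v for k, v in resp.headers.items()}, resp.read(512).decode("latin-1")
    except urllib.error.HTTPError as err:
        return err.code, {k.lower(): v for k, v in err.headers.items()}, ""


if __name__ == "__main__":
    cloaked, results = probe("https://short.example/abc123", simulated_fetch)
    print("cloaked:", cloaked)
    for name, r in results.items():
        print(f"{name:16} -> {r['final_host']} ({r['content_type']})")
```

Swap `simulated_fetch` for `live_fetch` to probe a real link; the redirect chain and content types it records are what you want in the incident notes, and any executable, extension or .dmg it turns up should be handed to a sandbox rather than opened.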

These adware programs track browser activity using cookies and display targeted adverts across the web, which in some cases socially engineer the victim into clicking on them. Each click on one of these adverts will generate revenue for those behind the scheme.

While little is known about the campaign or those behind it, the sheer number of Facebook Messenger users -- 1.2 billion a month -- presents an extremely large base of targets for those behind the adware.

"The people behind this are most likely making a lot of money in ads and getting access to a lot of Facebook accounts," said Jacoby.

Naturally, one simple way to avoid falling victim to this particular campaign is to be very sceptical of any shortened URL your Facebook friends send you, even when the message addresses you by name. Because the sending account has itself been hijacked, a familiar sender is no guarantee of anything, and a video page that insists you install a browser extension, a 'Flash update' or a .dmg before it will play should be closed, not obeyed.

A spokesperson for Facebook said: "We maintain a number of automated systems to help stop harmful links and files from appearing on Facebook.

"If we suspect your computer is infected with malware, we will provide you with a free antivirus scan from our trusted partners. We share tips on how to stay secure and links to these scanners on facebook.com/help."
