Over the weekend we saw the death of a celebrity, Amy Winehouse, an English singer with no small stack of accolades; par for the course, cybercriminals leapt to the offensive the moment the news hit the fan. With a sudden surge in Google searches for her name and the news spreading like wildfire via social media, one of the first places to feel their bite happens to be Facebook.
This sort of ghoulishly opportunistic behavior is well known by now as malware and virus writers also took advantage of the death of Osama bin Ladin, a threat detected and reported by Kaspersky Labs at the time. Social media users are best to educate themselves in how these scams function, avoid connecting apps related to current events, and keep their antivirus subscriptions up-to-date.
On their TrendLabs Malware Blog, Trend Micro describes the primary vector of the biggest threat as a sort of Facebook confidence scam sucking in victims by offering a survey for users to take about Winehouse’s death.
First the user clicks on a Wall post suggesting that there’s a video taken before Amy Winehouse’s death (the hook) which leads to a video link; however, the video is actually an image and not a video. An easy way to check a video online is to right-click it on Windows machines and check the context menu that appears; most online video runs on Flash and if a Flash menu does not appear, that’s a giveaway.
Clicking on the fake video opens up an age verification dialog box, which leads the malware to getting permission to hook into the users Facebook Wall and finally asks for their mobile number. It finally leads to the survey after gathering this information. With permission to post to their Wall, the Facebook scam is then capable as posting as them to their friends to lead more people into the trap; and presumably the mobile number is the payload that can be gathered and sold to spammers.
Trend Micro says that they’ve seen other opportunistic behaviors crop up in the following days as well:
We’ve seen some other cybercriminal attempts to leverage news of Amy Winehouse’s death. We encountered some malicious URLs using the search string “amy winehouse death” in a blackhat search engine optimization (SEO) attack. According to Trend Micro threats researcher Marco Dela Vega, these malicious URLs led to malware that redirect users to a fake scanning page in order to scare them into downloading malware. The malicious file this downloads is a FAKEAV binary we currently detect as TROJ_FAKEAV.CLS.
The best way that users can keep themselves safe is to avoid strange-looking pages offering items too-good-to-be-true. Also, if a friend posts something like the above video and it’s entirely out of character for them; users should get into contact with their friend and ask them if they knew they’d sent it.
Many social media scams and malware apps function only due to the inattention of the users triggering them and like many Internet worms, they rely heavily on the interaction of users to spread themselves (and also to steal information.) To steal information they need to get permission, or the information directly, or download something to the victim’s computer or mobile phone.
Always stay vigilant for apps that are asking for things way beyond their worth. The privacy of my mobile phone number is worth more to me than some video sent to me on Facebook. Point-in-fact, if there was such a video, I should be able to find it on Google for free without disclosing my mobile number to some unknown party.
Meanwhile, between user education, antivirus vendors getting smarter, and a greater number of tools being put in the hands of users, the Internet might just grow an immune system. We’ve already seen its beginning with Google’s Malware Detector and Hotmail’s “my friend’s been hacked” security upgrade. Malware is big business for scammers just as much so as it is in the real world with 419 scams and confidence tricks.
The price of safety on the Internet is eternal vigilance and self-education.