As real Flash patches go out, fake ones hit thousands of Facebook users

On the heels of two real Flash Player security updates being distributed by Adobe Systems this week, hackers are spreading a fake update for the media player via a scam on Facebook that has exposed at least 5,000 users to the threat.

In the past week, Adobe has released two security updates that address newly discovered or zero-day flaws affecting the latest versions of Flash Player. One went out in the middle of last week and another was released over the weekend to address a separate flaw. Both updates addressed bugs that hackers were actively exploiting and prompted a fair amount of news coverage and concern from security experts.

But as Adobe whisked out a patch to protect its users from the latest threat, hackers began spreading a fake Flash Player update through a three-day Facebook scam beginning Friday that attempts to install a backdoor that can be used to install other malware.

While the attack is not particularly sophisticated in that it relies on trickery rather than exploiting a software flaw, BitDefender, the security firm that uncovered the Facebook campaign, said the hackers lured more than 5,000 Facebook users to their attack page within one hour.

The hackers are targeting the social network’s users by tagging would-be victims in photos that purport to be racy videos. In a nutshell, they’re abusing Facebook’s tag system to capture the attention of users and then lead them to a web page outside of the social network. From there, with the promise of a porn video, users are encouraged to install a fake Flash Player update that is actually malware.

There are a number of tell-tale signs that the promised videos are suspicious. For one, the tag comes from someone outside the target’s list of friends. Secondly, the URL at the bottom of the still-frame is a link from Google’s URL shortening service and not YouTube. Third, anyone who clicks on the supposed video is sent to a web page outside of the social network.

That page which visitors land on assesses the browser and the OS being used by visitors, with checks for Windows desktops, Android smartphones, Sony PlayStation consoles, media players, smart cars, TV sets and older feature phones. The hackers serve up a different threat for each platform.

According to Bogdan Botezatu, a senior threat analyst at Bitdefender, people visiting the site from a ‘low-interaction terminal’ — that is, one that Flash Player does not support — are directed to a bogus but premium-priced SMS service.

Windows users however “get the full service”, which leads to the fake Flash Player update. This includes “a redirect to a fake Facebook page where you are prompted to download a so-called Flash Player update in order to be able to watch the video, which now turns out to be a spicy one rather than what was promised in the original Facebook post, ” he noted.

Botezatu said the fake Flash update is actually an SFX file (a self-extracting executable archive built with WinRar) that installs two pieces of malware once clicked upon: one is the backdoor and the other is used to spread the scam on Facebook accounts through PCs that have been compromised.

This article is brought to you by Enex TestLab, content directors for CSO Australia.

Upcoming IT Security Events

Feb 3rd, Feb 4th, Feb 6th 2015

Join @NirZuk #PaloAltoNetworks for Breakfast (lunch in Auckland) on keeping your enterprise safe from risk. Cyber attacks continue to increase in volume and sophistication leaving traditional security practices completely ineffective. 

Register Today Seats are limited

March 3rd, March 5th, March 9th 2015

Join CSO for the day@#csoperspectives and hear from @kimzetter @LeviathanSec

3 International Keynote speakers, 36 Key IT Security Industry Speaker, 21 Exhibitors, Security Analysts and many more.. Register today

Dont miss one of the biggest IT Security events in ANZ (registration is free, but seats are limited)

Tags Enex TestLabadobebitdefendersecurity updatesCSO AustraliaGoogle’s URLFlash patchesFacebook usersBogdan Botezatuthousands

Show Comments