On August 24, CyRadar detected a large-scale Facebook phishing campaign. It spread through Messenger, impersonated YouTube, and tricked users into installing a malicious browser add-on.
Details of the fraudulent campaign
Starting from already-infected accounts, the attackers spread malicious links in messages to the victims' friends. The link is shortened and leads to a document on Google Drive. The document looks like an ordinary video player showing a thumbnail of the targeted user, but it is actually a PDF file opened in full-screen mode. The thumbnail images are prepared in advance, before the compromised account is used to send the links. A trusting recipient who checks the address bar, sees the docs.google.com domain and concludes the page is safe will click the fake play button, which is simply another malicious link.
From there the user is either bounced through a random series of advertisements, from which the attacker earns revenue, or sent to a page imitating YouTube at docs[.]mt2strom[.]com/video/profile.php?u=[facebook_user_id]. The site even has a valid SSL certificate, so the browser shows its secure-connection icon, which makes the phishing more convincing; the padlock only means the connection is encrypted, not that the site is legitimate. The page consists largely of links disguised as provocative or engaging videos. Clicking any of them opens the installation dialog for the "Wiki It" add-on (extension ID icstfdnhdifmifbokddeceofadeikmmai on the Chrome Web Store, since removed). A user who accepts the installation enters the second phase of the attack; a user who declines is safe from it.
In the second stage, the malicious add-on poses as the WikiWare utility, retaining that utility's original feature, a text-selection option for searching Wikipedia, as cover. Alongside it, the attacker has bundled additional malicious code that:
- prevents the user from removing the add-on;
- fetches further scripts from the attacker's servers at jsdo[.]bid and postcdn[.]bid and executes them, which moves the user into the third stage of the attack.
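The three stages above leave a recognisable trail in web-proxy logs: a visit to the fake-YouTube lure page, a visit to the Web Store listing (or CRX download) of the malicious extension, and fetches from the stager domains. The following hunt script is an added example and not CyRadar's tooling; the only facts it takes from the write-up are the lure host and path, the extension ID, and the two stager domains. The proxy-log format (`time user method url status`), the sample lines, and paths such as `/loader.js` are constructed for illustration. It reports, per user, how far down the chain they got, and extracts the targeted Facebook user ID from the `u=` parameter.

```python
import re
from urllib.parse import urlparse, parse_qs

# Indicators from the write-up, kept defanged in source and refanged at runtime.
DEFANGED_LURE_HOST = "docs[.]mt2strom[.]com"
DEFANGED_STAGER_HOSTS = ("jsdo[.]bid", "postcdn[.]bid")
EXTENSION_ID = "icstfdnhdifmifbokddeceofadeikmmai"  # Chrome Web Store ID of "Wiki It"


def refang(ioc):
    """Turn a defanged indicator ('a[.]b', 'a[dot]b') back into a live hostname."""
    return ioc.replace("[.]", ".").replace("[dot]", ".")


LURE_HOST = refang(DEFANGED_LURE_HOST)
STAGER_HOSTS = {refang(h) for h in DEFANGED_STAGER_HOSTS}

# Ordered stages of the chain; a higher index means deeper into the attack.
STAGES = ("lure_page", "extension_webstore", "stager_fetch")

# Constructed (hypothetical) proxy-log format: "<time> <user> <method> <url> <status>"
LINE_RE = re.compile(
    r"^(?P<time>\S+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def classify_url(url):
    """Map one URL to (stage, detail), or None if it is not part of the chain.

    docs.google.com is deliberately not matched: the first hop is a PDF on a
    legitimate domain, so that hostname is not an indicator on its own.
    """
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    if host == LURE_HOST and parts.path.endswith("/video/profile.php"):
        # The u= parameter carries the targeted Facebook user ID.
        uid = parse_qs(parts.query).get("u", [None])[0]
        return "lure_page", uid
    if EXTENSION_ID in url:
        # Web Store listing (chrome.google.com/webstore/detail/<slug>/<id>) or CRX download.
        return "extension_webstore", EXTENSION_ID
    if host in STAGER_HOSTS:
        return "stager_fetch", host
    return None


def hunt(log_text):
    """Return {user: {"stage": furthest stage reached, "facebook_user_id": ..., "hits": [...]}}."""
    findings = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole hunt
        hit = classify_url(m.group("url"))
        if hit is None:
            continue
        stage, detail = hit
        rec = findings.setdefault(
            m.group("user"), {"stage": None, "facebook_user_id": None, "hits": []}
        )
        rec["hits"].append((m.group("time"), stage, detail))
        if stage == "lure_page" and detail:
            rec["facebook_user_id"] = detail
        if rec["stage"] is None or STAGES.index(stage) > STAGES.index(rec["stage"]):
            rec["stage"] = stage
    return findings


# Constructed sample log: alice goes through all three stages, bob stops at the
# lure page, carol only browses Wikipedia.
SAMPLE_LOG = """\
10:01:02 alice GET https://docs.google.com/file/d/EXAMPLE/view 200
10:01:40 alice GET https://docs.mt2strom.com/video/profile.php?u=100001234567 200
10:02:05 alice GET https://chrome.google.com/webstore/detail/wiki-it/icstfdnhdifmifbokddeceofadeikmmai 200
10:02:30 alice GET https://jsdo.bid/loader.js 200
10:03:00 bob GET https://docs.mt2strom.com/video/profile.php?u=100009876543 200
10:04:00 carol GET https://en.wikipedia.org/wiki/Phishing 200
"""

if __name__ == "__main__":
    for user, rec in hunt(SAMPLE_LOG).items():
        print(user, rec["stage"], rec["facebook_user_id"], len(rec["hits"]))
```

Users whose furthest stage is `stager_fetch` already run attacker-supplied code and need the extension removed out of band (the add-on resists removal from inside the browser), while a `lure_page` hit alone means the account was targeted but the user declined the install and only needs a warning.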