Businesses warned over Facebook scam used to distribute ransomware
22 November 2016
Businesses have been warned about a new Facebook spam campaign that could trick their employees into downloading ransomware.
The scam, discovered by Bart Blaze and Peter Kruse, is relatively unsophisticated, but could fool unsuspecting users because its messages appear to come from their friends.
Victims receive an SVG image file via Facebook's messaging service. Malicious code in the file sends users to a fake YouTube site, where they are asked to download an extension.
Once it has been downloaded, the extension fetches the Nemucod downloader, which can be used to install ransomware and has been spotted downloading Locky in Twitter campaigns.
It is believed the extension also secretly sends similar messages to all of the victim's Facebook friends in a bid to spread the malware and infect more computers.
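As an added defensive example (not from the article or the researchers it cites), the following Python checks an SVG attachment for the kinds of active content that let an image file redirect whoever opens it: script elements, event-handler attributes and javascript: links. The sample SVGs are constructed here for illustration.

```python
import xml.etree.ElementTree as ET
from typing import List

# Constructed samples: a plain drawing, a file carrying a <script> element,
# and a file using an event handler plus a javascript: link.
BENIGN_SVG = ('<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
              '<circle cx="5" cy="5" r="4"/></svg>')
SCRIPTED_SVG = ('<svg xmlns="http://www.w3.org/2000/svg">'
                '<script>/* constructed sample: script body omitted */</script></svg>')
HANDLER_SVG = ('<svg xmlns="http://www.w3.org/2000/svg" '
               'xmlns:xlink="http://www.w3.org/1999/xlink">'
               '<a xlink:href="javascript:void(0)">'
               '<rect onload="" width="1" height="1"/></a></svg>')

ACTIVE_ELEMENTS = {"script", "foreignobject"}
ACTIVE_URI_SCHEMES = ("javascript:", "data:text/html")


def find_active_content(svg_text: str) -> List[str]:
    """Return the reasons an SVG should be treated as executable content.

    An empty list means the file is a static drawing as far as this check
    can tell. Note: for untrusted input in production, parse with defusedxml
    rather than the standard library to avoid XML-bomb style inputs.
    """
    findings: List[str] = []
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError:
        return ["not well-formed XML"]
    for elem in root.iter():
        tag = elem.tag.split("}")[-1].lower()          # strip the namespace
        if tag in ACTIVE_ELEMENTS:
            findings.append(f"<{tag}> element")
        for attr, value in elem.attrib.items():
            name = attr.split("}")[-1].lower()          # e.g. xlink:href -> href
            if name.startswith("on"):                   # onload, onclick, ...
                findings.append(f"event handler {name} on <{tag}>")
            if name == "href" and value.strip().lower().startswith(ACTIVE_URI_SCHEMES):
                findings.append(f"href with {value.split(':')[0]} URI on <{tag}>")
    return findings


def is_static_svg(svg_text: str) -> bool:
    """True only if no active content was found."""
    return not find_active_content(svg_text)


if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_SVG), ("scripted", SCRIPTED_SVG),
                          ("handler", HANDLER_SVG)):
        print(label, find_active_content(sample) or "clean")
```

A mail or messaging gateway can use a check like this to quarantine SVG attachments that contain anything beyond static drawing instructions.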
Although the YouTube page users are directed to is a relatively low-quality fake, security experts are concerned that victims may play along because they trust Facebook.
“This looks like a relatively unsophisticated phishing campaign,” said Fraser Kyne, EMEA CTO at Bromium. “The hackers have made no visible attempt to target their victims.
“Those people not only have to click on the bad link, but then have to fall for a pretty suspicious-looking webpage and agree to download the extension.
“You’d be forgiven for writing it off as a low risk, but the real threat comes from the use of Facebook as a vehicle. People are far more likely to click on a link or download something if it looks like it came from a friend.”
He added that there is a risk of the campaign infecting business systems.
“Given that so many users check their Facebook at work, there’s a big risk of this attack bleeding through into the enterprise,” Kyne explained. “The best thing for businesses to do to minimise their risk is to ensure employees are aware of this scam.
“However, experience shows that there will always be one who didn’t get the memo and clicks the link regardless. As such, they should also put a safety net in place to ensure users can’t compromise security.
“The best approach is to use micro-virtualisation techniques to run internet browsing sessions in a completely isolated environment, so even if a victim does fall for the scam, the malware is fully contained and can be eliminated simply by closing down the webpage.”