On the morning of 26th June, news of a phishing campaign hit the Israeli media. Thousands of Facebook users complained that they had been infected by a virus through their accounts after they received a message from a Facebook friend claiming they had mentioned them in a comment.
Kaspersky Lab decided to investigate. We quickly discovered that the message had in fact been initiated by attackers and unleashed a two-stage attack on recipients. We also found that the attack was not confined to Israel, but was hitting targets worldwide.
The first stage of the attack started when the user clicked on the “mention”. A malicious file seized control of their browsers, terminating their legitimate browser session and replacing it with a malicious one that included a tab to the legitimate Facebook login page. This was designed to lure the victim back into the social network site.
Upon logging back into Facebook the victim’s session was hijacked in the background and a new file was downloaded. This represented the second stage of the attack, as embedded in this file was an account-takeover script that included a privacy-settings changer, account-data extractor and other tools that could be used for further malicious activity, such as spam, identity theft and generating fraudulent ‘likes’ and ‘shares’. Further, the malware infection loop began again as malicious notifications were sent to all the victim’s Facebook friends.