SEOClerks

Simple Facebook Notification Infects Over 10,000 Windows OS Facebook Users in 48 Hours




Thousands of Facebook users have been infected by a new kind of malware that takes over a Facebook user's account, in the latest phishing scheme, which works in two ways. It all starts with a simple Facebook notification which, when you click on it, launches a two-stage attack on your Facebook account.

It's usual to receive a notification about something on Facebook, and we never think twice about clicking on it. However, that simple action can now bring about a lot more than just getting to see what your friend said about some dumb funny video. Cyber criminals are using this irresistible nature to attack Facebook users.

Facebook is the world's biggest social networking site and is used by billions of people all around the world. However, because it's the biggest, it's also the most susceptible to attack, which makes it a bigger target for cyber criminals to try to run malicious scripts on. In their latest campaign, they launch a two-stage attack that starts when you click on a simple notification. A malicious file then tries to take control of the user's browser, terminates the current browser session and replaces it with a malicious one that contains a tab with a legitimate-looking Facebook login page, which is designed to lure the victim back to Facebook but then steals their login details.

As soon as the victim logs back into Facebook, their session is hijacked and the malware begins to download and install more malware. It will attempt to change the privacy settings in your browser and even try taking over your account and PC to install scripts which can be used for malicious activities on your PC without your knowledge. This ranges from ID theft to spam and more. However, before all this happens, the malware starts by sending the same phishing notification to all your friends, who all think it's a genuine notification, and so the malicious cycle begins all over again.

This phishing scam was discovered by Kaspersky Labs on June 26th; they found that over 10,000 Facebook users had been infected by the malware in as little as 48 hours. The true figure from then to now could run into hundreds of thousands of infected users, all blindly sending the same infected notification to people. While it was a global attack, most of the users affected were in Brazil, Poland, Peru, Israel, and Mexico.

Are you infected?

This only affects people on the Windows OS, such as Windows phone users, but you can find out whether you've been infected by this particular Facebook malware phishing scam.

If you're a Chrome user

Look for an extension called "thnudoaitawxjvuGB"

If you're a Mozilla user

Go to Start > Run
Copy and run this command "%AppData%\Mozila"
Look for any folders and files called, "autoit.exe" or "ekl.au3"


If you can see any extensions, files or folders with these names, then you are definitely infected!

Since the discovery of the phishing attack, Google has removed from the Chrome Web Store the extensions that were used to launch the malicious phishing attacks on unsuspecting people. This particular phishing malware only affected Windows OSs and Windows mobile devices. iOS and Android users were fully immune from the attack because the malware's libraries are not compatible with these OSs.
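The manual checks under "Are you infected?" can be scripted. The following is an added example, not part of the original post: it looks for the extension name in Chrome's installed-extension manifests and for the two file names under `%AppData%\Mozila`. The default Chrome "User Data" location and the function names are assumptions; the indicator strings are the ones listed in the post.

```python
import json
import os
import tempfile
from pathlib import Path

# Indicators exactly as listed in the post; "Mozila" is spelled as the post gives it.
EXTENSION_NAME = "thnudoaitawxjvuGB"
DROP_FOLDER = "Mozila"
DROP_NAMES = {"autoit.exe", "ekl.au3"}


def find_extension(user_data_dir):
    """Return manifest.json paths whose "name" equals the listed extension name."""
    root, hits = Path(user_data_dir), []
    if not root.is_dir():
        return hits
    # Assumed layout: <User Data>/<profile>/Extensions/<id>/<version>/manifest.json
    for manifest in root.glob("*/Extensions/*/*/manifest.json"):
        try:
            data = json.loads(manifest.read_text(encoding="utf-8-sig", errors="replace"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest, nothing to compare
        name = data.get("name", "") if isinstance(data, dict) else ""
        if str(name).strip().lower() == EXTENSION_NAME.lower():
            hits.append(manifest)
    return sorted(hits)


def find_dropped_files(appdata_dir):
    """Return files or folders named autoit.exe / ekl.au3 under <AppData>/Mozila."""
    folder = Path(appdata_dir) / DROP_FOLDER
    if not folder.is_dir():
        return []
    return sorted(p for p in folder.rglob("*") if p.name.lower() in DROP_NAMES)


def check_host(local_appdata, appdata):
    """Run both checks; an empty list means that indicator was not found."""
    chrome = Path(local_appdata) / "Google" / "Chrome" / "User Data"
    return {
        "chrome_extension": find_extension(chrome),
        "dropped_files": find_dropped_files(appdata),
    }


def build_constructed_sample(root):
    """Write a CONSTRUCTED tree: one clean and one matching extension, plus both files."""
    local, roaming = Path(root) / "Local", Path(root) / "Roaming"
    ext_root = local / "Google" / "Chrome" / "User Data" / "Default" / "Extensions"
    for ext_id, name in (("a" * 32, "Some Benign Extension"), ("b" * 32, EXTENSION_NAME)):
        version_dir = ext_root / ext_id / "1.0_0"
        version_dir.mkdir(parents=True)
        (version_dir / "manifest.json").write_text(json.dumps({"name": name}), encoding="utf-8")
    (roaming / DROP_FOLDER).mkdir(parents=True)
    for filename in DROP_NAMES:
        (roaming / DROP_FOLDER / filename).write_bytes(b"")  # empty placeholder files
    return local, roaming


if __name__ == "__main__":
    # On Windows, use the real profile locations; elsewhere, run on the constructed tree.
    if os.environ.get("LOCALAPPDATA") and os.environ.get("APPDATA"):
        report = check_host(os.environ["LOCALAPPDATA"], os.environ["APPDATA"])
    else:
        report = check_host(*build_constructed_sample(tempfile.mkdtemp()))
    for kind, paths in report.items():
        for path in paths:
            print(f"[!] {kind}: {path}")
    if not any(report.values()):
        print("None of the indicators listed in the post were found.")
```

An empty result only means these specific names were not found; Chrome profiles stored in a non-default location are not covered by the assumed path.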

Comments

procoder
Yeah, I have seen this and it's something to worry about. Actually this kind of "attack" happened to my account a few times, but thankfully I wasn't infected because my antivirus caught it before downloading it. If Facebook is vulnerable to this... what can happen to some other small sites... Hope that Facebook will set up a filter to protect our accounts from those malware.




Beverly
Wow! This is very worrisome! I'm always on Facebook and checking notifications. I don't usually check via my phone or even email - mostly just on site Facebook Notifications - but sometimes and to think this kind of thing is going on, makes me not want to check at all.




Everett
This is very interesting. You would think that Facebook, being a multibillion company, would have security measures in place to prevent this kind of an attack. I wonder since Kaspersky caught the malware, if Facebook released a statement. I highly doubt it though, they will probably overlook it, and not mention it to some PR tactics. Facebook users already have this odd relationship with their privacy policy, I'm sure Facebook users won't like that they could've received malicious malware from simply clicking on their notifications.

I wonder if the virus programs have updated their virus database to catch this malware, and if not I hope they do soon because you don't know what the malware does to your machine. :/




idealmike
Indeed Everett, the scariest thing about it is that they used a website that everyone trusts and thinks is safe you know? People think oh it's okay because it's Facebook. Effectively lulling people into a false sense of security and the phishers know this which is why they took advantage of it in this way. And yes, I am sure that Facebook really don't want this one to get out there too much and want to play it down and brush it under the carpet so to speak because they know that if people think that even Facebook isn't secure to go on many people will stop using it! As for virus programs updating, Kaspersky labs found out about it first and have updated their definitions and usually these are broadcast and shared with other anti-virus and anti-malware apps too within about a week or so. But I think this will happen again only with a similar thing that's simply been rewritten so all the code is different and the anti-virus and anti-malware apps won't be able to detect it until someone discovers and reports it but again by then, it could have already infected up to another 10,000 users.

Facebook should do more to detect this before it happens. They should scan all outgoing links that are added to the site in the way that these phishers did. I don't understand why they don't do that. I get that it would probably use a lot of resources and slow things down a bit (all that scanning) but that's something they'd need to refine and optimize and work on so that the time difference is unnoticeable and things like this can't get through.




Everett
If they were to include a scanner for malicious links, software, etc., it'll probably slow down the entire website. That's probably why they don't do it. They'd rather have a fast website, and probably don't care if its users get viruses.

Facebook has been in a lot of heat due to malicious attacks, including one called "facebook virus". If you do a simple search to target on the title of the virus:

https://www.google.com/#q=%22facebook+virus%22

You'll see that there are about 199,000 results. This is very alarming as millions of Facebook users use the site daily and up to an hour a day or more. All the users do is just click links their friends post, it can get very nasty especially if thousands of people are spreading viruses around.




Lynne
Gosh this is scary! If my Facebook gets hacked I have a load of pages, followers and friends. I would hate to be the cause of some nasty phishing scam going more viral.

Thanks for the instructions to check for this malware, I'll do that now!




Everett
Yeah, just think if one of your friends gets hacked, you don't know, and they possibly won't know until it's too late. Think if they were posting links to malicious sites, or even the notification virus. A select few of the friends will see this post, and click and get infected. So scary!




idealmike
Yes! That is how they get you. They are getting much more sophisticated who they target now too. They use your own trust against you by sending you messages and notifications from people you know such as your friends or family on things they know you are talking about by looking at what conversations you're having online with people and then sending you a message about it because that way you are much more likely to click it.

Example being in the news earlier I was reading how ID theft is on the rise and still many are unaware about it. What with the recent referendum and the Brexit there are a lot of worried people in England and the crims are using this against them by sending them things that are related to that and making them click on the links which of course are malware.

I mean, how cunning is that? First you think it's a message from your friend then you realize it's a message regarding something you've recently been talking about so why wouldn't you trust that?

Quite simply you should never click links in messages and emails unless you absolutely know for sure it's safe even if they're from one of your family or friends especially any random contact. They may have had their account compromised and not even realize it.

That's bad if you can't trust your own family and best friends don't you think?




Lynne
Yes Mike, it is truly scary how they are getting so clever with these scams now!

Even my mom could be caught out now and she has a complete phobia of being hacked, to the point where it is really funny. She is forever calling me because she thinks someone is trying to hack into her laptop because of the silliest things.

If I tell her about all the latest stuff she will live in fear forever... and my phone will ring non stop.




Corzhens
This is the first time I’ve heard that a malware had infected Facebook. I wonder how Facebook will react to the said malware. And if it’s a phishing malware then it will easily fool Facebook users when it is in the notification area. The user has the tendency to click on the notification without even thinking if it is a malware much more when the user in the notification looks strange. That’s a scary malware because it can spread fast and I hope it is stopped soon.


