Malicious Facebook advertisements usually lead users to survey scams, pieces of malware, phishing sites and other types of dangerous cybercriminal schemes. However, Bitdefender experts came across a polymorphic attack that could end in any of these scenarios.
The attack starts by promising users an alleged adult video. Once the link in the shady post is clicked, the user is taken to a site that replicates Facebook. Here, the victim is asked to install a Divx plugin for the browser, which is supposedly needed to view the much-promised footage.
The clever thing about this page is this message: "Temporarily disable your antivirus to continue (false alarm)."
With this alert, the cybercrooks hope to persuade users to ignore any warnings that their antivirus solutions may display.
When the install plugin button is pressed, the user is served a rogue YouTube extension that basically takes control of the browser.
After the browser extension is installed, the whole fun starts, and with it, the user experiences firsthand the effects of a polymorphic attack.
The extension not only takes over the victim's profile to Like and Share other malicious advertisements on their behalf, but it also takes control of the browser and starts serving other malicious elements.
“This is an interesting and quite complex type of scam. In data security lingo, this would qualify as a polymorphic attack, which basically means that the malicious content served can be changed by the attacker thanks to the browser extension installed,” explained Andrei Serbanoiu, Bitdefender online threats analyst programmer.
“If one user lands on the adult chat page, another may reach the malware downloader or even a whole different web page set up for phishing.”
Users are advised never to install browser extensions that come from untrusted sources. More recently, even extensions that come from legitimate websites may turn out to be malicious.