Security researchers have uncovered a malware attack specifically targeting Facebook users, which affected around 10,000 users in just two days. Between 24 and 27 June, thousands of Facebook users received messages from a "friend", claiming to have mentioned them on Facebook. The message was, in reality, issued by hackers to launch a two-stage malware attack.
According to security researchers at Kaspersky Lab, the countries most affected by the malware included Brazil, Poland, Peru, Colombia, Mexico, Ecuador, Greece, Portugal, Tunisia, Venezuela, Germany and Israel. Researchers also outlined that Windows PC users were most at risk from the malware, while Windows phone users could also be vulnerable. However, Android and iOS phone users were "immune" to the malware, since it used tools not compatible with these mobile operating systems.
"Two aspects of this attack stand out. Firstly, the delivery of the malware was extremely efficient, reaching thousands of users in only 48 hours. Secondly, the response from consumers and the media was almost as fast. Their reaction raised awareness of the campaign and drove prompt action and investigation by the providers concerned," said Ido Naor, senior security researcher, Global Research and Analysis Team, Kaspersky Lab.
The malware executes the attack in two stages. The first stage involves downloading a Trojan onto the victim's computer, which in turn installs, among other things, a malicious Chrome extension. The attackers then leveraged the compromised Chrome browser to gain access to victims' accounts once they had logged back on to Facebook. The hackers then had control over user data and privacy settings, which they manipulated to spread the malware to other users. They were also able to conduct other malicious activities, such as identity theft and online identity hijacking.
Kaspersky Lab researchers highlight that the language signs in the malware, as well as its deployment techniques, have been spotted before and have been linked to "Turkish-speaking threat actors". The researchers also said, however, that Facebook has "mitigated" the threat and is blocking the techniques used by the hackers to spread the malware. Google is also believed to have removed at least one of the compromised extensions from the Chrome Web Store.
Researchers also advise users to check whether they have been infected by running a malware scan on their computers. Users should also look for unexpected extensions in their Chrome browser and, if any are found, immediately log out of Facebook, close the browser and disconnect the network cable from their systems. Seeking professional help to restore victims' systems is strongly advised.
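The extension check advised above can be scripted. The following is an added example, not code from Kaspersky Lab or from the original article: it assumes Chrome's on-disk layout of `Extensions/<id>/<version>/manifest.json` inside a profile directory, and the extension IDs, names and allowlist are constructed for the demonstration.

```python
import json, tempfile
from pathlib import Path

# Match patterns that give an extension access to every site, Facebook included.
BROAD = ("<all_urls>", "*://*/*", "http://*/*", "https://*/*")

def host_patterns(manifest):
    """Collect every host match pattern an extension requests (manifest v2 and v3)."""
    pats = [p for p in manifest.get("permissions", [])
            if isinstance(p, str) and ("://" in p or p == "<all_urls>")]
    pats += manifest.get("host_permissions", [])
    for script in manifest.get("content_scripts", []):
        pats += script.get("matches", [])
    return pats

def audit_extensions(profile_dir, expected_ids):
    """List extensions missing from expected_ids and note whether they can reach facebook.com."""
    findings = []
    for path in sorted(Path(profile_dir, "Extensions").glob("*/*/manifest.json")):
        ext_id, version = path.parts[-3], path.parts[-2]
        if ext_id in expected_ids:
            continue
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            manifest = {}  # unreadable manifest: the unexpected ID is still reported
        reaches = any(p in BROAD or "facebook.com" in p for p in host_patterns(manifest))
        findings.append({"id": ext_id, "version": version,
                         "name": manifest.get("name", "?"), "reaches_facebook": reaches})
    return findings

def build_sample_profile(root):
    """Constructed sample profile: the IDs and names below are made up."""
    samples = {
        "a" * 32: {"name": "Known Notes App", "permissions": ["storage"]},
        "b" * 32: {"name": "Unexpected Helper", "permissions": ["tabs", "<all_urls>"]},
        "c" * 32: {"name": "Unexpected Theme", "permissions": []},
    }
    for ext_id, manifest in samples.items():
        ext_dir = Path(root, "Extensions", ext_id, "1.0_0")
        ext_dir.mkdir(parents=True)
        (ext_dir / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return root

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        return audit_extensions(build_sample_profile(tmp), expected_ids={"a" * 32})

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

To audit a real machine, call `audit_extensions` with the Chrome profile directory (on Windows typically `%LOCALAPPDATA%\Google\Chrome\User Data\Default`) and the set of extension IDs the user knowingly installed.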