It’s not exactly a new scam, but apparently it worked well enough for cyber criminals to dust if off and roll it back out. It’s a malicious color change app and security researchers say it’s compromising thousands of Facebook profiles.
According to the Cheetah Mobile CM Security Researcher lab, hackers are targeting Facebook users with the recycled security threat that leverages the social network to rapidly spread malicious software. Cheetah is calling it the Facebook Color Scam.
Here’s how it works: The virus reels people in by offering them the opportunity to change the colors of their Facebook profiles with an app called Facebook color changer. Although similar color changer scams have spread across the social media site in years past, Cheetah Mobile is reporting this one is especially successful -- it has already affected 10,000 people in several countries.
Two Ways To Attack
“Once clicked, it leads users to a phishing Web site,” the firm said in a blog post. “Cheetah Mobile researchers have found this issue to be happening due to a vulnerability that lives in Facebook’s app page itself, allowing hackers to implant viruses and malicious code into Facebook-based applications [that] directs users to phishing sites.”
Cheetah reports the phishing site has two ways of attacking consumers. The first way relies on stealing a user’s Facebook “access tokens.” A scammer does this by asking a user to view a color changer tutorial video. Once the victim views the video, the hacker wins temporary access to the tokens. The tokens, in turn, allow the hacker to connect with the Facebook victim’s friends.
“If a user doesn’t view this video, it then tries a new way to spread the malicious software, by getting consumers to download a malicious application,” Cheetah Mobile explained. “If a user is on a PC, the site leads them to download a pornography video player. If the user is on an Android device, it issues a warning saying the device has been infected and advises users to 'download now' a suggested app, images below.”
The good news is there is a solution -- both for users who have been already infected with the malware and users who are working to avoid falling prey to these hackers and other scammers trolling on Facebook. Cheetah Mobile reports Facebook users who have followed the instructions on the tutorial video can simply change their passwords and remove the malicious color changer app from their profiles in the app settings. Facebook users who haven’t visited the color changing site can install security software from Cheetah Mobile and other companies to ensure their devices stay safe.
So Hard To Tell
We caught up with Dwayne Melancon, chief technology officer at security firm Tripwire, to get his take on this malware. He told us attacks that mimic “enhancements” to Facebook are common ways the average user’s system is compromised these days.
“I think Facebook contributes to this phenomenon by supporting the huge numbers of app requests presented to the average user -- everything from ‘so and so wants you to play this game,’ to ‘hey, I want to know your birthday, and your family tree,’” Melancon said. “All of this makes it hard for the average person to tell what’s legitimate and what isn’t. I think it’s time to rethink how apps interact with services like Facebook so we can give people greater protection from malicious apps.”
Real Malware or Valid App?
Tim Erlin, director of IT risk and security strategy at Tripwire, told us there’s a certain amount of irony in the fact that this malware warns you that your Android device might be infected and then it asks you to download an app to fix it.
“One of the recommended actions is to click a link for a malware scanner, which will warn you if your device is affected and prompt you to download an app to fix it,” he said. “How is the average user supposed to tell the difference between real malware and a valid application or warning?”
As he sees it, while Facebook will no doubt work hard to eradicate this particular threat, the system is specifically built around users clicking links shared by "trusted" friends. As long as that’s the case, he said, we’re likely to see more of these kinds of attacks.
Calling the Facebook Police
Ken Westin, a security analyst at Tripwire, told us there have been an increasing number of these types of malicious apps appearing in Facebook. He said the fact that this app is still up, even after Facebook's users have been infected and the malicious app has been reported, is a serious issue. From his perspective, this makes it look as though Facebook has not been able to adequately police its platform.
“This is particularly dangerous because users tend to trust ‘walled gardens’ on social media Web sites and are more likely to click on links shared by friends,” Westin said. "This kind of malware has the potential to be dangerous for companies because of the high volume of that goes to Facebook since most of them allow access to the social media Web site during the day and it could lead to their systems and network being compromised.”