Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.
Security Response

Facebook Scam Leads to Nuclear Exploit Kit

Created: 22 Jul 2014 22:25:38 GMT
Ankit Singh's picture
+3 3 Votes
Login to vote

Facebook Scam.png

Contributor: Himanshu Anand

Facebook scams are a regular occurrence in today’s world, but attackers have become more aggressive and are now using Facebook scams to exploit a user’s system. Normally Facebook scams trick users into filling out fake surveys, or sharing videos and pictures. It is very rare that a scam redirects to an exploit kit, but in the case of one famous Facebook scam targeting users who wanted to work from home, that was exactly what happened. The “EXPOSED: Mom Makes $8,000/Month” scam, which we observed recently, redirected users to the Nuclear exploit kit. This particular scam has since been removed by Facebook.

Facebook Scam 2.png

Figure 1. Example of a “work from home” scam

If people believe these jobs are legitimate and click on a Facebook link, they are redirected to a Facebook page. This page goes through a series of redirects and ultimately lands on a third-party website containing an iframe for the Nuclear exploit kit. This can allow the attacker to compromise the victim’s computer, but they do not have to infect the victim’s computer for the scam to be successful.

Facebook Scam 3.png

Figure 2. Nuclear exploit kit iframe

In cases of a compromise or where the victim follows through thinking they can make money, the attacker can lead the victim to click on ‘Like’ buttons or share a link for a third party, earning the attacker money in the process. In cases with a compromise, the attacker can use the victim’s computer to perform various actions and continue the scam.

The attacker may entice victims to share the following links or they may be shared automatically if the victim’s computer has been compromised.

  • Tin[REMOVED]ew7.com
  • Daily[REMOVED]alerts.com

The landing page is for the Nuclear exploit kit. Previously, the Nuclear exploit kit was known for exploiting the Oracle Java SE Rhino Script Engine Remote Code Execution Vulnerability (CVE-2011-3544), the Oracle Java SE and Java for Business JRE Trusted Method Chaining Remote Code Execution Vulnerability (CVE-2010-0840), and the Adobe Acrobat and Reader Remote Code Execution Vulnerability (CVE-2010-0188).

The current version of the Nuclear exploit kit exploits the Microsoft Internet Explorer Use-After-Free Remote Code Execution Vulnerability (CVE-2013-2551) and the Oracle Java SE Remote Code Execution Vulnerability (CVE-2012-1723).

After successfully exploiting a vulnerability, the Nuclear exploit kit drops Trojan.Ascesso.A. Trojan.Ascesso.A is known for sending spam emails and downloading other files from a remote location.

The regions most affected by the Nuclear exploit kit have been North America and Europe.

Facebook Scam 4.png

Figure 3. Regions affected by Nuclear exploit kit

Symantec protection
Symantec has had detections in place against the Nuclear exploit kit since 2012, so customers with updated IPS and antivirus signatures are protected against this attack. We also advise that users regularly update their software to prevent attackers from exploiting known vulnerabilities.

Intrusion prevention:

Antivirus Protection: