
The New Black: Facebook Black Scam Spreads on Facebook

Created: 19 Mar 2013 22:38:57 GMT • Updated: 23 Jan 2014 18:08:53 GMT
Satnam Narang

Yesterday, Facebook users may have noticed an influx of their friends posting about something called Facebook Black.
 

Figure 1. Facebook photo plugging “Faecbook” Black (notice the typo in this image)
 

Similar to previous scams, users are tagged in a picture that contains a link to an external website. In this case, the link is found within the comments instead of the description field (Figure 1).
 

Figure 2. Iframe is used to redirect the user to the landing page, briefly displaying this page
 

If a user clicks on the Facebook link, they are redirected to a Facebook page. This page contains an iframe (Figure 2) that goes through a series of redirects and ultimately lands on a page promoting Facebook Black (Figure 3).

Some of the sites we have observed leading to the Facebook Black landing page include:

  • photocurious.com
  • phototart.com
     

Figure 3. Facebook Black Page
 

Users are then enticed to install a Google Chrome extension (Figure 4).
 

Figure 4. Fake Chrome extension for Facebook Black
 

The extension is used to download two JavaScript files that are hosted on Amazon’s Simple Storage Service, Amazon S3 (Figure 5).
 

Figure 5. Extension downloads more files
 

These JavaScript files are used to keep the scam spreading through each victim’s account. They do so by creating a new Facebook page on the victim’s account, which includes an iframe pointing to the page that redirects users to the Facebook Black landing page (Figures 6 and 7).
 

Figure 6. User account contains a new page
 

Figure 7. Newly created Facebook page contains iframe redirect (Welcome tab)
 

Ultimately, users who install this Facebook extension will be presented with a set of survey scams (Figure 8), which is how the scammers monetize these types of campaigns.
 

Figure 8. Survey scam pushed after extension is installed
 

Symantec customers are protected against this attack by our Web Attack: Fake Facebook Application 3 IPS signature, and we detect the fake Chrome extension as Trojan Horse.

Google has already removed several of these Chrome extensions and continues to improve its automated detections for malicious extensions. Users who may have been tricked by this scam should uninstall the Chrome extension and delete the Facebook page that was created.
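
The behaviour described above, an extension that pulls additional JavaScript from Amazon S3 after installation, can be checked for when reviewing an unpacked extension. The following is an added example, not code from the original post or from the scam itself: the function name, rule names, file names and URLs are all constructed, and it assumes a Manifest V2-style string `content_security_policy` key.

```javascript
// Added example: audit an unpacked extension's files for remotely hosted script.
// Every file name, URL and file body here is constructed sample data.
const S3_HOST = /^(?:.+\.)?s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com$/i;
const URL_RE = /https?:\/\/[^\s'"<>)\\]+/g;
const INJECTION_RE = /createElement\(\s*['"]script['"]\s*\)|\beval\s*\(|new\s+Function\s*\(/;

// files: { relativePath: fileContents }. Returns a list of findings.
function auditExtension(files) {
  const findings = [];
  for (const [path, body] of Object.entries(files)) {
    if (path === "manifest.json") {
      // Assumption: Manifest V2 string CSP. An https origin in script-src lets
      // the extension run code that was never part of the installed package.
      const csp = String(JSON.parse(body).content_security_policy || "");
      const scriptSrc = csp.split(";").find((d) => d.trim().startsWith("script-src"));
      if (scriptSrc && /https?:\/\//.test(scriptSrc)) {
        findings.push({ path, rule: "csp-remote-script-src", detail: scriptSrc.trim() });
      }
      continue;
    }
    // Literal URLs that end in .js point at script fetched at run time.
    for (const raw of body.match(URL_RE) || []) {
      let url;
      try { url = new URL(raw); } catch { continue; }
      if (!url.pathname.toLowerCase().endsWith(".js")) continue;
      const rule = S3_HOST.test(url.hostname) ? "remote-js-on-s3" : "remote-js";
      findings.push({ path, rule, detail: url.href });
    }
    // URLs built by string concatenation evade the check above, so also
    // flag the injection primitives themselves.
    if (INJECTION_RE.test(body)) {
      findings.push({ path, rule: "dynamic-script-injection", detail: "createElement/eval" });
    }
  }
  return findings;
}

// Constructed sample: a background script that loads two remote files.
const sampleExtension = {
  "manifest.json": JSON.stringify({
    name: "Sample Theme", version: "1.0", manifest_version: 2,
    content_security_policy: "script-src 'self' https://example-bucket.s3.amazonaws.com; object-src 'self'",
  }),
  "background.js": [
    "var urls = ['https://example-bucket.s3.amazonaws.com/one.js',",
    "            'https://example-bucket.s3.amazonaws.com/two.js'];",
    "urls.forEach(function (u) { var s = document.createElement('script'); s.src = u; document.head.appendChild(s); });",
  ].join("\n"),
};
console.log(auditExtension(sampleExtension));
```

Any finding is a reason to inspect the extension by hand; legitimate extensions also load remote resources, so the output is a triage list rather than a verdict.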