Bogus Chrome Video Installer Delivered via Facebook Messenger


Karamjit

Philippines records the largest number of infections

Although Google announced that it has banned the installation on Windows of Chrome extensions that are not in the Web Store, cybercriminals continue to bait users with the promise of a component for the browser, suggesting that the practice is still successful.

Crooks resort to the most common communication avenues to deliver malware, and Facebook Messenger is among them. Messages may pop up from a friend, instructing the recipient to access a page claiming to offer appealing video content.

Malware poses as installer for Chrome video player

Christopher Talampas, fraud analyst at Trend Micro, received such a message, and visiting the website he found a page mimicking Facebook’s layout and a web video player that claimed to provide content from YouTube.

These alone are sufficient clues (Facebook has its own video player that does not resemble the one on YouTube) to make the user steer away from the page as soon as possible.

However, Talampas stayed on the page and accepted a download delivered automatically for an executable file called “Chrome_Video_installer.scr,” named so to make it look like an innocuous Chrome browser extension necessary to play the video content.

If Chrome is used to download the file, an alert informs the user of the suspicious nature of the item.

“This supposed video installer file is detected as TROJ_KILIM.EFLD. This variant attempts to download another file - possibly the final payload - but the site is currently down. However, it should be noted that KILIM malware are known to be malicious Chrome extensions and plugins. KILIM variants have also been observed to spam Facebook messages and cause system infection,” the researcher says in a blog post on Tuesday.

Crooks employ tactics to increase success of the operation

Telemetry data from Trend Micro indicates that the most affected country is the Philippines, accounting for 36% of the infections.

Followed at a large distance are Indonesia, India and Brazil, all recording 6% of the compromises. Other countries in the list are the US, Australia, Taiwan, Japan, Thailand and Qatar.

Cybercriminals behind this campaign resort to tactics that hide the spam nature of the message and ensure a higher rate of success. By delivering the bait from a friend’s account and addressing the victim by their Facebook name, trust in the communication is established, and it is more likely that the instructions are followed through.

Furthermore, Talampas observed the use of a shortened link, which masks the address of the malicious page. Additionally, the name of the file looks legitimate, although the extension (associated with screensaver files) should trigger the alarm.

The researcher says that Facebook has been notified of the campaign and has marked the message as spam. However, this does not stop crooks from initiating a new operation.

From: http://news.softpedia.com/news/Bogus-Chrome-Video-Installer-Delivered-Via-Facebook-Messenger-482484.shtml
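
The warning signs the article lists (a screensaver extension on a file named like a browser component, and arrival through a shortened link) can be checked mechanically when reviewing download records. The following is an added example, not code from the article or from Trend Micro; the keyword list, the shortener list, the `triage` function and the sample records are assumptions constructed for illustration.

```python
from pathlib import PurePosixPath
from urllib.parse import urlparse

# Extensions Windows runs as programs; .scr (screensaver) is an ordinary PE executable.
EXECUTABLE_EXTS = {".scr", ".exe", ".pif", ".com"}
# Words that make a download look like a harmless browser or media component (assumed list).
BAIT_WORDS = ("installer", "player", "plugin", "codec", "chrome", "video")
# Common URL shorteners (assumed list; the article does not name the service used).
SHORTENERS = {"bit.ly", "goo.gl", "tinyurl.com", "t.co"}


def triage(filename, head, referrer):
    """Return the reasons a download record resembles the lure described above."""
    reasons = []
    # Normalise Windows separators, keep only the lower-cased file name.
    name = PurePosixPath(filename.replace("\\", "/")).name.lower()
    ext = PurePosixPath(name).suffix
    is_pe = head[:2] == b"MZ"  # DOS/PE magic at the start of Windows executables
    if ext in EXECUTABLE_EXTS and any(w in name for w in BAIT_WORDS):
        reasons.append(f"executable extension {ext} on a component-style name")
    if is_pe and ext not in EXECUTABLE_EXTS:
        reasons.append("PE header behind a non-executable extension")
    if is_pe and ext == ".scr":
        reasons.append("screensaver extension with a PE header")
    host = (urlparse(referrer).hostname or "").lower()
    if host in SHORTENERS:
        reasons.append(f"reached through shortened link ({host})")
    return reasons


# Constructed sample records: (file name, first bytes of the file, referring URL).
SAMPLES = [
    ("Chrome_Video_installer.scr", b"MZ\x90\x00", "http://bit.ly/EXAMPLE"),
    ("holiday_clip.mp4", b"\x00\x00\x00\x18ftyp", "https://example.com/videos"),
    ("invoice.pdf", b"MZ\x90\x00", "https://example.org/docs"),
]

if __name__ == "__main__":
    for fname, head, ref in SAMPLES:
        print(fname, "->", triage(fname, head, ref) or "no findings")
```
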
