Malwarebytes Reveals Exploitation of Social Media by Attackers to Spread Worm

Security researchers of security firm Malwarebytes reveal that users with high interest in nasty content and trust in shortened links are helping to distribute a new Facebook worm which is supposed to belong to the infamous Kilim family mainly targeting social media networks.

Softpedia.com published news on 15th March, 2015 quoting Jerome Segura of Malwarebytes as saying "The bad guys have built architecture of multi-layer redirection using the ow.ly URL shortener, Box.com cloud storage and Amazon Web Services."

The infection scheme begins with a shortened URL which leads to another which in turn loads a page of Amazon Web Services.

The next step is to direct the victim to a malicious website responsible to filter the users; those browsing from mobile receive ads and users of desktop receive a request for downloading Trojan stored in Box's cloud.

Malwarebytes executed the Trojan and detected products as Trojan.Agent.ED concludes the infection cycle as it adds the worm to the computer from the domain porschealacam(.)com.

Segura says that the worm poses as an extension for Google Chrome and it has weak capacity to be detected by antivirus because Virus Total lists only one product marking it as a threat.

He says that some extra code is downloaded by the Trojan from a different domain apparently as a backup plan in case the user does not browse with Chrome.

Some URLs used by cybercriminals for this operation have already been disabled due to these attacks but they can always be replaced with others from different services.

Box issued a statement stating that it is aware of the attack. The company is removing the files, abolishing sharing privileges for malicious accounts and constantly scanning for viruses and related activity to tackle the issue.

SCMagazine.com published news on 13th March, 2015 quoting a statement of a Spokesperson of Amazon Web Services (AWS) as "activity which is being reported is not presently happening on AWS".

Facebook is also aware of the threat. The social media giant, while working with other targeted companies in this attack, blocked associated links and stopped the links from spreading on its platform during second week of March 2015.

» SPAMfighter News - 3/25/2015