Most attacks carried out and malware produced have an economic background: someone wants to earn money with it. Advertising networks are a popular way to make money quite easily without necessarily harming the user, at least not directly. In the current case, we have discovered a sophisticated approach which suggests that this kind of attack really must be worthwhile!
It all starts with a post on someone’s Facebook wall:
The shortened URL leads to a long URL whose only function is to check the visitor’s country of origin. Depending on the result, the visitor is sent into a quite impressive redirection chain with numerous ad services, embedded via iframes. Each and every “visit” to these sites lets the money roll in for the attacker.
The redirection chain graphic shows what happens when someone from Germany clicks the short URL in the fake profile checker wall post. The website checking the visitor’s country of origin distinguishes between three possibilities with three URLs involved:
If country is GB:
arLinks[0] = "the*****ter.com/313/index.php";
arLinks[1] = "the*****ter.com/313/index.php";
arLinks[2] = "the*****fly.com/final2.php";
If country is NL, IE, FR:
the*****ter.com/313/index.php
If country is US, AU, ZA, CA, BE, ES:
the*****fly/final2.php
Any other country:
justforfunapps.com
So, visiting the website from Great Britain gives the visitor a 2/3 chance of being redirected to the*****ter.com/313/index.php and a 1/3 chance of seeing the*****fly/final2.php. All other countries have a fixed destination.
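A single visit only ever reveals one branch of such a redirector, so an analyst or URL-filter maintainer has to work out the full destination set from the script itself. The following sketch is an added example, not code from the original post or from the attackers' page: it parses the `arLinks` assignments quoted above and estimates how many visits from one country are needed to observe each destination. It assumes the page picks one array slot uniformly at random (which matches the 2/3 and 1/3 odds stated above); all function names are hypothetical.

```javascript
// Constructed sample: the GB branch as quoted in the article
// (domains stay redacted exactly as published).
const SAMPLE_GB_BRANCH = `
arLinks[0] = "the*****ter.com/313/index.php";
arLinks[1] = "the*****ter.com/313/index.php";
arLinks[2] = "the*****fly.com/final2.php";
`;

// Collect arLinks[n] = "..." assignments. A later write to the same index
// replaces the earlier one, as it would when the script actually runs.
function extractLinks(source) {
  const slots = new Map();
  const re = /arLinks\[(\d+)\]\s*=\s*(["'])(.*?)\2\s*;?/g;
  for (const m of source.matchAll(re)) {
    slots.set(Number(m[1]), m[3]);
  }
  return [...slots.values()];
}

// Assumption: one slot is chosen uniformly at random, so a destination's
// probability is the share of slots that point to it.
function destinationOdds(source) {
  const links = extractLinks(source);
  const counts = new Map();
  for (const url of links) {
    counts.set(url, (counts.get(url) || 0) + 1);
  }
  return new Map([...counts].map(([url, n]) => [url, n / links.length]));
}

// Visits needed to see a destination of probability p at least once
// with the given confidence: smallest n with (1 - p)^n <= 1 - confidence.
function visitsNeeded(p, confidence = 0.95) {
  if (p <= 0) return Infinity;
  if (p >= 1) return 1;
  return Math.ceil(Math.log(1 - confidence) / Math.log(1 - p));
}

// One row per destination: what to expect and how often to re-crawl.
function crawlPlan(source, confidence = 0.95) {
  return [...destinationOdds(source)].map(([url, probability]) => ({
    url,
    probability,
    visits: visitsNeeded(probability, confidence),
  }));
}
```

For the GB branch this yields two destinations; the less likely one needs noticeably more repeat visits before a crawler can be reasonably sure it has seen it.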
As you can see, the target website reached from Germany is loaded with advertisements for various products and web services. Luckily, none of the embedded links and pictures is malicious, but the attackers can redirect the traffic to any website they like – and this is the point where a good HTTP filter comes in handy, to protect you and your computer!
On the other websites, we have seen various versions of gift coupon spam and lottery games which ask the visitor for personal data such as the mobile number, email address, etc. If you want to know more about this kind of scam, read our previous blog entries, such as “Gift card mania” or “A 50€ gift card for free?! “Hey, I’m no fool!”” – In any case: It’s not a good idea to provide any personal data on these sites!
How does this fake profile checker spread?
The current Facebook app in question is called "Checker". As soon as someone installs it on a Facebook profile, it will post a very low quality screenshot of an allegedly existing "Recent profile Views" toolbar onto the wall – as you can see above. Such a toolbar does not exist; we have warned against such fake announcements numerous times already, and Facebook also explains this in its public help section.
As the app does not only post a picture on the victim’s wall, but also tags the profile owner and many, if not all, of his/her friends in this low-quality picture, even the friends who do not see the post on the wall will get a notification because they were tagged. This makes it more likely for more users to click the link – messages from friends are often treated as more trustworthy, but even a friend can fall for such a scam and therefore each and every message should be treated with caution.
If you get a request to install an app in your social network profile, have a look at the permissions the app requests to function properly. Think about it and then decide whether you really want to grant those permissions!
What you can do: