A new strain of malware has been spreading on Facebook, leading victims into innocuous-looking websites tailored to their system and browser preferences.

Discovered by David Jacoby, Senior Security Researcher at Kaspersky Lab, he received a suspicious message from one of his friends who he rarely spoke to. “This malware was spreading via Facebook Messenger, serving multi platform malware/adware, using tons of domains to prevent tracking, and earning clicks. The code is advanced and obfuscated,” according to him.

The researcher further speculated that the malware spreads through stolen credentials, hijacked browsers, or clickjacking. The message reportedly contains the word “Video,” a shocked emoji, and a bit.ly link. Just by looking at the message, it is clear that a receiver is being lured to click on the link, a classic social engineering move.

Once opened, the link will display Google Docs. Jacoby then points out that the document has already taken a picture from the victim’s Facebook page and created a dynamic landing page which appears to be a playable clip.

A document disguised as a video

If the user chooses to hit the play button in the document, a set of websites will be opened, which will now record their browser, operating system, and other information. These will be used to send the user to other websites.

“By doing this, it basically moves your browser through a set of websites and, using tracking cookies, monitors your activity, displays certain ads for you and even, in some cases, social engineers you to click on links,” explains Jacoby.

It spares no one– even Macs

Exploring further, he modified the User-Agent header of his browser. When he set it to Firefox, the researcher was directed to a fake Flash Player update website, which offered him adware. With Google Chrome, a page that pretends to be YouTube will pop up, this time tricking the user to download a fake extension. The malware even worked for Safari on macOS, which like Firefox on Windows will bring up a fake Flash download, using a .dmg extension along the way.

We have contacted Facebook for comment and will update the story once we hear more.

While these types of attacks are nothing new, it is highly recommended to be careful when clicking on links found on messages, as they might contain malicious elements. Back in November of the past year, another malware for Facebook utilized SVG files to deceive users into propagating itself to other computers.

“As far as I can see no actual malware (Trojans, exploits) are being downloaded but the people behind this are most likely making a lot of money in ads and getting access to a lot of Facebook accounts,” Jacoby concluded.

Update: A Facebook spokesperson offered the following statement to Neowin regarding the issue:

“We maintain a number of automated systems to help stop harmful links and files from appearing on Facebook and in Messenger. If we suspect your computer is infected with malware, we will provide you with a free anti-virus scan from our trusted partners. We share tips on how to stay secure and links to these scanners on facebook.com/help. In this situation, we have also reported the bad browser extensions to the appropriate parties.”

Source and images: Kaspersky Lab

[“Source-neowin”]