The New Black: Facebook Black Scam Spreads on Facebook

blackFacebook users may have noticed an influx of their friends posting about something called Facebook Black.

Figure 1. Facebook photo plugging “Faecbook” Black (notice the typo in this image)
Similar to previous scams, users are tagged in a picture that contains a link to an external website. In this case, the link is found within the comments instead of the description field (Figure 1).

Figure 2. Iframe is used to redirect the user to the landing page, briefly displaying this page
If a user clicks on the Facebook link, they are redirected to a Facebook page. This page contains an iframe (Figure 2) that goes through a series of redirects and ultimately lands on a page promoting Facebook Black (Figure 3).

Some of the sites we have observed leading to the Facebook Black landing page include:


Figure 3. Facebook Black Page
Users are then enticed to install a Google Chrome extension (Figure 4).

Figure 4. Fake Chrome extension for Facebook Black
The extension is used to download two JavaScript files that are hosted on Amazon’s Simple Storage Service, Amazon S3 (Figure 5).

Figure 5. Extension downloads more files
These JavaScript files are used to keep the scam spreading through each victim’s account. It does so by creating a new Facebook page on the victim’s account, which includes an iframe to the page that will redirect users to the Facebook Black landing page (Figures 6 and 7).

Figure 6. User account contains a new page

Figure 7. Newly created Facebook page contains iframe redirect (Welcome tab)
Ultimately, users that install this Facebook extension will be presented with a set of survey scams (Figure 8), which is how the scammers monetize these types of campaigns.

Figure 8. Survey scam pushed after extension is installed
Symantec customers are protected against this attack by our Web Attack: Fake Facebook Application 3 IPS signature and we detect the fake Chrome extension as Trojan Horse.

Google has already removed several of these Chrome extensions and continues to improve their automated detections for malicious extensions. Users that may have been tricked by this scam should uninstall the Chrome extension and delete the Facebook page that was created.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s