​Over 110k Facebook users infected by porn-disguised Trojan

Reuters/Ognen Teofilovski
More than 110,000 Facebook users accidentally installed malicious software over a recent two-day period, a security researcher says, allowing their computers to become infected with a dangerous porn-disguised Trojan that lets hackers take control.

According to awarningsent out to the Full Disclosure mailing list last Thursday by the researcher, Mohammad Faghani, social networking users have been falling victim to the attack en masse by clicking on posts purported to contain pornographic material and then installing what appears to be an update to Flash Player, a popular Adobe-made piece of software used to view video footage within web browsers.

“The Trojan tags the infected user's friends in an enticing post,” Faghani wrote. “Upon opening the post, the user will get a preview of a porn video which eventually stops,” he added. A prompt is then displayed, intended to persuade the target to install a phony Flash upgrade.

Once a computer is infected, the researcher warned, a hacker is able to hijack the target’s keyboard and mouse, effectively allowing an attacker to surreptitiously see every click and stroke being executed, as well as the contents of the computers.

This “Magnet” technique, as Faghani calls it, had been able to quickly spread among Facebook users because it targets less than 20 people at a time with each compromised posting, which apparently initially allowed it to stay off the radar of the website’s own security team at first.

According to the email, sent Thursday, the Trojan had by that point already claimed more than 110,000 victims.

Facebook has since responded to news of the Magnet attack and told Threat Post that an effort was underway to purge the social media site of the dangerous postings.

We use a number of automated systems to identify potentially harmful links and stop them from spreading,” a Facebook spokesperson told security news site Threatpost: “In this case, we’re aware of these malware varieties, which are typically hosted as browser extensions and distributed using links on social media sites. We are blocking links to these scams, offering cleanup options, and pursuing additional measures to ensure that people continue to have a safe experience on Facebook.”

Meanwhile, users of the actual Flash Player distributed legitimately by Adobe are being asked to watch out for another type of attack. The company said on Monday that it discovered a previously undisclosed security vulnerability within the current version of its Flash Player, and hackers are believed to be exploiting certain Windows, Mac and Linux machines running installs of Internet Explorer and Firefox.

According to Adobe, “successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system.” A patch is expected to be released this week, but a fix had not yet been made available on Monday.

Faghani writes on his personal website that he is finishing his PhD in computer science and considers his main area of study to be malware propagation through social networks.