Leanne, a member of the Sophos fan page over on Facebook, contacted me earlier today to ask about videos being posted automatically on users’ profiles entitled “the sexiest video ever”.
A little digging discovered that thousands of Facebook users have woken up to discover messages posted on their walls, seemingly by their Facebook friends.
The messages read:
<name>, this is without doubt the sexiest video ever! 😛 😛 😛
accompanied by what appears to be a video with the title "Candid Camera Prank [HQ]". The message has what appears to be a movie thumbnail of a woman on a bicycle wearing a short skirt, and the video’s length is given as 3:17.
Now, maybe you’re in the habit of sharing and receiving videos like this with your online chums. I can certainly imagine a lot of blokes in particular might be tempted to play the video. Each to his or her own, but you should be extremely careful on this occasion.
Because if you click on the thumbnail you don’t view a video at all, but are instead taken to a Facebook application. When I tried for myself the application failed to run (maybe Facebook has already taken action?), but according to reports from users it told them that their video player was out-of-date and urged them to download a file.
Users then report that the same video was posted (using their avatar and name as though they had posted the message) to their Facebook friends and acquaintances, thus spreading even more quickly.
Judging by the number of messages posted on Facebook, thousands of people received this attack. If you were one of them, you should scan your computer with an up-to-date anti-virus, change your passwords, review your Facebook application settings, and learn not to be so quick as to fall for a simple social engineering trick like this in future.
Update Patrik Runald, one of our friends over at Websense Security Labs, has produced this video demonstrating the attack.
As you can see, Patrik captured the attack in action – finding that aside from spreading it was designed to install the Hotbar adware to generate revenue for the bad guys.
If you’re regular user of Facebook, why not join the Sophos page on Facebook? We’ll do our best to ensure you are kept up-to-date with the latest security news.