We’ve said it many times before: if you see links promising nude celebrity photos or videos on Facebook or anywhere else, don’t click on them. The bad guys are trying to trick you into downloading malware, and it’s one of the oldest phishing tricks in their playbook.
But there will always be a few people who fall for it, so we need to keep sending up the red flags.
The latest example: a scam promising sex videos featuring Jessica Alba and other celebrities.
Researchers at Cyren found the scam, which uses a malicious Google Chrome extension to spread PDFs promising nude celebrity content to Facebook groups. Opening the PDF takes the victim to a web page showing a play-button image; clicking it redirects to a page that bombards them with pop-ups and ads featuring nudity and lottery scams.
From the Cyren advisory:
If the user is using Google Chrome, the link opened is “hxxps://rb-xxxxxx.xxx/gxxxxo.php” and shows a phony YouTube site. Clicking the play button brings up a pop-up window inviting the user to install a Google Chrome extension. After installing that extension, the browser opens up a Facebook.com login page. The extension is able to read the user’s friend list, Facebook groups, plus all personal information and upload the PDF to groups, posts, and to friends in private chat.
To summarize, this advertising campaign is able to create a sort of botnet to spread via a combination of nude celebrity pictures, a Chrome extension, and Facebook posts – which all ultimately lead to an aggressive spam/advertising page.
Facebook runs on all kinds of devices. Although this malware campaign targets the Chrome web browser platform, it is not impossible for the malware writers to find ways to propagate through other browsers, as all the other browsers also have their own browser plugins/extensions.
The malicious Chrome extension is packed with a list of antivirus and antispam domains it proceeds to block. It also keeps victims from accessing the Chrome extensions settings page.
Besides Alba, celebrity names used in the scam include Jennifer Lawrence, Selena Gomez, Hilary Duff, Rihanna, Scarlett Johansson, Kim Kardashian, Kelly Brook, Doutzen Kroes and Nicki Minaj.
To remove the infection, Cyren says the victim must delete the malware’s registry key using the Registry Editor, along with its folder in AppData.
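A defender-side check to go with that removal advice, added here and not part of the article or the Cyren advisory: a PowerShell script that inventories Chrome extensions from each profile's AppData folder and lists any registry-enforced extension IDs, so the installed extensions can be reviewed even when an extension blocks the chrome://extensions settings page. It assumes Windows with a per-user Chrome install; the ExtensionInstallForcelist key is Chrome's documented policy key, not necessarily the registry key Cyren refers to.

```powershell
# Added audit script (not from the article or Cyren): inventory Chrome
# extensions from the AppData profile folders and list any registry-enforced
# extension IDs. Assumes Windows with a per-user Chrome install.

function Get-ChromeExtensionInventory {
    $userData = Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data'
    # Each profile (Default, Profile 1, ...) keeps extensions at
    # <profile>\Extensions\<32-char id>\<version>\manifest.json
    foreach ($prof in Get-ChildItem -Path $userData -Directory -ErrorAction SilentlyContinue) {
        $extRoot = Join-Path $prof.FullName 'Extensions'
        if (-not (Test-Path $extRoot)) { continue }
        foreach ($ext in Get-ChildItem -Path $extRoot -Directory) {
            foreach ($ver in Get-ChildItem -Path $ext.FullName -Directory) {
                $manifestPath = Join-Path $ver.FullName 'manifest.json'
                if (-not (Test-Path $manifestPath)) { continue }
                $m = Get-Content -Path $manifestPath -Raw | ConvertFrom-Json
                # Broad host permissions are what let an extension read a logged-in
                # Facebook session; names beginning with __MSG_ are localized placeholders.
                $perms = @($m.permissions) + @($m.host_permissions) | Where-Object { $_ }
                [pscustomobject]@{
                    Profile     = $prof.Name
                    Id          = $ext.Name
                    Name        = $m.name
                    Version     = $m.version
                    Permissions = ($perms -join ', ')
                    Path        = $ver.FullName
                }
            }
        }
    }
}

function Get-ChromeForcedExtensions {
    # Chrome's ExtensionInstallForcelist policy key; each value is "<id>;<update_url>".
    # An entry here re-installs the extension even after it is removed from the profile.
    foreach ($hive in 'HKLM:', 'HKCU:') {
        $key = "$hive\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist"
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, etc.
            [pscustomobject]@{ Hive = $hive; ValueName = $p.Name; Entry = $p.Value }
        }
    }
}

Get-ChromeExtensionInventory | Format-Table -AutoSize
Get-ChromeForcedExtensions   | Format-Table -AutoSize
```

Any extension ID that appears in the forced list or in a profile folder but that the user does not recognise is a candidate for removal together with the on-disk folder and the registry entry that re-installs it.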