20,000 Unique URLs Redirect Facebook Victims to Trojan-Carrying, Fake YouTube Video

Posted on July 23, 2014


Facebook users are facing yet another threat. Among the countless tragedies cybercrooks exploit for profit, there is a new approach, and it is rather hilarious in nature. The Trojan, known as Trojan.Agent.BDYV, spreads through a funny video of a woman taking her clothes off that is enjoying increasing popularity on the social media site. The Trojan is introduced through a YouTube video recommended by a person in the user’s Facebook friend list. Once activated, Trojan.Agent.BDYV gains access to personal data from the user’s browser.

20,000 Unique URLs Created to Redirect Users to Malicious Websites

The victim receives a video from a person in their friend list. The link leads to a fake YouTube page, which to the unsuspecting user looks exactly like the real one. In order to see the footage, the user is redirected to a malicious page for a Flash Player update. The scammers have even created the first few seconds of a video of a woman who is taking her clothes off. The page looks exactly like a YouTube page and even keeps count of the visitors. Clicking on the Flash Player update activates the Trojan, which drops two files on the system: a password-protected archive and a BAT file that launches the executable in the archive, supplying the password for the decompression.

Snapshot of the fake YouTube page that redirects users to a malicious Flash Player.exe for an Adobe update.
Fake YouTube Video Redirects Users to Trojan.Agent.BDYV
Source: Bitdefender
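
For defenders triaging a dropped script, the pattern described above (a BAT file that hands a password to an archiver and then launches an executable) can be flagged statically. The following is an added example, not code from the original article or from Bitdefender; the article does not name the archiver, so the tool names and password switches, the sample script, and the function names are assumptions.

```python
import re
import shlex

# Assumption: the page does not name the archiver. These are common Windows
# command-line archivers; 7-Zip takes -p<pw>, RAR/UnRAR take -p<pw> or -hp<pw>.
ARCHIVERS = {"7z", "7za", "7zr", "rar", "unrar", "winrar"}
PW_SWITCH = re.compile(r"^-(?:hp|p)(?P<pw>.+)$", re.IGNORECASE)

# Constructed sample for illustration; not recovered from the real campaign.
SAMPLE_BAT = r'''@echo off
rem constructed sample
cd /d "%TEMP%"
7za.exe x -y -pExamplePass123 update.7z
start "" FlashPlayer_update.exe
'''

def _tokens(line):
    """Split one batch line into tokens, skipping blanks and comments."""
    line = line.strip().lstrip("@")
    if not line or line.lower().startswith(("rem ", "::")):
        return []
    try:
        toks = shlex.split(line, posix=False)  # keeps backslashes in paths
    except ValueError:                         # unbalanced quote
        toks = line.split()
    return [t.strip('"') for t in toks]

def _stem(token):
    """Program name without directory or .exe suffix, lower-cased."""
    name = token.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name

def analyze_bat(text):
    """Flag an inline archive password followed by an executable launch."""
    extractions, launches = [], []
    for n, line in enumerate(text.splitlines(), 1):
        toks = _tokens(line)
        if toks and _stem(toks[0]) in ARCHIVERS:
            hit = next((m for m in map(PW_SWITCH.match, toks[1:]) if m), None)
            if hit:  # password is kept so an analyst can open the archive
                extractions.append((n, _stem(toks[0]), hit.group("pw")))
        elif extractions:  # only launches after a password-fed extraction
            launches += [(n, t) for t in toks if t.lower().endswith(".exe")]
    return {"extractions": extractions, "launches": launches,
            "suspicious": bool(extractions and launches)}

if __name__ == "__main__":
    print(analyze_bat(SAMPLE_BAT))
```

A hit is a triage signal rather than a verdict: legitimate installers occasionally use the same pattern, so the flagged archive and executable still need to be examined.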

While the User is Laughing, the Trojan is Stealing Data

Trojan.Agent.BDYV gathers all the data needed from the user’s browser and automatically adds the names from the victim’s friend list to the fake YouTube URL, thus making the whole scam seem more believable. Due to the add-on framework the hackers have applied, the code is compatible with multiple browsers, including Mozilla Firefox and Google Chrome. In order to prolong the scam, the add-on tags 20 Facebook friends and injects ad services into the web page. Each of these contacts receives a link to the same video, and the trojan prevents the removal of the link from the infected user’s Facebook page.

In order to avoid security issues, the creators of Trojan.Agent.BDYV have acquired over 60 bit.ly API keys, which are used to generate shortened URLs. These unique links are distributed to Facebook timelines. Based on the analysis of the data gathered until the moment of this writing, researchers are led to believe that the origin of the trojan is in Albania.

Be Aware of What You and Your Friends Share

As the trojan spreads through a video sent from a person the victim already knows, users should be extra careful when opening links on the Web. PC users should keep their anti-malware program up to date and be aware of Facebook scams that may appear to come from their Facebook friends.
