Facebook video scam carries fake antivirus malware payload

Facebook seems unable to stop scammers from circulating malicious web links that install fake antivirus software on victims' computers.

The scam was spotted Tuesday by antivirus vendor Sophos. At that time, the criminals behind it were luring victims into installing the software by offering links purportedly to a video of disgraced former International Monetary Fund Managing Director Dominique Strauss-Kahn and a hotel maid. On Wednesday, the scam switched and the link was supposed to be an X-rated video of celebrities Rihanna and Hayden Panettiere.

In both cases there is no such video. People who click on the link are sent to a website that tries to install the fake antivirus software. The scam is slightly different, depending on whether the victim is using a Mac or a PC. On the PC, the site tells victims that they need to install the latest version of Adobe Flash Player to watch the video. But the software they install is actually the fake antivirus program.

On the Mac, there's a po-up window that looks like a security warning. When victims click to "fix" the security problems, they end up installing the fake software.

Once installed, the software pops up scary warning messages and takes the victim to a pornographic website every five minutes until the victim pays for a software licence, usually a £30 to £50 charge. The software also posts the video links to the victim's wall in an attempt to lure new victims. Paying the money for the fake antivirus product apparently puts the software into a dormant state where it doesn't cause any more damage, said Chet Wisniewski, a researcher with antivirus vendor Sophos.

On Tuesday, the website used by the scammers was newtubes.in, but on Wednesday they switched to shockings.in.

Sean Sullivan, a security adviser with F-Secure Labs, said he isn't sure why Facebook isn't simply blocking posts that contain the malicious links. It "seems as if it would be easy," but attackers could be using tricks to evade Facebook's scam filtering systems, he said.

On Wednesday, a Facebook spokesman couldn't say why the links have been so hard to stop, but he did confirm that the company was "in the process of investigating, blocking the links and remediating any affected users."

This type of fake antivirus software has recently become a real problem for Mac users. This week Apple began offering daily security updates to its Mac OS X 10.6 operating system. But scammers have become so expert at modifying their programs to evade detection that they have been able to skirt Apple's detection with the latest version of their scam software, Wisniewski said.

The fake software goes by several names, including MacGuard and MacDefender.