Since the start of this week, the French media and online forums have been abuzz about a new Facebook Messenger “Trojan horse” arriving in users’ private message (PM) inboxes from their network contacts. Some reports claim that this malware has been circulating locally among French Facebook users for weeks now, and that users continue to fall for the lure in spite of warnings.
These unsolicited PMs have been described as containing the following elements:
- the receiver’s profile picture (or other picture)
- the receiver’s name
- the word “Video” juxtaposed beside the receiver’s name
- a link that says “xic.graphics” under the image, which is a fake YouTube video
Below is a screenshot sample of the message, courtesy of FrAndroid:
Essentially, the threat makes itself appear to be a video about the recipient from a friend on Facebook.
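The message elements listed above can be turned into a simple triage check for reported messages. This is an added example, not code from the original article: the function names, the list of genuine YouTube hosts and the sample messages are assumptions constructed for illustration, and the profile-picture element is not checked.

```python
import re
from urllib.parse import urlparse

# Assumption: hosts treated as genuine YouTube for this example.
YOUTUBE_HOSTS = {"youtube.com", "www.youtube.com", "m.youtube.com", "youtu.be"}
# Link text reported in the article.
REPORTED_HOST = "xic.graphics"

def link_host(link):
    """Lower-cased host of a link, tolerating links pasted without a scheme."""
    if "://" not in link:
        link = "//" + link
    return (urlparse(link).hostname or "").lower()

def lure_indicators(text, link, recipient_name):
    """List which elements of the reported lure appear in one message."""
    hits = []
    flat = " ".join(text.split())  # collapse runs of whitespace
    name = re.escape(" ".join(recipient_name.split()))
    # Recipient's name with the word "Video" beside it, in either order.
    beside = rf"(?:{name}\W{{0,3}}video|video\W{{0,3}}{name})"
    if name and re.search(rf"(?<!\w){beside}(?!\w)", flat, re.IGNORECASE):
        hits.append("name_beside_video")
    host = link_host(link) if link else ""
    if host == REPORTED_HOST or host.endswith("." + REPORTED_HOST):
        hits.append("reported_host")
    if host and host not in YOUTUBE_HOSTS:
        hits.append("video_link_not_youtube")
    return hits

def is_probable_lure(text, link, recipient_name):
    """Flag a message that pairs the name+Video text with a non-YouTube link."""
    hits = lure_indicators(text, link, recipient_name)
    return "name_beside_video" in hits and "video_link_not_youtube" in hits

# Constructed sample messages (not captured traffic).
SAMPLES = [
    ("Marie Dupont Video", "http://xic.graphics/abc", "Marie Dupont"),
    ("Video: marie  dupont", "xic.graphics/abc", "Marie Dupont"),
    ("Marie Dupont video from the party", "https://youtu.be/abc123", "Marie Dupont"),
    ("Lunch tomorrow?", "", "Marie Dupont"),
]

if __name__ == "__main__":
    for text, link, name in SAMPLES:
        print(is_probable_lure(text, link, name), lure_indicators(text, link, name))
```

A genuine YouTube share that mentions the recipient's name is reported but not flagged, since the lure depends on the video link pointing somewhere other than YouTube.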
Note that this isn’t the first time we’ve seen online criminals employ this lure. Twitter users have been plagued with direct messages (DMs) from purported contacts that were compromised back in 2011, asking recipients if it was them in a linked video. More recently, several Steam users reported receiving chat messages with a link to a video from accounts that were believed to have been taken over by criminals to spread malware.
Facebook scammers have used the lure of videos for years. With the number of users sharing and watching videos by the billions within the social platform, it’s no surprise that criminals have capitalized on this for their malicious purposes. Malwarebytes researchers have documented a number of these video-related scams, which you may want to check out here:
- “Hungry Bear Tears Woman to Pieces” Facebook Video Scam
- Scam Lures Facebook Users with “Hot Video”, Drops Trojan
- “Huge Snake Eats Man Alive!” Video Scam Spreads on Facebook
- Scam Banking on Roller Coaster Disaster Seen in the Wild
- Scammers Exploit Alton Towers Crash with Fake YouTube Video
Once recipients see the message from a contact, who may have been compromised by this same social engineering tactic, and click the link, they receive a notification asking them to install a Chrome browser extension, which is actually the “Eko” malware. It may affect other browsers.
After the extension is installed, users are then subjected to unwanted advertisements. Reports also say that “Eko” can spy on users, collecting their personal data, including bank account details. On top of this, affected user accounts send similar messages to all their Facebook Messenger contacts.
According to Linternaute, Facebook is currently mitigating this threat. The paper also added that the Interior Ministry in France has already warned contacts on Facebook about Eko, but the Trojan continues to thrive.
Users who are affected by “Eko” are advised to uninstall the extension and change their passwords, specifically on Facebook and other protected accounts they may have accessed.
As of this writing, there are no reports of “Eko” affecting users outside of France.