Over the weekend, a lot of Facebook users started receiving malicious chat messages from their friends that looked like this:
“Father crashes and dies because of THIS message posted on his daughters profile wall!” – followed by a shortened URL (using the bit.ly URL shortening service). The missing apostrophe in the word “daughter’s” – i.e. “daughter’s profile wall” – could be a clue that the message is not genuine, or at least that the author is not a native English speaker, but let’s take a look at what would happen to a user who falls for this social engineering trick.
Once clicked, the link takes the innocent user through a chain of redirections which ends up with a malicious Facebook app showing up on the screen and requesting several permissions.
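As an added example (not code from the original post), here is a defender-side helper for unwinding such a redirect chain without ever rendering the final page: it follows only 3xx `Location` headers, resolves relative redirects, caps the number of hops and stops on loops. The `fetch_head` callable and the `SAMPLE_RESPONSES` map are constructed stand-ins so the walk runs offline; a real deployment would issue HEAD requests with automatic redirects disabled and return `(status, headers)` per hop. All hostnames are placeholders.

```python
"""Walk a shortened link's redirect chain without executing the landing page.

Added example, not part of the original article. `fetch_head` is a hypothetical
callable returning (status_code, headers) for a URL so the chain can be walked
against a constructed map offline.
"""
from urllib.parse import urljoin, urlparse

REDIRECT_CODES = {301, 302, 303, 307, 308}

# Constructed sample chain: shortener -> tracker -> relative hop -> app landing page.
SAMPLE_RESPONSES = {
    "https://short.example/abc": (301, {"Location": "http://tracker.example/r?id=1"}),
    "http://tracker.example/r?id=1": (302, {"Location": "/landing"}),
    "http://tracker.example/landing": (302, {"Location": "https://social.example/apps/random-name/"}),
    "https://social.example/apps/random-name/": (200, {}),
}


def sample_fetch_head(url):
    """Offline stand-in for an HTTP HEAD request with redirects disabled."""
    return SAMPLE_RESPONSES.get(url, (404, {}))


def resolve_chain(start_url, fetch_head, max_hops=10):
    """Return the list of URLs visited, starting with start_url.

    Stops at the first non-redirect response or a redirect without a Location
    header. Raises ValueError on a redirect loop or when max_hops is exceeded,
    both of which are themselves signals worth logging for a short URL.
    """
    chain = [start_url]
    seen = {start_url}
    url = start_url
    for _ in range(max_hops):
        status, headers = fetch_head(url)
        if status not in REDIRECT_CODES:
            return chain
        location = headers.get("Location")
        if not location:
            return chain
        # Location may be relative; resolve it against the current hop.
        next_url = urljoin(url, location)
        if next_url in seen:
            raise ValueError(f"redirect loop at {next_url}")
        seen.add(next_url)
        chain.append(next_url)
        url = next_url
    raise ValueError(f"more than {max_hops} redirects from {start_url}")


def chain_hosts(chain):
    """Hostnames touched along the chain; useful for blocklist and reputation checks."""
    return [urlparse(u).hostname for u in chain]


if __name__ == "__main__":
    for hop in resolve_chain("https://short.example/abc", sample_fetch_head):
        print(hop)
```

Feeding the resolved hostnames to reputation or blocklist checks lets an analyst judge the link from its intermediate hops, which is where the shortener statistics page stops.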
As you can see, it’s not even remotely hard to determine that this application is malicious:
- It looks like the app has a random name.
- The app requests access to your “basic information” (which includes your list of friends) and to Facebook Chat (which lets it spread like a worm).
So, what does it do? Let’s see what happens if you allow it to access your profile.
First of all, it will start replicating through your Facebook profile by sending chat messages (see screenshot above) to your friends who are online at that moment. In the meantime, you will see the following page, which tries to social-engineer you into taking an “Anti-Spam Verification” test, offering a choice of quizzes such as “How stupid are you?”, “What’s your true love?” or “Spy phone”.
IP geo-location and automatic translation services are used by the attackers to perfectly tailor their social engineering strategy and to ensure a maximum efficiency rate by making sure they use the same language as their potential victim.
A very important part of this story is monetization: how do the cybercriminals behind this scheme profit from naïve users? Once the quiz is completed, the user is asked to send a message to a premium SMS number in their own country to find out the results of the quiz. The average price for such a message is around 3 EUR.
Last but not least, let’s see who are the victims here. The graph below is taken from the bit.ly statistics page for the main URL of this attack:
Top 10 countries affected by this threat:
- Ukraine (UA) – 24.22%
- India (IN) – 16.22%
- United States (US) – 13.03%
- Russian Federation (RU) – 12.76%
- Belarus (BY) – 8.32%
- Dominican Republic (DO) – 5.89%
- Philippines (PH) – 3.14%
- Sri Lanka (LK) – 1.78%
- Mexico (MX) – 1.73%
- Australia (AU) – 1.35%
We’ve notified all parties that can help limit the damage: Facebook, for removing the malicious apps, and bit.ly, for removing the short URL redirections.