14 DAY TRIAL // As it always happens when a significant world event occurs, scammers are quick at taking advantage, and the recent aviation disaster involving the shooting of the MH17 Malaysian airliner is nothing but a means to make more money for the crooks.
Almost 300 people died in the tragedy, but cybercriminals prey on the fact that regular users want to be exposed to gruesome video and started to circulate on Facebook a fake message that promises footage of the missile bringing down the aircraft.
The steps of the scam are the same as in other cases: the potential victim is presented with a video thumb purporting to offer access to the entire footage of the incident, but in order to play the video, they must first share it with Facebook friends, so that the deceit is spread to other users.
It appears that the scammers have built a fake Facebook page, with a counter of the people who are supposedly watching the video and a trend chart showing the popularity of the post.
A closer look at the counter reveals that it just displays random numbers that generally range between 80 and 90,000.
In fact, everything is fake about the page. The comments under the alleged video are actually a picture designed to calm down suspicions of the potential victim. It shows thousands of comments, the most recent ones, “posted” less than half an hour earlier, informing that the footage can be watched by simply clicking on it.
If the user is not logged into Facebook, a dialog pops up asking for the credentials; trying to avoid this step actually takes the potential victim to a page serving malicious files.
At the moment, Google Chrome accurately marks some of the redirects as phishing attempts, but an alert is not issued for all the redirects because in some cases they redirect to legitimate domains, as the crooks also rely on affiliate marketing to make more money.
Cybercriminals are not at the first attempt to profit from the MH17 Malaysian airliner. Last week, they used Twitter to spread short links that directed to web pages known to have been associated with a variant of Zeus Trojan as well as the Sality malware.
But in this case, the tweets with the MH17 hashtag seemed to have been created only to increase page views. Security researchers at Trend Micro found that the links resolved to two IP addresses of a webhost service in the United States.