Victims are led to believe that a fail video of them is making the rounds online

Sep 20, 2012 12:41 GMT

Twitter users might stumble upon direct messages (DMs), apparently coming from their friends, that read: “lol ur famous now [Link].” This is part of a scheme that’s designed to advertise a shady Facebook app which leads to a nasty piece of malware.

The link contains the word “FailVids,” most likely with the purpose of making victims believe that they ended up on a funny videos website.

Once the link from the DM is clicked, the victims are taken to a Facebook application page where they’re required to enter their Twitter credentials. By handing over their usernames and passwords, users are basically giving cybercriminals access to their accounts, allowing them to further advertise the shady app via direct messages.

But the scheme doesn’t end after the Sign In button is pressed. Internauts are taken to a website – woot.tweetelf.info – where a fake YouTube video window is displayed.

Victims are urged to install an alleged Flash Player update in order to view the video. However, similar to other scams, the Flash Player isn’t legitimate. Instead, it’s connected to the Umbra Loader – a popular botnet building tool.

The malicious element - Trojan.Win32.Generic!BT - checks for the presence of debuggers, and once it’s certain that there aren’t any security researchers around, it starts creating hidden files and executes additional programs.

Fortunately, after being notified by researchers, Facebook rushed to remove the rogue application. However, users should still be careful if they receive “lol ur famous now” messages on Twitter, since the crooks can set up a new app at any time.

If you fell for it and provided your Twitter credentials, be sure to change your password and check your account’s settings menu to make sure that all suspicious apps are removed.