Recently I wrote about a malvertising campaign on Facebook that has been going on for almost a year. Facebook is apparently struggling to stop it, and the same type of campaign is now showing up in languages other than English.
I have seen two different types in German.
Translation: Deadly accident on highway causes several fatalities
Notable about this one is that it was posted as a fundraiser and does not allow comments, which blocks me from posting a warning that this is a scam.
I reached out to the person that owns the account to find out if he knew how his account got compromised. He had no idea, but told me that it seemed like a lot of people were having the same issues. Not only did he see the same type of posts, but he also got a lot of Messenger messages prompting him to click a link.
In the past we’ve seen campaigns on Messenger where clicking such a link would install a Facebook app that required posting permissions. These apps would then spread further from the compromised user account.
The host storage.googleapis.com gives the link a legitimate feel, but that feeling is not justified. googleapis.com is a legitimate Google service, but it is object storage on which anyone with a Google Cloud account can host files, and it is abused by all sorts of cybercriminals for phishing, tech support scams and, in this case, fingerprinting. The script hosted there looks at your IP address, the type of machine you are using and whether you are on a VPN. Based on that profile you are forwarded to whichever type of scam is likely to be the most profitable for the operator.
An example of a redirect URL shows some of the elements that were fingerprinted.
https://byxzz.altairaquilae[.]top/?pl=Yyo1IAH5aE2Q4g9YuOImuw&click_id=da5d3q51mm737150e7&sub_id=18222478-Edge%20(Chromium)%20for%20Windows-Windows
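As an added example (not code from the original post or from Malwarebytes), the Python below takes the defanged redirect URL above, refangs it, and pulls the fingerprinted browser and operating system out of the sub_id parameter, then collapses a list of observed hops into blocklist candidates. The sub_id layout (a numeric token, a browser label, an OS label, joined by hyphens) is an assumption read off this single sample, and the registered-domain rule is a naive "last two labels" shortcut rather than a public-suffix lookup; the extra URLs fed to the helper are constructed from the domains named later in the post.

```python
import ipaddress
from urllib.parse import parse_qs, urlsplit

# The redirect URL quoted in the post, kept in its defanged "[.]" form.
SAMPLE_URL = (
    "https://byxzz.altairaquilae[.]top/?pl=Yyo1IAH5aE2Q4g9YuOImuw"
    "&click_id=da5d3q51mm737150e7"
    "&sub_id=18222478-Edge%20(Chromium)%20for%20Windows-Windows"
)


def refang(url: str) -> str:
    """Undo the common defanging conventions so urlsplit can parse the URL."""
    return url.replace("[.]", ".").replace("hxxps://", "https://").replace("hxxp://", "http://")


def registered_domain(host: str) -> str:
    """IP literals are returned unchanged; hostnames are cut to their last two
    labels. This is a naive shortcut (no public suffix list), fine for .top/.com
    but wrong for e.g. example.co.uk."""
    try:
        ipaddress.ip_address(host)
        return host
    except ValueError:
        labels = host.split(".")
        return ".".join(labels[-2:]) if len(labels) >= 2 else host


def parse_sub_id(sub_id: str) -> dict:
    """Assumed layout: '<numeric token>-<browser label>-<OS label>'.
    The meaning of the leading token is not documented, so it is kept verbatim.
    Browser labels may themselves contain hyphens only after the first two
    splits, so split at most twice."""
    fields = sub_id.split("-", 2)
    if len(fields) != 3:
        return {"raw": sub_id}
    token, browser, os_name = fields
    return {"token": token, "browser": browser, "os": os_name}


def parse_redirect(url: str) -> dict:
    """Break a traffic-distribution redirect URL into host, tracking parameters
    and whatever client fingerprint was encoded into sub_id."""
    parts = urlsplit(refang(url))
    # parse_qs already percent-decodes, so "%20" becomes a space here.
    params = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    info = {
        "host": parts.hostname,
        "registered_domain": registered_domain(parts.hostname),
        "params": params,
    }
    if "sub_id" in params:
        info["fingerprint"] = parse_sub_id(params["sub_id"])
    return info


def candidate_blocks(urls: list) -> list:
    """Collapse observed hops to a sorted, de-duplicated list of registered
    domains / IP literals, so two subdomains of one domain become one entry."""
    return sorted({parse_redirect(u)["registered_domain"] for u in urls})


if __name__ == "__main__":
    # Constructed list: the sample URL plus hosts named elsewhere in the post.
    observed = [
        SAMPLE_URL,
        "https://oyglk.altairaquilae[.]top/",
        "https://windyplentiful[.]com/",
        "http://188.114.96[.]0/",
    ]
    print(parse_redirect(SAMPLE_URL))
    print(candidate_blocks(observed))
```

Running it shows the browser and OS strings the fingerprinting script pushed into the affiliate link, and that the two altairaquilae.top subdomains seen in this campaign fold into a single domain-level block.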
Malwarebytes had already blocked the windyplentiful.com domain for malvertising.
Malwarebytes Premium blocks the domain windyplentiful.com
The second example is easier to identify as a fake. Both the ambulance and the wrecked motorcycle hail from California, so this is highly unlikely to have happened on the German autobahn.
Translation: Accident causes several victims including a child
Not only is the picture clearly not German; the grammar of the caption is another giveaway, as it reads like a bad translation.
When I set my VPN to pretend I was located in Germany, the script identified it as an anonymous proxy and stopped there.
Switching back to the Netherlands I got to “enjoy” sites with explicit content, scam sites where celebrities encourage investing in cryptocurrencies, and websites offering browser push notifications.
These browser push notifications are a very annoying type of advertising, often associated with tech support scams, explicit content, gambling, and anything else that pays a handsome referral bonus.
Several attempts on both images led to different domains as well. Other blocks we encountered during our research:
Malwarebytes Premium blocks 188.114.96.0
Malwarebytes Premium blocks the subdomain oyglk.altairaquilae.top
You can recognize this type of scam because the posts usually tag several of the victim's friends. And although the image looks like a click will start a video, it never has for me. The images were hosted at media.discordapp.net/attachments, and although the pages contain a link to Vimeo, the videos there have already been removed or were never there in the first place.
If you find your account has posted a message like this, you should assume that someone else has full control over your Facebook account. Simply changing the password is not always enough.
If you’re logged in but have forgotten your password or it has been changed to something you don’t know, follow the steps above to change your password, then click Forgot your password? and follow the steps to reset it. Keep in mind that you’ll need access to the email associated with your account.