An impersonation of the Adobe Flash Player is being used by cyber-criminals to get page likes for various campaigns in just two clicks, then sell them to other customers.
The story of a page that has gathered 40,000+ likes starts with an apparently harmless link to a page hosting videos of kittens and unicorns. The page is located on an internationalized domain – xn--47aaeaba.com – that performs the redirect to the fast[removed]e.com domain (registered yesterday – 2013-02-17 – in Turkey and whose owner asked that their contact information not be published). This page asks the victim to install a special version of the Flash Player in order to see the video content.
Fig. 1: the fake player asks for a special plugin
Victims using Google Chrome are then taken to the plugin’s page on the Chrome store where they are asked to install an extension named Business Flash Player!, a rogue extension for the browser that can access Facebook cookies and like pages on the user’s behalf.
Fig. 2: The malicious plugin on the Chrome Web Store
Please note the last line of code that instructs the user’s browser to artificially “like” a Facebook page with the ID of 274169846047328. A quick look on the social networking platform reveals it is associated with Mehmet Ozbilen, a fan page that managed to get 40,319 likes since its creation on February 12 with no content posted on it.
Fig. 4: Blank page with tens of thousands of “likes” ready to be purchased and customized
This type of scam is highly lucrative for its creators. With just a couple of lines of code – many of which have already been open-sourced on the web and are ready to be copied and pasted – crooks can gather significant numbers of likes from unwary Facebook users and grow a page that is ready to be sold to the highest bidder. After the transaction is done, the buyer gets administrative rights on the page and gets to pick a relevant username for it.
As the number of likes contributes to the page’s Edge Rank (a proprietary algorithm that decides which users see what is being posted on the page), shady companies and cyber-criminals alike are bidding for pages that already have a considerable number of likes.
Leave a reply