Symantec has analyzed this new scam – similar in concept and purpose to the one described by Sophos in November 2012. Its ultimate purpose is to deliver further survey scams.
The new Black scam directs its victims to a Facebook page promoting Facebook Black, and from there via a series of redirects to a separate Facebook Black landing page. This page promotes a Google Chrome extension – but if installed, the extension is used to download two JavaScript files hosted on Amazon’s Simple Storage Service, Amazon S3.
“These JavaScript files are used to keep the scam spreading through each victim’s account,” warns Symantec. “It does so by creating a new Facebook page on the victim’s account, which includes an iframe to the page that will redirect users to the Facebook Black landing page.”
Ultimately, says Symantec, “users that install this Facebook extension will be presented with a set of survey scams, which is how the scammers monetize these types of campaigns.” Put simply, the more people the scammers drive to the surveys, the more money they earn.
Back in November, Sophos warned, “Messages and images inviting users to change the color of their Facebook pages from the traditional blue have been appearing in rising numbers over the last few days, enticing users to click on a link to a third-party website.” Clearly the scammers are still finding enough users who are “sick of that BORING blue theme” (from the November iteration), and are willing to click on dangerous links to change it.
The current scam uses a Chrome extension. “Google has already removed several of these Chrome extensions,” notes Symantec, “and continues to improve their automated detections for malicious extensions. Users that may have been tricked by this scam should uninstall the Chrome extension and delete the Facebook page that was created.”
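For readers checking a machine after this scam, the sketch below lists installed extensions whose files reference JavaScript hosted on Amazon S3, the loading pattern Symantec describes. It is an added example, not code from Symantec or Google; it assumes Chrome's on-disk layout of `Extensions/<id>/<version>/`, and the sample extensions, bucket names and URLs are constructed. A match is a triage lead rather than proof, since legitimate extensions can also reference S3.

```python
import json
import re
import tempfile
from pathlib import Path

# Matches script URLs on Amazon S3 in path-style or virtual-hosted-style form.
S3_JS = re.compile(
    r"""https?://(?:[\w.-]+\.)?s3[\w.-]*\.amazonaws\.com/[^\s"'<>)]+?\.js\b""", re.I)
SCANNED = {".js", ".html", ".htm", ".json"}


def find_s3_script_refs(ext_root):
    """Return [(extension_id, manifest_name, relative_file, url), ...]."""
    hits = []
    for manifest in sorted(Path(ext_root).glob("*/*/manifest.json")):
        version_dir = manifest.parent
        ext_id = version_dir.parent.name
        try:
            name = json.loads(manifest.read_text(encoding="utf-8-sig")).get("name", "?")
        except (OSError, ValueError, AttributeError):
            name = "<unreadable manifest>"
        for path in sorted(version_dir.rglob("*")):
            if not path.is_file() or path.suffix.lower() not in SCANNED:
                continue
            text = path.read_text(encoding="utf-8", errors="replace")
            for url in sorted(set(S3_JS.findall(text))):
                hits.append((ext_id, name, path.relative_to(version_dir).as_posix(), url))
    return hits


def build_sample(root):
    """Constructed sample data: one extension that pulls scripts from S3, one that does not."""
    samples = {
        "aaaaexampleid/1.0_0": ("Constructed Theme Changer",
            'var s = document.createElement("script");\n'
            's.src = "https://s3.amazonaws.com/example-bucket/one.js";\n'
            'load("https://example-bucket.s3.amazonaws.com/two.js");\n'),
        "bbbbexampleid/2.1_0": ("Constructed Note Taker",
            'console.log("local code only");\n'),
    }
    for rel, (name, script) in samples.items():
        d = Path(root, rel)
        d.mkdir(parents=True)
        (d / "manifest.json").write_text(json.dumps({"name": name, "version": "1"}))
        (d / "background.js").write_text(script)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for hit in find_s3_script_refs(tmp):
            print(*hit, sep="  ")
```

Point `find_s3_script_refs` at the `Extensions` folder of the Chrome profile being reviewed; each reported extension ID can then be checked and removed from the browser's extensions page.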