OFFICIAL SECURITY BLOG
July 2, 2014 | BY Christopher Boyd
Today, we’re going to take a look at a fake video page doing a roaring trade in clicks across social networks, with links being sent out to multiple sites (note that you may need Google Translate to read the page).
The site in question (written in Turkish) claims to play host to a “Facebook Video” and encourages visitors to play by clicking the red button – which offers up an executable file.
Despite commentary on various sites claiming this one “spreads” like a virus, in testing the file we obtained simply refused to run while also throwing out various errors.
It appears the files available may be in rotation and / or being re-rolled after takedowns, because this is what a passer-by will see if attempting to grab an executable at time of writing:
Given the mad rush of clicks has already peaked and flatlined (as you’ll soon see), they probably won’t bother to replace the dead links but it is possible there are fully functional copies still out there in the wild.
In terms of numbers, this one really took off. They used a Goo.gl shortening link for the file download (which we’ve reported), and that means we can take a look at the stats and see for ourselves how this one did:
In one day, they scored 130,062 clicks.
Normally, when a scammer uses a shortening service, they do it for the page they’re hawking – so you know how many people visited the URL, but you probably don’t know how many clicked on a rogue link inside the page such as a download.
Here, the shortened link leads directly to the EXE. So that’s 130,000 people who all specifically clicked the download link (of course, we don’t know how many ran the file or saw the download prompt then said “No thanks” and closed the tab but that’s a lot of direct clicks, however you look at it).
Jun 30, 2014, 5:00:00 AM
Jun 30, 2014, 6:00:00 AM
Jun 30, 2014, 7:00:00 AM
Jun 30, 2014, 8:00:00 AM
Jun 30, 2014, 9:00:00 AM
Jun 30, 2014, 10:00:00 AM
Jun 30, 2014, 11:00:00 AM
Jun 30, 2014, 12:00:00 PM
Jun 30, 2014, 1:00:00 PM
Jun 30, 2014, 2:00:00 PM
Jun 30, 2014, 3:00:00 PM
Jun 30, 2014, 4:00:00 PM
Total number of clicks by region? Sure, we can look at those too.
Here come the biggest clickers for this campaign – and again, this is just from the URL in the first screenshot – we haven’t taken into account additional URLs pushing the same file(s). Of course, there may well be other sites out there we don’t know about.
Very high numbers, and for what is essentially a rather lackluster looking fake video page with a small chunk of text on it.
It doesn’t even have fake Facebook comments or anything else designed to catch the eye. Even so, 100,000+ people decided to download a file they knew nothing about and potentially ran it on their PCs.
If you see pages trying hard to look a bit Facebook-ish and offering up videos, do the sensible thing and close the browser. More often than not, you’ll “just” be presented with a survey or mobile ringtone signup – other times, there’ll be a file knocking at the door and it simply isn’t worth the risk…no matter how tempting the people behind the file make things sound.