Facebook’s CDN servers are being used as a place to store malicious files.
A new malware campaign is taking place, and this time the malware delivery depends on Facebook. More specifically, the malicious file is being stored on Facebook's Content Delivery Network (CDN). Why would the malicious actors use Facebook's CDN for this purpose? Because that domain is trusted by most security solutions, which ensures that the malicious payload reaches its victims.
Sadly, this is not a difficult thing to do. The malicious actors simply upload files to a public area of Facebook, such as a Facebook group, grab the URL of the file, and proceed to infect others with it.
In this particular case, Brazilian users are being targeted with a banking Trojan. Hundreds of thousands of legitimate-looking scam emails have been sent; users who click the file link in the email immediately download a RAR or ZIP file stored on those Facebook servers. A shortcut path included in the link invokes a legitimate application installed on the computer to run the malicious file, and provided the user matches the targeted group, the malware proceeds with its infection.
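One defensive check that follows from this delivery chain, as an added example (not code from the article): scan a message body for links whose host is a broadly trusted public-upload domain and whose path names an archive, since domain reputation alone would wave such links through. The host list and the sample message below are constructed assumptions for the example.

```python
import re
from urllib.parse import urlparse

# Hosts that are widely trusted yet accept public uploads.  Assumption for this
# example: Facebook's CDN is served from the fbcdn.net domain; a real deployment
# would maintain its own list of such hosts.
TRUSTED_UPLOAD_HOSTS = ("fbcdn.net",)
ARCHIVE_EXTENSIONS = (".rar", ".zip", ".7z")

URL_RE = re.compile(r"""https?://[^\s"'<>]+""")


def archive_links_on_trusted_hosts(text):
    """Return every URL in *text* that points at an archive file on a trusted
    upload host.  Hostname matching is exact or on a dot boundary, so a
    look-alike such as fbcdn.net.example does not match."""
    hits = []
    for raw in URL_RE.findall(text):
        url = raw.rstrip(".,;:)'\"")  # drop sentence punctuation glued to the link
        parsed = urlparse(url)
        host = parsed.hostname or ""   # urlparse lowercases the hostname
        path = parsed.path.lower()     # query string is excluded from the path
        on_trusted = any(host == h or host.endswith("." + h)
                         for h in TRUSTED_UPLOAD_HOSTS)
        if on_trusted and path.endswith(ARCHIVE_EXTENSIONS):
            hits.append(url)
    return hits


# Constructed sample message: one archive link on the trusted CDN, one ordinary
# web page, and one look-alike host that must not be treated as trusted.
SAMPLE_EMAIL = """Your invoice is ready.
Download: https://scontent.xx.fbcdn.net/v/t1/files/invoice.rar?oh=abc.
Details at https://example.com/page.html
Mirror: https://fbcdn.net.example/files/invoice.zip
"""

if __name__ == "__main__":
    for link in archive_links_on_trusted_hosts(SAMPLE_EMAIL):
        print("archive on trusted host:", link)
```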
While this malware attack is going after a small subset of users compared with recent global attacks, we can be sure that, given how successfully the payload is delivered, we shall see this method of attack duplicated the world over.
As always, be extremely careful of what links you click in an email or other form of message. An unexpected message, even if it shows that it is from a contact you trust, may not actually be coming from that party after all.