Monthly Archives: June 2015

Facebook Users Left Red-Faced After Porn Malware Attack

Hackers spammed Facebook timelines and newsfeeds with malicious malware that spread pornographic videos and images.

The attack left hundreds of social media users in India red-faced as they had to clarify it to their friends that they hadn’t sent the message.

On Wednesday, majority of social media users in India refrain from using their FB accounts simply because they were scared that the X-rated material would attack their posts and messages.

The cybercrime cell of Agra Police firstly spotted the attack and claimed that it was triggered by a virus that belonged to the Kilim malware family. The same virus has caused such incidents all over the world.


Nitin Kasana, in-charge at the cybercrime cell, said that the attack “began with a message on social media which stated ‘watch urgent, because it is your video’. Every time someone clicked on the link, their entire timeline and inbox was spammed with pornographic material.”

Kasana further added that the message also included a shortened link, which took victims to a fake Amazon Web Services page. This in reality was a malicious website that was “was used by crooks to verify the platform used by the victim, such as the desktop computer or mobile phone, and direct them to a different path depending on their machine.”

Kasand revealed that “Mobile users were redirected to affiliate pages that contain various offers, while desktop users were asked to download a file from a folder containing the malware. The file pretended to offer a collection of pornographic videos. The malicious file was a downloader for the Facebook worm, which comes in the form of a Chrome extension and additional binaries. The last part of the attack was to spread among the victims’ Facebook friends, by sending the lure message.”

Naturally, the attack embarrassed users to a great extent as many called their friends and relatives immediately to clarify about the message and to warn them to not click on the link or images present in the malicious message.

One of the affected Facebook users, Atul Verma, stated: “I had to call and message over 50 people to inform them that my account has been hacked. I requested them not to open any files containing weird links. It was disgusting.”

Cybersecurity expert Rakshit Tandon warned users and said: “One should be extremely careful and inspect any link, specially shortened URLs, before clicking on them. Several thousands of Facebook accounts were subjected to the spam attack globally, including some parts of India, via porn malware, which unleashed massive quantities of violent and pornographic images across users’ newsfeeds.”

Tandon suggests that it was possible to avoid these kinds of attacks by immediately changing social network password, removing any or all unnecessary extensions from web browser and removing all Facebook apps on Facebook. He added: “Finally, every user should mark unknown links as spam, so that Facebook can take it down automatically.”


Not so long ago we at HackRead reported about the Kilim malware family. We also urged users to be careful about two active malware threats on the Facebook. One was about Google Chrome Video Installer the other about a Facebook worm infecting users’ computers through link (URL shortening service). 

Both of these threats are still active and operated though Kilim malware family. 


When a Facebook user clicks on the infamous link that promises “sex photos of teen girls in school,” it redirects immediately to an Amazon Web Services page and later the user gets redirected to a compromised Box website. The function of this website is to inspect the user’s system. Users are then prompted to download a file and when it is installed the system gets infected instantaneously leading to the download of the worm. It then spreads the link to all contacts of the user on Facebook.

Segura explained the modus operandi of this attack pretty comprehensively in his post. He says: “These offers usually end up being bogus apps or surveys. The file hosted on Box is trimmed down to a minimum size and its only purpose is to download additional components.”

This is typically done to avoid initial detection, but also to allow the bad guys to update the backend code on the server so that the trojan downloader can retrieve the latest versions of each module. After the additional components are downloaded (Chrome extension, worm binary) they are installed on the machine and simply wait for the user to log into Facebook.”

However, users who have clicked on the link via their mobile are taken to an offer page based on their geographic location and language.

Both the Facebook and Box are aware of the attack and the threat of this worm. For addressing this issue, Box is eliminating sharing privileges and deleting files from malicious accounts and is regularly performing security checks by scanning for viruses.

Conversely, Facebook is collaborating with the companies that have been targeted by attackers and the social media giant has blocked associated link as well as stopped the links from being spread on its platform.

Amazon Web Services (AWS) spokesperson in an official statement explained that the “activity being reported is not currently happening on AWS.”


oiginally posted on