Contributor: Himanshu Anand
Facebook scams are a regular occurrence in today’s world, but attackers have become more aggressive and are now using Facebook scams to exploit a user’s system. Normally Facebook scams trick users into filling out fake surveys, or sharing videos and pictures. It is very rare that a scam redirects to an exploit kit, but in the case of one famous Facebook scam targeting users who wanted to work from home, that was exactly what happened. The “EXPOSED: Mom Makes $8,000/Month” scam, which we observed recently, redirected users to the Nuclear exploit kit. This particular scam has since been removed by Facebook.
Figure 1. Example of a “work from home” scam
Users who believe the job offer is legitimate and click the Facebook link are taken to a Facebook page which, through a series of redirects, ultimately lands on a third-party website containing an iframe for the Nuclear exploit kit. This gives the attacker an opportunity to compromise the victim’s computer, although the scam does not depend on infecting the victim for it to succeed.
Figure 2. Nuclear exploit kit iframe
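The injected iframe in Figure 2 follows the pattern exploit-kit landing pages are usually embedded with: an iframe pointing at a third-party host that is concealed with 1x1 (or zero) dimensions or with inline CSS. The following script, an added example and not code from Symantec or from this post, scans an HTML document for that pattern so a defender can triage pages found in a redirect chain. The sample HTML, the page host `www.example.com` and the `*.example.invalid` hostnames are all constructed for the example.

```python
"""Flag concealed third-party iframes in an HTML page, the injection
style exploit kits such as Nuclear are typically loaded through.
Runs offline on a constructed sample; uses only the standard library."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: one legitimate same-origin iframe and two
# injected iframes (a 1x1 hidden one and one wrapped in display:none).
SAMPLE_HTML = """
<html><body>
<h1>Work from home!</h1>
<iframe src="https://www.example.com/embed/video" width="640" height="360"></iframe>
<iframe src="http://landing.example.invalid/count.php?x=1" width="1" height="1"
        style="visibility:hidden"></iframe>
<div style="display:none"><iframe src="//ek.example.invalid/index.php" width="0" height="0"></iframe></div>
</body></html>
"""


def _is_hidden_style(style):
    """True for inline CSS that hides the element from the user."""
    s = (style or "").replace(" ", "").lower()
    return "display:none" in s or "visibility:hidden" in s


def _tiny(attrs):
    """True when width or height is 0 or 1 pixel (the classic 1x1 iframe)."""
    try:
        w = int(str(attrs.get("width", "100")).rstrip("px"))
        h = int(str(attrs.get("height", "100")).rstrip("px"))
    except ValueError:
        return False
    return w <= 1 or h <= 1


class IframeCollector(HTMLParser):
    """Collects every <iframe> together with a flag saying whether any
    enclosing element hides it via inline CSS.  Open tags are tracked on a
    simple stack; void elements without end tags (e.g. <br>) are ignored
    for this illustration."""

    def __init__(self):
        super().__init__()
        self.stack = []      # one bool per open ancestor: hidden or not
        self.iframes = []    # (attrs dict, inside_hidden_ancestor)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe":
            self.iframes.append((a, any(self.stack)))
        self.stack.append(_is_hidden_style(a.get("style")))

    def handle_endtag(self, tag):
        if self.stack:
            self.stack.pop()


def find_suspicious_iframes(html, page_host):
    """Return iframes that are both concealed and point off-site.
    page_host is the hostname the page itself was served from."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs, inside_hidden in parser.iframes:
        src = attrs.get("src") or ""
        # scheme="http" lets protocol-relative "//host/..." sources parse.
        host = urlparse(src, scheme="http").hostname
        third_party = bool(host) and host != page_host
        concealed = _tiny(attrs) or inside_hidden or _is_hidden_style(attrs.get("style"))
        if third_party and concealed:
            reasons = []
            if _tiny(attrs):
                reasons.append("tiny dimensions")
            if inside_hidden or _is_hidden_style(attrs.get("style")):
                reasons.append("hidden via CSS")
            findings.append({"src": src, "host": host, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_iframes(SAMPLE_HTML, "www.example.com"):
        print(f["host"], f["src"], ", ".join(f["reasons"]))
```

The same-origin 640x360 iframe is left alone; only the two concealed off-site frames are reported, which is the combination worth escalating to a sandbox or IPS review. A real deployment would feed it the final page of the redirect chain rather than the initial Facebook link, since the iframe is only present on the last hop.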
Whether or not a compromise occurs, if the victim follows through believing they can make money, the attacker can lead them to click ‘Like’ buttons or share a third-party link, earning the attacker money in the process. Where the computer has been compromised, the attacker can also use it to perform further actions and keep the scam going.
The attacker may entice victims to share the following links, or the links may be shared automatically if the victim’s computer has been compromised.
The landing page is for the Nuclear exploit kit. Previously, the Nuclear exploit kit was known for exploiting the Oracle Java SE Rhino Script Engine Remote Code Execution Vulnerability (CVE-2011-3544), the Oracle Java SE and Java for Business JRE Trusted Method Chaining Remote Code Execution Vulnerability (CVE-2010-0840), and the Adobe Acrobat and Reader Remote Code Execution Vulnerability (CVE-2010-0188).
The current version of the Nuclear exploit kit exploits the Microsoft Internet Explorer Use-After-Free Remote Code Execution Vulnerability (CVE-2013-2551) and the Oracle Java SE Remote Code Execution Vulnerability (CVE-2012-1723).
After successfully exploiting a vulnerability, the Nuclear exploit kit drops Trojan.Ascesso.A. Trojan.Ascesso.A is known for sending spam emails and downloading other files from a remote location.
The regions most affected by the Nuclear exploit kit have been North America and Europe.
Figure 3. Regions affected by Nuclear exploit kit
Symantec has had detections in place against the Nuclear exploit kit since 2012, so customers with updated IPS and antivirus signatures are protected against this attack. We also advise that users regularly update their software to prevent attackers from exploiting known vulnerabilities.