Facebook Messenger’s “It’s you?” Virus Re-Emerges as a Major Threat

I recently received a notification from a family member through Facebook Messenger. It was a simple message which showed a YouTube logo. The message said, “It’s you?”, and nothing more. The link, on a PC, went through Facebook to the supposed YouTube video. On my Android device, it just showed a link to garotoo.xyz above the logo. Although the .xyz top-level domain is legitimate, it is often used by scammers to make their destinations look legitimate. But since the URL said nothing about YouTube, I figured something was up.

I copied the link and tried it on the Tor browser to see what would happen. Interestingly, it took me to a YouTube video that had nothing to do with me. It was just some generic video about enjoying summer. It is quite likely that the scammers were prepared for being accessed through a Tor exit node and so allowed the video to be played. All Tor exit nodes are publicly listed so they can be factored into any scam.

Others who clicked on the link claimed that it went to a fake Facebook login page. This is a red flag: a Facebook login is normally required to read Messenger in the first place, so a link opened from a message while you are already logged into Facebook should never ask you to sign into Facebook again simply to view a video. If Messenger is being used independently of Facebook, that’s a different story. Of course, if you have no Facebook account, you have nothing to worry about. Messenger does not need a Facebook account for you to use it.

The key to this scam, or any successful scam, is the hook. It was possible that my relative found something about me or some mention of me in a YouTube video and sent me the link. The hook was sufficiently vague, and who wouldn’t want to see a video that they may have appeared in? Other hooks have been used in this scam, among them “This video is yours?”, “You are in this video?”, and “Is this your video?” A more sinister version is now making the rounds in Europe. It includes the name of the contact, as in “It’s you? (contact name)”. The message will look like this and will include the contact’s profile picture to make it look more legitimate to the person getting the message.

[Screenshot: scam message showing the contact’s name and profile picture]

Sometimes, the attack will take this form.

[Screenshot: alternative form of the scam message]

While others will suggest you’ve been caught in some compromising position.

[Screenshot: message suggesting the recipient was caught in a compromising position]

Although sometimes you may be asked to log in to a fake page, these new scams will take you to what appears to be a YouTube page and then tell you that you need to install something to watch the video. If you do this, malware will be downloaded onto your computer or device. Note as well that in some of these messages the real URL is hidden behind a bit.ly short link.

If the downloaded malware is a RAT (Remote Access Trojan), the attackers can capture your login credentials for any site you sign into. They could then take over your Facebook account by changing your password and use it to send the same scam message to all of your contacts, and there will be nothing you can do about it because they are now the owners of your account.

If you get such a message from one of your contacts, it’s possible that the person does not know that their account has been taken over. In this case, you need to inform them. Do not inform them through Messenger because, in most cases, they no longer control that account. Scammers have also been known to answer messages sent to them to keep themselves from being reported. Instead, email them or give them a call. Yes, it’s possible that they have also lost access to their email accounts, but maybe not.

One of the latest versions of this scam uses the target’s own profile picture to trick them into clicking. The fake video leads to a Google Doc page with the victim’s profile picture and a play button overlaid on it that makes it appear to be a video. Unfortunately, clicking this fake play button leads to a site that determines what browser the victim is using. If the victim is using Firefox, they will be offered a fake Flash Player update. If they are using Chrome, they will be offered a malicious Chrome browser extension to install. Mac users will be offered the latest Media Player update. And, as mentioned above, Tor users will be served up a harmless video. This is probably not your profile picture, but if it was, an infected version could look like this.
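As an added example (not part of the original post), a small Python triage helper that scores a Messenger message for the traits described above (hook phrase, shortened link, the .xyz domain, YouTube branding on a non-YouTube link, the recipient’s own name) and probes a link with several browser profiles to reveal the browser-dependent payload selection just described. The user-agent strings, `fake_fetch` and the example.invalid landing URLs are constructed stand-ins so the code runs offline.

```python
import re
from urllib.parse import urlparse

# Hook phrases quoted in the post, normalised to lowercase letters and spaces only.
HOOKS = ("its you", "this video is yours", "you are in this video", "is this your video")
SHORTENERS = {"bit.ly", "bitly.com"}      # the post notes the URL is often hidden in a bitly link
RISKY_TLDS = {"xyz"}                        # legitimate TLD, but the one this campaign used
VIDEO_HOSTS = ("youtube.com", "youtu.be")

def message_risk(text, url, recipient_name=None, preview_brand=None):
    """Score one Messenger message for the traits the post describes.
    Returns (score, reasons); a score of 2 or more is worth verifying out of band."""
    reasons = []
    norm = re.sub(r"[^a-z ]", "", text.lower())   # "It’s you?" -> "its you"
    host = (urlparse(url).hostname or "").lower()
    if any(hook in norm for hook in HOOKS):
        reasons.append("known hook phrase")
    if host in SHORTENERS:
        reasons.append("destination hidden behind a link shortener")
    if host.rsplit(".", 1)[-1] in RISKY_TLDS:
        reasons.append("TLD used by this campaign")
    if preview_brand and preview_brand.lower() == "youtube" and not host.endswith(VIDEO_HOSTS):
        reasons.append("YouTube preview but link does not go to YouTube")
    if recipient_name and recipient_name.lower() in text.lower():
        reasons.append("recipient's own name used to personalise the hook")
    return len(reasons), reasons

# Browser profiles for the cloaking probe (user-agent strings are assumed sample values).
PROFILES = {
    "firefox": "Mozilla/5.0 (Windows NT 10.0; rv:115.0) Gecko/20100101 Firefox/115.0",
    "chrome": "Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0 Safari/537.36",
    "mac_safari": "Mozilla/5.0 (Macintosh; Intel Mac OS X 13_5) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.5 Safari/605.1.15",
}

def probe_cloaking(url, fetch):
    """fetch(url, user_agent) must return the final landing URL after redirects.
    Returns ({profile: landing}, cloaked): cloaked is True when the profiles land on
    different pages, i.e. the per-browser payload selection the post describes."""
    landings = {name: fetch(url, ua) for name, ua in PROFILES.items()}
    return landings, len(set(landings.values())) > 1

def fake_fetch(url, user_agent):
    """Constructed stand-in for a real HTTP client, modelled on the post's description;
    swap in urllib/requests (follow redirects, return the final URL) for a live check."""
    if "Firefox" in user_agent:
        return "https://example.invalid/flash_player_update.exe"
    if "Chrome" in user_agent:          # must precede Safari: Chrome UAs also contain "Safari"
        return "https://example.invalid/chrome_extension"
    return "https://example.invalid/media_player_update.dmg"
```

A live probe should be run from an isolated analysis host, since the landing pages are the malware delivery points themselves.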

[Screenshot: fake video built from a profile picture with a play button overlaid on it]

Keep in mind that these Messenger attacks are not harmless. They might only lead to getting more spam, but they could be far more damaging. In the past, these Messenger ploys led to ransomware attacks and the installation of banking Trojans. You could have all of your files encrypted until you pay a ransom in Bitcoin, or you could have your entire bank account cleaned out. In other words, be vigilant. Any video, even if it is from a contact and even if it contains your name, can be dangerous. Be especially cautious of any video that is too enticing, that is, any video that makes you curious. Curiosity does not only kill the cat.
