Eko Malware Targets Facebook Users

Written by

A malware called Eko has been landing in Facebook Messenger inboxes since last week.

Eko subjects users to unwanted advertisements, and can spy on users, collecting their personal data, including bank account details.

 So far the scourge is limited to French users, who have complained about malicious spam landing in their private message (PM) inboxes, purporting to be from network contacts. Essentially, the threat makes itself appear to be a video about the recipient from a friend on Facebook.

The PMs contain the receiver’s profile picture (or other picture), the receiver’s name, the word “Video” juxtaposed beside the receiver’s name, a link that says “xic.graphics” under the image, which is a fake YouTube video.

Once recipients see the message from a contact, who may likely be compromised by this same social engineering tactic, and click the link, they then receive a notification asking them to install a Chrome browser extension, which is actually the Eko malware. Affected user accounts then send similar messages to all their Facebook Messenger contacts.

Facebook scammers have used the lure of videos for years. With the number of users sharing and watching videos by the billions within the social platform, it’s no surprise that criminals have capitalized on this for their malicious purposes.

“Note that this isn’t the first time we’ve seen online criminals employ this lure,” said Malwarebytes researchers, in a blog. “Twitter users have been plagued with a direct message (DM) from purported contacts that were compromised back in 2011, asking recipients if it was them on a video link. Then recently, several Steam users have reported receiving chat messages with a link to a video from accounts that were believed to be taken over by criminals to spread malware.”

Facebook said that it is mitigating this threat, and the Interior Ministry in France already warned contacts on Facebook about Eko. Users who are affected are advised to uninstall the extension and change their passwords, specifically on Facebook and other protected accounts they may have accessed.

Photo © Genier Tivadar/Shutterstock.com

What’s hot on Infosecurity Magazine?