May 22, 2010

Warning for "Distracting Beach Babes" on Facebook

Patrik Runald

For the second Saturday in a row Facebook users have had to deal with Facebook malware in the form of what looks like sexy videos but are in fact malicious apps.

This time the scam is spread in messages like this:

Just like in the previous malware attack, what happens if you click on the link is that you'll be taken to an application installation screen that requests access to your profile and access post on your wall:

This allows the application to send its message to your friends and post it on their walls. Once the user clicks Allow a page is displayed asking them to update their FLV Player which prompts the download of the malicious file:

While all the download sites for the file was unavailable at the time of writing, this attack is exactly the same as last weekend's so it's very probable that the file was yet another Hotbar Adware installer. If you haven't seen the video of how this attack works you can check it out on our YouTube channel. Facebook is aware of the problem and are actively removing both the wall posts and the malicious applications.

Taking a look at the malicious application's information page you can see that over 1,100 users "Like" it and every time the page is refreshed the amount of fans increase.

According to the page Gale Shull is the developer of the application but it's probably safe to say that it's a fake account. We did send "her" a friend request so we will update the page if she accepts it.

How to remove the malicious application

If you have installed the application but did not install the fake video player, we advise you to remove the application from your application settings. You do this by clicking on "Account -> Application Settings" in the top-right corner of your Facebook page. You will now see a list of all applications that can access your Facebook profile. Find the one that you just installed, in this case it's "Video wave". Just click on the X to remove it and click on "Remove" when asked. Just be careful not to remove applications that you would like to keep as there is no way to undo the removal except to reinstall it. If you also installed the fake video player make sure you scan your PC with an up-to-date antivirus software.

In addition, we advise users who installed the malicious application to change their Facebook password.

We certainly hope that "a new malware scam on Facebook every Saturday" won't turn into a trend.


Upon further investigation we found that over 99 different malicious applications were used in this and last weekends attacks.

About Forcepoint

Forcepoint is the leading user and data protection cybersecurity company, entrusted to safeguard organizations while driving digital transformation and growth. Our solutions adapt in real-time to how people interact with data, providing secure access while enabling employees to create value.