Simple Facebook Notification Infects Over 10,000 Users in Just 48 Hours


Thousands of users have been infected by Facebook malware that tries to take over their accounts. This latest phishing scheme works in two parts, starting from an ordinary-looking Facebook notification. Click on this notification, and the phishing scam will launch a two-stage attack on your account.

Facebook malware infects users with a simple "tag"

Receiving a Facebook notification informing you of a mention by a friend is almost the norm, and we never think twice before clicking on it. That simple action can now lead to a lot more than just a stupid video share by a friend, as cyber criminals are using it to target users.

Facebook is one of the top social media networks, used by billions around the world. As with all the other popular platforms, Facebook’s fame also makes it an attractive target for criminals to run malicious campaigns. In one of these campaigns, criminals have launched a two-stage attack that starts when a user clicks on the mention. "A malicious file seized control of their browsers, terminating their legitimate browser session and replacing it with a malicious one that included a tab to the legitimate Facebook login page. This was designed to lure the victim back into the social network site," researchers at Kaspersky warned in a blog post.


Once the user logged back into Facebook, the victim's session was hijacked and a new malware file was downloaded. This malware file was coded to change privacy settings, and included account-takeover and account-data extractor scripts that could be used for further malicious activities. Identity theft, spam, fraudulent likes and shares, and more could be initiated once an account is stealthily taken over. Before all this, however, the malware starts working by sending the same phishing notification to all the victim's friends. Yes, we are back to those old malware tactics.

Kaspersky Lab was informed of this phishing scam on June 26th, and during their investigation found over 10,000 victims in the space of the next 48 hours. The attack was unleashed on Facebook users globally, with most affected in Brazil, Poland, Peru, Israel, and Mexico.


Confirm if you were a victim of this Facebook malware scam

  • Open Chrome on your Windows device
  • Look for the extension named thnudoaitawxjvuGB


  • Go to Start > Run
  • Copy and run this command
    • %AppData%\Mozila
  • Look for folders and files like "autoit.exe" and "ekl.au3"

If you find these files, your computer is most likely infected.
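
The same two checks can be run as a script for the current Windows user. This PowerShell is an added example, not code from Kaspersky or from the original article; the extension name, folder and file names are the ones listed above, and the Chrome data path under %LocalAppData% is assumed to be the default install layout.

```powershell
# Indicator values are the ones listed in the article above.
$extensionName = 'thnudoaitawxjvuGB'
$dropFolder    = Join-Path $env:APPDATA 'Mozila'   # spelled as in the article
$dropFiles     = @('autoit.exe', 'ekl.au3')
# Assumption: default per-user Chrome data directory on Windows.
$chromeData    = Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data'

$findings = @()

# Check 1: compare the "name" field of every installed extension's manifest.json.
# A manifest that stores its name as a localized __MSG_...__ placeholder will not match here.
if (Test-Path -LiteralPath $chromeData) {
    $manifests = Get-ChildItem -LiteralPath $chromeData -Directory -ErrorAction SilentlyContinue |
        ForEach-Object { Join-Path $_.FullName 'Extensions' } |
        Where-Object { Test-Path -LiteralPath $_ } |
        ForEach-Object { Get-ChildItem -LiteralPath $_ -Recurse -Filter 'manifest.json' -File -ErrorAction SilentlyContinue }
    foreach ($file in $manifests) {
        try {
            $manifest = Get-Content -LiteralPath $file.FullName -Raw -ErrorAction Stop | ConvertFrom-Json
        } catch {
            continue   # unreadable or malformed manifest: skip it
        }
        if ($manifest.name -eq $extensionName) {
            $findings += [pscustomobject]@{ Indicator = 'Chrome extension'; Path = $file.DirectoryName }
        }
    }
}

# Check 2: look for the listed files under %AppData%\Mozila.
if (Test-Path -LiteralPath $dropFolder) {
    $hits = Get-ChildItem -LiteralPath $dropFolder -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $dropFiles -contains $_.Name }
    foreach ($hit in $hits) {
        $findings += [pscustomobject]@{ Indicator = 'Dropped file'; Path = $hit.FullName }
    }
}

if ($findings.Count -gt 0) {
    $findings | Format-Table -AutoSize
    Write-Warning 'Indicators from the article were found; this machine is most likely infected.'
} else {
    Write-Output 'None of the listed indicators were found for this user profile.'
}
```

The script only reads files and reports paths; it covers the profile of the user who runs it, so repeat it for each account on a shared machine.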

Facebook has now fixed this threat, and "is blocking techniques used to spread malware from infected computers." Google has also removed the extensions that were used to launch these attacks from its Chrome Web Store. The malware affected users on the Windows operating system and possibly on Windows Mobile devices too. Researchers said that iOS and Android were totally immune to this attack because the malware libraries weren't compatible with these mobile operating systems.