A friend’s Facebook account sent a message with a video link titled, “When was this video?” My hackles were raised because:
- I rarely get messages from this person.
- It reminded me of the Is This You video Facebook Messenger virus.
If you clicked on either, then go to the link on #2 to get advice on kicking off the program with access to your account.
I grabbed the link, https://mnch.at/r?act=48a93ac45jkbhf455465548bc&u=236764556620374&p=112045350166462&h=c2446617ed and had wget download the content safely. It took a couple iterations having it ignore the SSL mismatch and supply a “valid” browser user-agent.
It looks like this new to me version uses a Web Bot service called Manychat to propagate. mnch.at is a short DNS name for it. That posts to the /r URI with the act variable. That redirects to Facebook. Unfortunately, the Facebook HTML is obtuse to read, so I stopped here. I miss the days of hackers using simple HTML on compromised web servers.
Being able to host it in Facebook makes it more difficult to discover what they are doing.
If you go to manychat.com/r, then it has a redirect to send your browser to Facebook. I’m thinking the hackers are exploiting the trust of manychat to get a way to come to Facebook in a way that looks natural to tools looking to block malicious traffic. Sneaky.