Facebook 'colour change' malware resurfaces, infects 10,000 users
One of the oldest Facebook scams is back — again.
The colour change scam tricks users into downloading malware via a site that claims to let users change the colours of their Facebook profile.
The latest iteration of the scam has already affected more than 10,000 people around the world, according to Cheetah Mobile, a Chinese internet company that highlighted the most recent appearance of the scam in its blog.
The malware begins by advertising an app that tells Facebook users they can change the colour theme of their profile. Download the app and you're directed to a malicious phishing site, according to Cheetah Mobile's security researchers.
The website targets users in two ways. First it steals the users' Facebook Access Tokens by asking them to view a colour changer tutorial video.
Temporary access to the tokens allows hackers to connect to the user’s Facebook friends.
If a user doesn’t view this video, the site then tries to get them to download the malicious application. If a user is on a PC, the site leads them to download a pornographic video player. If the user is on an Android device, the site issues a warning saying the device has been infected and advises users to download a suggested app.
Though the scam has been debunked repeatedly over the last two years, again and again, it seems like it just won't go away.
The problem, according to Cheetah Mobile, stems from "a vulnerability that lives in Facebook’s app page itself, allowing hackers to implant viruses and malicious code into Facebook-based applications that directs users to phishing sites."
It's not clear if Facebook plans to fix this vulnerability. The company did not immediately respond to a request for comment.
Anyone who has already fallen victim to the scam should uninstall the app immediately (this can be done from the "app" menu in your Facebook settings) and change their Facebook password.
Cheetah Mobile also recommends disabling Facebook's apps platform altogether—to ensure other malicious apps can't be installed in the future— but this will affect your ability to use third-party apps that rely on Facebook for login or other information.
This post originally appeared on MASHABLE