Ow.ly plus AWS plus Box roped into worm-spreading spree

Users with a bent for nasty content and too much trust in shortened links are helping to spread a Facebook worm, according to researchers at Malwarebytes.

Senior researcher Jérôme Segura has documented a Kilim-family worm that attracts users by promising smut with a link that's been shrunk by link-shortening service ow.ly.

The victim of the attack is either redirected to an offer site (if they're on mobile, because they're not going to be a useful target), but if they're on a Windows box, they get hit by a trojan downloader hosted on a Box storage account.

However, Segura notes, a fair whack of redirect happens between click and attack: the first ow.ly link redirects to a second ow.ly link; that redirects to an AWS link, which redirects to another site that points to the downloader.

The malicious file is a Chrome extension, and the malware creates a Chrome shortcut that “launches a malicious app in the browser directly to the Facebook Website”, Segura writes.

The malware blocks the ability to check chrome://extensions/ so as to hide itself, and posts the lure message to the victim's friends to keep itself spreading.

Since “don't click on that link” is the kind of advice users routinely ignore and have done ever since Anna Kournikova photos were a thing, The Register will skip it.

Vulture South will, however, note that sites like Unfurlr.com are a great place to check the destination of shortened links. ®