{"id":3702,"date":"2017-09-07T11:57:33","date_gmt":"2017-09-07T08:57:33","guid":{"rendered":"https:\/\/www.kaspersky.com.tr\/blog\/?p=3702"},"modified":"2019-11-15T14:48:54","modified_gmt":"2019-11-15T11:48:54","slug":"facebook-messenger-malware","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com.tr\/blog\/facebook-messenger-malware\/3702\/","title":{"rendered":"Malware Spreading via Facebook Messenger Mass Messages"},"content":{"rendered":"<p>Some time ago David Jacoby, one of the antivirus experts on our Global Research and Analysis Team (GReAT), discovered multi-platform malware spreading through Facebook Messenger. A few years ago similar outbreaks were quite common. However, thanks to Facebook\u2019s efforts to block such attacks, no attack of this kind had been seen until recently.<\/p>\n<p>First, a <a href=\"https:\/\/securelist.com\/new-multi-platform-malwareadware-spreading-via-facebook-messenger\/81590\/\" target=\"_blank\" rel=\"noopener\">preliminary report was published<\/a>. At that time Jacoby had not had the time to investigate the details of how this malware works. But now he has the time, and we are <a href=\"https:\/\/securelist.com\/dissecting-the-chrome-extension-facebook-malware\/81716\/\" target=\"_blank\" rel=\"noopener\">ready<\/a> to share the details. 
From the user\u2019s point of view, the attack proceeds as follows:<\/p>\n<ul>\n<li>The user receives a message from a friend via Facebook Messenger. The message contains the word \u201cVideo\u201d, the sender\u2019s name, a random smiley, and a short link. For example, the message may look like this:<\/li>\n<\/ul>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-3704\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/91\/2017\/09\/07113001\/malicious-link-screenshot.png\" alt=\"\" width=\"261\" height=\"334\"><\/p>\n<ul>\n<li>The link redirects to Google Drive, where the user sees something resembling a video player with the original sender\u2019s picture in the background and what looks like a Play button.<\/li>\n<li>If the victim tries to play the \u201cvideo\u201d in Google Chrome, they are redirected to a page that closely resembles YouTube and are prompted to install a Chrome extension.<\/li>\n<li>If the user accepts the installation, the extension starts sending malicious links to the user\u2019s friends, and the same algorithm is repeated for every person who receives the link.<\/li>\n<li>Users of other browsers, instead of being offered an extension, are repeatedly reminded that they need to update Adobe Flash Player. The file they download is actually adware. 
In other words, the people spreading the malware essentially use advertising to make money.<\/li>\n<\/ul>\n<p>Jacoby and Frans Rosen, a researcher with whom he works on the project \u201c<a href=\"https:\/\/www.kaspersky.com\/blog\/hunting-bugs-for-humanity\/14738\/\" target=\"_blank\" rel=\"noopener nofollow\">Hunting bugs for humanity<\/a>\u201d, analyzed this malicious campaign and worked out how it operates.<\/p>\n<p>The page that users reach after clicking the link in Facebook Messenger is actually a PDF file published on Google Drive. It opens as a preview. The file contains a picture from the Facebook page of the user (the person whose identity is being used to spread the malware), an icon over the picture for playing the video, and a link that the victim opens when trying to click the play button.<\/p>\n<div id=\"attachment_3705\" style=\"width: 1331px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-3705\" class=\"wp-image-3705 size-full\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/91\/2017\/09\/07113106\/google-drive-pdf.jpeg\" alt=\"\" width=\"1321\" height=\"732\"><p id=\"caption-attachment-3705\" class=\"wp-caption-text\">Clicking the link takes users to this page.<\/p><\/div>\n<p>\u00a0<\/p>\n<p>The link triggers multiple redirects and lands the user on one of several websites. 
People using a browser other than Google Chrome are directed to a website that urges them to download adware disguised as an Adobe Flash Player update.<\/p>\n<div id=\"attachment_3706\" style=\"width: 890px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-3706\" class=\"wp-image-3706 size-full\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/91\/2017\/09\/07113414\/flash-player-update-screenshot.jpg\" alt=\"\" width=\"880\" height=\"470\"><p id=\"caption-attachment-3706\" class=\"wp-caption-text\">Users of browsers other than Google Chrome are only offered adware disguised as Adobe Flash Player.<\/p><\/div>\n<p>\u00a0<\/p>\n<p>For Chrome users, however, this is only the beginning: if the victim agrees to install the extension offered on the landing page, the extension starts monitoring the websites the user opens. 
As soon as the user opens Facebook, the extension steals the <a href=\"https:\/\/developers.facebook.com\/docs\/facebook-login\/access-tokens\/\" target=\"_blank\" rel=\"noopener nofollow\">login credentials<\/a> and access token and sends them to the attacker\u2019s server.<\/p>\n<div id=\"attachment_3707\" style=\"width: 1325px\" class=\"wp-caption alignnone\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-3707\" class=\"wp-image-3707 size-full\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/91\/2017\/09\/07113729\/fake-youtube-screenshot.jpeg\" alt=\"\" width=\"1315\" height=\"677\"><p id=\"caption-attachment-3707\" class=\"wp-caption-text\">The fake YouTube page prompts you to install a Google Chrome extension.<\/p><\/div>\n<p>\u00a0<\/p>\n<p>The scammers found an interesting bug in Facebook. It turns out that Facebook Query Language (FQL), which was <a href=\"https:\/\/developers.facebook.com\/docs\/reference\/fql\/\" target=\"_blank\" rel=\"noopener nofollow\">disabled a year ago<\/a> and had been found to be insecure, was not removed entirely; it was blocked for applications, with a few exceptions. For example, Facebook Pages Manager, an iOS application, still uses FQL. So to reach this \u201clocked\u201d feature, the malware only needs to pretend to be that application.<\/p>\n<p>Using the stolen credentials and with access to this legacy Facebook feature, the scammers can request the victim\u2019s contact list from the social network. 
They can filter out those who are not online at that moment and pick 50 new victims at random from the rest. Next, a PDF file is generated using the picture of the person in whose name the new wave of messages is being launched. The Google Drive link to this file is sent to the other users as a mass message. The result is a vicious circle.<\/p>\n<p>It is worth noting that the malicious script also \u201clikes\u201d a specific Facebook page in order to collect statistics on the outbreak. Jacoby and Rosen observed that during the attack the perpetrators switched these pages as Facebook shut down the old ones. Judging by the number of \u201clikes\u201d, tens of thousands of people were affected by this attack.<\/p>\n<div id=\"attachment_3708\" style=\"width: 2164px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-3708\" class=\"wp-image-3708 size-full\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/91\/2017\/09\/07113906\/beautiful-videos-screenshot.png\" alt=\"\" width=\"2154\" height=\"722\"><p id=\"caption-attachment-3708\" class=\"wp-caption-text\">One of the Facebook pages that infected users unknowingly \u201cliked\u201d<\/p><\/div>\n<p>\u00a0<\/p>\n
<p>When the researchers analyzed the code, they saw that the perpetrators had initially planned to use <a href=\"https:\/\/cdn.securelist.com\/files\/2017\/08\/170831-facebook-malware-17.png\">localized messages<\/a> but later changed their minds and settled on just the short and simple word \u201cVideo\u201d. The code of the localization function showed that the scammers were mainly targeting many European countries such as Turkey, Italy, Germany, Portugal, France (and also French-speaking Canada), Poland, Greece, Sweden, and other countries where English is spoken.<\/p>\n<p>Thanks to the joint efforts of several companies, the spread of the outbreak has been stopped for now. Still, this incident can serve as an excellent reminder that browser extensions are not as harmless as they seem. To stay safe and avoid becoming a target of similar malicious campaigns, do not install browser extensions unless you are fully confident that they are safe, will not steal your data, and will not track your online activity.<\/p>\n<input type=\"hidden\" class=\"category_for_banner\" value=\"gandalf30\">\n<p>Also, clicking every link, including links that appear to come from someone you know, is definitely a mistake. 
It is always a good idea to make sure that the person on the other end really is your friend and not a criminal who has taken over your friend\u2019s account.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Some time ago David Jacoby, one of the antivirus experts on our Global Research and Analysis Team (GReAT), discovered multi-platform malware spreading through Facebook Messenger. A few years ago similar outbreaks were quite common. However, thanks to Facebook&#8217;s efforts to block such attacks, no attack of this kind had been seen until recently.<\/p>\n","protected":false},"author":421,"featured_media":3703,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1351],"tags":[20,1027,74,36,553],"class_list":{"0":"post-3702","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-threats","8":"tag-facebook","9":"tag-facebook-messenger","10":"tag-google-chrome","11":"tag-malware-2","12":"tag-zararli-yazilim-2"},"hreflang":[{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/facebook-messenger-malware\/3702\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/facebook-messenger-malware\/11170\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/facebook-messenger-malware\/9241\/"},{"hreflang":"ar","url":"https:\/\/me.kaspersky.com\/blog\/facebook-messenger-malware\/4976\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/facebook-messenger-malware\/12546\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/facebook-messenger
-malware\/11744\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/facebook-messenger-malware\/11224\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/facebook-messenger-malware\/14287\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/facebook-messenger-malware\/14169\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/facebook-messenger-malware\/18565\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/facebook-messenger-malware\/18412\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/facebook-messenger-malware\/9451\/"},{"hreflang":"pl","url":"https:\/\/plblog.kaspersky.com\/facebook-messenger-malware\/7317\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/facebook-messenger-malware\/14547\/"},{"hreflang":"zh","url":"https:\/\/www.kaspersky.com.cn\/blog\/facebook-messenger-malware\/8392\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/facebook-messenger-malware\/17753\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/facebook-messenger-malware\/17810\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/facebook-messenger-malware\/17791\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com.tr\/blog\/tag\/facebook\/","name":"Facebook"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/posts\/3702","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/users\/421"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/comments?post=3702"}],"version-history":[{"count":3,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/posts\/3702\/revisions"}],"predecessor-version":[{"id":7035,"href":"htt
ps:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/posts\/3702\/revisions\/7035"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/media\/3703"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/media?parent=3702"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/categories?post=3702"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/tags?post=3702"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}