Users of the popular Facebook game "Farm Town" were hit with a rogue antivirus
scam tied to malicious advertising.

SlashKey, the developer behind "Farm Town," issued a warning about the malware
scam, which drew hundreds of comments to its user forum.

According to findings posted by researcher Sandi Hardmeier, the ad in question
was a banner advertisement for greeting cards. If it is displayed, the user is
redirected to various sites and eventually lands on one pushing rogue antivirus.

“If you suddenly get a warning that your computer is infected with viruses
and you MUST run this scan now, DO NOT CLICK ON THE LINK,
CLOSE THE WINDOW IMMEDIATELY,” SlashKey warned in a post
to its user forum. “You should then run a full scan with your antivirus
program to ensure that any stray parts of this malware are caught and
quarantined.”

Reports of users getting infected continued to come through early this
morning (EDT); however, Hardmeier has since posted in the user forum that the
ad network serving the malicious ad has identified and disabled it.

The issue of malicious advertisements is not new. In fact, just last week Blue
Coat Systems reported that several major ad-serving networks appeared to have
been tricked into including ads from a partner site, Daniton.com, which had
malicious JavaScript in some of its banner ads. When the JavaScript decrypted
itself, a malicious iFrame was injected into the host page. The iFrame in turn
instructed the user's browser to call a malware server and download a malicious
PDF file.

“The daniton.com site appears to have been registered back in January,
and I could only find one site that mentions it with any connection to
malware—and that just mentions it in passing,” blogged Chris Larsen, senior
malware researcher at Blue Coat. “Accordingly, my best
guess is that the Bad Guy behind daniton.com probably spent some time carefully
building up a clean reputation as an ad server so that it would be trusted by
the bigger ad networks—and then he threw the switch to start serving the
malware.”

As for the "Farm Town" situation, Hardmeier noted the attack was blocked by
Google Chrome, though not by Internet Explorer. Apple Safari also blocked the
attack, according to reports in the user forum. Though the problem appears to
have been addressed for now, several questions remain to be answered, the
researcher noted, such as how the advertisement was accepted in the first place
and what training the "Farm Town" staff needs to avoid future incidents.

The game is among the most popular applications on Facebook and has more than
9.6 million users.

“Hundreds of Farm Town players have responded on the forum, saying that they
have been on the receiving end of the attack—but the worry is that many, many
more users may not have seen the warning and could have been tricked by the
fake antivirus warnings into infecting their computers or handing over personal
information,” blogged Graham Cluley, senior technology consultant at Sophos.