The scam first appears as a message in a Facebook group, promising nude videos of a female celebrity. Possible choices include Jessica Alba, Kim Kardashian and Jennifer Lawrence.
That's tempting, perhaps, but the accompanying text is anything but promising: “found it on youtube... if you are on mobile you need to install Google PDF viewer from play store to watch this video. OMG it's really you.” If your Facebook friends actually talk like this, consider finding new friends.
Cyren, a security firm based in McLean, Virginia, discovered this scam and wrote about it on the company’s blog.
The takeaway here is the same as always: Don’t click on poorly written Facebook scams that promise pornographic videos. (Frankly, there are safer and more reliable ways to access risqué content online.)
Your first clue that the message isn’t legit (or your second or third, depending on how dismissive you are of poor grammar and obviously fake celebrity nude photos) should be the attached file. The file is a PDF, even though it includes an MP4 in the description just to mislead people. PDFs are, obviously, not video files.
If you’re unlucky or gullible enough to open the PDF, you’ll see a half-nude picture of ... someone. (Celebrity? Random person from YouTube? Some mysteries are beyond the ken of mortal man.) A “play” button on top of the picture links to a malicious website. For Internet Explorer, Firefox and Safari, the malicious site displays fairly innocuous stuff — more nude scams and fake lotteries.
If you're using Google Chrome, however, things get really ugly. The link will instead lead to a phony YouTube copycat, which insists that users have to install a Chrome browser extension before viewing the promised salacious video. The Chrome extension infects your Facebook account, propagating the sex-tape scam with randomized celebrities and in the local language. Then, it blocks Chrome’s ability to access popular antivirus and anti-malware sites, meaning the extension will be that much harder to get rid of.
If you’ve already installed the extension, a good antivirus program will clean up most of the gunk on your system. After that, you’ll need to do a little registry cleanup.
In the Registry Editor (type “regedit” into the command line on Windows), find HKEY_LOCAL_MACHINE\Software\Google\Chrome\Extension, then delete whichever entries look questionable. (Go ahead and delete everything; you can always reinstall your legitimate extensions later.) Then, go to C:\Users\USER\AppData\Local\Google\Chrome\User Data\Default\Extensions, and delete the illicit extension's folder directly. Running a program like CCleaner afterward to excise the data once and for all wouldn’t hurt, either.
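
To decide which folder in that Extensions directory is the questionable one, the following added example (not code from this article or from Cyren) reads each extension's manifest.json and flags those that can intercept page loads on broad sets of sites, which is the capability the scam extension needs to reach Facebook and block antivirus sites. The permission heuristic, the function names and the two sample extensions are assumptions constructed for illustration.

```python
import json
import os
import tempfile
from pathlib import Path

# Heuristic for this example (an assumption, not from the article): permissions
# that let an extension watch or block page loads, plus broad host patterns.
RISKY_PERMS = {"webRequest", "webRequestBlocking", "declarativeNetRequest", "tabs"}
BROAD_HOSTS = ("<all_urls>", "*://*/*", "http://*/*", "https://*/*", "facebook.com")

def audit_extensions(ext_root):
    """Return one finding per <id>/<version>/manifest.json under ext_root."""
    findings = []
    for manifest in sorted(Path(ext_root).glob("*/*/manifest.json")):
        try:
            data = json.loads(manifest.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            data = {}  # unreadable manifest: still report the folder
        if not isinstance(data, dict):
            data = {}
        perms = []
        for key in ("permissions", "host_permissions"):  # manifest v2 and v3
            value = data.get(key)
            if isinstance(value, list):
                perms += [p for p in value if isinstance(p, str)]
        risky = sorted(RISKY_PERMS.intersection(perms))
        hosts = sorted(p for p in perms if any(h in p for h in BROAD_HOSTS))
        findings.append({"id": manifest.parent.parent.name,
                         "name": data.get("name", "<unreadable manifest>"),
                         "risky": risky, "hosts": hosts,
                         "review": bool(risky and hosts) or not data})
    return findings

def build_sample_profile(root):
    """Constructed sample data: two made-up extensions with placeholder IDs."""
    samples = {
        "a" * 32 + "/1.0_0": {"name": "Constructed PDF Viewer", "permissions":
                              ["tabs", "webRequest", "webRequestBlocking", "<all_urls>"]},
        "b" * 32 + "/2.3_0": {"name": "Constructed Theme", "permissions": ["storage"]},
    }
    for rel, manifest in samples.items():
        folder = Path(root, rel)
        folder.mkdir(parents=True)
        (folder / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return root

if __name__ == "__main__":
    real = Path(os.environ.get("LOCALAPPDATA", ""), "Google/Chrome/User Data/Default/Extensions")
    root = real if real.is_dir() else build_sample_profile(tempfile.mkdtemp())
    for f in audit_extensions(root):
        print("REVIEW" if f["review"] else "ok    ", f["id"], f["name"], f["risky"], f["hosts"])
```

A REVIEW line is a prompt to look at that extension, not proof it is malicious; legitimate ad blockers and password managers request the same permissions.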