Celebrity's "Final Words" Fake Video Leads to PUP

The Life and Death of a “Facebook Video” Campaign

Today, we’re going to take a look at a fake video page doing a roaring trade in clicks across social networks, with links being sent out to multiple sites (note that you may need Google Translate to read the page).

The site in question (written in Turkish) claims to play host to a “Facebook Video” and encourages visitors to play by clicking the red button – which offers up an executable file.

Fake video

Despite commentary on various sites claiming this one “spreads” like a virus, in testing the file we obtained simply refused to run while also throwing out various errors.

It appears the files available may be in rotation and / or being re-rolled after takedowns, because this is what a passer-by will see if attempting to grab an executable at time of writing:


Given the mad rush of clicks has already peaked and flatlined (as you’ll soon see), they probably won’t bother to replace the dead links but it is possible there are fully functional copies still out there in the wild.

In terms of numbers, this one really took off. They used a Goo.gl shortening link for the file download (which we’ve reported), and that means we can take a look at the stats and see for ourselves how this one did:


In one day, they scored 130,062 clicks.

Normally, when a scammer uses a shortening service, they do it for the page they’re hawking – so you know how many people visited the URL, but you probably don’t know how many clicked on a rogue link inside the page such as a download.

Here, the shortened link leads directly to the EXE. So that’s 130,000 people who all specifically clicked the download link (of course, we don’t know how many ran the file or saw the download prompt then said “No thanks” and closed the tab but that’s a lot of direct clicks, however you look at it).

Some numbers:

Jun 30, 2014, 5:00:00 AM Clicks: 9,074

Jun 30, 2014, 6:00:00 AM Clicks: 18,389

Jun 30, 2014, 7:00:00 AM Clicks: 20,057

Jun 30, 2014, 8:00:00 AM Clicks: 16,893

Jun 30, 2014, 9:00:00 AM Clicks: 19,995

Jun 30, 2014, 10:00:00 AM Clicks: 15,915

Jun 30, 2014, 11:00:00 AM Clicks: 10,132

Jun 30, 2014, 12:00:00 PM Clicks: 5,576

Jun 30, 2014, 1:00:00 PM Clicks: 5,385

Jun 30, 2014, 2:00:00 PM Clicks: 4,929

Jun 30, 2014, 3:00:00 PM Clicks: 3,119

Jun 30, 2014, 4:00:00 PM Clicks: 622

Total number of clicks by region? Sure, we can look at those too.

Here come the biggest clickers for this campaign – and again, this is just from the URL in the first screenshot – we haven’t taken into account additional URLs pushing the same file(s). Of course, there may well be other sites out there we don’t know about.

Peru: 35,680

Columbia: 32,065

Philippines: 13,992

Venezuela: 12,672

Ecuador: 12,135

Very high numbers, and for what is essentially a rather lackluster looking fake video page with a small chunk of text on it.

It doesn’t even have fake Facebook comments or anything else designed to catch the eye. Even so, 100,000+ people decided to download a file they knew nothing about and potentially ran it on their PCs.

If you see pages trying hard to look a bit Facebook-ish and offering up videos, do the sensible thing and close the browser. More often than not, you’ll “just” be presented with a survey or mobile ringtone signup – other times, there’ll be a file knocking at the door and it simply isn’t worth the risk…no matter how tempting the people behind the file make things sound.

Christopher Boyd


Christopher Boyd

Former Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.