Facebook Scrambles to Pull Fake Clubhouse Ads Full of Malware
Facebook has taken down a collection of ads about a fake PC version of Clubhouse created by scammers attempting to implant malware on the computers of those who clicked on the ad, as first reported by TechCrunch. The ads linked to a website deceptively similar to the still iOS-exclusive social audio app’s real web address as a way of tricking people who want to join Clubhouse but have not received an invite or don’t have a compatible device.
Whoever ran the fake ads went to some lengths to make nearly a dozen all-too-convincing variations. Realistic mock-ups of what Clubhouse on a PC might look like and a web address that merely added “-pc” to Clubhouse’s actual homepage were enough to fool some unknown number of Facebook users, who would be directed to a website that looked a lot like Clubhouse’s real homepage, but with a button to download a collection of malware disguised as the fictional “Clubhouse for PC.” Installing the software would unleash an existing ransomware Trojan horse able to rename, delete, and modify files, possibly stealing a user’s identity and utterly wrecking the computer along the way. Presumably, only the creators of the malware would be able to remove it and would only do so if they were paid the ransom.
The manipulated images and links only made it past Facebook’s guardrails for a short period, luckily. The ads started running on April 6, and Facebook took them down and deleted them from the Ad Library before April 9, when the malicious website vanished. The good news is that without the server supporting the website, the malware ceased to operate. No group has claimed credit, but TechCrunch discovered the websites were hosted in Russia. Facebook and Clubhouse have not responded to a request for comment as of yet.
The fact that the cyber thieves saw mimicking ads for Clubhouse as the best way to spread their ransomware is a kind of backward compliment to the social audio startup. Clubhouse’s accelerated growth, well past the 10 million it hit in late February, makes it a tempting treat with which to disguise the hidden digital razor. This isn’t the first time criminals have attempted to make a fake Clubhouse app, either. Just a few weeks ago, malware researchers at ESET discovered a very fake ad for an Android version of Clubhouse that, if downloaded, would secretly install a piece of malware named BlackRock capable of stealing user credentials for several hundred online services. Clubhouse has explicitly talked about expanding to Android, but for now, anything about Clubhouse that’s not on an iOS device is a financial scam or worse.