It's bad enough that consumers are downloading malware to their Android devices thanks to fake apps on Google Play. Now they have even more to worry about when browsing through the apps listed in Google's Chrome Web Store. It's no wonder the industry is trying to shift over to pure HTML5 -- it just doesn't seem safe to download and install anything anymore.
Kaspersky Lab reports that cybercriminals are uploading malicious Chrome browser extensions to the Chrome Web Store that will hijack the end-user's Facebook account. These extensions claim to allow the user to change the color of their profile pages, remove social media viruses, track profile visitors and more. But instead they hand over complete control of the Facebook account to hackers which in turn can be used to spam friends and family with links to legit-looking web pages with malware lurking under the surface.
In a blog posted on Friday, Kaspersky Lab expert Fabio Assolini said he has observed an increase in the number of Facebook scams using malicious Chrome extensions. The current "epidemic" originates in Brazil where Chrome has become one of the most popular web browsers, and where Facebook has become to most popular social network, toppling Orkut.
The blog focuses on the Chrome extension which pretends to remove viruses from Facebook accounts. It starts as a Facebook page detailing how to remove a virus. Click on the link, and users go straight to an extension located on Google's Chrome Web Store. Thing is, the malicious extension presents itself as "Adobe Flash Player." v184.108.40.206. Once installed, the malware gains complete control of the Facebook profile by downloading a script file.
"The script file has instructions to send commands to the victim’s Facebook profile, such as spreading a malicious message, inviting more users to install the fake extension," Assolini said. "The script also has commands to use the profile of the victim to 'Like' some pages."
Ok, so sending spam to friends and family isn't exactly ideal, but who cares if your hijacked account starts "linking" other pages, right? There's more to it than a simply press of a virtual button.
"They have total control of the victim’s profile, so they created a service to sell 'Likes' on Facebook, especially focused for companies that want to promote their profiles, gaining more fans and visibility," he explains. "Of course, to sell the 'Likes' they use the profile of the victims."
Called Trojan.JS.Agent.bxo, Kaspersky first detected the malicious extension back on March 6 when it was distributed in a similar attack. Most of the victims resided in Brazil and Portugal, but there were a handful that fell prey to the extension here in the States before Google pulled the malware from its Chrome Web Store.
"We noted the bad guys behind this malicious scheme are uploading new extensions regularly, in a cat and mouse game," he said which apparently is what is happening now with the new Facebook-focused attack. "Be careful when using Facebook. And think twice before installing a Google Chrome extension."