Security Experts:

Rogue Google Chrome Extension Used in Facebook 'Like' Scam

A rogue Google Chrome extension, a fake version of Adobe Flash Player and some Facebook "Likes" are at the center of a scam recently uncovered by researchers at Bitdefender.

According to the firm, the scam starts with a link to a page hosting videos of kittens and unicorns. The page is located on an internationalized domain - xn--47aaeaba.com – that redirects users to the fast[removed]e.com domain, which was registered Feb. 17  in Turkey. This page then asks the victim to install a special version of the Flash Player in order to see the video content.

Victims using Google Chrome are then taken to the plugin’s page on the Chrome store and asked to install an extension named 'Business Flash Player!' - a rogue extension for the browser that can access Facebook cookies and "Like" pages on the user’s behalf.

The extension is still available, and was installed roughly 40,000 times yesterday alone, noted Bogdan Botezatu, senior e-threat analyst at Bitdefender. The script that dictates to the users' browser what page to automatically "Like" however is currently down, he said.

"We have also detected a similar extension for Firefox spread via the same scam, but we’re just digging into it, so we can’t offer much info yet," he told SecurityWeek.

"We know that at some point, the Chrome extension was also used for posting messages from the victims’ accounts, not only for liking specific pages," he said. "Since the script is fetched by the extension from the web, the extension can easily be programmed to do pretty much anything with the Facebook account. We found one of these spam messages on Facebook and that is how we got to the extension in the first place."

The page pointing to the malicious Chrome extension is targeted at Turkish users, and the spam messages posted on Facebook were written in Turkish. Bitdefender does not know however if there are other pages that redirect to the extension as well.

According to Botezatu, scamming their way to Facebook "Likes" can be a road to profit for cyber-criminals. Facebook "Likes," he noted, increase the EdgeRank for a specific page. A page's EdgeRank measures the likelihood the page will appear in a Facebook Newsfeed.

"Up until July 2012, Facebook pages were grown and then sold to whoever had an interest in buying a page with a huge community around it, pending rebranding," he explained. "However, as the name of the page can’t be changed anymore if it has 200 likes or more, cyber-criminals are now focused on increasing the visibility of a page on demand – it’s basically inexpensive and borderline illegal social media for various businesses. This can also be used for disseminating malware – for instance, if the page owner suddenly decides to post malicious links on it, all users who have liked the page will see these links and some of them would probably fall for clicking them."

Subscribe to the SecurityWeek Email Briefing
view counter