Security Experts:

Malicious Firefox, Chrome Extension Hijacks Facebook Profiles

Researchers at Microsoft are reporting a wave of malicious browser extensions attempting to hijack Facebook profiles.

The malware, known as Trojan:JS/Febipos.A, specifically targets Google Chrome and Mozilla Firefox users. As of late last week, the malware seemed to be focused on infecting users from Brazil or Portugal.

Once installed, the extension will try to download and update itself using the following URLs (a portion of the URL is altered for user safety): du-pont.info/updates/<removed>/BL-chromebrasil.crx for Chrome and du-pont.info/updates/<removed>/BL-mozillabrasil.xpi for Firefox.

"To begin with, this Trojan monitors a user to see if they are currently logged-in to Facebook," blogged Microsoft Malware Protection Center [MMPC] Antivirus Researcher Jonathan San Jose. "It then attempts to get a configuration file from the website <removed>.info/sqlvarbr.php. The file includes a list of commands of what the browser extension will do."

Depending on the file, the malware can hijack a Facebook user's profile and take a number of actions. For example, the configuration file contains a command to post the following message on Facebook in Portuguese: "15 YEAR-OLD VICTIM OF BULLYING COMMITS SUICIDE AFTER SHOWING HER BREASTS ON FACEBOOK." The post also includes a link that is currently being blocked by Facebook.

The malware also was observed forcing users to post a comment on a Facebook page promoting an offer for a Chevrolet Celta. The message varies depending on the configuration file, the researcher blogged. In the span of a few hours, the number of 'likes' for this page grew from 2,746 to 3,177 and the number of comments jumped from 165 to 183.

The malware does not just stop there however. It also may send out other messages in Portuguese via chat, posts or comments, such as 'Sorry guys, but this is ridiculous!!' and 'The coolest tune at the moment. It's really nice!'.

"There may be more to this threat because it can change its messages, URLs, Facebook pages and other activity at any time," the researcher blogged. "In any case, we recommend you always keep your security products updated with the latest definitions to help avoid infection."

view counter