Researchers at Microsoft are reporting a wave of malicious browser extensions attempting to hijack Facebook profiles.
The malware, known as Trojan:JS/Febipos.A, specifically targets Google Chrome and Mozilla Firefox users. As of late last week, the malware seemed to be focused on infecting users from Brazil or Portugal.
Once installed, the extension will try to download and update itself using the following URLs (a portion of the URL is altered for user safety): du-pont.info/updates/<removed>/BL-chromebrasil.crx for Chrome and du-pont.info/updates/<removed>/BL-mozillabrasil.xpi for Firefox.
“To begin with, this Trojan monitors a user to see if they are currently logged-in to Facebook,” blogged Microsoft Malware Protection Center [MMPC] Antivirus Researcher Jonathan San Jose. “It then attempts to get a configuration file from the website <removed>.info/sqlvarbr.php. The file includes a list of commands of what the browser extension will do.”
Depending on the file, the malware can hijack a Facebook user’s profile and take a number of actions. For example, the configuration file contains a command to post the following message on Facebook in Portuguese: “15 YEAR-OLD VICTIM OF BULLYING COMMITS SUICIDE AFTER SHOWING HER BREASTS ON FACEBOOK.” The post also includes a link that is currently being blocked by Facebook.
The malware also was observed forcing users to post a comment on a Facebook page promoting an offer for a Chevrolet Celta. The message varies depending on the configuration file, the researcher blogged. In the span of a few hours, the number of ‘likes’ for this page grew from 2,746 to 3,177 and the number of comments jumped from 165 to 183.
The malware does not just stop there however. It also may send out other messages in Portuguese via chat, posts or comments, such as ‘Sorry guys, but this is ridiculous!!’ and ‘The coolest tune at the moment. It’s really nice!’.
“There may be more to this threat because it can change its messages, URLs, Facebook pages and other activity at any time,” the researcher blogged. “In any case, we recommend you always keep your security products updated with the latest definitions to help avoid infection.”
More from Brian Prince
- U.S. Healthcare Companies Hardest Hit by ‘Stegoloader’ Malware
- CryptoWall Ransomware Cost Victims More Than $18 Million Since April 2014: FBI
- New Adobe Flash Player Flaw Shares Similarities With Previous Vulnerability: Trend Micro
- Visibility Challenges Industrial Control System Security: Survey
- Adobe Flash Player Zero-Day Exploited in Attack Campaign
- Researchers Demonstrate Stealing Encryption Keys Via Radio
- Researchers Uncover Critical RubyGems Vulnerabilities
- NSA, GCHQ Linked to Efforts to Compromise Antivirus Vendors: Report
Latest News
- Ransomware Gang Publishes Data Allegedly Stolen From Maritime Firm Royal Dirkzwager
- Zoom Paid Out $3.9 Million in Bug Bounties in 2022
- Oleria Scores $8M Seed Funding for ID Authentication Technology
- Exploitation of 55 Zero-Day Vulnerabilities Came to Light in 2022: Mandiant
- News Analysis: UK Commits $3 Billion to Support National Quantum Strategy
- Malicious NuGet Packages Used to Target .NET Developers
- Google Pixel Vulnerability Allows Recovery of Cropped Screenshots
- Organizations Notified of Remotely Exploitable Vulnerabilities in Aveva HMI, SCADA Products
