Rogue Google Chrome Extension Used in Facebook ‘Like’ Scam

A rogue Google Chrome extension, a fake version of Adobe Flash Player and some Facebook “Likes” are at the center of a scam recently uncovered by researchers at Bitdefender.

According to the firm, the scam starts with a link to a page hosting videos of kittens and unicorns. The page is located on an internationalized domain – – that redirects users to the fast[removed] domain, which was registered Feb. 17 in Turkey. This page then asks the victim to install a special version of the Flash Player in order to see the video content.

Victims using Google Chrome are then taken to the plugin’s page on the Chrome store and asked to install an extension named ‘Business Flash Player!’ – a rogue extension for the browser that can access Facebook cookies and “Like” pages on the user’s behalf.

The extension is still available, and was installed roughly 40,000 times yesterday alone, noted Bogdan Botezatu, senior e-threat analyst at Bitdefender. However, the script that tells the user’s browser which page to automatically “Like” is currently down, he said.

“We have also detected a similar extension for Firefox spread via the same scam, but we’re just digging into it, so we can’t offer much info yet,” he told SecurityWeek.

“We know that at some point, the Chrome extension was also used for posting messages from the victims’ accounts, not only for liking specific pages,” he said. “Since the script is fetched by the extension from the web, the extension can easily be programmed to do pretty much anything with the Facebook account. We found one of these spam messages on Facebook and that is how we got to the extension in the first place.”

The page pointing to the malicious Chrome extension is targeted at Turkish users, and the spam messages posted on Facebook were written in Turkish. However, Bitdefender does not know whether other pages also redirect to the extension.

According to Botezatu, scamming their way to Facebook “Likes” can be a road to profit for cyber-criminals. Facebook “Likes,” he noted, increase the EdgeRank for a specific page. A page’s EdgeRank measures the likelihood the page will appear in a Facebook Newsfeed.

“Up until July 2012, Facebook pages were grown and then sold to whoever had an interest in buying a page with a huge community around it, pending rebranding,” he explained. “However, as the name of the page can’t be changed anymore if it has 200 likes or more, cyber-criminals are now focused on increasing the visibility of a page on demand – it’s basically inexpensive and borderline illegal social media for various businesses. This can also be used for disseminating malware – for instance, if the page owner suddenly decides to post malicious links on it, all users who have liked the page will see these links and some of them would probably fall for clicking them.”
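
The capabilities described above (access to Facebook cookies and behaviour driven by a script fetched from the web) can be triaged from an extension's manifest.json before it is allowed onto a managed browser. The following is an added example, not code from Bitdefender or from the extension itself: a heuristic manifest check in JavaScript (Node.js) in which the function names, finding labels and both sample manifests are constructed, and the relaxed-CSP check is one assumed way remote script could be enabled.

```javascript
// Added example: static triage of a Chrome extension manifest.json (heuristic only).
// Both sample manifests below are constructed; neither is the real extension's.
const TARGET = "facebook.com"; // site named in the article
const HOSTS = [TARGET, "www." + TARGET];

// True if a Chrome match pattern (e.g. "*://*.facebook.com/*") covers `host`.
function coversHost(pattern, host) {
  if (pattern === "<all_urls>") return true;
  const m = /^(\*|https?|wss?|ftp|file):\/\/([^/]*)\//.exec(pattern);
  if (!m) return false; // API permissions such as "cookies" or "tabs" land here
  const h = m[2];
  if (h === "*") return true;
  if (h.startsWith("*.")) return host === h.slice(2) || host.endsWith(h.slice(1));
  return h === host;
}
const hitsTarget = (p) => typeof p === "string" && HOSTS.some((h) => coversHost(p, h));

// Returns a list of finding strings; an empty list means nothing was flagged.
function auditManifest(manifest) {
  const findings = [];
  // Manifest V2 keeps host patterns in "permissions"; V3 uses "host_permissions".
  const perms = [...(manifest.permissions || []), ...(manifest.host_permissions || [])];
  if (perms.includes("cookies") && perms.some(hitsTarget))
    findings.push("cookie-access: 'cookies' permission with host access to " + TARGET);
  const injected = (manifest.content_scripts || []).filter((cs) => (cs.matches || []).some(hitsTarget));
  if (injected.length > 0)
    findings.push("content-script: script injected into " + TARGET + " pages");
  // Assumption: remote script is enabled by relaxing the extension's own CSP.
  const csp = manifest.content_security_policy;
  const policy = typeof csp === "string" ? csp : (csp && csp.extension_pages) || "";
  const scriptSrc = policy.split(";").map((d) => d.trim()).find((d) => d.startsWith("script-src")) || "";
  if (/https?:|'unsafe-eval'/.test(scriptSrc))
    findings.push("remote-code: CSP script-src allows remote origins or eval");
  return findings;
}

const suspicious = { // constructed sample
  manifest_version: 2,
  permissions: ["cookies", "tabs", "*://*.facebook.com/*"],
  content_scripts: [{ matches: ["<all_urls>"], js: ["inject.js"] }],
  content_security_policy: "script-src 'self' https://scripts.example.invalid; object-src 'self'",
};
const benign = { // constructed sample
  manifest_version: 2,
  permissions: ["storage", "https://notes.example.invalid/*"],
};
console.log(auditManifest(suspicious));
console.log(auditManifest(benign));
```

A finding is a reason to review the extension, not proof that it is malicious; many legitimate extensions request broad host access.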
