Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

Rogue Google Chrome Extension Used in Facebook ‘Like’ Scam

A rogue Google Chrome extension, a fake version of Adobe Flash Player and some Facebook “Likes” are at the center of a scam recently uncovered by researchers at Bitdefender.

A rogue Google Chrome extension, a fake version of Adobe Flash Player and some Facebook “Likes” are at the center of a scam recently uncovered by researchers at Bitdefender.

According to the firm, the scam starts with a link to a page hosting videos of kittens and unicorns. The page is located on an internationalized domain – xn--47aaeaba.com – that redirects users to the fast[removed]e.com domain, which was registered Feb. 17  in Turkey. This page then asks the victim to install a special version of the Flash Player in order to see the video content.

Victims using Google Chrome are then taken to the plugin’s page on the Chrome store and asked to install an extension named ‘Business Flash Player!’ – a rogue extension for the browser that can access Facebook cookies and “Like” pages on the user’s behalf.

The extension is still available, and was installed roughly 40,000 times yesterday alone, noted Bogdan Botezatu, senior e-threat analyst at Bitdefender. The script that dictates to the users’ browser what page to automatically “Like” however is currently down, he said.

“We have also detected a similar extension for Firefox spread via the same scam, but we’re just digging into it, so we can’t offer much info yet,” he told SecurityWeek.

“We know that at some point, the Chrome extension was also used for posting messages from the victims’ accounts, not only for liking specific pages,” he said. “Since the script is fetched by the extension from the web, the extension can easily be programmed to do pretty much anything with the Facebook account. We found one of these spam messages on Facebook and that is how we got to the extension in the first place.”

The page pointing to the malicious Chrome extension is targeted at Turkish users, and the spam messages posted on Facebook were written in Turkish. Bitdefender does not know however if there are other pages that redirect to the extension as well.

According to Botezatu, scamming their way to Facebook “Likes” can be a road to profit for cyber-criminals. Facebook “Likes,” he noted, increase the EdgeRank for a specific page. A page’s EdgeRank measures the likelihood the page will appear in a Facebook Newsfeed.

Advertisement. Scroll to continue reading.

“Up until July 2012, Facebook pages were grown and then sold to whoever had an interest in buying a page with a huge community around it, pending rebranding,” he explained. “However, as the name of the page can’t be changed anymore if it has 200 likes or more, cyber-criminals are now focused on increasing the visibility of a page on demand – it’s basically inexpensive and borderline illegal social media for various businesses. This can also be used for disseminating malware – for instance, if the page owner suddenly decides to post malicious links on it, all users who have liked the page will see these links and some of them would probably fall for clicking them.”

Written By

Marketing professional with a background in journalism and a focus on IT security.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join SecurityWeek and Hitachi Vantara for this this webinar to gain valuable insights and actionable steps to enhance your organization's data security and resilience.

Register

Event: ICS Cybersecurity Conference

The leading industrial cybersecurity conference for Operations, Control Systems and IT/OT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.

Register

People on the Move

Defense contractor Nightwing has appointed Tricia Fitzmaurice as Chief Growth Officer.

Xage Security has appointed Russell McGuire as CRO and Ashraf Daqqa as VP of the META region.

Mario Duarte, formerly head of security at Snowflake, has joined Aembit as CISO.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.