Facebook profiles can be hijacked by Chrome extensions malware





Cybercriminals are uploading malicious Chrome browser extensions to the official Chrome Web Store and use them to hijack Facebook accounts, according to security researchers from Kaspersky Lab. The rogue extensions are advertised on Facebook by scammers and claim to allow changing the color of profile pages, tracking profile visitors or even removing social media viruses.

The attacks manifest as suggestions to download Facebook apps. Those apps are, alas, not real. Instead they are malware and, in one case, a malware-laden Chrome extension hosted in Google's very own Chrome Web Store. To do that, they must follow a series of steps, which include installing a fake Adobe Flash Player Chrome extension. The launchpad for the fake Flash Player is a Facebook app called "Aprenda". If Aprenda is installed it redirects users to Chrome Web Store, encouraging them to install the fake Flash extension.





This last one caught our attention not because it asks the user to install a malicious extension, but because the malicious extension is hosted at the official Google's Chrome Web Store. If the user clicks on 'install application' he will be redirected to the official store. The malicious extension presents itself as "Adobe Flash Player ", Be careful when using Facebook. And think twice before installing a Google Chrome extension ," he adds. ", wrote Fabio Assolini. "," he adds.





Uploading multiple rogue extensions on the Chrome Web Store and running several Facebook spam campaigns to advertise them allows attackers to quickly compromise thousands of accounts. The malware operates in much the same way as other Facebook scams, such as inviting friends to install it, however the purpose of the highjacking accounts is to generate fraudulent "Likes" which are sold for about US$27 per 1,000.





Now, the extension Assolini found was concentrated in Brazil, where Chrome enjoys 45% of the browser market and Facebook is by far the most popular social network. That does not, however, mean that the problem is isolated to Brazil. The malicious extension was installed in numerous countries, including the U.S..