Malicious Chrome extensions hijack Facebook accounts

Summary: Cybercriminals are pushing malicious Google Chrome extensions that hijack Facebook accounts. To make matters worse, the extensions are being hosted on Google's official Chrome Web Store.

Cybercriminals are uploading malicious Google Chrome extensions which hijack Facebook accounts to the official Chrome Web Store. The rogue extensions are advertised on Facebook by scammers and claim to do things such as "Change the color of your profile" or "Discover who visited your profile" or "Learn how to remove the virus from your Facebook profile."

Once you install one of the rogue Chrome extensions, it gives attackers complete control over your Facebook account. The scammers then use your account to spam your friends with a tempting message suggesting they also download the malware. Furthermore, the malware also automatically Likes certain Facebook Pages as part of a pay-per-Like scheme.

That's how the scammers make their money: they're in the business of selling Likes, and once they accumulate enough Facebook accounts, they can give companies quite a boost on users' News Feeds by Liking corresponding Facebook Pages. In one example, scammers offered packages of 1,000, 10,000, 50,000, and 100,000 Likes, for R$50 ($28), R$450 ($248), R$2,115 ($1,164), and R$3,990 ($2,196), respectively.

As you can see in the screenshot above, one such rogue extension masqueraded as Adobe Flash Player. Before it was reported to Google so that the search giant could remove it from the Chrome Web Store, it had already been installed by almost 1,000 users. Unfortunately, when such malicious extensions are taken down by Google, new ones quickly take their place, along with new Facebook spam campaigns. The result is thousands of compromised Facebook accounts.

"We reported this malicious extension to Google and they removed it quickly," Kaspersky Lab Expert Fabio Assolini said in a statement. "But we noted the bad guys behind this malicious scheme are uploading new extensions regularly, in a cat and mouse game."

The security firm says it has seen a sudden increase in such attacks originating from Brazil. This might be because of two Internet milestones that happened late last year: Chrome surpassed Internet Explorer to become the most popular browser (according to StatCounter) and Facebook became the most popular social network (see Facebook finally overtakes Google Orkut in Brazil).

Since the scams, which have been around for weeks, are written in Portuguese, they are mainly confined to Portuguese-speaking Chrome and Facebook users. It wouldn't take much, however, to have them translated into English and other languages. Both Facebook and Google will have to work to fight this one.

Malicious browser add-ons and extensions are not a new strategy for scammers. That being said, leveraging the official Chrome Web Store is a smart move, because users are more likely to trust an extension that looks like it was approved by Google. It doesn't help that many legitimate Chrome extensions exist for altering Facebook.

Furthermore, few users know that browser extensions can intercept everything they do through the browser. This means changing your password won't help you if an extension is performing unauthorized actions on active sessions while you browse the Web.
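The access described above is declared in each extension's manifest.json, so it can be checked before or after installation. The following is an added example, not code from the article or from Kaspersky: it reads a manifest and reports which declared match patterns give the extension access to Facebook pages. The sample manifests and extension names are constructed.

```python
import json
import re

# Chrome match pattern: <scheme>://<host>/<path>, plus the special token <all_urls>.
PATTERN_RE = re.compile(r"^(\*|https?|file|ftp)://(\*|\*\.[^/*]+|[^/*]*)(/.*)$")

def pattern_covers_host(pattern, host):
    """True if a match pattern gives an extension access to web pages on `host`."""
    if pattern == "<all_urls>":
        return True
    m = PATTERN_RE.match(pattern)
    if not m or m.group(1) in ("file", "ftp"):
        return False
    pat_host = m.group(2)
    if pat_host == "*":                      # any host
        return True
    if pat_host.startswith("*."):            # the domain and all its subdomains
        suffix = pat_host[2:]
        return host == suffix or host.endswith("." + suffix)
    return host == pat_host

def host_grants(manifest):
    """List (manifest key, match pattern) for every host access the extension requests."""
    grants = []
    # Manifest V2 lists hosts under "permissions"; Manifest V3 uses "host_permissions".
    for key in ("permissions", "optional_permissions", "host_permissions"):
        for p in manifest.get(key, []):
            if isinstance(p, str) and (p == "<all_urls>" or "://" in p):
                grants.append((key, p))
    for script in manifest.get("content_scripts", []):
        grants.extend(("content_scripts", p) for p in script.get("matches", []))
    return grants

def audit(manifest, host="www.facebook.com"):
    """Grants that let the extension read or script pages on `host`."""
    return [g for g in host_grants(manifest) if pattern_covers_host(g[1], host)]

# Constructed sample manifests (not taken from any real extension).
SAMPLES = [json.loads(s) for s in (
    '{"name": "Sample Player", "permissions": ["tabs", "http://*/*", "https://*/*"]}',
    '{"name": "Sample Profile Colors", "permissions": ["storage"],'
    ' "content_scripts": [{"matches": ["*://*.facebook.com/*"], "js": ["c.js"]}]}',
    '{"name": "Sample Notes", "permissions": ["https://example.org/*"]}',
)]

if __name__ == "__main__":
    for m in SAMPLES:
        print(m["name"], "->", audit(m) or "no access to facebook.com pages")
```

An extension that presents itself as a media player but requests every HTTP and HTTPS host, like the first sample, is the mismatch worth questioning before installing.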

"Be careful when using Facebook," Assolini warned. "And think twice before installing a Google Chrome extension."

Emil Protalinski

About Emil Protalinski

Emil is a freelance journalist writing for CNET and ZDNet. Over the years,
he has covered the tech industry for multiple publications, including Ars
Technica, Neowin, and TechSpot.

Talkback

13 comments
  • And who claimed Chrome was more secure than IE again

    Popularity says it all, and things are about to get dirty on the chrome side of the table; the chrome store is about to become a mess just like the android market :)
    MrElectrifyer
    • user stupidity

      is not the same as browser insecurity.
      The Linux Geek
      • Maybe not... But....

        Regardless of browser, just how are most exploits introduced?
        thekman58
      • Spoken like the pot

        to the kettle.
        ItsTheBottomLine
    • And who claimed Chrome was more secure than IE again

      I see it...you see it...why is everyone else blind? Oh yeah they are too busy clicking their heels over Chrome being #1 and faster than IE by a few milli-seconds. You wouldn't buy a car from Kraft so why use a browser or device from an AD Agency? Foolish indeed.
      Rob.sharp
  • If you download Flash

    From a company called "AppFace" in category "Fun" written solely in Spanish on an English version market, don't you kind of get what you deserve?
    thoiness
  • Huh?

    Facebook? What's that then? ;->
    Zwort
  • Just Ask

    FB is sooo 2010 . . . for the price of a beer, they can have my account!
    Gr8Music
  • Phuck it, extensions are bullwhazz anyway (except Yoono)

    EXTENSIONLESS chrome is safer than Firefox/IE. Comparisons are normally drawn on extensionless, and/or private/safemode sessions.
    Also, when you are changing ANY passwords, perform it in private or safemode session to ensure no qucking wyrooz can eat it.
    Yura87
  • What are you talking about?

    People are basically good, so if you give them freedom they'll always do what's right. Just look at Google's lax vetting policies if you don't believe me.
    gerbilio
  • news?

    A spyware browser, infected with spyware plugins?

    Is this the news?
    danbi
  • Chrome PWN, ROFLMFAO

    Chromeo, Chromeo, where for art my security Chromeo????

    Like danbi said and I quote:

    "A spyware browser, infected with spyware plugins?

    Is this the news? "
    Disgruntled_MS_User
  • Chrome

    Google and Chrome.. just be aware and know what you are getting!!
    ByDBay