Malicious Chrome and Firefox extensions found hijacking Facebook profiles

Malicious Chrome and Firefox extensions found hijacking Facebook profiles

Summary: Malicious extensions for Google Chrome and Mozilla Firefox that hijack Facebook profiles to post messages have been flagged up by Microsoft Malware Protection Center.

TOPICS: Security

Malicious browser extensions that hijack Facebook profiles have been found in the wild.

The browser extensions for Google Chrome and Mozilla Firefox were discovered in Brazil and reported by Microsoft's Malware Protection Center on Friday.

The extensions, which harbour Trojan:JS/Febipos.A, will check whether the user is logged in to Facebook before performing various actions via the user's account, including Liking pages, sharing links, posting updates, joining groups, chatting to friends and commenting on posts.

The malware may also post a message in Portuguese about a teenage bullying victim who killed herself, together with a video link that has been blocked by Facebook.

It also tries to Like and comment on a Portuguese Facebook page selling cars, as well as attempting to send various messages in Portuguese via chat, posts or comments. Some of these messages (translated into English) are: "Sorry guys, but this is ridiculous!!!" and "The coolest tune at the moment. It's really nice!"

The malware downloads the list of Facebook commands it uses in a PHP configuration file named sqlvarbr.php.

A Facebook spokeswoman said the malicious browser extensions are not compromising Facebook accounts themselves, but rather using permissions given to them by the user to carry out these actions on Facebook on their behalf.

Facebook has systems to detect and block these malicious browser extensions, she added.

Topic: Security


Nick Heath is chief reporter for TechRepublic UK. He writes about the technology that IT-decision makers need to know about, and the latest happenings in the European tech scene.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • Nick

    Did you forget to put the original links as well as the names of the alleged extension and where those are available?
  • Links

    Nope, had to take out the original links because a technical issue was breaking them. As soon as it's sorted I can stick them back in.
    Nick Heath
    • technical issue?

      Oh, you mean like legal action by Mozilla and Google? Yeah, I suppose that is rather 'technical. Sigh.
      • Links

        Problem with broken links has been fixed and original links are included now.
        Nick Heath
  • Browser extensions and add-ons are like

    giving a thief a key to the can have a pretty darn good web experience with crap.
  • Hey Nick, it would have been nice to be a bit more emphatic about

    this only being an issue if you had downloaded the specific extensions. And since you say there was an issue with naming the extensions, can you state what they do so people will have an idea of if they have it or not, please?
    Deadly Ernest
    • More info can be found at the link below

      Browser extension hijacks Facebook profiles
  • Errr.....

    Adds to the reason why the Chrome browser was the #2 most vulnerable browser in 2012 [after Safari] according to Secuna and Symantec [in separate reports]. [ ] I think Ftrefox was #3.
    • In a Zero-Day World, It’s Active Attacks that Matter

      “Between January 2011 and September 2012, Krebs counted 89 days on which Internet Explorer users were exposed to actively exploited security vulnerabilities, compared to none at all for either Google Chrome or Mozilla Firefox. Krebs argues that, "Active exploitation is the most important qualifier of a true zero-day." He believes that this is what matters from a user perspective.”
  • Say WHAT?

    If these browser extensions you mention exist, please name them, and explain why they aren't by antivirus/antimalware applications? This sounds like another 'urban ledgend', and not naming the extensions steals all credibility. Not only that, if someone were posting as me on Facebook, I believe I would notice.
    • exactly

      Moreover, the original link provided above by daikon doesn't name them either.
  • In the official extension stores?

    Where are these extensions hosted, and are they available in the browsers' official extension stores, reached from within the browsers?
    • What little info I found

      The MSFT site doesn't provide any answers to those questions. All I could find by search was a quote from a Firefox spokesman on SCMagazine that it was never on their official site and they've blocked it.

      Even though the extensions on the official sites are vetted, there are still concerns - if someone managed to crack the account of an extension's developer, they could push malicious updates to that extension. Be very careful with extensions.