Malicious Chrome extensions hijack Facebook accounts

Cybercriminals are pushing malicious Google Chrome extensions that hijack Facebook accounts. To make matters worse, the extensions are being hosted on Google's official Chrome Web Store.
Written by Emil Protalinski, Contributor

Cybercriminals are uploading malicious Google Chrome extensions which hijack Facebook accounts to the official Chrome Web Store. The rogue extensions are advertised on Facebook by scammers and claim to do things such as "Change the color of your profile" or "Discover who visited your profile" or "Learn how to remove the virus from your Facebook profile."

Once you install one of the rogue Chrome extensions, it gives attackers complete control over your Facebook account. The scammers then use your account to spam your friends with a tempting message suggesting they also download the malware. Furthermore, the malware also automatically Likes certain Facebook Pages as part of a pay-per-Like scheme.

That's how the scammers make their money: they're in the business of selling Likes, and once they accumulate enough Facebook accounts, they can give companies quite a boost on users' News Feeds by Liking corresponding Facebook Pages. In one example, scammers offered packages of 1,000, 10,000, 50,000, and 100,000 Likes, for R$ 50 ($28), R$ 450 ($248), R$2,115 ($1,164), and R$3,990 (2,196), respectively.

As you can see in the screenshot above, one such rogue extension masqueraded as Adobe Flash Player. Before it was reported to Google so that the search giant could remove it from the Chrome Web Store, it had already been installed by almost 1,000 users. Unfortunately, when such malicious extensions are taken down by Google, new ones quickly take their place, along with new Facebook spam campaigns. The result is thousands of compromised Facebook accounts.

"We reported this malicious extension to Google and they removed it quickly," Kaspersky Lab Expert Fabio Assolini said in a statement. "But we noted the bad guys behind this malicious scheme are uploading new extensions regularly, in a cat and mouse game."

The security firm says it has seen a sudden increase in such attacks originating from Brazil. This might be because of two Internet milestones that happened late last year: Chrome surpassed Internet Explorer to become the most popular browser (according to StatCounter) and Facebook became the most popular social network (see Facebook finally overtakes Google Orkut in Brazil).

Since the scams, which have been around for weeks, are written in Portuguese, they are mainly confined to Portuguese-speaking Chrome and Facebook users. It wouldn't take much, however, to have them translated into English and other languages. Both Facebook and Google will have to work to fight this one.

Malicious browser add-ons and extensions are not a new strategy for scammers. That being said, leveraging the official Chrome Web Store is a smart move, because users are more likely to trust an extension that looks like it was approved by Google. It doesn't help that many legitimate Chrome extensions exist for altering Facebook (1, 2, 3, 4, 5, 6).

Furthermore, few users know that browser extensions can intercept everything they do through the browser. This means changing your password won't help you if an extension is performing unauthorized actions on active sessions while you browse the Web.

"Be careful when using Facebook," Assolini warned. "And think twice before installing a Google Chrome extension."

See also:

Editorial standards