Quantcast
Channel: TechNet Blogs
Viewing all articles
Browse latest Browse all 34890

Browser extension hijacks Facebook profiles

$
0
0

We have received reports about a wave of malicious browser extensions trying to hijack Facebook profiles. This threat was first discovered in Brazil. We detect it as Trojan:JS/Febipos.A.  The malware is a malicious browser extension specifically targeting Chrome and Mozilla Firefox.  

When installed, it attempts to update itself using the following URLs:  

Chrome browser:

du-pont.info/updates/<removed>/BL-chromebrasil.crx 

Mozilla Firefox browser:

du-pont.info/updates/<removed>/BL-mozillabrasil.xpi 

Note: Updated versions of this threat have been verified and are still detected as Trojan:JS/Febipos.A.

To begin with, this Trojan monitors a user to see if they are currently logged-in to Facebook. It then attempts to get a configuration file from the website <removed>.info/sqlvarbr.php. The file includes a list of commands of what the browser extension will do.

Depending on the file, this malware can do any of the following in the Facebook profile of an infected system:

  • Like a page

  • Share

  • Post

  • Join a group

  • Invite friends to a group

  • Chat to friends

  • Comment on a post

At the time of writing this blog, we have also seen the following behavior.

The configuration file contains a command to post the following message in Facebook:

  • GAROTA DE 15 ANOS VÍTIMA DE BULLYING COMETE SUICÍDIO APÓS MOSTRAR OS SEIOS NO FACEBOOK

    Vìdeo no link abaixo:<Currently unavailable link>

It is written in Portuguese and here’s an English translation:

  • 15 YEAR-OLD VICTIM OF BULLYING COMMITS SUICIDE AFTER SHOWING HER BREASTS ON FACEBOOK.

    Video on the link below: <Currently unavailable link>

The above URL is unavailable and already blocked by Facebook.

We also found this threat tries to "like" and "comment" on a Facebook page:

 

Facebook page targetted by this browser extension

It also attempts to comment on a post from this Facebook page with one of the following messages, written in Portuguese: 

  • Tenha um Celta 0km pagando R$13,00 por dia!!

    English translation: Get a brand new Celta paying R$13 per day!! 

 

  • Concurso valendo um Vale-Compras de R$1000,00!

    English translation: R$1000-voucher contest!

Note: This message may vary depending on the configuration file.As we can see on the Facebook page, there’s a link that has been shared with about 165 comments and 167 likes. There is a possibility that these people are infected with Trojan:JS/Febipos.A. 

This trojan may also send out the following message via chat, posts or comments:

  • Desculpa ai galera, mas isso eh um absurdo!!!

    English translation: Sorry guys, but this is ridiculous!!!

 

  • Sonzinho sensação do momento. Muito show!!

    English translation: The coolest tune at the moment. It’s really nice!

 

  • Léo Max e Renan - Rebolada de Gama (Clipe Oficial)

    English translation: <song title> (Official Clip)

 

  • Eu, não tenho carro do ano, não tenho grana sobrando, mas chego junto e...♫♫

    English translation: I don’t have a new car, I don’t have spare cash, but I get really close...

 

It may also post links on Facebook profiles. For example, the posted link from the Facebook page in the image above redirects to a website that sells cars.

At the time this blog was written, there were more users “liking” and “commenting” on the Facebook page that this malware uses – so there’s a possibility that there are more people continuing to be infected.

The number of “likes” for this page grew as we analyzed this malware. When we began analysis the page statistics looked like this:

  • Facebook page likes: 2,746

  • Facebook shared link likes: 167

  • Number of comments: 165

 

After several hours this had risen to:

  • Facebook page likes: 3,177

  • Facebook shared link likes: 201

  • Number of comments: 183

 

All of the information above is what we found at the time of our analysis. There may be more to this threat because it can change its messages, URLs, Facebook pages and other activity at any time. In any case, we recommend you always keep your security products updated with the latest definitions to help avoid infection. 

Jonathan San Jose
MMPC

 

 

 


Viewing all articles
Browse latest Browse all 34890

Trending Articles



<script src="https://jsc.adskeeper.com/r/s/rssing.com.1596347.js" async> </script>