Scammers Use Browser Extensions to Help Spread Facebook Scams

Facebook spam is already a significant problem as it is, so users of the social networking site probably won’t be happy to learn that scammers have found yet another way of circulating their various scams across Facebook.

Facebook scams, usually survey scams which trick users into parting with their personal information, are typically spread by tricking users into sharing the external websites that harbour the scheme by either of the following –

  1. Fooling a victim into copying and pasting Javascript into their address bar
  2. Clickjacking/Likejacking using hidden Like buttons on external websites
  3. Using a Facebook Share/Jaa/Like button and telling the Facebook user to proceed they must click the button

However, the latest bunch of scams will be adding a fourth option, and are now requesting users download and install browser extensions to help their scams circulate. The format of the scam is nearly the same – Facebook users are spammed links on Facebook to external websites offering various freebies like vouchers, coupons or intriguing videos. Upon clicking the links, users are now asked (amongst other things) to install browser extensions before being allowed to proceed to their “freebie” [which – of course – do not exist]

A browser extension is simply a small computer program that allows a browser (Internet Explorer, Firefox or Chrome – basically the software you surf the Internet with) to do something it normally could not do. In this case, these browser extensions let scammers use your browser to post spammy messages across Facebook, containing links to the same external websites that tricked the original account into installing the malicious browser extension in the first place! Web security vendor Websense examined the payload of the extensions and has reported that they use the Facebook API interface to automatically post spammy links from a Facebook account using an infected browser.

So how do you spot such “Facebook browser extension” scams? For the most part, it is the same as spotting other types of scams that circulate Facebook – be on the watch out for spammy links offering various free goodies such as vouchers, coupons, videos, images or application bonuses and features. Not clicking these links will ensure you and your computer stay safe. However if you do click the link, you’ll be taken to a webpage that requests you download a browser extension to proceed. Presently variants exist for Chrome and Firefox (IE just requests you download an unknown file extension) In the examples we have seen so far users a tricked into installing the malicious extension on the assertion that it is a video plug-in.

 


Example page of a site using a browser extension scam. Clicking the Install button initiates
the malicious installation

There is some good news however. Luckily for users of Firefox and Chrome browsers, certain pre-emptive warnings do exist to warn people of the potential dangers of downloading extensions, and hopefully these will be enough to discourage most from carrying on. See the images below.

 


Image 1: Yellow bar warns of potential problems


Image 2: Followed by download confirmation

 

Firefox – Upon clicking a link that requests you install an extension, Firefox first presents a yellow bar (image 1) saying it prevented the site from asking you to install potentially dangerous software. (top image) – if a user clicks allow they first have to confirm the installation in the bottom image (image 2). Upon confirming the installation, the users browser is then infected.

 


Image 3: Like Firefox, Chrome warns of potential problems with downloading an extension.


Image 4: And again, like Firefox, requests users confirm the installation

Chome – Google Chrome works in a similar fashion. Upon clicking a link a similar banner appears at the bottom of the window warning of the potential dangers of installing an extension (image 3). Clicking Continue is again followed by a confirmation of the installation (image 4).
Security experts are hoping these warnings and confirmations will discourage most from proceeding with a dangerous installation.

If you’re a victim…

If you do find yourself the victim of such a scam, then you need to do some clean up work. First, you need to uninstall the browser extension that is spamming your Facebook contacts.

In Firefox, go to Tools and select Add-ons. Select Extensions and locate the offending extension and click the Disable button and restart the browser.

In Google Chrome, click the wrench icon, click Tools and select Extensions, and again locate the offending Extension and remove it.

Upon doing this, go to your Facebook profile and select and remove any posts that your account may have posted as a result of the scam. To do this go to the icon at the top right hand corner of each post and select Delete Post from the drop down menu.

If you think you downloaded further malware onto your computer, remember to do a full system scan of your computer with up-to-date antivirus software. Not sure about your antivirus software? Click here for our recommendations.

Presently we have only seen this scam used in conjunction with those annoying Facebook survey scams, but new variants may very well soon exist. Remember to warn your Facebook friends of this new emerging tactic.

Share
Published by
Craig Haley