Mar 23, 2011 08:53 GMT

Security researchers from Symantec have identified a new Facebook scam that tricks users into installing a rogue Firefox extension in order to remain active longer.

The scammers promise users the ability to see their most active profile viewers, a feature that doesn't exist on Facebook.

The spam messages read: "I cant believe that you can see who is viewing your profile! I can see the TOP 10 people and i am really OPENMOUTHED that my EX is still checking me every hour. You can also see WHO CHECKS YOUR PROFILE here: [link]"

As with most scams, the link takes users to a rogue Facebook app that asks for permission to access their data and post on their profile.

If allowed, the app starts posting spam on the victims' walls without their knowledge. They are then redirected to a page instructing them to install a special Firefox extension called "Facebook Connect."

To make it look more credible, the page uses graphics stolen from the Mozilla Add-ons website and claims the extension has over 27,000 downloads per week.

"Of course this 'Facebook Connect' Firefox extension is not found on the official Mozilla domain but is hosted on a third-party site. This is not uncommon, so most users might ignore the generic warning displayed to them when installing the extension," says Symantec researcher Candid Wueest.

The add-on is actually a compiled Greasemonkey script which opens pop-ups every time the user visits Facebook.

The pop-ups display a site that advertises the same "profile statistics" feature, but asks users to participate in a survey first. For every user who does this, the scammers earn a commission.

By leveraging the Firefox extension, attackers increase the lifespan of their scams: even if users remove the rogue Facebook app or the spam posted on their walls, the add-on continues to display pop-ups.
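A defender-side triage check for the persistence mechanism described above, added here as an example and not code from the article or from Symantec: it parses a Firefox profile's extensions.json (a constructed sample is embedded) and flags active extensions that were not fetched from an official Mozilla host or that lack a Mozilla signature. The field names, the official-host list and the meaning of signedState are assumptions about the current file format, not something the 2011 article states.

```python
import json
from urllib.parse import urlparse

# Hosts Mozilla uses to serve add-ons; anything else is a sideload candidate
# (assumption for this example; adjust to your environment).
OFFICIAL_HOSTS = {"addons.mozilla.org", "addons.cdn.mozilla.net"}

# Constructed sample of a profile's extensions.json; the add-on entries are
# invented for this example (.invalid hosts never resolve).
SAMPLE_EXTENSIONS_JSON = json.dumps({
    "schemaVersion": 35,
    "addons": [
        {"id": "legit-addon@example.invalid", "type": "extension", "active": True,
         "sourceURI": "https://addons.mozilla.org/firefox/downloads/file/1/legit.xpi",
         "signedState": 2, "foreignInstall": False, "location": "app-profile"},
        {"id": "facebook-connect@example.invalid", "type": "extension", "active": True,
         "sourceURI": "http://third-party.example.invalid/facebook_connect.xpi",
         "signedState": 0, "foreignInstall": False, "location": "app-profile"},
    ],
})


def flag_suspicious_addons(extensions_json: str) -> list[dict]:
    """Return active extensions not fetched from an official Mozilla host,
    lacking a Mozilla signature, or installed by an external program."""
    findings = []
    for addon in json.loads(extensions_json).get("addons", []):
        if addon.get("type") != "extension" or not addon.get("active"):
            continue
        reasons = []
        host = urlparse(addon.get("sourceURI") or "").hostname or ""
        if host not in OFFICIAL_HOSTS:
            reasons.append(f"source host not official: {host or '<none>'}")
        if addon.get("signedState", 0) < 2:  # assumed: 2 = signed by Mozilla
            reasons.append("not signed by Mozilla")
        if addon.get("foreignInstall"):
            reasons.append("installed by an external program (sideload)")
        if reasons:
            findings.append({"id": addon["id"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in flag_suspicious_addons(SAMPLE_EXTENSIONS_JSON):
        print(finding["id"], "->", "; ".join(finding["reasons"]))
```

Run it against a real profile by reading that profile's extensions.json into the function instead of the constructed sample.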

In addition, the content can be changed to something even more malicious if the attackers desire, such as scareware ads pushing fake antivirus products.