Facebook Valentine’s Day Theme Leads to Trojan

Beware of malicious web browser extensions advertised on Facebook

January 31st, 2012 13:16 GMT

As Facebook users are preparing for Valentine’s Day, cybercriminals are relying on the fact that lovebirds may be tempted to install a so-called Valentine’s theme to make their profiles more special.

Trend Micro researchers came across one of these scams, which attempts to dupe victims into downloading a malicious Trojan that later places itself in the browser with the purpose of helping the crooks make tons of money.

Facebook customers who fall for the phony advertisement and click it are taken to a website that displays a large Install button. Once clicked, the page prompts the user to download a file called FacebookChrome.crx, identified by the security firm as Troj.Fookbace.A.

Upon execution, the Trojan not only executes a script that’s capable of displaying ads from other sites, but it also installs itself on the browser as an extension named Facebook Improvement.

After it’s successfully installed, the malicious extension monitors web activities, redirects sessions to survey pages that request sensitive information, performs likejacking attacks, and posts ill-intended messages on behalf of the victim.

Experts believe that these attacks are specially designed to target Chrome users, but they work just as well with Mozilla Firefox. Facebook members who use Internet Explorer are taken directly to the survey site because the extension doesn’t work on that browser.

Facebook users are advised not to click on ads that offer a Valentine’s Day theme, or any similar element, and refrain from providing sensitive information such as phone numbers or credit card data online.

Of course, with the large number of legitimate apps out there, it’s hard to tell real applications apart from fake ones. This is why experts recommend the use of an up-to-date antivirus solution, since most security programs are able to detect these malicious plots.

Finally, if by mistake you’ve already installed the browser extension, you can go to your browser’s settings menu and remove it before it causes too much damage.
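One way to check for the extension described above, as an added example that is not from the article or from Trend Micro: it scans a directory of unpacked extensions (which the reader supplies) for a manifest named "Facebook Improvement", resolving localized names, and lists which extensions can reach every site. The function and field names are this example's own, and the list of broad-access patterns is an assumption about what deserves a second look.

```python
import json
import sys
from pathlib import Path

SUSPECT_NAMES = {"facebook improvement"}  # extension name given in the article
BROAD = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}  # every-site access

def load(path):
    """Parse a JSON file; return {} if unreadable, malformed or not an object."""
    try:
        data = json.loads(path.read_text(encoding="utf-8-sig"))
    except (OSError, ValueError):
        return {}
    return data if isinstance(data, dict) else {}

def as_list(value):
    return value if isinstance(value, list) else []  # tolerate malformed fields

def display_name(manifest, data):
    """Resolve a localized "__MSG_key__" name through _locales/<default_locale>."""
    name = str(data.get("name", ""))
    if name.startswith("__MSG_") and name.endswith("__"):
        locale = str(data.get("default_locale", "en"))
        table = load(manifest.parent / "_locales" / locale / "messages.json")
        for key, entry in table.items():
            if key.lower() == name[6:-2].lower() and isinstance(entry, dict):
                return str(entry.get("message", name))
    return name

def audit_extensions(root):
    """Return a finding for every readable extension manifest found under root."""
    findings = []
    for manifest in sorted(Path(root).rglob("manifest.json")):
        data = load(manifest)
        if not data:
            continue
        hosts = as_list(data.get("permissions")) + as_list(data.get("host_permissions"))
        for script in as_list(data.get("content_scripts")):
            if isinstance(script, dict):
                hosts += as_list(script.get("matches"))
        name = display_name(manifest, data)
        findings.append({
            "path": str(manifest.parent),
            "name": name, "name_match": name.strip().lower() in SUSPECT_NAMES,
            "broad_access": sorted(h for h in set(map(str, hosts)) if h in BROAD),
        })
    return findings

if __name__ == "__main__" and len(sys.argv) > 1:
    print(json.dumps(audit_extensions(sys.argv[1]), indent=2))
```

A finding with `name_match` set to true is the extension to remove; a non-empty `broad_access` on an extension you do not recognize is worth reviewing, since a malicious copy could ship under a different name.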
