ThreatTrack Security researchers have analyzed the scheme

Jul 4, 2013 19:01 GMT

Security researchers from ThreatTrack Security have come across another Facebook profile viewer scheme.

Experts have found a Tumblr blog, Candycrushsagafreelifes(dot)tumblr(dot)com, that’s designed to trick users into installing an app that can allegedly allow them to see who has been viewing their Facebook profile.

Users who follow the instructions on the screen and download the so-called profile viewer are served an executable file called “ProfileViewersSetup.exe.”

When launched, the executable appears to do nothing. However, a rogue web browser extension is installed onto the victim’s computer.

The interesting part about this attack is that the rogue extension is installed very quickly. If the victim uses Firefox and the browser is open when the executable is launched, the browser closes and restarts.

Right after re-opening, a notification window appears on the screen. This notification is the one that usually appears when users install extensions.

However, this one stays on the screen only for around one second, so the user can’t uncheck the “Allow the installation” checkbox.

If Firefox is not open when ProfileViewersSetup.exe is executed, the browser is launched and the same notification appears for a second or so.

When Chrome is opened on an infected computer, the user is immediately redirected to another shady “Profile Viewer” website that’s designed to trick visitors into participating in surveys that help the crooks make some money.

As far as the Firefox extension is concerned, experts haven’t managed to determine what it’s designed for. However, it can’t be anything good.

Victims of this attack are advised to check Firefox for an extension called WhoViewS 5.2 by “Crosk Safari.” Uninstall it before it starts causing any harm.
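The check described above can be scripted across many Firefox profiles. The following is an added example, not code from ThreatTrack or the original article: it reads each profile's `extensions.json` add-on registry and flags entries whose name or creator matches the indicators named in the article. It assumes the registry layout used by current Firefox releases (an `addons` array with `defaultLocale.name` and `defaultLocale.creator`); the profiles directory is supplied by the caller and the sample registry is constructed.

```python
import json
from pathlib import Path

# Indicators from the article; matching is case-insensitive.
IOC_NAME = "whoviews"
IOC_CREATOR = "crosk safari"

def _creator_name(creator):
    # The creator field may be a plain string or an object with a "name" key.
    if isinstance(creator, dict):
        return creator.get("name") or ""
    return creator or ""

def find_rogue_addons(extensions_json_text):
    """Return add-ons whose display name or creator matches the indicators."""
    hits = []
    for addon in json.loads(extensions_json_text).get("addons", []):
        locale = addon.get("defaultLocale") or {}
        name = locale.get("name") or ""
        creator = _creator_name(locale.get("creator"))
        if IOC_NAME in name.lower() or IOC_CREATOR in creator.lower():
            hits.append({"id": addon.get("id"), "name": name,
                         "version": addon.get("version"), "creator": creator,
                         "active": bool(addon.get("active"))})
    return hits

def scan_profiles(profiles_root):
    """Check every <profile>/extensions.json below profiles_root."""
    results = {}
    for path in sorted(Path(profiles_root).glob("*/extensions.json")):
        try:
            hits = find_rogue_addons(path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or corrupt registry: skip, do not crash
        if hits:
            results[str(path)] = hits
    return results

# Constructed sample registry (add-on ids are made up for illustration).
SAMPLE = json.dumps({"addons": [
    {"id": "rogue@example.invalid", "version": "5.2", "active": True,
     "defaultLocale": {"name": "WhoViewS", "creator": "Crosk Safari"}},
    {"id": "benign@example.invalid", "version": "1.0", "active": True,
     "defaultLocale": {"name": "Some Theme", "creator": {"name": "Alice"}}},
    {"id": "nolocale@example.invalid", "version": "0.1", "defaultLocale": None},
]})

if __name__ == "__main__":
    for hit in find_rogue_addons(SAMPLE):
        print(hit)
```

A match on display name or creator is only a lead, since both strings are set by the extension's author; confirm in the browser's add-on manager before removing anything.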

“Files such as the above are always going to be a problem to some degree so for now, please think twice before downloading / installing any form of profile viewer regardless of social network,” ThreatTrack Security’s Chris Boyd noted in a blog post.

“These scams have been around for years and will continue to do so unless we become a touch more skeptical about incredibly common fakeouts such as the above.”
