This article was published on May 13, 2013

Microsoft warns users of new malicious Chrome extension and Firefox add-on that hijack Facebook accounts

Microsoft warns users of new malicious Chrome extension and Firefox add-on that hijack Facebook accounts

Microsoft has discovered a new piece of malware in the form of a Google Chrome extension and Firefox add-on that can hijack Facebook accounts. It does not appear that there are equivalent plugins for Internet Explorer nor Safari.

The threat, detected by Microsoft as Trojan:JS/Febipos.A, was first found making the rounds in Brazil. Like other browser plugins, it attempts to keep itself updated with the latest instructions from its malware authors.

The trojan in question checks to see if the current user is logged-in to Facebook. If you are, it attempts to download a configuration file that includes a list of commands. Depending on the file, Microsoft has found the malware is capable of doing any of the following with the user’s Facebook profile: Like a page, share content, post on people’s profiles, comment on other posts, join a group, invite friends to a group, and chat with friends.

Microsoft monitored a Facebook Page that the plugin often posted on and noticed that its Likes and comments increased, suggesting that users are actively installing these plugins. It’s not clear how criminals are getting users to install them, but they are likely using basic social engineering tactics employed in email and social networking spam.

Here is what Microsoft concludes in its analysis:

There may be more to this threat because it can change its messages, URLs, Facebook pages and other activity at any time. In any case, we recommend you always keep your security products updated with the latest definitions to help avoid infection.

In other words, while the threat seems to be currently focused on targeting Facebook users in Brazil (its messages are all written in Brazilian Portuguese), it’s easy to see how the threat could be modified to target more users. The fact that it uses a configuration file shows that the criminals specifically designed it to be modular.

The good news here is that this malware currently isn’t widespread. Nevertheless, you should make a point to only install browser extensions and add-ons from trusted sources such as the Chrome Web Store and Add-ons for Firefox.

See also – Google further secures Chrome against malicious extensions

Top Image Credit: spencereholtaway / Flickr

Also tagged with