Facebook Profile Hijackers Post Extensions In The Chrome Web StoreBy: Shaylin Clark - March 26, 2012
Google’s Chrome browser has grown immensely in popularity in the three years since its release. Though still playing a distinct second fiddle to Microsoft’s Internet Explorer, Chrome has become one of the most popular browsers in the world – even beating out Mozilla Firefox in many places. Chrome, like Firefox, allows the installation of third-party browser extensions – little pieces of software that modify the browser to add any number of useful, entertaining, or just plain random features. With Chrome, these are hosted in the Chrome Web Store.
Thanks to Google’s philosophy on openness, anyone can upload a browser extension to the Chrome Web Store, and according to a recent security report, that may not be such a good thing. According to Fabio Assolini, security expert with Kapersky Lab, scammers have been uploading malicious extensions to the Chrome Web Store and disguising them as ordinary browser extensions. In this case, the extension was listed as Adobe Flash Player. Instead, once installed the extension takes control of a user’s Facebook profile.
Once it has control of your profile, it starts posting messages encouraging your friends to install the same extension. It also starts liking various pages. This last part is the reason for the extension’s existence: the extension is part of a scam whereby scammers sell Likes to companies that want to promote their pages. The businesses pay the scammers, and the scammers use the extension to drum up the promised number of likes.
When Assolini found the extension in the Chrome Web Store, it had 923 users. Once Google was notified of its existence, it was removed. Shortly thereafter, though, extensions from the same scammers were popping back up in the Chrome Web Store. Malicious browser extensions can be more problematic than other forms of profile hijacking. If a scammer gets their hands on your Facebook (or Twitter, or email) password, then the solution is simply to change your password. In this case, though, changing your password does not help so long as you continue to use the infected browser, and since the extension masquerades as something else, it can be difficult to identify the culprit.
Now, the extension Assolini found was concentrated in Brazil, where Chrome enjoys 45% of the browser market and Facebook is by far the most popular social network. That does not, however, mean that the problem is isolated to Brazil. The malicious extension was installed in numerous countries, including the U.S.:
Of course, as is nearly always the case, there are clues that indicate that this is a scam. First and foremost, Adobe Flash Player isn’t a browser extension. It’s a plug-in, and it’s installed outside the browser. Second, there’s the app’s publisher: it’s listed as AppFace, not Adobe. An official Adobe extension would be listed as coming from Adobe.
The moral of the story is one of the basic rules of safety on the internet: be cautious and use your head when installing anything, be it software or a browser extension. The popularity of Google Chrome combined with the open nature of the Chrome Web Store make for a ripe target for scammers, and malicious browser extensions have the potential to be very nasty indeed.