Dodgy browser extensions targeting Facebook users

By on
Dodgy browser extensions targeting Facebook users

Malware could spread.

Malicious browser extensions downloaded by Google Chrome and Mozilla Firefox users are being leveraged to take over victims' Facebook accounts, according to Microsoft.

The software giant detected the malicious Chrome and Firefox add-ons as the Febipos trojan which is being used to spread spam on Facebook.

After users login to the social networking site, the trojan tries to obtain a configuration file from Facebook that gives it a list of commands to launch, including sharing and commenting on posts, liking Facebook pages, joining groups, inviting victims' friends to groups, and even chatting with users' friends. 

Researchers did not say how attackers are delivering the malware to victims.

Jonathan San Jose, a researcher for Microsoft's Malware Protection Center, wrote in a Friday blog post that Facebook messages written in Portuguese were being spammed to victims in Brazil. In some cases, it advertised cars or included links to a website that sold cars.

Symantec security response manager Satnam Narang told SC it was a tactic spammers used to increase their profile on Facebook for self-marketing purposes.

"It's likely they are trying to gain traction with these pages in the underground market to get more 'likes' because they have their own currency in today's social media world," Narang said.

In addition to luring users to download malicious extensions on official stores, attackers can also trick victims by passing the malware off as plug-ins that enhance their Facebook profiles or allow them to upgrade movie players, Narang said.

"I'm not sure how they are delivering them, but I've seen a few [malicious plug-ins] that have been in the Chrome store," Narang said. "And we've reported them to Google to get them taken out in the past." 

Microsoft's San Jose advised users to keep their security software up to date.

Facebook spokesman Fred Wolens told SC the malware did not hijack victim accounts.

"It's important to note that these browser extensions do not hijack Facebook accounts; instead, as these browser extensions essentially exist between the browser and our service, they act on behalf of the user," Wolens wrote.

"We advise all our users to report any spam they find on the Facebook site, and remember Facebook will never ask for your credit card [or] Social Security [numbers], or any other sensitive information other than your username and password while logging in," Wolens said.

SC reached out to Google and Mozilla, but did not immediately hear back.

This article originally appeared at

Copyright © SC Magazine, US edition

Most Read Articles

Log In

|  Forgot your password?