Malware targeting Facebook profiles
Facebook users, especially those accessing the service on Chrome and Firefox browsers, here’s something that you ought to take note of.
On its Technet blog, Microsoft has revealed that it has received reports about a wave of malware-ridden browser extensions attempting to hijack Facebook profiles. This threat, which they have detected as Trojan:JS/Febipos.A., was first discovered in Brazil. It has been found to be specifically targeting Chrome and Mozilla Firefox.
Detailing on the nature of the malware, Microsoft says that upon installation, the malware tries to update itself using URLs like –
- Chrome browser – du-pont.info/updates/<removed>/BL-chromebrasil.crx
- Mozilla Firefox browser – du-pont.info/updates/<removed>/BL-mozillabrasil.xpi
Importantly, updated versions of this malware have been verified too, and have been detected as Trojan:JS/Febipos.A.
At the outset, the Trojan sees if a user is logged in to Facebook at the time. It then tries to get a configuration file from the website – <removed>.info/sqlvarbr.php. This configuration file comprises a host of commands of what the browser extension will do.
Worryingly, depending on the file, here’s what the malware can do any of the following in the Facebook profile of an infected system:
- Like a page
- Join a group
- Invite friends to a group
- Chat to friends
- Comment on a post
The post adds that the configurating file was also found to contain a command to post the following message in Facebook –
GAROTA DE 15 ANOS VÃTIMA DE BULLYING COMETE SUICÃDIO APÃ“S MOSTRAR OS SEIOS NO FACEBOOK
VÃ¬deo no link abaixo:<Currently unavailable link>
Written in Portuguese, here’s what it reads like in English:
15 YEAR-OLD VICTIM OF BULLYING COMMITS SUICIDE AFTER SHOWING HER BREASTS ON FACEBOOK.
Video on the link below: <Currently unavailable link>
The link mentioned above is unavailable, and has been blocked. Interestingly, this threat even tries to “like” and “comment” on a Facebook page.
This malware may even post links on Facebook profiles. “At the time this blog was written, there were more users “liking” and “commenting” on the Facebook page that this malware uses – so there’s a possibility that there are more people continuing to be infected,” the post notes.
As Microsoft got down to analysing this malware, the number of Facebook page likes, shared link likes and number of comments grew.
When they began analysis, the numbers were –
- Facebook page likes: 2,746
- Facebook shared link likes: 167
- Number of comments: 165
Hours later it had risen to:
- Facebook page likes: 3,177
- Facebook shared link likes: 201
- Number of comments: 183