Facebook users are being warned of malicious Firefox and Chrome extensions that can give an attacker remote control over a Facebook profile.
Microsoft has seen an increase in activity around these extensions, in particular in Brazil. The threat is detected as Trojan:JS/Febipos.A and has been updated recently.
“This Trojan monitors a user to see if they are currently logged in to Facebook. It then attempts to get a configuration file from the website <removed>[.]info/sqlvarbr.php,” said Jonathan San Jose of the Microsoft Malware Protection Center. “The file includes a list of commands of what the browser extension will do.”
The malware can add posts to a profile, like pages, join groups or invite others to join groups, chat and comment on posts. So far, Microsoft said it has seen posts in Portuguese on hijacked profiles trying to get users to click on a link, purported to be a video about a bullying-related suicide. Facebook has already blocked the link as malicious.
The Trojan, meanwhile, acts as a dropper and opens backdoor connections. On Chrome it tries to connect to du-pont[.]info/updates/[removed]/BL-chromebrasil[.]crx, and on Firefox to du-pont[.]info/updates/[removed]/BL-mozillabrasil[.]xpi; it then attempts to update itself from whichever of those URLs matches the browser it is running in.
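As an added example (not code from Microsoft or from this article), the script below does the triage a responder would want on a package like the .crx named above: it parses the CRX container, pulls out manifest.json and flags the traits the article attributes to Febipos, namely a content script scoped to facebook.com, broad host access that would let the extension fetch a remote command file, an update_url pointing anywhere other than the Chrome Web Store's update endpoint, and permissions such as tabs. The container layout (Cr24 magic, version, then key and signature lengths for CRX2 or a header length for CRX3) follows Chrome's published format. The sample manifest embedded in the script is constructed for illustration and is not Febipos's real manifest, and the build_crx2 helper produces an unsigned container only so the example runs offline.

```python
"""Triage a Chrome extension package (.crx): parse the CRX container, read the
embedded manifest.json, and flag the traits described above (content script on
facebook.com, broad host access, self-update from a non-Google URL).
Added example; not Microsoft's or the article's code."""
import io
import json
import struct
import zipfile

CRX_MAGIC = b"Cr24"
# Update endpoint used by extensions distributed through the Chrome Web Store.
WEBSTORE_UPDATE_HOST = "clients2.google.com"


def crx_zip_payload(data: bytes) -> bytes:
    """Return the ZIP archive embedded in a CRX2 or CRX3 container.

    CRX2: magic | version=2 | pubkey_len | sig_len | pubkey | sig | zip
    CRX3: magic | version=3 | header_len | header (protobuf) | zip
    All integers are 32-bit little-endian.
    """
    if data[:4] != CRX_MAGIC:
        raise ValueError("not a CRX file (bad magic)")
    (version,) = struct.unpack_from("<I", data, 4)
    if version == 2:
        key_len, sig_len = struct.unpack_from("<II", data, 8)
        start = 16 + key_len + sig_len
    elif version == 3:
        (header_len,) = struct.unpack_from("<I", data, 8)
        start = 12 + header_len
    else:
        raise ValueError(f"unsupported CRX version {version}")
    payload = data[start:]
    if payload[:2] != b"PK":
        raise ValueError("CRX payload is not a ZIP archive")
    return payload


def load_manifest(crx: bytes) -> dict:
    """Extract and decode manifest.json from a .crx file's bytes."""
    with zipfile.ZipFile(io.BytesIO(crx_zip_payload(crx))) as zf:
        return json.loads(zf.read("manifest.json"))


def _host_of(pattern: str) -> str:
    """Host part of a URL or Chrome match pattern, e.g. "*://*.facebook.com/*"."""
    rest = pattern.split("://", 1)[-1]
    return rest.split("/", 1)[0].lower()


def triage_manifest(m: dict) -> list:
    """Return human-readable findings for the manifest; an empty list means clean."""
    findings = []
    hosts = set()
    for cs in m.get("content_scripts", []):
        hosts.update(_host_of(p) for p in cs.get("matches", []))
    for p in m.get("permissions", []) + m.get("host_permissions", []):
        if "://" in p or p == "<all_urls>":
            hosts.add(_host_of(p))
    if any(h.endswith("facebook.com") for h in hosts):
        findings.append("content script or host permission covers facebook.com")
    if "<all_urls>" in hosts or "*" in hosts:
        findings.append("broad host access: extension can fetch commands from any server")
    update_url = m.get("update_url")
    if update_url and _host_of(update_url) != WEBSTORE_UPDATE_HOST:
        findings.append(f"self-updates from non-Google URL: {update_url}")
    for perm in ("tabs", "cookies", "webRequest"):
        if perm in m.get("permissions", []):
            findings.append(f"requests {perm!r} permission")
    return findings


def build_crx2(manifest: dict) -> bytes:
    """Wrap a manifest in a CRX2 container with DUMMY key and signature bytes.
    Exists only to produce offline test input; it performs no signing."""
    pubkey, sig = b"\x00" * 8, b"\x00" * 8
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("manifest.json", json.dumps(manifest))
    header = CRX_MAGIC + struct.pack("<III", 2, len(pubkey), len(sig))
    return header + pubkey + sig + buf.getvalue()


# Constructed sample modelled on the behaviour described in the article.
# It is NOT Febipos's real manifest; the hostnames are placeholders.
SAMPLE_MANIFEST = {
    "manifest_version": 2,
    "name": "sample-extension",
    "version": "1.0",
    "permissions": ["tabs", "<all_urls>"],
    "content_scripts": [{"matches": ["*://*.facebook.com/*"], "js": ["inject.js"]}],
    "update_url": "http://updates.example.invalid/ext.crx",
}

if __name__ == "__main__":
    for finding in triage_manifest(load_manifest(build_crx2(SAMPLE_MANIFEST))):
        print("-", finding)
```

A Firefox .xpi is a plain ZIP with no CRX header, so zipfile can open it directly; note that add-ons of this era describe themselves in install.rdf rather than manifest.json, so the manifest checks above apply as written only to Chrome packages.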
The malware’s capabilities, and the messages it posts to lure other users into installing it, depend on the configuration file it downloads, Microsoft said. One link Microsoft shared as an example had 2,746 likes, 167 shares and 165 comments, indicating a notable number of potential victims; within hours of the initial analysis, all of those numbers had risen.
“There may be more to this threat because it can change its messages, URLs, Facebook pages and other activity at any time,” Microsoft’s San Jose said.
IE users are not at risk, Microsoft added.
Google and Mozilla have both recently added protections against threats delivered through browser extensions. In December, Google announced it would stop silent extension installs in Chrome. Until then, third parties could install extensions without the user’s consent through the Windows registry, a mechanism intended to let an extension be installed alongside another application.
Extensions installed that way are now disabled by default in Chrome, and a dialog pops up explaining the effect of the extension on the browser and any potential risks. The change also disabled extensions that had been installed through those external deployment options in the past.
Mozilla, for its part, added a click-to-play feature starting with Firefox 17 in November that stops out-of-date or vulnerable plug-ins from running automatically. The move was designed to block exploits targeting old versions of plug-ins such as Adobe Flash and Reader; it covers plug-ins, not add-ons like the malicious extension described here.