Faux-Facebook Notifications Lead to Browser Hijack Malware

Italian security researchers report that as many as 800,000 Chrome users had browser sessions hijacked after falling victim to phony Facebook messages that eventually led users to malware posing as a video plug-in.

An attack on the world’s largest social network is drawing users to a third-party site with fake tag notifications and prompting victims to download malware masquerading as a video-codec extension.

The malware is reportedly capable of hijacking the Facebook accounts and Chrome Web browsers of affected users once initiated.

The attack, uncovered by a group of Italian security researchers led by Carlo De Micheli and first reported by the New York Times Bits technology blog, is attracting victims with links in emails and Facebook messages claiming that the user has been tagged in a post. A user who follows one of these links lands on an unaffiliated, third-party site, which says that watching the video hosted there requires downloading a browser extension or plug-in.

Of course, there is no video. Users who download the extension are actually installing a piece of malware capable of hijacking their Google Chrome browser. The Times reports this attack is particularly troubling because many users give their browsers permission to store login credentials for their email, social media, and any number of other online accounts. Once the malware takes control of a user’s Chrome browser, the attacker can use any of the credentials stored within the browser to access the corresponding accounts.

Micheli told the Times in a phone interview that the malware is proliferating by hijacking the Facebook and, to a lesser extent, email accounts of its victims and using that access to phish the victim’s unsuspecting contacts with messages similar to those that caused their infection in the first place. The malware has proven difficult to mitigate because it blocks access to Chrome’s settings page, where a user could uninstall the malicious plug-in, and also blocks access to the sites of various antivirus providers.

Google is aware of the attack and has disabled the malicious browser extension causing it. Facebook also detected the attack and is working to rid the social network of malicious links.

“In the meantime, we have been blocking people from clicking through the links and have reported the bad browser extensions to the appropriate parties,” said Facebook spokesperson Michael Kirkland. “We believe only a small percentage of our users were affected by this issue, and we are currently working with them to ensure that they’ve removed the bad browser extension.”

Micheli and company said that the attack spread fast, claiming some 40,000 victims per hour at its peak, and infecting more than 800,000 Chrome browser users in all.

Earlier this week, Facebook generated headlines by finally producing a transparency report, giving the wider public a glimpse at how the company handles government requests for its users’ data and revealing that the social network complies with 79 percent of such requests. The move followed similar ones by other large technology firms like Google and Microsoft as the companies attempt to clarify their level of complicity in and involvement with the National Security Agency’s broad-reaching surveillance programs.
