Scams on Facebook are a daily thing. Websense® Threatseeker® Network recently detected some Facebook scams that now utilize the power of browser extensions to spread to other users' profiles. Scam pages typically utilize social engineering tricks - like enticing users with videos or offers for a free voucher, all of which lure victims to take part in the scam. Now on top of that, we've found that victims are also asked to install a browser plugin. The plugin is an integral part of how the scam is spread. Once installed, the plugin connects to a script that uses the Facebook API and then posts the scam to the victim's friends' pages. One of the advantages of using a plugin is the
ability to persist in the victim's browsers and propagate to other profiles - that is similar to malicious Facebook applications we've seen before.
We have noticed that at the moment, only Chrome and Firefox plugins are used. This is how a sample scam page looks using Chrome and Firefox browsers respectively:
The code checks which browser is installed and serves the compatible malicious plugin. Chrome plugin files end with a CRX file extension and Firefox plugin files end with the XPI file extension. Chrome and Firefox plugin files come in a compressed form. Looking inside these malicious plugins reveals some code that loads a script from external websites. This code is ultimately loaded by the browser that connects to Facebook. The code posts in the victim's name on the victim's friends pages, which results in the victim further spreading the scam, spam, and possibly malware. To see the code behind the plugin of the scam shown above, take a look at these next images:
Here is another example of a scam with the same concept. The next two images show a 'Cheesecake Factory' voucher scam offering to download a Chrome plugin and how the scam looks like in Facebook's news feed:
Websense Advanced Classification Engine, or ACE, helps protect users from such scams.