A new spam campaign has recently been seen spreading on Facebook, which allegedly contains sex videos of celebrities. In reality, it leads unsuspecting users into downloading a malicious Chrome extension.
Discovered by Cyren security researchers Magni Reynir Sigurðsson and Maharlito Aquino, the campaign is initially spread through private messages as well as Facebook Groups. To make it truly enticing, the file name combines the name of a celebrity, which varies, with "leaked-sextape", a date, and an .mp4 extension, as shown below. Celebrities on the list include Kim Kardashian, Rihanna, Jennifer Lawrence, and Hilary Duff, among many others.
A closer look at the attached file shows that it is really a PDF document; the MP4 name is there only to trick users into thinking they are about to download a video file. Because Windows hides known file extensions by default, the file appears to end in .mp4, lowering the recipient's suspicion.
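To make the disguise concrete, here is an added example (not part of the article or of Cyren's research) showing how a mail or chat gateway could flag such an attachment: it compares the name a user sees when extensions are hidden with the real extension and with the file's leading bytes. The file name and bytes are constructed, and `check_attachment`, `sniff_type` and `displayed_name` are hypothetical helper names.

```python
import os

# Leading bytes of file types seen in this kind of lure; extend as needed.
MAGIC = {b"%PDF-": "pdf", b"MZ": "exe"}
MEDIA_EXTENSIONS = {"mp4", "avi", "mov", "mkv", "jpg", "png", "gif"}


def sniff_type(head: bytes) -> str:
    """Label the file from its first bytes; MP4 files carry an 'ftyp' box at offset 4."""
    for signature, label in MAGIC.items():
        if head.startswith(signature):
            return label
    if len(head) >= 8 and head[4:8] == b"ftyp":
        return "mp4"
    return "unknown"


def displayed_name(filename: str) -> str:
    """What a file browser shows when it hides the last (known) extension."""
    stem, ext = os.path.splitext(filename)
    return stem if ext else filename


def _last_extension(name: str) -> str:
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def check_attachment(filename: str, head: bytes) -> dict:
    """Compare the name the user sees with the real extension and the content."""
    shown = displayed_name(filename)
    shown_ext = _last_extension(shown)      # e.g. "mp4" from "...sextape.mp4.pdf"
    real_ext = _last_extension(filename)    # e.g. "pdf"
    actual = sniff_type(head)
    findings = []
    if shown_ext in MEDIA_EXTENSIONS and real_ext != shown_ext:
        findings.append(f"double extension: shown as .{shown_ext}, really .{real_ext}")
    if actual != "unknown" and actual != real_ext:
        findings.append(f"content is {actual}, extension claims .{real_ext}")
    return {"displayed": shown, "actual_type": actual,
            "suspicious": bool(findings), "findings": findings}


if __name__ == "__main__":
    # Constructed sample mimicking the campaign's naming; the bytes are a PDF header.
    lure = "CELEBRITY-leaked-sextape-2017-01-01.mp4.pdf"
    print(check_attachment(lure, b"%PDF-1.7\n"))
    # A genuine MP4 for comparison (ISO BMFF header with an 'ftyp' box).
    print(check_attachment("holiday.mp4", b"\x00\x00\x00\x18ftypmp42"))
```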
If the PDF file is opened, it displays what looks like a video player, with a thumbnail of a human body and a play button. Clicking the play button does not play the alleged video; instead, it opens a browser page that aggressively bombards the victim with advertisements and pop-up messages. Mobile users who reach the page are not spared and are served the same intrusive content.
The campaign does, however, show a particular liking for Google Chrome: if that browser is used to open the page, the user is led to a fake YouTube site, which asks them to install a Chrome extension to view the alleged video. This is a common tactic among cybercriminals, as landing on what looks like a YouTube page does not make users suspicious, even when the address bar says otherwise.
Once installed, the malicious extension opens a legitimate Facebook page and asks the user to "re-authenticate" the extension. Doing so allows the cybercriminals behind it to exploit the victim's Facebook account, collecting all the personal and social information they can get, and to start the campaign all over again by sending the PDF to the victim's friends list.
It doesn't stop there, however: the extension can prevent the user from accessing the Chrome extensions page, so the user cannot uninstall the malware from there. It also blocks the user from opening the browser's developer tools, and can run even more malicious scripts.
To get rid of the malware for good, a user has to delete the extension manually through the Windows Registry Editor. You can learn more about how to do that here.
We have contacted Facebook for a comment on the story, and will update this article once we hear more.
All things considered, even though this malware can be contained and removed, it pays to be careful about what we do on the internet, as malware is easily contracted these days and can gravely damage our computers.
Update: A Facebook spokesperson has provided the following statements to Neowin regarding the issue:
“We use automated systems to help stop harmful links and files from appearing on Facebook. These systems blocked the majority of the malicious activity, and the affected extensions are no longer active on our platform. The relevant parties have also removed these extensions from their browser stores.”
Moreover, the company stated that the malware's impact on Facebook was very limited, and that simply clicking on a link would not infect a computer on its own. To keep users protected, Facebook will also notify them if it sees any suspicious behavior and provide them with a free anti-virus scan.