    We spotted yet another threat lurking around social media sites targeting users of either Google Chrome or Mozilla Firefox. This threat uses fake extensions for both browsers to infiltrate user systems and hijack social media accounts – specifically, Facebook, Google+, and Twitter accounts.

    To get these fake extensions installed, the attackers post various lures on social media sites that try to get users to install a fake video player update. In reality, this player update is a malicious file, detected as TROJ_FEBUSER.A, which installs a browser plugin depending on the browser currently being used.

    One earlier version we saw for Google Chrome, detected as JS_FEBUSER.A, identifies itself as Chrome Service Pack 5.0.0. In the case of Mozilla Firefox, the fake plugin is Mozilla Service Pack 5.0.


    Figure 1. Names used by the malicious plugin

    Google Chrome has since flagged this particular plugin as malicious. An updated version of the plugin, detected as JS_FEBUSER.AB, is identified as F-Secure Security Pack 6.1.0 (for Google Chrome) and F-Secure Security Pack 6.1 (for Mozilla Firefox).


    Figure 2. Names used by the updated malicious file

    Once installed, the plugin connects to a malicious URL to download a configuration file. It uses the details in that configuration file to hijack the user’s social media accounts and perform the following actions, without any authorization from the user:

    • Like pages
    • Share posts
    • Join a group
    • Invite friends to a group
    • Chat with friends
    • Post comments
    • Update status

    This threat tries to perform the above actions on three different social networks: Facebook, Google+, and Twitter. Because of this, in effect, the attackers are able to hijack the accounts of the users and could, for example, use them to spread links to other malicious sites.

    One more thing to note: the fake video player update is digitally signed. Digital signatures are a way for developers and publishers to prove that a file did come from them and has not been modified. Potential victims may take this to mean that the file is legitimate and harmless.


    Figure 3. Valid digital certificate of the malicious video player update file

    It is not yet clear whether this signature was fraudulently issued, or whether a valid organization had its signing key compromised and used for this purpose.

    Users are once more reminded to always be aware and vigilant of such scams. Cybercriminals are getting better at making their lures much more convincing, even resorting to abusing legitimate services and users in order to appear legitimate.

    Trend Micro already blocks all URLs associated with this threat and detects the malicious files.

    Update as of July 31, 2013, 6:38 PM PST
    Both TROJ_FEBUSER.AA and JS_FEBUSER.AA have been renamed to TROJ_FEBUSER.A and JS_FEBUSER.A respectively.
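
As an added example (not Trend Micro's code), this defender-side check lists installed Chrome extensions whose display name starts with one of the names reported above, including names hidden behind a localized `__MSG_...__` placeholder. It assumes Chrome's on-disk layout `Extensions/<id>/<version>/manifest.json`; the sample tree and its ids are constructed, and a name match is only a lead for review, since a later variant can use a different name.

```python
import json
import re
from pathlib import Path

# Names reported in the article; the version may be part of the name or separate.
LURE = re.compile(r"^(chrome service pack|mozilla service pack|f-secure security pack)\b", re.I)

def display_name(manifest_path):
    """Return (name, version), resolving a localized __MSG_key__ name."""
    manifest = json.loads(manifest_path.read_text(encoding="utf-8-sig"))
    name = str(manifest.get("name", ""))
    msg = re.fullmatch(r"__MSG_(\w+)__", name)
    if msg:  # real name lives in _locales/<default_locale>/messages.json
        try:
            locale = manifest.get("default_locale", "en")
            path = manifest_path.parent / "_locales" / locale / "messages.json"
            table = json.loads(path.read_text(encoding="utf-8-sig"))
            table = {k.lower(): v for k, v in table.items()}
            name = table[msg.group(1).lower()]["message"]
        except (OSError, ValueError, KeyError, TypeError, AttributeError):
            pass  # unresolved: keep the placeholder rather than guess
    return name, str(manifest.get("version", ""))

def audit(extensions_dir):
    """Return [(extension_id, name, version)] for names matching LURE."""
    hits = []
    for path in sorted(Path(extensions_dir).glob("*/*/manifest.json")):
        try:
            name, version = display_name(path)
        except (OSError, ValueError, AttributeError):
            continue  # unreadable or malformed manifest
        if LURE.search(name.strip()):
            hits.append((path.parts[-3], name, version))
    return hits

def build_sample(root):
    """Constructed sample tree; ids and contents are made up for this example."""
    def put(ext_id, manifest, messages=None):
        base = Path(root) / ext_id / "1.0_0"
        (base / "_locales" / "en").mkdir(parents=True)
        (base / "manifest.json").write_text(json.dumps(manifest))
        if messages:
            (base / "_locales" / "en" / "messages.json").write_text(json.dumps(messages))
    put("aaaa", {"name": "Notes Helper", "version": "1.2"})
    put("bbbb", {"name": "Chrome Service Pack", "version": "5.0.0"})
    put("cccc", {"name": "__MSG_appName__", "version": "6.1.0", "default_locale": "en"},
        {"appName": {"message": "F-Secure Security Pack"}})
    return root
```

Call `audit()` on the `Extensions` directory of a browser profile; each hit gives the extension id to inspect and remove from the browser's extensions page.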









    • alan

      Yep, you are right coz it had happened to me about that.

    • http://www.apk-wd.com/ Amassine Omar

      Still, using antiviruses doesn’t guarantee total security :(

      Thanks for the information



     

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice