Just how effective is it for cybercriminals to keep using Google Chrome and Facebook to infect their victims with malware?
We’ve already seen both platforms used as parts of malicious social engineering schemes. Both Google and Facebook are aware of this and have taken steps to protect their users. The recurring appearance of malicious Chrome extensions, for example, has driven Google to restrict the use of any extension not available on the Chrome Web Store.
Unfortunately, initiatives like these have not deterred cybercriminal efforts. Our findings also show that many of these platforms’ users still get tricked.
Just recently, we received a message from a Facebook friend that piqued our curiosity. The message was rather short and to the point:
Figure 1. Message on Facebook
Clicking the link led us to a site with a page designed to mimic the look and feel of Facebook. The page even pretends to have content from YouTube. Visiting the malicious site led to the automatic download of a file titled Chrome_Video_installer.scr. The filename makes it appear to be a harmless Chrome browser plugin required to play videos.
Figure 2. Malicious page with the Facebook design
This supposed video installer file is detected as TROJ_KILIM.EFLD. This variant attempts to download another file—possibly the final payload—but the site is currently down. However, it should be noted that KILIM malware is known to take the form of malicious Chrome extensions and plugins. KILIM variants have also been observed to spam Facebook messages and cause system infection.
Using feedback we gathered from the Smart Protection Network™, we decided to see which countries were the most affected by this particular attack.
We checked the landing page and found that the Philippines had the most users who visited the site, followed by Indonesia, India, Brazil, and the U.S. What’s striking is that these countries are the same ones reported to have the highest percentage in terms of Facebook penetration.
Table 1. Countries with the most visits to the malicious site
Facebook still remains the top social networking site in the world. Data from their company information page reveals that Facebook had 1.44 billion monthly active users and 1.25 billion mobile monthly active users as of March 2015. A sizeable percentage (around 83%) of users who are active on the site daily are from outside Canada and the U.S. This popularity obviously doesn’t come without pitfalls.
The compelling elements
In this attack, users might be fooled into clicking the link because of three things. First, the message comes from a Facebook friend, not a stranger. The message also addresses the user by the name they use on Facebook, which makes it appear less like a random, spammed message. Finally, the informality of the message may compel the user to read it.
The use of the shortened link also helps disguise the lure. Compared to a more innocent-looking shortened link, a suspicious-looking URL might cause a user to reconsider clicking.
The filename of the malware can also put the intended victim at ease. Extensions and plugins are part of the Chrome browser ecosystem. Meanwhile, a simple online search can inform the user that the .SCR file extension is often used for screensavers—not necessarily something they would immediately think as malicious.
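The two signals described above (an executable extension such as .SCR, and a name that suggests a video or plugin) can be checked automatically before a download is allowed to run. The following is an added example written for this post, not Trend Micro's own tooling or detection logic: it inspects a filename and the first bytes of the content, treats .SCR like .EXE because a Windows screensaver is an ordinary PE executable, and flags a mismatch between a media-looking name and executable content. The sample files are constructed.

```python
import os
import re

# Windows file extensions that run as native code when opened. A .SCR
# screensaver is an ordinary PE executable under a different extension, so
# it runs exactly like an .EXE would.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".msi"}

# Words that lures use to make an executable look like media or a plugin
# (the sample in the post was named Chrome_Video_installer.scr).
LURE_WORDS = re.compile(r"video|installer|plugin|player|codec|update", re.IGNORECASE)


def is_pe_executable(data: bytes) -> bool:
    """True if the content starts with the 'MZ' header every PE executable carries."""
    return data[:2] == b"MZ"


def assess_download(filename: str, data: bytes) -> dict:
    """Return a verdict ('block' or 'allow') and the reasons behind it."""
    base, ext = os.path.splitext(filename.lower())
    executable_ext = ext in EXECUTABLE_EXTENSIONS
    executable_content = is_pe_executable(data)
    reasons = []
    if executable_ext:
        reasons.append(f"extension {ext} runs as native code")
    if executable_content:
        reasons.append("content starts with MZ header (PE executable)")
        if not executable_ext:
            reasons.append("extension does not match executable content")
    if (executable_ext or executable_content) and LURE_WORDS.search(base):
        reasons.append("executable named like a video, plugin or installer")
    return {"file": filename, "verdict": "block" if reasons else "allow", "reasons": reasons}


# Constructed sample inputs: a 'video installer' that is really a PE file, a
# genuine MP4 (ftyp box), and a fake .mp4 whose content is an executable.
SAMPLES = [
    ("Chrome_Video_installer.scr", b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56),
    ("holiday.mp4", b"\x00\x00\x00\x18ftypmp42\x00\x00\x00\x00mp42isom"),
    ("clip.mp4", b"MZ\x90\x00"),
]

if __name__ == "__main__":
    for name, content in SAMPLES:
        result = assess_download(name, content)
        print(result["verdict"].upper(), name, "; ".join(result["reasons"]))
```

The content check matters more than the extension check: renaming the file to .mp4 defeats an extension list, but not a look at the first two bytes.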
Facing Facebook threats
Given the popularity of Facebook, members of the site must be discerning when it comes to the content they come across. Never click links from unknown or unverified sites, especially if the content sounds too interesting to be true. Cybercriminals often use shocking or eye-catching content to convince users to visit malicious websites. It’s far better to click links that lead to a reputable source than some random blog or site. The Trend Micro Site Safety Center can also be used to check whether websites are safe.
The same can be said for links or attachments sent by friends. It’s worth the effort to first confirm the message before clicking the link or opening the attachment.
Facebook safety doesn’t begin and end with safety measures for the website. Other precautions like screening emails and installing a security solution can prevent malware from infecting your computers and accessing your Facebook accounts.
We have reported this incident to Facebook. As of this publishing, Facebook has marked the message as spam.
With additional insight from Jed Valderama.
Hashes for related file:
Update as of June 26, 2015, 12:50 P.M. PDT (UTC-7)
A new scam has been spotted using Facebook to spread malicious Chrome extensions. Like the previously reported threat, this new one also sends a Facebook message with a link to a friend, then redirects to a malicious site that hosts an adult video and prompts the user to download a Chrome extension.
Should the user install the code, Google Chrome will inform him that the extension has the capability of performing the following routines:
- Read and change all your data on the websites you visited
- Capture content of your screen
- Communicate with cooperating websites
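Each of the three warnings above is triggered by something declared in the extension's manifest.json, so a reviewer can reach the same conclusion before installing anything. The following is an added example for this post, not Trend Micro's or Google's code: it reads a manifest (MV2 or MV3), collects host patterns from permissions, host_permissions and content_scripts, and maps broad host access, screen-capture APIs and externally_connectable to the warning a user would see. The exact warning wording per permission is an assumption based on Chrome's documented warnings and can differ between Chrome versions; both manifests are constructed.

```python
import json

# Host patterns that grant an extension access to every site the user visits.
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# API permissions and the install-time warning Chrome shows for them
# (assumed wording; confirm against the Chrome version you review on).
WARNING_FOR_PERMISSION = {
    "desktopCapture": "Capture content of your screen",
    "tabCapture": "Capture content of your screen",
    "nativeMessaging": "Communicate with cooperating native applications",
}

RISK_RANK = {"none": 0, "medium": 1, "high": 2}


def _host_patterns(manifest: dict) -> set:
    """Collect host match patterns from every place MV2 and MV3 manifests put them."""
    patterns = {p for p in manifest.get("permissions", []) if p == "<all_urls>" or "://" in p}
    patterns.update(manifest.get("host_permissions", []))
    for script in manifest.get("content_scripts", []):
        patterns.update(script.get("matches", []))
    return patterns


def audit_manifest(manifest_json: str) -> dict:
    """Return the extension name, its risk level and the warnings a user would see."""
    manifest = json.loads(manifest_json)
    findings = []

    broad = sorted(_host_patterns(manifest) & BROAD_HOST_PATTERNS)
    if broad:
        findings.append({"source": broad, "risk": "high",
                         "warning": "Read and change all your data on the websites you visit"})

    for perm in manifest.get("permissions", []):
        if perm in WARNING_FOR_PERMISSION:
            findings.append({"source": [perm], "risk": "high",
                             "warning": WARNING_FOR_PERMISSION[perm]})

    # externally_connectable lets the listed web pages message the extension directly.
    sites = manifest.get("externally_connectable", {}).get("matches", [])
    if sites:
        findings.append({"source": sites, "risk": "medium",
                         "warning": "Communicate with cooperating websites"})

    risk = max((f["risk"] for f in findings), key=RISK_RANK.__getitem__, default="none")
    return {"name": manifest.get("name", "<unnamed>"), "risk": risk, "findings": findings}


# Constructed manifests: one shaped like the lure described in the post (broad
# host access plus screen capture, presented as a conferencing tool) and one benign.
SUSPICIOUS_MANIFEST = json.dumps({
    "manifest_version": 2,
    "name": "Example Web Conferencing Helper",
    "version": "1.0",
    "permissions": ["<all_urls>", "desktopCapture", "tabs"],
    "content_scripts": [{"matches": ["*://*.facebook.com/*"], "js": ["inject.js"]}],
    "externally_connectable": {"matches": ["*://*.example.com/*"]},
})

BENIGN_MANIFEST = json.dumps({
    "manifest_version": 3,
    "name": "Note Taker",
    "version": "2.0",
    "permissions": ["storage"],
})

if __name__ == "__main__":
    for m in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        report = audit_manifest(m)
        print(report["name"], "->", report["risk"])
        for f in report["findings"]:
            print("  ", f["warning"], f["source"])
```

A web-conferencing helper has a plausible reason to ask for screen capture, but none for a content script on Facebook pages; the combination of host patterns with the declared purpose is what a reviewer should weigh, not any single permission.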
Further analysis of the extension reveals that its code has routines related to Facebook accounts. For example, it can get the user’s Facebook profile ID, create Facebook notes, send messages, and even “harvest” the user’s contact list.
This extension even uses the name of a legitimate business, Antelma Business Solutions, to further convince users to install it. But the discrepancy is jarring, considering that the extension is supposed to be for managing web conferences—nothing remotely related to adult videos.
As of this writing, we have reported this extension, detected as BREX_KILIM.VVOX, to Google. We spotted another extension in the app store exhibiting the same name and routines but it is no longer available on Google Web Store.
Hashes for related file: