Security researchers at Trend Micro have warned Google Chrome and Mozilla Firefox users about a new piece of malware. According to a detailed post on the security firm’s blog by Don Ladores (Threat Response Engineer), the malware was found circulating on social media sites and targets Chrome and Firefox users in particular.
The threat uses fake extensions for both browsers to trick unsuspecting users into installing them. Once installed, the browser extensions make their way into the systems of these users and hijack their social media accounts – Facebook, Google+ and Twitter, specifically.
The fake browser extension
The attackers try several ways to trick users into installing these fake extensions. Users may come across many such "lures" on social media sites that try to get them to install a fake video player update. Researchers detect this update as a malicious file, TROJ_FEBUSER.A. If a user is tricked into installing this malicious file, it installs a browser plugin that matches the browser the user is working in.
Trend Micro spotted an early version for Google Chrome, detected as JS_FEBUSER.A. This malicious file identifies itself as Chrome Service Pack 5.0.0 for Chrome users and as Mozilla Service Pack 5.0 for Firefox users.
While Google Chrome has flagged this particular plugin as malicious, researchers have spotted an updated version of the plugin, JS_FEBUSER.AB, which identifies itself as F-Secure Security Pack 6.1.0 (for Google Chrome) and F-Secure Security Pack 6.1 (for Mozilla Firefox).
Once users are tricked into installing this updated malicious file, it connects to a malicious URL to download a configuration file. The malware then uses the details in the configuration file to hijack the user’s social media accounts and carry out the following tasks without any authorisation from the user:
- Like pages
- Share posts
- Join a group
- Invite friends to a group
- Chat with friends
- Post comments
- Update status
Users should also note that the malware attempts to perform these tasks across Facebook, Google+ and Twitter. The attackers may continue this chain and use the compromised accounts to spread malware.
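One way to check a browser profile for the display names reported above is to walk its extension folders and read each manifest. The following is an added example, not code from Trend Micro or the article; it assumes a Chrome-style layout where each extension ships a manifest.json with "name" and "version" keys, and that the fake plugin's "name" begins with the reported display name. The sample manifests are constructed.

```python
import json
import tempfile
from pathlib import Path

# Display-name prefixes the article reports for the fake extensions.
REPORTED_NAMES = ("chrome service pack", "mozilla service pack",
                  "f-secure security pack")


def normalise(name):
    """Lower-case and collapse whitespace so cosmetic changes still match."""
    return " ".join(str(name).lower().split())


def scan_extensions(root):
    """Return (path, name, version) for every manifest.json under root whose
    "name" starts with a reported display name."""
    hits = []
    for manifest in sorted(Path(root).rglob("manifest.json")):
        try:
            data = json.loads(manifest.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it
        if not isinstance(data, dict):
            continue
        if normalise(data.get("name", "")).startswith(REPORTED_NAMES):
            hits.append((str(manifest), data.get("name"), data.get("version")))
    return hits


def build_sample_tree(root):
    """Write constructed sample manifests (not real malware) under root."""
    samples = {
        "aaaa/5.0.0_0": '{"name": "Chrome Service Pack", "version": "5.0.0"}',
        "bbbb/6.1.0_0": '{"name": "F-Secure  Security Pack 6.1.0", "version": "6.1.0"}',
        "cccc/1.2_0": '{"name": "Some Benign Extension", "version": "1.2"}',
        "dddd/0.1_0": '{"name": "Chrome Service Pack"',  # truncated JSON
    }
    for rel, text in samples.items():
        folder = Path(root) / rel
        folder.mkdir(parents=True, exist_ok=True)
        (folder / "manifest.json").write_text(text, encoding="utf-8")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for path, name, version in scan_extensions(tmp):
            print(f"REVIEW {name!r} version {version}: {path}")
```

A match is a lead for manual review, since an unrelated extension could share a name. Manifests that use localised `__MSG_...__` name placeholders are not resolved by this check.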
The digital signature on the fake video player update
Another worrying aspect of this entire episode is that the fake video player update is digitally signed. Simply put, unsuspecting users may take this as a sign that the file is legitimate and harmless. “It is not yet clear if this signature was fraudulently issued, or a valid organization had their signing key compromised and used for this type of purpose,” Ladores notes.
Updated Date: Aug 01, 2013 13:21 PM