Harmful extensions from Google Chrome web store are stealing Facebook accounts of victims

Recently, in the Google Chrome Web Store were found lots of malicious extensions for Google Chrome browser. All of those were tricking users to get on their pcs and then stealing social network accounts. In addition, the extensions could be used to carry out DDoS attacks, steal passwords, use the infected computer for Bitcoin mining – and this is not a complete list of threats that malicious extensions pose.

Malicious extensions were discovered by a Danish student – Maxime Kjaer. He noticed that cyber criminals were spreading links on Facebook to dubious websites that were checking the age of users. The age verification process was quite unusual: user needed to install a special browser extension. However, lots of users are unaware of cyber threats and they obediently do what they are asked to do.

All of the extensions that were distributed that way have similar names, which consists of various combinations of the words “age”, “verify” and “viral” and have been uploaded to the official Google Web Store. This have helped the cyber criminals to convince particularly cautious users in the safety of the operation. After the installation, the malicious extension demanded the maximum level of permissions and was operating as long as the web browser is opened.

These programs had nothing to do with the age verification. Extensions consist of three files. One of them is harmless module for parsing URL address, and the functionality of the malware was concentrated in two others: background.js and install.js. The first one simulates the age verification process and the other at the first opportunity downloads another script from the malicious server of cyber criminals. All of the malicious functionality is hidden in it. Such multi-layer installation scheme is needed to trick Google automatic verification, which can detect and stop the malware if it is included in the extension, however it cannot keep tracking the extension after the installation.

The downloaded script connects to a command server and executes the received instructions. At the moment, its primary function is to capture Facebook accounts. Kjaer says that after logging into a social network (Facebook) the extension transferred the account access token to the command server of cyber criminals. A software token allowed malware to use his Facebook account. The malware immediately took advantage of this opportunity and became to place likes on advertising posts. According to the calculations of Kjaer, malicious add-ons are installed on more than 132,265 computers.