Fake Browser Plug-in—A New Vehicle for Scammers

Facebook scams have become a common propagation vector for scammers to earn commissions. But once in a while, something interesting happens that makes security researchers sit up and take notice. One such case is a scam that is currently fooling victims into downloading a fake browser plug-in.  The scenario is very simple: the victim is lured into watching some video; but instead of asking the victim to share/like the video, (which we have seen in many scams) the scammers present the victim with a fake plug-in download image, which is required to see the video. One such case is described below.

The fake screen is nothing but an image that has been loaded from another site through an iframe. The iframe that loads the fake contents can be seen below:

Upon visiting the iframe-loaded site we are presented with the following image:

Once the victim clicks on the image, the User-Agent info is retrieved and accordingly, the fake plug-in is downloaded. Currently only Mozilla Firefox and Google Chrome plug-ins are being used. Below is the script that is responsible for retrieving the plug-in:

Below, we can see the browser asking the victim to install the plug-in:

The installed plugin, once opened, contains a number of scripts.  

One of the scripts is used to download another script from the server.

This script, in turn, downloads the final malicious script.

The final script, extra.js, is responsible for posting the fake image (that is pretending to be a video) on the victim’s profile, thus further spreading the scam.

In the end, the classic survey screen pops up, which the user is required to be complete in order unlock the video.

Scammers are always looking for different techniques to lure users into completing surveys and Symantec is always on the lookout to defeat these attacks in their purpose. Symantec applies a sophisticated and multilayered approach to protect its users from this attack. We at Symantec urge readers to install all security patches and definitions regularly.

Additional Facebook Security Tips:

  • Review your security settings and consider enabling login notifications. They’re in the drop-down box under Account on the upper, right-hand corner of your Facebook home page.
  • Don't click on strange links, even if they're from friends, and notify the person if you see something suspicious.
  • Don't click on friend requests from unknown parties.
  • If you come across a scam, report it so that it can be taken down.
  • Don’t download any applications you aren’t certain about.
  • For using Facebook from places like hotels and airports, text “otp” to 32665 for a one-time password to your account.
  • Visit Facebook’s security page, and read the items “Take Action” and “Threats.”