Social Scams – Part 2: How to Clean Up Your Browser and Facebook Timeline

During recent weeks, I have seen different scams on Facebook attempt to convince users to install Google Chrome extensions. I have noticed some conversations taking place around the scams, with people not sure how to get rid of the scammer photos or how to prevent the scams from spreading further. Some users have unfortunately gone as far as creating new Facebook profiles for themselves. This is not necessary.

If you have been tricked by one of these scams, here is how you can clean up your browser and Facebook timeline:

Remove bad browser extensions

If you have installed the Chrome extension for Facebook Black, Profile Spy ("See Your Profile Viewers"), or Free PS4, you will need to uninstall it from your browser:

  1. Open the Google Chrome browser.
  2. Type chrome://extensions into the browser address bar.
  3. Click the trash can icon to delete bad extensions.
  4. Click Remove at the confirmation dialog.

The Google Chrome extension page can help you identify any bad extensions that you have installed. In the preceding example you can see both the "Get PS4" and "See Your Profile Viewers" extensions that have been installed.

To delete a bad browser extension, just click the trash can icon and confirm.
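For readers who want to check the same thing from disk rather than from chrome://extensions, the following is an added example (not part of the original post or Symantec's tooling). It walks a Chrome profile's Extensions folder, reads each manifest.json, and lists the extensions whose requested URL patterns let them act on facebook.com. The folder path is supplied by you, and the sample extensions built by build_sample are constructed for the demonstration.

```python
import json
import tempfile
from pathlib import Path

# Match patterns that grant access to every site, Facebook included.
BROAD = ("<all_urls>", "*://*/*", "http://*/*", "https://*/*")


def host_patterns(manifest):
    """Collect every URL match pattern an extension requests."""
    patterns = []
    for key in ("permissions", "host_permissions", "optional_permissions"):
        patterns += [p for p in manifest.get(key, []) if isinstance(p, str)]
    for script in manifest.get("content_scripts", []):
        patterns += script.get("matches", [])
    # Drop API permissions such as "tabs"; keep only URL patterns.
    return [p for p in patterns if "://" in p or p == "<all_urls>"]


def audit(extensions_dir, site="facebook.com"):
    """Return (id, name, patterns) for extensions able to touch `site`."""
    hits = []
    for manifest_path in sorted(Path(extensions_dir).glob("*/*/manifest.json")):
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or corrupt manifest: skip it
        risky = [p for p in host_patterns(manifest) if site in p or p in BROAD]
        if risky:
            ext_id = manifest_path.parent.parent.name
            hits.append((ext_id, manifest.get("name", "?"), risky))
    return hits


def build_sample(root):
    """Constructed profile layout: <extension id>/<version>/manifest.json."""
    samples = {
        "a" * 32: {"name": "Sample Viewer Tool", "permissions": ["tabs", "*://*.facebook.com/*"]},
        "b" * 32: {"name": "Sample Notes", "permissions": ["storage"]},
        "c" * 32: {"name": "Sample Helper", "content_scripts": [{"matches": ["<all_urls>"], "js": ["x.js"]}]},
    }
    for ext_id, manifest in samples.items():
        folder = Path(root) / ext_id / "1.0_0"
        folder.mkdir(parents=True)
        (folder / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for hit in audit(tmp):
            print(hit)
```

An extension that appears in this list is not necessarily malicious, but one you do not recognize that can read and change Facebook pages is the first candidate for removal.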

Remove unwanted Facebook pages

The preceding Chrome extensions may be responsible for creating Facebook pages using your profile. Now you should confirm whether or not scammer Facebook pages were created in your account and then remove them:

  1. Click the gear icon at the top right corner of your Facebook profile and select the page you wish to modify.
  2. Once the Facebook page has loaded, click Edit Page at the top.
  3. Select Manage Permissions.
  4. Click Permanently delete [NAME OF PAGE] at the bottom.
  5. Click Delete to permanently remove the Facebook page.

As you can see in the preceding example, a randomly created Facebook page was found being used by scammers. You can prevent friends from being photo-tagged with scammer spam by permanently deleting these scammer Facebook pages.

After page deletion you should arrive back at your main Facebook profile.

Remove scammer posts from your Facebook timeline

In order to keep the scam in circulation, the previously mentioned Chrome extensions have downloaded JavaScript files. These files were responsible for performing scammer activity, including tagging your friends in photos to promote the scam in news feeds.

The last step is to remove the photos the scam extension has posted on your behalf and get a clean Facebook timeline:

  1. Go to your profile timeline.
  2. Scroll through your timeline to check for photos published by the scam.
  3. Hover over the timeline story item and click the pencil icon.
  4. Select Delete Photo.

Deleting the photos left by scammers on your timeline helps stop promotion of the scam.

However, in another scenario, you may be the one who is tagged by a scammer photo in a timeline. In that case, you should report the scam to Facebook:

  1. Hover over the timeline story item and click the pencil icon.
  2. Select Report/Remove Tag.
  3. Check I want to untag myself and I want this photo removed from Facebook and select It’s spam.
  4. Click Continue to confirm.

And now that you have removed bad extensions from your browser, cleaned up your Facebook profile timeline, and reported scammer spam, point your friends to this blog post so that they can clean up their own browsers and Facebook timelines.

Don't forget to stay vigilant

These clean-up instructions will help you remove scams circulating on Facebook that involve Google Chrome extensions. But, as mentioned before, scammers are relentless; they are likely to change their tactics again and again. Proceed with caution on social networks and avoid installing any browser extensions in exchange for free products or special features.

Symantec customers are protected against these types of attacks by our Web Attack: Fake Facebook Application 3 IPS signature.

Social Scams – Part 1: Reusing Old Scams to Push Browser Extensions

Last year, we talked about scams and spam circulating on Facebook in our whitepaper. Social networking scammers often reuse common lures to trick users, such as offering free products or additional features that are not available on their network of choice. What these scammers do differently is find new ways to get more eyeballs to view their specific links. Whether it is likejacking or even convincing users to paste code (an external JavaScript file) into the browser address bar, these scammers are relentless.

Just recently, we published a blog about the Facebook Black scam that has been spreading. While that scam continued to spread, we found two old lures being reused, and also two identical Google Chrome extensions being pushed onto the end user.

"Additional feature" lure

Users of social networks have often requested certain features and wondered whether they would ever be implemented on their favorite sites. One of the most commonly requested features across all social networks has been a way to see who has visited one's profile. This feature has never been available, yet this lure has been used in scams across many of the most popular social networks over the years.


Figure 1. Photo-tagging spam claiming additional feature

In fact, this lure—commonly found on social networks—is identical to the one used in the Facebook Black scam we posted about recently. Users are redirected through an iFrame on a Facebook page and then taken to a website where they are enticed to install a Google Chrome extension.


Figure 2. Browser extension claiming additional feature

Installing the extension does nothing—except present the user with a set of surveys to fill out in order to unlock the additional feature. The feature never gets unlocked. The only thing that happens is the scammers make money off of every survey completed successfully.


Figure 3. Scammer survey

"Get something free" lure

Let’s face it: people like free stuff. But free stuff on social networks is not really free. The newest products are the most valued by users and scammers know this. This is why they continue to reuse this lure.


Figure 4. Web page claiming to get something free

For instance, in February Sony announced their new video game console, PS4. It is not scheduled to arrive in stores until the year-end holiday season. However, that has not stopped scammers from attempting to trick users by offering a free PS4 test unit that they can keep.


Figure 5. Browser extension claiming to get something free

The Web page for this scam claims that users can get a voucher for a free PS4. In reality, there is no voucher. There is just a browser extension created by scammers.

When users install this browser extension, JavaScript files are downloaded onto the user's computers. These files then perform various actions in the user's Facebook account, like creating a Facebook page with an iFrame and posting a photo the user's friends are subsequently tagged in (see previous Figure 1). And this is how the scam spreads.


Symantec customers are protected against these types of attacks by our Web Attack: Fake Facebook Application 3 IPS signature.

Be cautious when you see offers for free products on social networks, especially products that are highly sought after. Also, if a feature is not currently available on a social network, chances are there is a reason that it is not available. Do not install browser extensions from unverified sources—even if they offer free products or access to an unavailable feature—and be especially suspicious of anything that is promoted aggressively on your social networks.

Google, for its part, removes malicious Chrome extensions as it finds them and is improving its automated systems to help detect items containing malware.

However, in the next post we provide instructions on how to remove these scammer browser extensions yourself, and how to clean up your Facebook timeline from all the spam left by scammers.

Beware of Clicking the Web Translator Hyperlink

Foreign languages are no longer as difficult to understand as they once were, thanks to improvements in web translation services, which instantly translate words and web pages. A website translator plug-in makes foreign-language content accessible with little effort by automatically recognizing foreign-language identifiers. Website translators require JavaScript to be enabled to run. The translation request usually follows this form:

  • http://<web translate service provider domain>/translate?u=<website or link that you want to restate in your favorite language>

McAfee Labs Messaging Security recently observed a spam technique based around Internet web translator applications. Spammers never rely on just one strategy. We recently saw these translator web services being abused by cybercriminals, who use redirection techniques that employ URL shorteners to disguise the destination links. We observed the following URL patterns during our investigation:

  • http://<web translate service provider domain>/translate?u=<some shorten URI Domain>/4cj0?/
  • http://<web translate service provider domain>/translate?u=<some shorten URI Domain>/Yi9Gsi?/
  • http://<web translate service provider domain>/translate?u=<some shorten URI Domain>/wqEZs?/
  • http://<web translate service provider domain>/translate?u=<some shorten URI Domain>/kK17V?/
  • http://<web translate service provider domain>/translate?u=<some shorten URI Domain>/4cj4?/crowded answer.htm&hl=en

Because online web translators are very effective and powerful tools, spammers have targeted and spoofed these application links to bypass spam filters and get their victims to click the links.
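A mail filter can counter this by unwrapping the translator link and checking what sits in its u= parameter. The following is an added example, not McAfee's detection logic: it extracts URLs from a message body, recognizes the /translate?u= shape listed above, and reports the host hidden behind it. The host names translate.example, short.example and tiny.example are constructed placeholders, because the real domains are elided in this post.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed placeholder hosts (assumptions): supply the translation
# services and URL shorteners that matter for your own mail flow.
TRANSLATOR_HOSTS = {"translate.example"}
SHORTENER_HOSTS = {"short.example", "tiny.example"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def target_host(value):
    """Host of the u= value, which usually arrives without a scheme."""
    if "://" not in value:
        value = "http://" + value
    return (urlsplit(value).hostname or "").lower()


def wrapped_target(url):
    """Return the host hidden behind a translator link, or None."""
    parts = urlsplit(url)
    if (parts.hostname or "").lower() not in TRANSLATOR_HOSTS:
        return None
    if parts.path.rstrip("/") != "/translate":
        return None
    values = parse_qs(parts.query).get("u")
    return target_host(values[0]) if values else None


def scan_body(body):
    """List (url, hidden_host, verdict) for each translator link in a body."""
    findings = []
    for url in URL_RE.findall(body):
        url = url.rstrip(".,;)")  # drop sentence punctuation glued to the URL
        hidden = wrapped_target(url)
        if hidden is None:
            continue
        chained = hidden in SHORTENER_HOSTS
        verdict = "shortener-behind-translator" if chained else "translator-link"
        findings.append((url, hidden, verdict))
    return findings


# Constructed sample message modelled on the URL shapes listed above.
SAMPLE = """Boost your health: http://translate.example/translate?u=short.example/4cj0?/
Docs: http://translate.example/translate?u=http://news.example/article&hl=en
Plain link: http://short.example/abc
"""

if __name__ == "__main__":
    for finding in scan_body(SAMPLE):
        print(finding)
```

The hidden host, not the translator's own domain, is the value to run against domain blacklists and shortener-resolution checks.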

In the past, security experts have come across incidents of spammers who employed URI shorteners to avoid domain blacklists. Now spammers have pioneered spamming with web translator links, used in much the same way as the shortened URI sites. We have seen this campaign used especially for pharmacy spam using the following subject lines:

Subject-Line Examples

  • If your wife in bed resembles a log apply pure magic of pharmacy!
  • When sexual problems suddenly come into your life you’d better be prepared to meet it!
  • Autumn is the season of giant savings all over the world! Boost your health
  • One tiny pill can make your erection ten times harder. See the difference!
  • Doctors didn’t help me restore my sexual activity and health. But Tibetan monks did!

We have found that all the samples come from free-account web mailers with various accounts linked with them. Spammers spoofed and used web email accounts to send their messages.


“From” Header Examples

Spammers usually just pack their messages with links that use shortening services to redirect victims to a phishing pharmacy website. Once the user clicks on a spoofed URL, a query appears in the search box of the web-translation service provider's domain, mapped to another bogus link location. That link redirects to the pharmacy spam site. The following image shows the view after the connection to a redirected website:



Final Redirect

The translator engine tries to translate this website but cannot because the inserted fake link redirects the victim to a forged pharmacy site:



Email Sample

Most samples come with a single hyperlink and some spam content in the text body and subject lines. In this campaign, spammers pick the translator service to make it tricky for antispam companies to filter, or even become aware of, this latent spam. Spammers target the recipients with emails designed to tickle their curiosity.


As always, we advise users to follow best practices to avoid any targeted fraud/spam/phishing harassment.

  • Do not open or click any links in emails from unknown persons
  • Ignore unsolicited requests for sensitive personal information
  • Regularly update your security software, such as McAfee Email & Web security product
  • Don’t open any suspicious attachments in emails from unknown persons

Ongoing Google Play Attacks Plague Japanese with Variation on One-Click Fraud

In what may be the biggest security-related incident on Google Play this year, multiple Trojans targeting Japanese users were discovered carrying the strain of Android one-click fraud. McAfee Mobile Research has already identified multiple developer accounts that were used to spread the malware and confirmed that more than 80 applications of this type existed on Google Play as of this writing. We have also reported additional developer accounts to Google Play Security for investigation and revocation.


Our investigation into the apps has shown that new variants of one-click fraud have been altered so that the fraud is not immediately identifiable unless the victim interacts with the apps, in effect making the apps “two-click fraud” or even “three-click fraud” and making the automated screening and scanning process difficult.

In fact, these applications simply invoke the web browser on the device or the web-view component inside the application to load the web contents. This extra step in the fraud makes automated detection of this type of malware more difficult.


One-click fraud is a threat vector that is unique to Japan and has been around for more than a decade on PCs, but recent aggressive tactics during the past year show that the criminals behind this scam are committed to exploiting mobile devices.

By using two or more clicks to commit fraud, an attacker can more easily trick users into believing that they are actually registered in the fraudulent service. Victims are more likely to pay money or give detailed personal information to the attacker.

In the current fraud, the attacker used multiple developer accounts on Google Play, as well as almost the same description of the applications across these separate accounts. This indicates that this type of fraudulent application variant is easily created and distributed. Actually, the attacker created new developer accounts soon after old accounts were banned due to malware reporting and published almost the same applications with minor changes under these new accounts.

What is worse, the essential part of this fraud occurs on the websites rather than inside the Android application, so there are still risks that the number of victims will increase via web browsing even if these applications are removed from Google Play.

McAfee detects this malware family as Android/OneClickFraud. We also detect and block the web accesses to the URLs used in this series of online fraud to protect users when they encounter the malicious fraud sites using their browsers. Make sure to keep your McAfee security products updated and stay tuned to McAfee Labs blogs for additional information as we continue our investigation.