Chrome users, beware of an extension by the name of “Business Flash Player”.
According to Bitdefender senior e-threat analyst Bogdan Botezatu, the link to download it comes embedded in spam that hits the victims’ inbox, and takes them to the Chrome Web Store page where it is offered.
The extension is capable of doing many things, and they are all bad.
They typically use it to “Like” pages on the victims’ behalf, post malicious links to other phishing campaigns, and send spammy messages to their friends.
Botezatu shared with PCWorld that some of these pages that the compromised accounts “like” have over 40,000 likes, despite the fact that they hold no content.
These pages then get sold on underground forums in Russia – for as much as $200 for a page with 100,000 likes – to people looking for a handy platform for pushing things like counterfeit goods onto unsuspecting users.
When they buy the page, they simply change the name and content to match the name of a popular and pricy brand.
The rogue extension is also capable of stealing Facebook cookies and use them to directly hijack the users’ account.
Botezatu warns that AV software is unlikely to detect the extension as a rogue, unless it uses web filters.
The rogue extension has already been removed from the Chrome Web Store, but if you believe that you have fallen for this or a similar scheme, I suggest you first log out of Facebook, then manually remove the rogue plugin from your browser.
Next, log into Facebook again and change your password. Then proceed to clear your account: “unlike” pages that you know you haven’t “liked” on purpose, go through your Timeline and remove messages you haven’t posted yourself, and check whether the extension managed to send messages to your friends on your behalf – if it did, notify them about it.