Fake ‘Change Facebook Color Theme’ events lead to rogue Chrome extensions


Cybercriminals have recently launched a privacy-violating campaign spreading across Facebook in an attempt to trick Facebook’s users into installing a rogue Chrome extension. Once installed, the extension has access to your data on all websites, as well as to your tabs and browsing history.

More details:

Sample screenshot of one of the few currently active Facebook Events promoting the rogue Chrome extension:


The campaign is relying on automatically registered Tumblr accounts, where the actual redirection takes place. Users are exposed to the following page, enticing them into changing their Facebook color theme:


Once users accept the EULA and Privacy Policy, they will become victims of the privacy-violating Chrome extension:


To further improve its legitimacy, and to play by Google’s newly introduced strategy to fight rogue Chrome extensions, the cybercriminals behind the campaign not only hosted it on Amazon’s cloud, they also featured it in Chrome’s Web Store:


In case users choose not to accept the EULA and the Privacy Policy, the cybercriminals behind the campaign will once again attempt to monetize the hijacked Facebook traffic by asking them to participate in surveys that are part of a CPA (Cost-Per-Action) affiliate network, earning them money:


Sample Facebook Events spreading the bogus Tumblr URLs:

Sample automatically registered Tumblr accounts participating in the campaign:

Redirection takes place through the following IP:
hxxp://50.57.129.34/ping/redirect2.php (AS19994)

Amazon Cloud hosting URL:
hxxp://redf6.s3-website-us-east-1.amazonaws.com/last2.html

Google Chrome Web Store hosting URL:
https://chrome.google.com/webstore/detail/facebook-red/djicdajegmppedmnlgkhgjgejlgeblei

Users are advised to be extra cautious when accepting EULAs and Privacy Policies, in particular when installing browser extensions that have the capacity to access sensitive and personally identifiable data on their PCs.
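The extension described above could read data on every site and see the user's tabs and history, which in Chrome means it declared broad host and API permissions in its manifest.json. The following audit helper is an added example (not Webroot's code and not the rogue extension's actual manifest) that flags such declarations in an extension's manifest, using a constructed sample with the same capabilities; the manifest layout and permission names are standard Chrome ones, but the sample values are hypothetical.

```python
import json

# Host patterns that grant access to every website (manifest v2 and v3 spellings).
ALL_SITES = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# API permissions that expose browsing activity; the rogue extension used tabs and history.
SENSITIVE_APIS = {"tabs", "history", "webRequest", "webRequestBlocking", "cookies", "webNavigation"}


def risky_permissions(manifest: dict) -> list[str]:
    """Return human-readable findings for a parsed manifest.json (a dict).

    Checks 'permissions' (MV2 hosts and APIs), 'host_permissions' (MV3) and the
    'matches' of every content script, because a content script injected on
    <all_urls> reads page data exactly like an all-sites host permission does.
    """
    findings = []
    hosts = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    for script in manifest.get("content_scripts", []):
        hosts |= set(script.get("matches", []))
    broad = hosts & ALL_SITES
    if broad:
        findings.append("reads data on all websites: " + ", ".join(sorted(broad)))
    for api in sorted(set(manifest.get("permissions", [])) & SENSITIVE_APIS):
        findings.append(f"uses sensitive API permission: {api}")
    return findings


def audit_manifest_file(path: str) -> list[str]:
    """Audit an unpacked extension's manifest.json on disk."""
    with open(path, encoding="utf-8") as fh:
        return risky_permissions(json.load(fh))


# Constructed sample mirroring the capabilities described in the post (hypothetical values).
SAMPLE_MANIFEST = {
    "manifest_version": 2,
    "name": "Change Facebook Color Theme (constructed sample)",
    "version": "1.0",
    "permissions": ["tabs", "history", "http://*/*", "https://*/*"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}],
}

if __name__ == "__main__":
    for finding in risky_permissions(SAMPLE_MANIFEST):
        print(finding)
```

A "color theme" extension only needs a content script matched to facebook.com, so any all-sites host pattern or the tabs/history APIs in its manifest is the signal to refuse the install.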

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.
