{"id":9096,"date":"2012-12-19T00:00:10","date_gmt":"2012-12-19T07:00:10","guid":{"rendered":"http:\/\/blog.webroot.com\/?p=9096"},"modified":"2018-01-30T12:21:22","modified_gmt":"2018-01-30T19:21:22","slug":"fake-change-facebook-color-theme-events-lead-to-rogue-chrome-extensions","status":"publish","type":"post","link":"https://www.webroot.com/blog/2012\/12\/19\/fake-change-facebook-color-theme-events-lead-to-rogue-chrome-extensions\/","title":{"rendered":"Fake ‘Change Facebook Color Theme’ events lead to rogue Chrome extensions"},"content":{"rendered":"

Cybercriminals have recently launched a privacy-violating campaign spreading across Facebook in an attempt to trick Facebook’s users into installing a rogue Chrome extension. Once installed, it will have access to all the data on all web sites, as well as access to your tabs and browsing history.<\/p>\n

More details:<\/p>\n

<\/p>\n

Sample screenshot of one of the few currently active Facebook Events promoting the rogue Chrome extension:<\/strong><\/p>\n

\"Fake_Change_Facebook_Color_Theme_02_Rogue_Google_Chrome_Extension\"<\/a><\/p>\n

The campaign is relying on automatically registered Tumblr accounts, where the actual redirection takes place. Users are exposed to the following page, enticing them into changing their Facebook color theme:<\/p>\n

\"Fake_Change_Facebook_Color_Theme_01_Rogue_Google_Chrome_Extension\"<\/a><\/p>\n

Once users accept the EULA and Privacy Policy, they will become victims of the privacy-violating Chrome extension:<\/p>\n

\"Fake_Change_Facebook_Color_Theme_05_Rogue_Google_Chrome_Extension\"<\/a><\/p>\n

To further improve its legitimacy, and to play by Google’s newly introduced strategy to fight rogue Chrome extensions<\/strong><\/a>, the cybercriminals behind the campaign not only hosted it on Amazon’s cloud, they also featured it in Chrome’s Web Store:<\/p>\n

\"Fake_Change_Facebook_Color_Theme_03_Rogue_Google_Chrome_Extension\"<\/a><\/p>\n

In case users choose not to accept the EULA and the Privacy Policy, the cybercriminals behind the campaign will once again attempt to monetize the hijacked Facebook traffic by asking them to participate in surveys, part of CPA (Cost-Per-Action) affiliate network, earning them money:<\/p>\n

\"Fake_Change_Facebook_Color_Theme_04_Rogue_Google_Chrome_Extension\"<\/a><\/p>\n

Sample Facebook Events spreading the bogus Tumblr URls:<\/strong>
\nhxxps:\/\/www.facebook.com\/events\/389748451108256\/<\/em>
\nhxxps:\/\/www.facebook.com\/events\/463366360367776\/<\/em>
\nhxxps:\/\/www.facebook.com\/events\/479634408745393\/<\/em>
\nhxxps:\/\/www.facebook.com\/events\/476440942398408\/<\/em><\/p>\n

Sample automatically registered Tumblr accounts participating in the campaign:<\/strong>
\nhxxp:\/\/ixhg7wadu.tumblr.com\/?28479630128<\/em>
\nhxxp:\/\/6upe014h7.tumblr.com\/?3411365086213<\/em>
\nhxxp:\/\/akecnjhpn.tumblr.com\/?8892833241261<\/em>
\nhxxp:\/\/zuodxt5yq.tumblr.com\/?5593177247792<\/em>
\nhxxp:\/\/xr8o8wc2t.tumblr.com\/?1936588422396<\/em><\/p>\n

Redirection takes place through the following IP:<\/strong>
\nhxxp:\/\/50.57.129.34\/ping\/redirect2.php (AS19994)<\/em><\/p>\n

Amazon Cloud hosting URL:<\/strong>
\nhxxp:\/\/redf6.s3-website-us-east-1.amazonaws.com\/last2.html<\/em><\/p>\n

Google Chrome Web Store hosting URL:<\/strong>
\nhttps:\/\/chrome.google.com\/webstore\/detail\/facebook-red\/djicdajegmppedmnlgkhgjgejlgeblei<\/em><\/p>\n

Users are advised to be extra cautious when accepting EULAs and Privacy Policies, in particular when installing browser extensions that have the capacity to access sensitive and personally identifiable data on their PCs.<\/p>\n

You can find more about Dancho Danchev at his\u00a0LinkedIn Profile<\/strong><\/a>. You can also\u00a0follow him on \u00a0Twitter<\/strong><\/a>.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"

Cybercriminals have recently launched a privacy-violating campaign spreading across Facebook in an attempt to trick Facebook’s users into installing a rogue Chrome extension. Once installed, it will have access to all the data on all web sites, as well as access to your tabs and browsing history. More details:<\/p>\n","protected":false},"author":65,"featured_media":17052,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[3005],"tags":[],"yst_prominent_words":[12831,11519,12825,12823,3837,12843,10335,4497,12839,12833,12847,12841,12835,12827,3835,3821,12829,12837,3471,12845],"acf":[],"_links":{"self":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/9096"}],"collection":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/users\/65"}],"replies":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/comments?post=9096"}],"version-history":[{"count":1,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/9096\/revisions"}],"predecessor-version":[{"id":23677,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/9096\/revisions\/23677"}],"wp:featuredmedia":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/media\/17052"}],"wp:attachment":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/media?parent=9096"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/categories?post=9096"},{"taxonomy":"post_tag","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/tags?post=9096"},{"taxonomy":"yst_prominent_words","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/yst_prominent_words?post=9096"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}