13 May 2013
Several malicious browser extensions hijack Facebook accounts, posting and sharing messages on behalf of users, Microsoft warns. The company first discovered the threat in Brazil and detects it as Trojan:JS/Febipos.A.
The scam posts a Portuguese message on users’ timeline. “15 year-old victim of bullying commits suicide after showing her breasts on Facebook,” the message reads. It also lures victims to a malicious video which Facebook has already blocked.
The browser extension specifically targets Chrome and Mozilla Firefox and, when installed, it attempts to update itself. Febipos starts the hijacking by monitoring users to see if they are currently logged-in to Facebook.
“It then attempts to get a configuration file from the website <removed>.info/sqlvarbr.php,“ Microsoft said in a blog post. “The file includes a list of commands of what the browser extension will do. It may also post links on Facebook profiles. For example, the posted link from the Facebook page […] redirects to a website that sells cars.”
Scam messages vary depending on the configuration file, and include voucher and gift offers such as “R$1000-voucher contest” and “a brand new Celta paying R$13 per day!” Febipos may also like a page, join a group, invite friends to a group or chat with them.