It's the eve of Valentine's Day and scammers are spreading the love. According to Trend Micro Researchers, Facebook users need to be careful, because there is malicious content going around the social network. The attack begins with a post on affected users' wall inviting other users to install a Valentine’s theme into their Facebook profile. Once users click on this post, they are redirected to another page that urges them to install the theme. Clicking the Install button on the page will prompt the download of the malicious file, FacebookChrome.crx which Trend Micro detects as TROJ_FOOKBACE.A. When executed, TROJ_FOOKBACE.A executes a script that is capable of displaying ads from certain websites.
Spreading the viruses through love
It also installs itself on the users’ browsers as an extension named Facebook Improvement |Facebook.com. Once this malicious browser extension is installed, it will monitor the users’ browsing activities and redirect their page to a survey page asking them for their mobile number. Users who clicked on the post using Internet Explorer (IE) will be redirected to the same survey, without them being asked to download anything.
The attack is much more effective, if the users are using either Google Chrome or Mozilla Firefox. It resembles a legitimate extension download, therefore requiring less user interaction than when Internet Explorer is used (in which case the user is redirected to surveys). Suchita Vishnoi, Head – Marketing, Trend Micro (India & SAARC) commented that “The fact that the attack itself is focused on Chrome and Firefox may mean that cyber criminals are targeting extension-compatible browsers, as well as going after more popular browser choices. This is not the first attack of its kind, but considering this the extension-capable browsers are coming to the forefront now.“
She further added that it's important for users to inspect links closely and be very cautious when clicking links. She said that it is typical for spammers to use prominent events and brands like Reader's Digest, or contests to cloak their malicious schemes. She said that users should first verify with trusted sources about the existence of these promos to avoid becoming victims of such ruse.
The attack is also a form of clickjacking, because it makes the users automatically like Facebook pages and appear on their walls. This puts the victim's friends in a position to become victims themselves. However, Trend Micro says that TROJ_FOOKBACE.A does not seem to have any information stealing techniques. But, you still want to be careful with your online activities this Valentine's Day. No glove, no love… on Facebook that is.