Facebook has long been a target for all kinds of scammers, and the social network has often been leveraged in malware distribution campaigns. Cyren researchers have just discovered a malicious Google Chrome extension that spreads "nude celebrity" PDFs to Facebook groups. Apparently a user uploads a PDF document to groups under the following name:
Jessice_Alba_Leaked-sextapeVide_oSun_Dec_4_2016_22_99.mp4.pdf
In fact, this is one of the oldest phishing tricks, but there are still users who fall for the scam.
What Happens If Users Fall for the Scam?
Researchers say that opening the PDF shows a nude picture with a "Play" button in the middle. If clicked, the picture opens a web browser, supposedly so the video can be viewed. If the browser is Internet Explorer, Mozilla Firefox, or Safari, the potential victim is taken to an aggressive advertising page that may contain nudity, a fake lottery, and so on.
If the user is running Google Chrome, the following link will be opened:
hxxps://rb-xxxxxx.xxx/gxxxxo.php
They will also be shown a fake YouTube website. Clicking the Play button only opens a pop-up window that invites the user to install the malicious Google Chrome extension. Once the extension is installed, the browser opens a Facebook.com login page. According to the researchers, the extension can read the user's friend list, Facebook groups, and all available personal information, and it can upload the PDF to groups, to posts, and to friends in private chat.
Furthermore, the extension contains a list of antivirus and antispam domains to block, and it prevents users from accessing the Chrome extensions settings page.
What Celebrity Names Are Used in the Scam?
Not surprisingly, the names of well-known female celebrities were used: Jessica Alba, Jennifer Lawrence, Selena Gomez, Hilary Duff, Rihanna, Scarlett Johansson, Kim Kardashian, Kelly Brook, Doutzen Kroes and Nicki Minaj.
The only way to remove the extension is to delete its registry key with the Registry Editor, as well as its folder in AppData.
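As an added example (not Cyren's tooling or the article's code), the following triage script scans a Chrome profile's extension folders and flags manifests that request the capabilities described above: intercepting or blocking web requests (needed to block antivirus domains) and host access to facebook.com or to every site. The Windows profile path and the Manifest V2 permission names are assumptions; the sample manifest it writes is constructed for demonstration.

```python
import json
import os
import sys
import tempfile
from pathlib import Path

# Manifest V2 permissions that let an extension block or rewrite web traffic.
NETWORK_PERMS = {"webRequest", "webRequestBlocking", "proxy"}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Assumed default location of a Windows Chrome profile's extensions.
DEFAULT_DIR = r"%LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions"


def risk_flags(manifest: dict) -> list:
    """Return human-readable reasons this manifest looks suspicious (empty if none)."""
    perms = set(manifest.get("permissions", []))
    flags = []
    if perms & NETWORK_PERMS:
        flags.append("can intercept/block web requests: %s" % sorted(perms & NETWORK_PERMS))
    hosts = {p for p in perms if "://" in p or p == "<all_urls>"}
    if hosts & BROAD_HOSTS:
        flags.append("host access to every site")
    elif any("facebook.com" in h for h in hosts):
        flags.append("host access to facebook.com")
    if "tabs" in perms and perms & NETWORK_PERMS:
        flags.append("tabs + webRequest: can close or redirect pages such as chrome://extensions")
    return flags


def scan_profile(extensions_dir) -> dict:
    """Map extension id -> (name, flags) for every flagged <id>/<version>/manifest.json."""
    results = {}
    for manifest_path in Path(extensions_dir).glob("*/*/manifest.json"):
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip, do not crash the sweep
        flags = risk_flags(manifest)
        if flags:
            results[manifest_path.parent.parent.name] = (manifest.get("name", "?"), flags)
    return results


def build_sample_profile() -> str:
    """Write one constructed (fake) extension into a temp dir and return that dir."""
    root = tempfile.mkdtemp()
    ext_dir = Path(root) / "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" / "1.0_0"
    ext_dir.mkdir(parents=True)
    sample = {"name": "Video Player", "permissions": ["webRequestBlocking", "*://*.facebook.com/*"]}
    (ext_dir / "manifest.json").write_text(json.dumps(sample), encoding="utf-8")
    return root


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else os.path.expandvars(DEFAULT_DIR)
    for ext_id, (name, flags) in scan_profile(target).items():
        print(ext_id, name, *("\n   - " + f for f in flags))
```

Run it with no argument on a Windows host to sweep the default profile, or pass another extensions directory as the first argument.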