Facebook has long been a target for all kinds of scammers. The social network has often been leveraged in malware distribution campaigns. Cyren researchers just discovered a malicious Google Chrome extension that is spreading nude celebrity PDFs to Facebook groups. Apparently a user is uploading a PDF document to groups with the following name:
In fact this trick is one of the oldest phishing tricks, but there are still users who fall for the scam.
What Happens If Users Fall for the Scam?
Researchers say that opening the PDF leads to a nude picture with a ”Play“ button in the middle. If clicked, the picture opens up a Web browser for the video to be viewed. If the browser is Internet Explorer, Mozilla Firefox, or Safari, the potential victim will be taken to an aggressive advertising page that may contain nudity, fake lottery, etc:
If the user is running Google Chrome, the following link will be opened:
They will also be shown a fake YouTube website. Clicking the Play button will only open a pop-up window that invites the user to install the bad Google Chrome extension. Once the extension is installed, the browser will open a Facebook.com login page. The extension can read the user’s friend list, Facebook groups, and available personal information. It could also upload the PDF to groups, posts and to friends in private chat, researchers say.
The extension is able to read the user’s friend list, Facebook groups, plus all personal information and upload the PDF to groups, posts, and to friends in private chat.
Furthermore, the extension contains a list of antivirus and antispam domains to block. It will also prevent users from accessing the Chrome extensions settings page.
What Celebrity Names Are Used in the Scam?
Not surprisingly, the names of beautiful female celebrities were users: Jessica Alba, Jennifer Lawrence, Selena Gomez, Hilary Duff, Rihanna, Scarlett Johansson, Kim Kardashian, Kelly Brook, Doutzen Kroes and Nicki Minaj.
The only way to remove the extension is via deleting its registry key from the reg editor, as well as its folder in AppData.