Anti-Malware Research

Rogue Google Chrome Extension Helps Crooks Harvest Facebook Likes

An impersonation of the Adobe Flash Player is being used by cyber-criminals to get page likes for various campaigns in just two clicks, then sell them to other customers.

The story of a page that has gathered 40,000+ likes starts with an apparently harmless link to a page hosting videos of kittens and unicorns. The page is located on an internationalized domain – xn--47aaeaba.com – that performs the redirect to the fast[removed]e.com domain (registered yesterday – 2013-02-17 – in Turkey and whose owner asked that their contact information not be published). This page asks the victim to install a fake version of the Flash Player in order to see the video content.

Fake plugin

Fig. 1: the fake player asks for a special plugin

Victims using Google Chrome are then taken to the plugin’s page on the Chrome store where they are asked to install an extension named Business Flash Player!, a rogue extension for the browser that can access Facebook cookies and like pages on the user’s behalf.

Rogue player

Fig. 2: The malicious plugin on the Chrome Web Store

The extension fetches a piece of Javascript code from a short link hard-coded into the plugin. At the moment of writing, the snippet of code looks like this (it can change at any time, depending on which “like” campaign the plugin’s creator runs):

code_snip

Fig.3: Javascript snippet used to “like” a page by ID

Please note the last line of code that instructs the user’s browser to artificially “like” a Facebook page with the ID of 274169846047328. A quick look on the social networking platform reveals it is associated with Mehmet Özbilen, a fan page that managed to get 40,319 likes since its creation on February 12 with no content posted on it.

liked_page

Fig. 4: Blank page with tens of thousands of “likes” ready to be purchased and customized

This type of scam is highly lucrative for its creators. With just a couple of lines of code – many of which have already been open-sourced on the web and are ready to be copied and pasted – crooks can gather significant numbers of likes from unwary Facebook users and grow a page that is ready to be sold to the highest bidder.

As the number of likes contributes to the page’s Edge Rank (a proprietary algorithm that decides which users see what is being posted on the page), shady companies and cyber-criminals alike are bidding for pages that already have a considerable number of likes.

About the author

Bogdan BOTEZATU

Bogdan Botezatu is living his second childhood at Bitdefender as senior e-threat analyst. When he is not documenting sophisticated strains of malware or writing removal tools, he teaches extreme sports such as surfing the web without protection or rodeo with wild Trojan horses. He believes that most things in life can be beat with strong heuristics and that antimalware research is like working for a secret agency: you need to stay focused at all times, but you get all the glory when you catch the bad guys.

7 Comments

Click here to post a comment