Trend Micro threat response engineer, Don Ladores reported uncovering the scam, claiming that crooks are using a variety of techniques to dupe unwary web users into downloading the bogus account hijacking extensions.
"To install these fake extensions, users would see various lures on social media sites to try to get users to install a fake video player update. In reality this player update is a malicious file detected as TROJ_FEBUSER.AA, [and it] installs a browser plugin depending on the browser currently being used," he explained.
"Once installed, it connects to a malicious URL to download a configuration file. It uses the details on that configuration file to hijack the user's social media accounts."
Ladores said the crooks use the accounts to like pages, share posts, join and invite friends to groups, chat with the users' friends and post comments. He said the end goal of these actions is to spread malware.
The Trend researcher said the attack is doubly dangerous as the extensions it uses hold digital signatures, meaning at first glance they look entirely legitimate. "One more thing to note: the fake video player update is digitally signed.
Digital signatures are a way for developers and publishers to prove that a file did come from them and has not been modified. Potential victims may take this to mean that the file is legitimate and harmless," he wrote.
"It is not yet clear if this signature was fraudulently issued, or a valid organisation had their signing key compromised and used for this type of purpose."
Ladores said numerous security products already block the extensions used in the scam, but warned Chrome and Firefox users to be extra vigilant when prompted to download a new extension.
The scam is one of many detected using advanced detection-dodging techniques. Trend Micro researchers also detected an advanced campaign using header spoofing techniques to hide their activities.
No comments:
Post a Comment