Italian security researcher Carlo De Micheli told the New York Times’ Bits blog that the gambit is fairly straightforward: users receive an email or Facebook message claiming to be from a friend, with a link to click from within Facebook to view a video. After clicking, users are prompted to download a Google Chrome browser extension from the official Google store, to be able to watch the clip. But if they do, voila! – the malware is executed.
The attackers, whom forensics suggests are likely of Turkish origin, are after a trove of stored information: the malware gives them access to everything stored in the browser, and with it access to any account with a saved password. Social-networking access is just the tip of the iceberg; online file-sharing sites, message-board services, gaming sites, mail clients and even some corporate VPNs all let users store passwords in the browser for one-click sign-in.
It’s spreading quickly, and no wonder: It also signs into Facebook to send out infection messages to the victim’s friends. The messages aren’t spoofed like many phishing campaigns are; they’re actual Facebook messages that appear entirely legit. De Micheli told the Times that he’s seeing 40,000 attacks per hour so far, with 800,000 Google Chrome users already affected. He also said the authors were hard at work morphing the code for other browsers, with a Firefox version already developed.
Google, for its part, has removed the offending extension from the Chrome store. A spokesperson sent, by email, the stock response Google issues whenever such incidents occur: “When we detect items containing malware or learn of them through reports, we remove them from the Chrome Web Store and from active Chrome instances. We’ve already removed several of these extensions, and are continuing to improve our automated systems to help detect them even faster.”
Facebook said that its security systems had also detected the attack and it was working to clear the malicious links.
“In the meantime, we have been blocking people from clicking through the links and have reported the bad browser extensions to the appropriate parties,” Michael Kirkland, a Facebook spokesman, told the Times. “We believe only a small percentage of our users were affected by this issue, and we are currently working with them to ensure that they’ve removed the bad browser extension.”
Unfortunately, the malware also blocks the user’s access to the browser settings, making removal difficult, and it blocks sites that provide virus-removal software. The best bet is to avoid installing browser extensions offered this way at all, unless the message has been confirmed as coming from a real friend and not from a piece of code masquerading as one.
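As an added defender-side example (not code from the article or from any of the companies quoted), the following Python script walks a Chrome profile's Extensions folder and flags manifests that request the capability mix described above: access to every site, the cookie store, request blocking, and a content script aimed at facebook.com. The extension ids and manifests in SAMPLE_MANIFESTS are constructed, and the indicator list is an assumption, not a published detection rule.

```python
import json
from pathlib import Path

# On-disk layout Chrome uses for installed extensions:
#   <profile dir>/Extensions/<32-char extension id>/<version>/manifest.json
def load_extension_manifests(profile_dir):
    """Yield (extension_id, manifest dict) for every extension in a profile."""
    for path in (Path(profile_dir) / "Extensions").glob("*/*/manifest.json"):
        with open(path, encoding="utf-8") as fh:
            yield path.parts[-3], json.load(fh)

# Host patterns that grant access to every site the user is logged into.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def triage_manifest(manifest):
    """Return the risk indicators a manifest carries (empty list = nothing notable)."""
    perms = set(manifest.get("permissions", []))
    hosts = perms | set(manifest.get("host_permissions", []))  # MV2 or MV3 style
    reasons = []
    if hosts & BROAD_HOSTS:
        reasons.append("broad host access: can read and modify every page")
    if "cookies" in perms:
        reasons.append("cookies: can lift session cookies of saved-login sites")
    if {"webRequest", "webRequestBlocking"} <= perms:
        reasons.append("webRequestBlocking: can silently block chosen sites")
    for script in manifest.get("content_scripts", []):
        if any("facebook.com" in pattern for pattern in script.get("matches", [])):
            reasons.append("content script injected into facebook.com pages")
            break
    return reasons

def triage_manifests(manifests):
    """Map extension id -> indicators, keeping only extensions with at least one."""
    findings = {eid: triage_manifest(m) for eid, m in manifests.items()}
    return {eid: reasons for eid, reasons in findings.items() if reasons}

# Constructed sample manifests (not real extensions): one with the capability
# mix the article describes, one benign tab counter for contrast.
SAMPLE_MANIFESTS = {
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
        "name": "Watch This Video", "manifest_version": 2,
        "permissions": ["<all_urls>", "cookies", "tabs", "webRequest", "webRequestBlocking"],
        "content_scripts": [{"matches": ["*://*.facebook.com/*"], "js": ["fb.js"]}],
    },
    "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
        "name": "Tab Counter", "manifest_version": 2, "permissions": ["tabs"],
    },
}

if __name__ == "__main__":
    for eid, reasons in triage_manifests(SAMPLE_MANIFESTS).items():
        print(eid, *reasons, sep="\n  ")
```

To run it against a live profile, replace SAMPLE_MANIFESTS with `dict(load_extension_manifests(path_to_profile))`; a "tabs"-only extension like the sample tab counter is not flagged, so the output is short enough to review by hand.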
Google Chrome is widely considered to be one of the more secure web browsers out there, not least because of its aversion to Java, but that doesn’t mean issues don’t crop up. In 2012, Kaspersky researchers discovered a huge wave of attacks targeting Brazilian users of Facebook, based on the distribution of malicious extensions. Several themes were used in these attacks, including “Change the color of your profile” and “Discover who visited your profile,” and some bordering on social engineering, such as “learn how to remove the virus from your Facebook profile.”