Trend Micro has found two malicious browser extensions that hijack Twitter, Facebook, and Google+ accounts.
The attackers plant links on social media sites that, if clicked,
implore users to install a video player update. It is a common method
hackers use to bait people into downloading malicious software.
The bogus video player update lures people in a macabre manner: it
says it leads to a video of a young woman committing suicide, according
to Trend’s description.
The video player update carries a cryptographic signature that is
used to verify that an application came from a certain developer and has
not been modified, wrote Don Ladores, a threat response engineer, with
“It is not yet clear if this signature was fraudulently issued, or a
valid organization had their signing key compromised and used for this
type of purpose,” he wrote.
Hackers often try to steal legitimate digital certificates from other
developers in an attempt to make their malware look less suspicious.
If the video update is executed, the malware then installs a bogus
Firefox or Chrome extension depending on which browser the victim uses.
The malicious plugins try to appear legitimate, bearing the names
Chrome Service Pack 5.0.0 and the Mozilla Service Pack 5.0. Ladores
wrote that Google now blocks the extension that uses its name. Another
variation of the extension claims it is the F-Secure Security Pack
6.1.0, a fake product from the Finnish security vendor.
The plugins connect to another website and download a configuration
file, which allow them to steal the login credentials from a victim’s
social networking accounts such as Facebook, Google+, and Twitter. The
attackers can then perform a variety of actions, such as like pages,
share posts, update statuses and post comments, Ladores wrote.