Google Chrome users are being targeted these days by a wave of attacks that uses malicious extensions hosted in the official Chrome Web Store. The attack appears to be of Turkish origin and is using Facebook to spread. We saw users of different nationalities infected with the malicious extensions, which the cybercriminals are sending to the official store regularly, in a cat-and-mouse game.

As we already reported in March 2012, Brazilian cybercriminals were able at that time to host a malicious extension in the Chrome Web Store. Since then in June 2012 Google has changed the way users can add third party browser extensions i.e. not allowing the installation that are not hosted on the official Web Store. More recently Google removed the possibility of silent installations, which has been widely abused by third parties.

Maybe for these reasons bad guys started to concentrate their efforts to upload bad extensions to the official store. Now it’s the turn of Turkish cybercriminals; they were able to host several extensions there in the last few days.

Brazilian cybercrime is based primarily on the spread of Trojan bankers. For some time now the country’s bad guys have been investing their efforts in new monetization schemes, the latest includes the use of adware. And the perfect place for distributing this sort of malware? Yes, that’s right – social networks. This is how "PimpMyWindow", an adware and click-fraud scheme that has infected several Brazilian Facebook users in recent days, works.

To spread quickly among innocent users the adware uses a "change the color of your profile" option that recently surfaced. The infected profiles are used to spread automatic messages to your Facebook contacts:

Many things have been told already about the latest Skype malware spread via instant messages. However I just wanted to add something not mentioned yet. The first thing is about when the attack was launched first. According to Google Short URL service it first surfaced on Oct 6th :

Since November 2011, according to recent statistics, Google Chrome has become the most popular browser in Brazil (more than 45% of the market share).

The same has is true for Facebook, which now is the most popular social network in Brazil, with a total of 42 million users, displacing Orkut.

These two facts are enough to motivate Brazil’s bad guys to turn their attentions to both platforms. This month we saw a huge wave of attacks targeting Brazilian users of Facebook, based on the distribution of malicious extensions. There are several themes used in these attacks, including “Change the color of your profile” and “Discover who visited your profile” and some bordering on social engineering such as “Learn how to remove the virus from your Facebook profile”:

1) Click on Install app, 2) Click on Allow or Continue, 3) Click on Install now, After doing these steps, close the browser and open again

This last one caught our attention not because it asks the user to install a malicious extension, but because the malicious extension it’s hosted at the official Google's Chrome Web Store. If the user clicks on “Install aplicativo” he will be redirected to the official store. The malicious extension presents itself as “Adobe Flash Player”:

At the time of writing there is a new Facebook phishing attack going on. It will not just try to steal your Facebook credentials; it will also try to steal credit card information and other important information such as security questions.

This Facebook phishing attack is pretty interesting because it does not just try to trick the victim into visiting a phishing website. It will reuse the stolen information and login to the compromised account and change both profile picture and name. The profile picture will be changed to the Facebook logo and the name will be translated to “Facebook Security” but containing special ascii characters replacing letters such as “a” “k” “S” and “t”.

Once an account is compromised it will also send out a message to all contacts of the compromised account. The message looks like this:

When logging into Facebook this morning I saw that many of my friends posted a link to a video on their wall, and also everyone liked the link. The video was of a girl with a nice butt and it had the title "Laura Frisian: the most beautiful ass in the world!", it was pretty obvious that it was a scam because it looked like all the other Facebook scams we have seen, but because soo many of my friends were posting this video I still decided to take a look at it.

I quickly ended up in a JavaScript hell, with obfuscated code and multiple domains. It seems that the server used in this scam is hosting about 300 pages similar to the one im writing about. All of the pages look the same, but have many different videos, a few examples are:

• If you like Nutella, never look this video!!!
• Drill a tooth abscess! Disgusting :s
• Compilation of Embarrassing and Busted! Photos, Awesome :D
• Transgender 10-Year-Old, Boy Happier As A Girl !
• A Really Giant Baby ! Amazing it looks so real :D
• Air Race Plane Crashed in the crowd during a show !
• The worst thing that can happen to a girl!
• A fisherman catches a couple when they make ... :D

It seems I’m not doing anything other than write about malware on Facebook, but here goes again. As you have probably read or seen yourself on Facebook, there are quite a few applications pretending to show you a list of people who have viewed your profile. I think the most common one is the “Stalker Application”.

Today I saw something that I haven’t seen before – the applications have changed tactics and have now been localized, meaning the page and message which is distributed is in different languages. In my case the language is Swedish, since I’m from Sweden, and I presume that the worms are also localized in other languages.

As with the other cases we have seen, the user is tricked into executing a JavaScript in their browser; that script then loads another script from another domain. The bad guys use this setup to make it harder for antivirus companies to block these domains. This particular case is pretty funny – because of a poorly configured web server we managed to get a complete list of all the domains used in this scam, and they have now been sent to our analysts so they can be blacklisted.