’Profile Viewer’ Add-on Infects Facebook Users with Carfekab Trojan
Facebook users worldwide may be exposed to the Carfekab Trojan spreading in a new virulent campaign on the social network. The ‘Profile Viewers’ add-on entices users with the promise of seeing their stalkers on Facebook. Over 2,400 .tk domains have already been registered for malicious purposes.
The browser extension fraudulently gathers ‘likes’ and spreads from one timeline to another. The downloaded “.exe” installs a malicious file, detected by antivirus software Bitdefender as Trojan.JS.Carfekab.A. The malware is capable of posting messages on users’ behalf and sending their personal data to the attackers’ servers. The Trojan may also be used for browser spying.
The infection propagates through Facebook messages in which victims share a random number of times their profile has been viewed. They also unwittingly tag their friends.
Top Visitors is then followed by a malicious link that leads to a browser add-on titled “Profile Viewers” or “Who Views.”
“Ever wanted to know who is viewing your profile or who has viewed it while you were offline?,” the website of the fake app reads. “Now you can! Just click the ‘Start Now’ button below to find out.”
The code allows cyber-criminals to spread several variations of the scam. The number of profile visitors could never be “0.”
Malware writers gain immediate access to victims’ contact lists after they click on the dangerous web site. By showing that the victim’s friends liked the app and tagging them, cyber-crooks increase both the scam’s credibility and its spreading rate on Facebook.
They also seem to hijack the number of likes of the social network’s official Facebook page. As far as it gets new likes, the malicious page also claims to have gathered the same number of likes. So far, over 111 million users clicked the ‘like’ button on Facebook’s product and service page, and scammers pretend the same number likes theirs.
Bitdefender experts have been studying malicious browser add-ons for several years. One study published in 2012 in the Virus Bulletin showed malware developers continuously exploit the general belief that add-ons are benign. By developing cross-platform malicious extensions, attackers can gain access to users’ sensitive information.
In May 2013, Microsoft warned about the Febipos Trojan, which was hijacking Facebook accounts by luring users with messages such as “15 year-old victim of bullying commits suicide after showing her breasts on Facebook”, “R$1000-voucher contest” or “a brand new Celta paying R$13 per day!” Febipos was able to ‘like’ a page, join a group, invite friends to a group and even chat with them.