Jump to content

Browser Extension Hijacking Facebook Profiles


Recommended Posts

We have received reports about a wave of malicious browser extensions trying to hijack Facebook profiles. This threat was first discovered in Brazil. We detect it as Trojan:JS/Febipos.A. The malware is a malicious browser extension specifically targeting Chrome and Mozilla Firefox.

When installed, it attempts to update itself using the following URLs:

Chrome browser:


Mozilla Firefox browser:


Note: Updated versions of this threat have been verified and are still detected as Trojan:JS/Febipos.A.

To begin with, this Trojan monitors a user to see if they are currently logged-in to Facebook. It then attempts to get a configuration file from the website <removed>.info/sqlvarbr.php. The file includes a list of commands of what the browser extension will do.

Depending on the file, this malware can do any of the following in the Facebook profile of an infected system:

  • Like a page
  • Share
  • Post
  • Join a group
  • Invite friends to a group
  • Chat to friends
  • Comment on a post

At the time of writing this blog, we have also seen the following behavior.

The configuration file contains a command to post the following message in Facebook:

    Vìdeo no link abaixo:<Currently unavailable link>

It is written in Portuguese and here’s an English translation:

    Video on the link below: <Currently unavailable link>

The above URL is unavailable and already blocked by Facebook.

We also found this threat tries to "like" and "comment" on a Facebook page:



It also attempts to comment on a post from this Facebook page with one of the following messages, written in Portuguese:

  • Tenha um Celta 0km pagando R$13,00 por dia!!
    English translation: Get a brand new Celta paying R$13 per day!!

  • Concurso valendo um Vale-Compras de R$1000,00!
    English translation: R$1000-voucher contest!

Note: This message may vary depending on the configuration file.As we can see on the Facebook page, there’s a link that has been shared with about 165 comments and 167 likes. There is a possibility that these people are infected with Trojan:JS/Febipos.A.

This trojan may also send out the following message via chat, posts or comments:

  • Desculpa ai galera, mas isso eh um absurdo!!!
    English translation: Sorry guys, but this is ridiculous!!!

  • Sonzinho sensação do momento. Muito show!!
    English translation: The coolest tune at the moment. It’s really nice!

  • <em>©</em>o Max e Renan - Rebolada de Gama (Clipe Oficial)
    English translation: <song title> (Official Clip)

  • Eu, não tenho carro do ano, não tenho grana sobrando, mas chego junto e...â<em>™</em>«â<em>™</em>«
    English translation: I don’t have a new car, I don’t have spare cash, but I get really close...

It may also post links on Facebook profiles. For example, the posted link from the Facebook page in the image above redirects to a website that sells cars.

At the time this blog was written, there were more users “liking” and “commenting” on the Facebook page that this malware uses – so there’s a possibility that there are more people continuing to be infected.

The number of “likes” for this page grew as we analyzed this malware. When we began analysis the page statistics looked like this:

  • Facebook page likes: 2,746
  • Facebook shared link likes: 167
  • Number of comments: 165

After several hours this had risen to:

  • Facebook page likes: 3,177
  • Facebook shared link likes: 201
  • Number of comments: 183

All of the information above is what we found at the time of our analysis. There may be more to this threat because it can change its messages, URLs, Facebook pages and other activity at any time. In any case, we recommend you always keep your security products updated with the latest definitions to help avoid infection.

Jonathan San Jose



Here is a related article from CNET: http://news.cnet.com/8301-1009_3-57584111-83/microsoft-warns-of-new-trojan-hijacking-facebook-accounts/?tag=nl.e757&s_cid=e757&ttag=e757

Link to comment
Share on other sites

That's hard to say if a HIPS program would detect this Trojan since it's disguising itself as a browser extension. It may go undetected since it's working from within the browser itself as a seemingly legitimite extension checking for updates.

Link to comment
Share on other sites


This topic is now archived and is closed to further replies.

  • Create New...