Google blocks Chrome extensions out of the official Store

Pierluigi Paganini June 01, 2015

Malicious Chrome extensions are in use across the criminal ecosystem, so Google decided to restrict the use of extensions not available on the Chrome Web Store.


With the new policies that Google created to protect users from installing malicious extensions in Chrome now in place, we would expect that the use of Chrome and Facebook to infect people with malware would have decreased by now, but is that true?

Until now we have seen all sorts of malicious campaigns using Google Chrome and Facebook to spread infections. Both companies (Google and Facebook) know that, and their goal is to protect their users; for that reason Google has lately restricted the use of extensions (available in Chrome Web Store), since it was full of “bad” extensions.

When the new policies were applied, Google was expecting the number of “bad” extensions to drop, but unfortunately that didn’t happen, and cybercriminals keep using all sorts of tricks on these platforms to continue their “work”.

According to a recent TrendMicro blog entry, Christopher Talampas, a Fraud Analyst, received a message from a friend that piqued his curiosity. The message was direct and short:

[Image: Google Chrome Facebook extensions 2]

“Clicking the link led us to a site with a page designed to mimic the look and feel of Facebook. The page even pretends to have content from YouTube. Visiting the malicious site led to the automatic download of a file titled Chrome_Video_installer.scr. The filename used makes it seem that it’s a harmless Chrome browser plugin required to play videos,” explained Christopher.


[Image: Google Chrome Facebook extensions 3]

The downloaded fake “videos installer” is in fact a threat known as “TROJ_KILIM.EFLD”. This malicious piece of code attempts to download another file (but at the time of the article this could not be confirmed, since the site was already down). The KILIM malware is known to be a malicious Chrome extension and plugin, and it is used to spam Facebook messages and infect systems.

Using information provided by the Smart Protection Network™, they obtained the following numbers showing the countries that accessed the malicious site the most:

Crossing these numbers with the countries that use Facebook the most, we come to a striking conclusion: the countries that use Facebook the most are the ones you can see in the table above. Curious, no?

But why do people fall for this type of attack?

In my opinion, there are some key points that can explain the phenomenon:

  • The message is sent by a Facebook friend, someone the victim supposedly knows in real life, which creates a relationship of trust with the source of the infection.
  • The “fake” message uses the name of the victim, making it look legitimate.
  • The use of a short link gives the victim more confidence that it’s a legitimate site.
  • The malware name leads the victim to believe that it’s just another extension and plugin that will let them watch the video on the site.
  • At first glance, a file with the .SCR extension doesn’t look malicious.
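
The last two points can be checked mechanically on a downloaded file. The following is an added example, not code from the article or from TrendMicro; the function names, the word lists and every sample file except the name Chrome_Video_installer.scr are constructed for illustration.

```python
import os
import tempfile

# Extensions Windows runs as programs; a .scr screensaver is an ordinary PE executable.
EXECUTABLE_EXTS = {".scr", ".exe", ".pif", ".com"}
# Constructed lists: lure words, and harmless-looking types placed before the real one.
LURE_WORDS = ("video", "player", "plugin", "codec", "chrome", "flash")
MEDIA_EXTS = {".mp4", ".avi", ".flv", ".jpg", ".pdf"}


def triage_download(path):
    """Return the reasons a downloaded file deserves a closer look (empty list = none)."""
    reasons = []
    stem, ext = os.path.splitext(os.path.basename(path).lower())
    with open(path, "rb") as fh:
        is_pe = fh.read(2) == b"MZ"  # DOS/PE header magic bytes
    if ext in EXECUTABLE_EXTS:
        reasons.append(f"extension {ext} is run by Windows as a program")
    elif is_pe:
        reasons.append("content is a PE executable but the extension hides it")
    if ext in EXECUTABLE_EXTS or is_pe:
        if any(word in stem for word in LURE_WORDS):
            reasons.append("executable named like a video or browser add-on")
        if os.path.splitext(stem)[1] in MEDIA_EXTS:
            reasons.append("double extension puts a media type before the real one")
    return reasons


def demo():
    """Triage constructed sample files; returns {filename: reasons}."""
    samples = {
        "Chrome_Video_installer.scr": b"MZ\x90\x00",  # name from the article, dummy bytes
        "holiday.mp4.scr": b"MZ\x90\x00",             # constructed
        "flash_plugin_update.jpg": b"MZ\x90\x00",     # constructed: PE content, image name
        "notes.txt": b"plain text",                   # constructed benign file
    }
    results = {}
    with tempfile.TemporaryDirectory() as folder:
        for name, content in samples.items():
            path = os.path.join(folder, name)
            with open(path, "wb") as fh:
                fh.write(content)
            results[name] = triage_download(path)
    return results


if __name__ == "__main__":
    for name, reasons in demo().items():
        print(f"{name}: {reasons or 'no findings'}")
```
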

[Image: Google Chrome Facebook extensions countries]

Keep alert:

Even though on VirusTotal the threat is detected by 38 of 57 antivirus engines, always stay alert for this type of approach on Facebook, even if it comes from your brother, wife, husband, etc., since a variant that is not so well known can be created. Never forget that Facebook is widely used, which makes it the perfect source of infection for anyone who wants to infect a lot of people. Keep in mind also that all links and attachments should be handled with extra care, and if you are suspicious, ask your friend what he just sent to make sure he is aware of what he sent.

At the time of writing this article, Facebook had already marked the message as SPAM.

About the Author Elsio Pinto

Elsio Pinto (@high54security) is at the moment the Lead McAfee Security Engineer at Swiss Re, but he also has knowledge in the areas of malware research, forensics, and ethical hacking. He has previous experience in major institutions, the European Parliament being one of them. He is a security enthusiast and tries his best to pass on his knowledge. He also runs his own blog: http://high54security.blogspot.com/

Edited by Pierluigi Paganini

(Security Affairs –  Spam,  Chrome extensions)


