{"id":12006,"date":"2018-04-13T08:10:08","date_gmt":"2018-04-13T16:10:08","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2018\/04\/13\/news-5775\/"},"modified":"2018-04-13T08:10:08","modified_gmt":"2018-04-13T16:10:08","slug":"news-5775","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2018\/04\/13\/news-5775\/","title":{"rendered":"Facebook spammers making things worse"},"content":{"rendered":"

Credit to Author: Pieter Arntz| Date: Fri, 13 Apr 2018 15:00:00 +0000<\/strong><\/p>\n

Facebook’s having a bad couple of weeks. Between Congressional testimony and new information coming forward about Cambridge Analytica’s use of user data<\/a>, the tech giant is having\u00a0problems keeping its users aboard<\/a>. Unfortunately, misery loves company. We noticed a few Facebook spam campaigns this week that can only make things worse.<\/p>\n

Should a browser extension be able to add a Facebook app?<\/h3>\n

The first of the Facebook spammers was pointed out by one of our forum visitors<\/a>. While the campaign was aimed at Finnish Facebook users, the origin is probably not Finnish, so this one could be coming to a Facebook timeline near you anytime soon.<\/p>\n

The modus operandi was like this: A website was set up to install a forced Firefox extension claiming you need a Flash update.<\/p>\n

\"install<\/p>\n

Translation: your Flash player has expired, and you need to update in order for the website to work properly. Accept\/install flash updates and add them into your browser.<\/em><\/p>\n<\/div>\n

Once installed, the extension looked like this:<\/p>\n

\"Flash<\/p>\n

Looks legit, right?<\/em><\/p>\n

What has this got to do with Facebook, you ask? Users that installed this extension and were logged into Facebook at the same time in the same browser got a bonus: A Facebook app, reportedly using several different names like HTC Sense, Spotify, and Pandora. This app started spamming the user groups the affected Facebook account belonged to with messages like this:<\/p>\n

\"Facebook<\/p>\n

An English version of this post (courtesy of Facebook) would look like this:<\/p>\n

\"Facebook<\/p>\n

So the threat actors<\/a> would have you Google a certain key phrase and made sure you ended up at a sponsored result that would offer high-end phones for unbelievable prices. And you know what they say about things that are to good to be true. The top search result for the keyword now goes to a Facebook page warning about this scam:<\/p>\n

\"Scam<\/p>\n

So, this about sums up how this intricate scheme worked, but the question that kept nagging at me is: Why can a Firefox extension install a Facebook app? Well, that\u2019s a simple matter of permissions.<\/p>\n

\"extension<\/p>\n

If you allow extensions to access your data for all websites (in this case, Facebook), even on other tabs, it can \u201cborrow\u201d your login session and install an app for you. Note that the extension needs you to “auto-login” to Facebook when it opens Facebook in a new tab (or pop-up).<\/p>\n

In the xpi file that is the “de facto” Firefox extension, there are two heavily obfuscated JavaScripts called background.js and tokeneo.js. Together, they are able to open a pop-up asking for your permission to install a Facebook app and confirming that action at the same time. All it needs is for you to be logged in to Facebook on one of the other tabs. And most Facebook users will automatically be logged in as soon as they open the site.<\/p>\n

\"partially<\/a><\/p>\n

Partially deobfuscated snippet from tokeneo.js<\/em><\/p>\n<\/div>\n

Removal<\/h3>\n

Malwarebytes can remove the extension for you, as pointed out in our removal guide for Flash-paivitys<\/a>, but you will have to remove the Facebook app manually<\/a>. Look for the \u00a0names we have mentioned earlier:<\/p>\n