
Chrome browser extensions discovered engaging in Facebook click fraud

Google has removed a group of malicious browser extensions from its Chrome Web Store, after an independent Danish security researcher discovered that the programs were hijacking users' Facebook accounts for click fraud purposes, using them to “like” links to sketchy webpages.

Maxime Kjaer, a 19-year-old computer science student, reported on his Output blog site that he uncovered the scheme after clicking one of several trashy links on Facebook that a friend of his supposedly liked. The link brought him to an adult-oriented content site requiring an age verification process that could only be completed, strangely enough, by first installing a Chrome extension that asks permission to “read and change all your data on the websites you visit.” Needless to say, this is a rather excessive request.

The suspicious extension allegedly came from the viral content site, and was available in the Chrome store, along with nine other identical programs that collectively amassed over 132,000 users.

After analyzing the extension's metadata, Kjaer determined that the age verification pop-up screen was entirely nonfunctional, merely serving as a decoy that concealed the true motives for obtaining such sweeping user permissions. However, another script within the code was more enlightening: this script was coded to download a payload from an external server and execute it.

The payload, naturally, was malicious, designed to send links that direct users to a web page containing Facebook tokens, which the extension program can then grab and exfiltrate to the command-and-control server. Cybercriminals can potentially use these access tokens to hijack victims' accounts and use them to read and post messages, statuses and links – though it is unclear at this time exactly what the perpetrators did with the stolen tokens.

Additionally, the malware instructs the extension to use victims' accounts as bots to generate false likes in Facebook-based click fraud campaigns. The malware's code also contained a function designed to subscribe victims to YouTube channels.

And so, as Kjaer suspected, his friend did not really like those sketchy links. “As soon as I found out about the extension, I told him to uninstall it, log out and then log in again to his Facebook account to gain new access tokens,” said Kjaer, in an email interview with “My friend told me that I was the first to notice it. He immediately unliked everything that the malware had liked for him, and I definitely think that he was glad to have it gone.”

Underhanded as this sounds, the creators of this malicious extension may have had even more nefarious plans in mind. Though no such activity appears to have taken place, Kjaer noted in his blog that the malware ultimately could have allowed its operators to read emails, steal additional credentials, obtain credit card information, launch distributed denial of service (DDoS) attacks, and more. “What I find scary… is the fact that it is set up to auto-update regularly. Clearly the malware operators wanted it to be able to evolve,” said Kjaer, who currently studies at the Swiss Federal Institute of Technology.

Upon learning of Kjaer's discovery, Google removed and blacklisted the offending browser extensions, effectively removing the infection from the 132,000-plus users who were already impacted, according to the blog.

“It is against the Chrome Web Store Content Policies to distribute malware. When we detect items containing malware or learn of them through reports, we remove them from the Chrome Web Store and from active Chrome instances,” said a Google spokesperson in response to a query from

In his blog, Kjaer states that browser extensions are “still quite unregulated territory, and although there are inherent limits to what they can do, there exists little to no protection against extension malware – your anti-virus can't help you here.”

Kjaer came down even harder on Google and its Chrome Web Store, which he calls “one of the largest single security threats to the web right now.” Kjaer believes Google should take steps to manually verify extensions or vet the reputation of their developers before offering them for download.

“I think Google could do a better job of warning users. Right now, an extension that asks for the ability to do unsafe code evaluation does not trigger a warning on the user's side,” Kjaer told In addition, “Maybe there is a way to make a more advanced malware detection algorithm.”

Tempering his criticism, Kjaer did acknowledge that Google “has acted to secure their Web Store in recent years” by including basic malware checks and enforcing stricter Content Security Policies. “However, all of the above apparently haven't been sufficient in stopping malware,” he told “If it can spread to 132,000 people through their Web Store, then that clearly indicates a problem, and I'm sure they don't find it acceptable either.”
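The two signals described above, all-sites access and permission for unsafe code evaluation, are both declared in an extension's manifest and can be checked before installation. The following is an added example, not code from Kjaer's blog or from Google; the function names, finding ids and sample manifests are constructed for illustration.

```javascript
// Match patterns that cover every site; Chrome reports these to the user as
// the broad "read and change all your data" permission quoted in the article.
const BROAD_HOSTS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

// Return the sources of the CSP directive that governs script execution.
function scriptSources(csp) {
  const directives = new Map();
  for (const part of csp.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name) directives.set(name.toLowerCase(), sources);
  }
  return directives.get("script-src") || directives.get("default-src") || [];
}

function auditManifest(manifest) {
  const findings = [];
  // Hosts: "permissions" (Manifest V2), "host_permissions" (V3), content script matches.
  const hosts = [
    ...(manifest.permissions || []),
    ...(manifest.host_permissions || []),
    ...(manifest.content_scripts || []).flatMap((cs) => cs.matches || []),
  ];
  const broad = [...new Set(hosts.filter((h) => BROAD_HOSTS.has(h)))];
  if (broad.length) findings.push({ id: "all-sites-access", detail: broad.join(", ") });

  // V2 stores the policy as a string, V3 as an object of named policies.
  const csp = manifest.content_security_policy;
  const policies = typeof csp === "string" ? [csp] : Object.values(csp || {});
  for (const policy of policies.filter((p) => typeof p === "string")) {
    // 'unsafe-eval' lets the extension run strings as code, e.g. fetched text.
    if (scriptSources(policy).includes("'unsafe-eval'")) {
      findings.push({ id: "unsafe-eval", detail: policy });
    }
  }
  return findings;
}

// Constructed sample manifests (not taken from the extensions in the article).
const suspicious = {
  manifest_version: 2,
  permissions: ["<all_urls>", "storage"],
  content_security_policy: "script-src 'self' 'unsafe-eval'; object-src 'self'",
};
const narrow = {
  manifest_version: 3,
  host_permissions: ["https://example.com/*"],
  content_security_policy: { extension_pages: "script-src 'self'; object-src 'self'" },
};
console.log(auditManifest(suspicious).map((f) => f.id), auditManifest(narrow).map((f) => f.id));
```

An extension that raises both findings while offering a feature that needs neither, such as an age check, deserves a closer look at its scripts.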

Bradley Barth

As director of community content at CyberRisk Alliance, Bradley Barth develops content for SC Media online conferences and events, as well as video/multimedia projects. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
