Incident Response, Malware, TDR, Threat Management

Malicious Firefox, Chrome browser extensions targeting Facebook users

Malicious browser extensions downloaded by Google Chrome and Mozilla Firefox users are being leveraged to take over victims' Facebook accounts, according to Microsoft.

The software giant detected the malicious Chrome and Firefox add-ons actually was a trojan called “Febipos,” which is being used to spread spam on Facebook.

After users login to the social networking site, the trojan tries to obtain a configuration file from Facebook that gives it a list of commands to launch, including sharing and commenting on posts, "liking" Facebook pages, joining groups, inviting victims' friends to groups, and even chatting with users' friends. 

Researchers did not say how attackers are delivering the malware to victims.

Jonathan San Jose, a researcher for Microsoft's Malware Protection Center, wrote in a Friday blog post that Facebook messages written in Portuguese were being spammed to victims in Brazil. In some cases, it advertised cars or included links to a website that sold cars.

Satnam Narang, a security response manager at Symantec, told on Monday that this is a tactic spammers often use to increase their profile on Facebook for self-marketing purposes.

"It's likely they are trying to gain traction with these pages in the underground market to get more 'likes' because they have their own currency in today's social media world," Narang said.

In addition to luring users to download malicious extensions on official stores, attackers can also trick victims by passing the malware off as plug-ins that enhance their Facebook profiles or allow them to upgrade movie players, Narang said.

"I'm not sure how they are delivering them, but I've seen a few [malicious plug-ins] that have been in the Chrome store," Narang said. "And we've reported them to Google to get them taken out in the past." 

Microsoft's San Jose advised users to keep their security software up to date.

Fred Wolens, a Facebook spokesman, told in a Monday email that he wouldn't characterize the malware's exploits as "hijacking" victims' accounts.

"It's important to note that these browser extensions do not hijack Facebook accounts; instead, as these browser extensions essentially exist between the browser and our service, they act on behalf of the user," Wolens wrote.

"We advise all our users to report any spam they find on the Facebook site, and remember Facebook will never ask for your credit card [or] Social Security [numbers], or any other sensitive information other than your username and password while logging in," Wolens said. reached out to Google and Mozilla, but did not immediately hear back.

UPDATE: In a Monday email to, Michael Coates, director of security assurance at Mozilla, said the malicious extension was "never present" in its official site for Mozilla add-ons. The company did issue a block for the add-on, however, "as an additional precaution to protect" users.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.