Malicious Chrome extension discovered that uses nude images as bait to spread malware on Facebook



According to research by the Internet security company Cyren, an attack abuses a Google Chrome extension to extract personal information and spread the damage to the victim's Facebook friends.

Malicious Google Chrome extension spreads nude celebrity pdf's to Facebook
http://blog.cyren.com/articles/malicious-google-chrome-extension-spreads-nude-celebrity-pdfs-to-facebook.html

Facebook malware allegedly spreading celebrity sex tapes through Chrome extension [Update]
https://www.neowin.net/news/facebook-malware-allegedly-spreading-celebrity-sex-tapes-through-chrome-extension

When the malicious extension is installed, a PDF file whose name suggests nude pictures of a celebrity is uploaded to the victim's Facebook groups. The file name is "Jessice_Alba_Leaked - sextapeVide_oSun_Dec_ 4 _ 2016 _ 22 _ 99 mp 4. Pdf": a celebrity's name, the phrase "Leaked - sextape Video", a character string and a date, plus the letters ".mp4" to suggest that it is a video file.


Because the actual extension is ".pdf", a careful reader who looks closely should become suspicious. However, malware of this type counts on recipients opening the file inadvertently, so each person who is caught spreads the damage a little further.

If you open the PDF file, a screen resembling a video player is displayed. If you click the icon disguised as a play button in the center of this screen...


The browser you normally use launches. If the browser set as the default is Internet Explorer, Firefox, Opera, etc., ads for pornographic sites and fake betting sites are displayed one after another on the screen.


However, things are different when the user is using Chrome. When the browser opens, it is redirected to the PHP address "hxxps: // rb - xxxxxx.xxx / gxxxxo.php (fetch)", and a fake site imitating YouTube is displayed. When you click the play button on that screen, a dialog prompting you to install a Chrome extension is displayed.


Once you install the extension, Chrome displays the Facebook login screen, the extension pulls your entire friends list, your Facebook groups, and your personal information, and it then starts spreading similar malicious PDF files one after another to groups, your own posts, and chats with friends.

The damage is not limited to this. The installed extension reportedly prevents users from accessing Chrome's extension settings page, so it cannot be uninstalled from there. It also prevents the browser's developer tools from being opened, so it cannot be removed that way either.

Therefore, there is no way to delete the installed extension other than editing the Windows registry. According to a Bleeping Computer article, first delete the key named "HKEY_LOCAL_MACHINE\Software\Google\Chrome\Extension" in the Registry Editor, and then delete the folder "C:\Users\USER\AppData\Local\Google\Chrome\User Data\Default\Extensions". This removes every extension already installed in Chrome, so you will need to reinstall the extensions you still need.
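Because the removal described above wipes every extension and the settings page is blocked, it helps to list what is in the Extensions folder first. The following Python sketch is an added example, not code from Cyren, Bleeping Computer or this article: it reads each `<id>/<version>/manifest.json` on disk and marks for review any extension that requests access to facebook.com or to all sites. That review rule, the function names and the sample extension ids and names are assumptions made for illustration.

```python
import json
import sys
import tempfile
from pathlib import Path

# Patterns that grant access to every site (and therefore to Facebook too).
ALL_SITES = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def host_patterns(manifest):
    """Collect host patterns from the MV2 and MV3 manifest fields."""
    pats = list(manifest.get("permissions", []))
    pats += manifest.get("host_permissions", [])
    for script in manifest.get("content_scripts", []):
        pats += script.get("matches", [])
    return [p for p in pats if isinstance(p, str)]

def inventory(extensions_dir):
    """Return one record per <id>/<version>/manifest.json found on disk."""
    rows = []
    for path in sorted(Path(extensions_dir).glob("*/*/manifest.json")):
        row = {"id": path.parent.parent.name, "version": path.parent.name}
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
            row["name"] = manifest.get("name", "")
            # Review rule (an assumption of this example): Facebook or all-site access.
            row["review"] = any(p in ALL_SITES or "facebook.com" in p.lower()
                                for p in host_patterns(manifest))
        except (OSError, ValueError, AttributeError, TypeError):
            # Unparseable manifests are flagged rather than silently skipped.
            row["name"], row["review"] = "<unreadable manifest>", True
        rows.append(row)
    return rows

def build_sample(root):
    """Write a constructed Extensions tree (ids and names are made up)."""
    samples = {
        "aaaa/1.0_0": '{"name": "Video Helper", "content_scripts": '
                      '[{"matches": ["*://*.facebook.com/*"], "js": ["a.js"]}]}',
        "bbbb/2.1_0": '{"name": "Notes", "permissions": ["storage"]}',
        "cccc/0.1_0": '{"name": broken',
    }
    for rel, text in samples.items():
        folder = Path(root) / rel
        folder.mkdir(parents=True)
        (folder / "manifest.json").write_text(text, encoding="utf-8")
    return root

if __name__ == "__main__":
    # Pass the real Extensions folder as an argument; otherwise use the sample tree.
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample(tempfile.mkdtemp())
    for row in inventory(target):
        print("REVIEW" if row["review"] else "ok    ", row["id"], row["version"], row["name"])
```

A "REVIEW" mark only means the extension can read Facebook pages, which many legitimate extensions also can; names of the form `__MSG_...__` are localization placeholders and appear as stored.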

Regarding this matter, Facebook told Neowin: "We use an automated system to prevent harmful links and files from appearing on Facebook. Because of this, many instances of malicious activity have been blocked, the affected extension is no longer doing anything on the Facebook platform, and the related party has deleted the corresponding extension from the browser store."

in Software,   Security, Posted by darkhorse_log