Scammers use browser extensions to hijack Facebook accounts

New Facebook scams instruct users to install rogue browser extensions that hijack their accounts

Facebook spammers have started using rogue browser extensions to prolong the life of their scams, researchers from Web security vendor Websense warned.

Attacks using social engineering techniques have plagued Facebook for years and despite the company's best efforts to block them, scammers have always found alternative methods of tricking users.


In a new type of scam detected by Websense researchers, attackers are encouraging users to install rogue browser extensions in order to view certain videos or receive free vouchers.

The add-ons, which are advertised as DivX plug-ins or coupon generators, use the Facebook API (Application Programming Interface) to post unauthorized messages on behalf of Facebook users who log in from the affected browsers.

So far, Websense has detected scams that are capable of determining the user's browser and distributing rogue extensions for Mozilla Firefox or Google Chrome.

These scams are likely to generate a smaller number of victims than those using traditional methods because browsers display security warnings when users attempt to install extensions from unverified sources.

However, once a browser has been compromised in this way, the Facebook accounts accessed through it can be used for spamming purposes for long periods of time.
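Because a rogue extension survives Facebook's server-side takedowns, the practical check on the user's side is an audit of what is actually installed. The script below is an added example, not code from Websense, Facebook or the article; it reads Chrome/Chromium extension manifests (assumed to sit under a profile's `Extensions/<id>/<version>/manifest.json`) and flags any extension that can read or script facebook.com pages, or whose name matches the lures the report describes (DivX plug-ins, coupon or voucher generators). The three sample manifests are constructed for an offline run.

```python
"""Audit browser extension manifests for a foothold on Facebook pages.

Added example (not the vendor's or Facebook's code). Assumes the Chrome/Chromium
profile layout Extensions/<id>/<version>/manifest.json; the manifest keys used
(permissions, host_permissions, content_scripts) are the same in Firefox WebExtensions.
"""
import json
import os
import re

# Match patterns that give an extension access to Facebook pages.
FACEBOOK_HOST = re.compile(r"^(\*|https?)://(\*\.|www\.)?facebook\.com/", re.IGNORECASE)
# Patterns that cover every site, Facebook included.
BROAD_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Lure names from the report: fake DivX plug-ins and coupon/voucher generators.
LURE_NAME = re.compile(r"divx|coupon|voucher", re.IGNORECASE)


def declared_hosts(manifest):
    """Every host match pattern the manifest declares, across manifest v2 and v3 keys."""
    hosts = []
    for key in ("permissions", "optional_permissions", "host_permissions"):
        hosts += [p for p in manifest.get(key, [])
                  if isinstance(p, str) and ("://" in p or p == "<all_urls>")]
    for script in manifest.get("content_scripts", []):
        hosts += script.get("matches", [])
    return hosts


def reaches_facebook(pattern):
    """True if a single match pattern covers facebook.com."""
    return pattern in BROAD_PATTERNS or bool(FACEBOOK_HOST.match(pattern))


def audit_manifest(manifest):
    """Return review reasons for one manifest; an empty list means nothing suspicious."""
    reasons = []
    hosts = declared_hosts(manifest)
    if any(p in BROAD_PATTERNS for p in hosts):
        reasons.append("broad host access (every site, Facebook included)")
    elif any(FACEBOOK_HOST.match(p) for p in hosts):
        reasons.append("explicit access to facebook.com")
    # A content script matched on Facebook runs with the user's logged-in session.
    if any(any(reaches_facebook(m) for m in s.get("matches", []))
           for s in manifest.get("content_scripts", [])):
        reasons.append("content script runs inside Facebook pages")
    if LURE_NAME.search(manifest.get("name", "")):
        reasons.append("name matches a known lure (DivX plug-in / coupon generator)")
    return reasons


def scan_profile(profile_dir):
    """Walk a profile's Extensions folder and return {extension dir: reasons} for hits."""
    findings = {}
    for root, _dirs, files in os.walk(os.path.join(profile_dir, "Extensions")):
        if "manifest.json" not in files:
            continue
        with open(os.path.join(root, "manifest.json"), encoding="utf-8") as fh:
            manifest = json.load(fh)
        reasons = audit_manifest(manifest)
        if reasons:
            findings[root] = reasons
    return findings


# Constructed sample manifests (not real extensions) so the audit runs offline.
SAMPLE_MANIFESTS = {
    "benign-dictionary": {
        "name": "Dictionary Lookup",
        "manifest_version": 2,
        "permissions": ["storage"],
        "content_scripts": [{"matches": ["*://*.example.org/*"], "js": ["lookup.js"]}],
    },
    "fake-divx-plugin": {
        "name": "DivX Plugin Update",
        "manifest_version": 2,
        "permissions": ["tabs", "*://*.facebook.com/*"],
        "content_scripts": [{"matches": ["https://www.facebook.com/*"], "js": ["post.js"]}],
    },
    "coupon-generator": {
        "name": "Free Voucher Generator",
        "manifest_version": 3,
        "host_permissions": ["<all_urls>"],
    },
}


def audit_samples():
    """Audit the constructed samples; used by the stand-alone run below."""
    return {label: audit_manifest(m) for label, m in SAMPLE_MANIFESTS.items()}


if __name__ == "__main__":
    for label, reasons in audit_samples().items():
        print(f"{label}: {'REVIEW - ' + '; '.join(reasons) if reasons else 'ok'}")
```

Run it against a real profile with `scan_profile("/path/to/Chrome/Default")`; anything it returns is a candidate for removal, not proof of compromise, since legitimate extensions also request broad host access. The name check is deliberately last and weakest: a rogue add-on can call itself anything, so the host and content-script checks are the ones that matter.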

Scams that use rogue Facebook apps, malicious JavaScript pasted into address bars (self-XSS) or clickjacking for propagation are usually short-lived because Facebook can take steps to block them on the server side.

However, the company will probably have a much harder time convincing users to uninstall rogue extensions from their browsers, especially since people tend to check their Facebook accounts from multiple computers.

"As much as these offers look tempting, if you're asked to install plugins in order to get vouchers or watch a video -- remember it could be a trick to spread scams, spam and malware," said Elad Sharf, a security researcher at Websense.

Copyright © 2011 IDG Communications, Inc.
