Browser Extensions Steal Account Info

Wednesday, August 7, 2013 @ 03:08 PM gHale


There are two malicious browser extensions that hijack Twitter, Facebook and Google+ accounts, researchers said.

The attackers plant links on social media sites that, if clicked, ask users to install a video player update, said researchers at Trend Micro. That is a common method hackers use to bait people into downloading malicious software.

RELATED STORIES
Mac Attack: Ransomware Targets Safari
Ransomware Forces Survey on Victim
Music App a Political Android Trojan
Android Master Key Open to Attack

The bogus video player update lures people in saying it leads to a video of a young woman committing suicide, according to Trend Micro.

The video player update carries a cryptographic signature used to verify an application came from a certain developer and has not undergone modification, said Don Ladores, a threat response engineer with Trend Micro.

“It is not yet clear if this signature was fraudulently issued, or a valid organization had their signing key compromised and used for this type of purpose,” he said.

Hackers often try to steal legitimate digital certificates from other developers in an attempt to make their malware look less suspicious.

If the video update ends up executed, the malware then installs a bogus Firefox or Chrome extension depending on which browser the victim uses.

The plugins appear legitimate, bearing the names Chrome Service Pack 5.0.0 and the Mozilla Service Pack 5.0. Ladores said Google now blocks the extension that uses its name. Another variation of the extension said it is the F-Secure Security Pack 6.1.0, a fake product from the Finnish security vendor.

The plugins connect to another website and download a configuration file, which allow them to steal the login credentials from a victim’s social networking accounts such as Facebook, Google+, and Twitter. The attackers can then perform a variety of actions, such as like pages, share posts, update statuses and post comments, Ladores said.



Leave a Reply

You must be logged in to post a comment.