The Latest in IT Security

Facebook Valentine’s Theme Leads to Malware


It’s never too early to get ready for Valentine’s day, it seems, even when it comes to malicious attacks. Recently, I came across a scam in Facebook that leverages the upcoming occasion.

The said attack begins with a post on affected users’ wall inviting other users to install a Valentine’s theme into their Facebook profile.

Click for larger view
Once users click on this post, they are redirected to another page that urges them to install the said theme. Note that this attack only works on either Google Chrome or Mozilla Firefox browsers.

Click for larger view
Clicking the Install button on the page will prompt the download of the malicious file, FacebookChrome.crx which Trend Micro detects as TROJ_FOOKBACE.A . When executed, TROJ_FOOKBACE.A executes a script that is capable of displaying ads from certain websites.


Click for larger view Click for larger view

It also installs itself on the on the users’ browsers as an extension named  Facebook Improvement |


Click for larger view Click for larger view

Once this malicious browser extension is installed, it will monitor the users’ browsing activities and redirect their page to a survey page asking them for their mobile number. Users who clicked on the post using Internet Explorer (IE) will be redirected to the same survey, without them being asked to download anything.



Click for larger view

Upon further analysis, we discovered that the attack is much more effective if the users are employing either Google Chrome or Mozilla Firefox. It resembles a legitimate extension download, thus requiring less user interaction than in the case where Internet Explorer is used (in which case the user is redirected to surveys).

With the focus of the attack mainly built around the concept of pretending to be a valid Chrome extension, we can reasonably conclude that Chrome users are the main target of this particular attack, with the IE redirection as more of an afterthought. But while there may be browser activity monitoring involved, TROJ_FOOKBACE.A does not seem to have any information theft techniques.  It fits the criteria of a clickjacking attack more, where it automatically ‘likes’ several Facebook pages as well as automatically posts a message on the affected user’s wall.

The fact that the attack itself is focused on Chrome and Firefox may mean that cybercriminals are targeting extension-compatible browsers, as well as going after more popular browser choices. This is not the first attack of its kind, but considering that extension-capable browsers are coming to the forefront now, it serves as a warning to all of us that this may be a continuing a trend that the malicious entities of the Internet are going to follow in the foreseeable future.

Trend Micro protects users from this attack via Trend MicroT Smart Protection NetworkT  that detects the malicious file and blocks all related malicious URLs.

Leave a reply



Mission-Critical Broadband – Why Governments Should Partner with Commercial Operators:
Many governments embrace mobile network operator (MNO) networks as ...

ARA at Scale: How to Choose a Solution That Grows With Your Needs:
Application release automation (ARA) tools enable best practices in...

The Multi-Model Database:
Part of the “new normal” where data and cloud applications are ...



Latest Comments