Ah, Profile Spy, a once viral scam on Facebook and Twitter that entices users to check out who have been viewing their profiles.
Today, on the eve of the rumored EoW, it has decided to rear its ugly head once more.
During Profile Spy’s random stints on the Web, we have observed that the criminals behind it have used a number of tactics to make users hand over their credentials or give them money-like asking users to “Like” their page, answer surveys and copy and paste a code into the address bar. This time, the scammers have used a lot of elements in this effort. One is Facebook, the other two are Tumblr and the Google Chrome Web Store.
This scam starts off as a Facebook event invitation spammed to random users who are part of the mark’s network, a social engineering tactic already done in the past. Since the “event” is public, anyone can visit the page if the URL is shared.
Visiting any of the links on the comment posted on the page leads users to a Tumblr profile. Clicking “Get it here” then leads users to a similar looking page, which is using Amazon‘s web service, where they can download the Facebook Profile Spy v2.0 for the Google Chrome Internet browser.
Based on the Web page’s code, only users from certain countries can download and install the Profile Spy rogue extension onto their Chrome browser once they click “Add to Chrome”. Users outside of these countries won’t be able to experience this. Below is a screenshot of the extension’s page that is being served on the Chrome Web Store:
File name: extension_1_0_1.crx; MD5: 27f74e08871094fad6446686847b709d.
This rogue extension, once installed, is capable of doing three things: firstly, it updates the mark’s Facebook status by sharing an image and commenting on it-
-secondly, the extension displays a fake “security CAPTCHA check” pop-up window where the mark can fill in names of persons in his/her network. This then results in the creation of the Profile Spy “event” invitation-
-and lastly, it inserts ads, most of them adult in nature, on every website the mark visits. Below are just some sample screenshots:
As a last act of getting as much as they can from their mark, the scammers display a pop-up survey after the extension is successfully installed for the mark to fill in.
Filling in surveys, of course, generate affiliate commissions for the scammers.
Not long ago, our friends at Webroot documented the rise of the bogus “Change Facebook Theme Color” scam, and its method is similar to Profile Spy’s. Could the two be somehow related?
GFI Labs has already notified Google regarding the rogue Chrome extension, which we detect as Adware.FSpy.
Watch that mouse pointer, dear Reader, and careful where you direct and click it.
Jovi Umawing (Thanks to Adam for additional screenshots and analysis)
Leave a reply