The Latest in IT Security

Rogue Google Chrome Extension Helps Crooks Harvest Facebook Likes


An impersonation of the Adobe Flash Player is being used by cyber-criminals to get page likes for various campaigns in just two clicks, then sell them to other customers.

The story of a page that has gathered 40,000+ likes starts with an apparently harmless link to a page hosting videos of kittens and unicorns. The page is located on an internationalized domain – – that performs the redirect to the fast[removed] domain (registered yesterday – 2013-02-17 – in Turkey and whose owner asked that their contact information not be published). This page asks the victim to install a special version of the Flash Player in order to see the video content.

Fake plugin

Fig. 1: the fake player asks for a special plugin

Victims using Google Chrome are then taken to the plugin’s page on the Chrome store where they are asked to install an extension named Business Flash Player!, a rogue extension for the browser that can access Facebook cookies and like pages on the user’s behalf.

Rogue player

Fig. 2: The malicious plugin on the Chrome Web Store

The extension fetches a piece of Javascript code from a short link hard-coded into the plugin. At the moment of writing, the snippet of code looks like this (it can change at any time, depending on which “like” campaign the plugin’s creator runs):


Fig.3: Javascript snippet used to “like” a page by ID

Please note the last line of code that instructs the user’s browser to artificially “like” a Facebook page with the ID of 274169846047328. A quick look on the social networking platform reveals it is associated with Mehmet Ozbilen, a fan page that managed to get 40,319 likes since its creation on February 12 with no content posted on it.


Fig. 4: Blank page with tens of thousands of “likes” ready to be purchased and customized

This type of scam is highly lucrative for its creators. With just a couple of lines of code – many of which have already been open-sourced on the web and are ready to be copied and pasted – crooks can gather significant numbers of likes from unwary Facebook users and grow a page that is ready to be sold to the highest bidder. After the transaction is done, the buyer gets administrative rights on the page and gets to pick a relevant username for it.

As the number of likes contributes to the page’s Edge Rank (a proprietary algorithm that decides which users see what is being posted on the page), shady companies and cyber-criminals alike are bidding for pages that already have a considerable number of likes.

Leave a reply



Mission-Critical Broadband – Why Governments Should Partner with Commercial Operators:
Many governments embrace mobile network operator (MNO) networks as ...

ARA at Scale: How to Choose a Solution That Grows With Your Needs:
Application release automation (ARA) tools enable best practices in...

The Multi-Model Database:
Part of the “new normal” where data and cloud applications are ...



Latest Comments